Skip to content

Commit

Permalink
Reintroduce OIDC test without the condition blocking releases (#3176)
Browse files Browse the repository at this point in the history 
Revert "Revert "CI tests for OIDC authentication (#3074)" (#3175)". The
other test jobs have no guarding conditions, so this one shouldn't need
any either.
  • Loading branch information
@thomas11
thomas11 committed Dec 27, 2023
1 parent 31412fb commit b4ef67c
Show file tree
Hide file tree
Showing 19 changed files with 570 additions and 18 deletions.
95 changes: 95 additions & 0 deletions .ci-mgmt.yaml
View file
Expand Up @@ -8,6 +8,7 @@ providerVersion: github.com/hashicorp/terraform-provider-aws/version.ProviderVer
env:
PULUMI_MISSING_DOCS_ERROR: true
AWS_REGION: "us-west-2"
OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }}
makeTemplate: bridged
checkoutSubmodules: true
# TODO: remove XrunUpstreamTools flag after work to add docs replacement strategies to resources.go is completed
Expand Down Expand Up @@ -94,3 +95,97 @@ extraTests:
uses: codecov/codecov-action@v3
env:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}

test_oidc:
name: test_oidc
needs: build_sdk
permissions:
contents: read
id-token: write
runs-on: pulumi-ubuntu-8core
steps:
- name: Checkout Repo
uses: actions/checkout@v3
with:
ref: ${{ env.PR_COMMIT_SHA }}
submodules: true
- name: Checkout Scripts Repo
uses: actions/checkout@v3
with:
path: ci-scripts
repository: pulumi/scripts
- name: Unshallow clone for tags
run: git fetch --prune --unshallow --tags
- name: Install Go
uses: actions/setup-go@v4
with:
cache-dependency-path: |
sdk/go.sum
go-version: 1.21.x
- name: Install pulumictl
uses: jaxxstorm/action-install-gh-release@v1.5.0
with:
repo: pulumi/pulumictl
- name: Install Pulumi CLI
uses: pulumi/actions@v4
with:
pulumi-version: v3.77.1
- name: Setup Node
uses: actions/setup-node@v2
with:
node-version: ${{ env.NODEVERSION }}
registry-url: https://registry.npmjs.org
- name: Download provider + tfgen binaries
uses: actions/download-artifact@v2
with:
name: ${{ env.PROVIDER }}-provider.tar.gz
path: ${{ github.workspace }}/bin
- name: Untar provider binaries
run: >-
tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
github.workspace}}/bin
find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print -exec chmod +x {} \;
- name: Download SDK
uses: actions/download-artifact@v2
with:
name: ${{ matrix.language }}-sdk.tar.gz
path: ${{ github.workspace}}/sdk/
- name: Uncompress SDK folder
run: tar -zxf ${{ github.workspace }}/sdk/${{ matrix.language }}.tar.gz -C ${{
github.workspace }}/sdk/${{ matrix.language }}
- name: Update path
run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
- name: Install dependencies
run: make install_${{ matrix.language}}_sdk
- name: Install gotestfmt
uses: GoTestTools/gotestfmt-action@v2
with:
token: ${{ secrets.GITHUB_TOKEN }}
version: v2.4.0
- name: Make upstream
run: make upstream
- name: Run selected tests with manual web identity/OIDC auth
run: cd examples && go test -v -json -count=1 -run TestAccCloudWatchOidcManual -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt
- name: Configure AWS Credentials for OIDC
uses: aws-actions/configure-aws-credentials@v4
with:
unset-current-credentials: true
aws-region: ${{ env.AWS_REGION }}
role-duration-seconds: 3600
role-session-name: ${{ env.PROVIDER }}@githubActions
role-to-assume: ${{ secrets.OIDC_ROLE_ARN }}
- name: Run selected tests with configure-aws-credentials web identity/OIDC auth
run: cd examples && go test -v -json -count=1 -run TestAccCloudWatch -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt
- if: failure() && github.event_name == 'push'
name: Notify Slack
uses: 8398a7/action-slack@v3
with:
author_name: Failure in running ${{ matrix.language }} tests
fields: repo,commit,author,action
status: ${{ job.status }}
strategy:
fail-fast: false
matrix:
language:
- nodejs
1 change: 1 addition & 0 deletions .github/workflows/command-dispatch.yml
View file
Expand Up @@ -14,6 +14,7 @@ env:
NODEVERSION: 20.x
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/license.yml
View file
Expand Up @@ -20,6 +20,7 @@ env:
NODEVERSION: 20.x
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/lint.yml
View file
Expand Up @@ -19,6 +19,7 @@ env:
NODEVERSION: 20.x
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
Expand Down
92 changes: 92 additions & 0 deletions .github/workflows/master.yml
View file
Expand Up @@ -14,6 +14,7 @@ env:
NODEVERSION: 20.x
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
Expand Down Expand Up @@ -286,6 +287,7 @@ jobs:
- test
- license_check
- go_test_shim
- test_oidc
runs-on: pulumi-ubuntu-8core
steps:
- name: Checkout Repo
Expand Down Expand Up @@ -517,6 +519,96 @@ jobs:
name: Upload coverage reports to Codecov
uses: codecov/codecov-action@v3
timeout-minutes: 60
test_oidc:
name: test_oidc
needs: build_sdk
permissions:
contents: read
id-token: write
runs-on: pulumi-ubuntu-8core
steps:
- name: Checkout Repo
uses: actions/checkout@v3
with:
ref: ${{ env.PR_COMMIT_SHA }}
submodules: true
- name: Checkout Scripts Repo
uses: actions/checkout@v3
with:
path: ci-scripts
repository: pulumi/scripts
- name: Unshallow clone for tags
run: git fetch --prune --unshallow --tags
- name: Install Go
uses: actions/setup-go@v4
with:
cache-dependency-path: |
sdk/go.sum
go-version: 1.21.x
- name: Install pulumictl
uses: jaxxstorm/action-install-gh-release@v1.5.0
with:
repo: pulumi/pulumictl
- name: Install Pulumi CLI
uses: pulumi/actions@v4
with:
pulumi-version: v3.77.1
- name: Setup Node
uses: actions/setup-node@v2
with:
node-version: ${{ env.NODEVERSION }}
registry-url: https://registry.npmjs.org
- name: Download provider + tfgen binaries
uses: actions/download-artifact@v2
with:
name: ${{ env.PROVIDER }}-provider.tar.gz
path: ${{ github.workspace }}/bin
- name: Untar provider binaries
run: |-
tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{ github.workspace}}/bin
find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print -exec chmod +x {} \;
- name: Download SDK
uses: actions/download-artifact@v2
with:
name: ${{ matrix.language }}-sdk.tar.gz
path: ${{ github.workspace}}/sdk/
- name: Uncompress SDK folder
run: tar -zxf ${{ github.workspace }}/sdk/${{ matrix.language }}.tar.gz -C ${{ github.workspace }}/sdk/${{ matrix.language }}
- name: Update path
run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
- name: Install dependencies
run: make install_${{ matrix.language}}_sdk
- name: Install gotestfmt
uses: GoTestTools/gotestfmt-action@v2
with:
token: ${{ secrets.GITHUB_TOKEN }}
version: v2.4.0
- name: Make upstream
run: make upstream
- name: Run selected tests with manual web identity/OIDC auth
run: cd examples && go test -v -json -count=1 -run TestAccCloudWatchOidcManual -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt
- name: Configure AWS Credentials for OIDC
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: ${{ env.AWS_REGION }}
role-duration-seconds: 3600
role-session-name: ${{ env.PROVIDER }}@githubActions
role-to-assume: ${{ secrets.OIDC_ROLE_ARN }}
unset-current-credentials: true
- name: Run selected tests with configure-aws-credentials web identity/OIDC auth
run: cd examples && go test -v -json -count=1 -run TestAccCloudWatch -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt
- if: failure() && github.event_name == 'push'
name: Notify Slack
uses: 8398a7/action-slack@v3
with:
author_name: Failure in running ${{ matrix.language }} tests
fields: repo,commit,author,action
status: ${{ job.status }}
strategy:
fail-fast: false
matrix:
language:
- nodejs

name: master
on:
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/nightly-test.yml
View file
Expand Up @@ -14,6 +14,7 @@ env:
NODEVERSION: 20.x
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
Expand Down
92 changes: 92 additions & 0 deletions .github/workflows/prerelease.yml
View file
Expand Up @@ -15,6 +15,7 @@ env:
NODEVERSION: 20.x
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
Expand Down Expand Up @@ -229,6 +230,7 @@ jobs:
- test
- license_check
- go_test_shim
- test_oidc
runs-on: pulumi-ubuntu-8core
steps:
- name: Checkout Repo
Expand Down Expand Up @@ -442,6 +444,96 @@ jobs:
name: Upload coverage reports to Codecov
uses: codecov/codecov-action@v3
timeout-minutes: 60
test_oidc:
name: test_oidc
needs: build_sdk
permissions:
contents: read
id-token: write
runs-on: pulumi-ubuntu-8core
steps:
- name: Checkout Repo
uses: actions/checkout@v3
with:
ref: ${{ env.PR_COMMIT_SHA }}
submodules: true
- name: Checkout Scripts Repo
uses: actions/checkout@v3
with:
path: ci-scripts
repository: pulumi/scripts
- name: Unshallow clone for tags
run: git fetch --prune --unshallow --tags
- name: Install Go
uses: actions/setup-go@v4
with:
cache-dependency-path: |
sdk/go.sum
go-version: 1.21.x
- name: Install pulumictl
uses: jaxxstorm/action-install-gh-release@v1.5.0
with:
repo: pulumi/pulumictl
- name: Install Pulumi CLI
uses: pulumi/actions@v4
with:
pulumi-version: v3.77.1
- name: Setup Node
uses: actions/setup-node@v2
with:
node-version: ${{ env.NODEVERSION }}
registry-url: https://registry.npmjs.org
- name: Download provider + tfgen binaries
uses: actions/download-artifact@v2
with:
name: ${{ env.PROVIDER }}-provider.tar.gz
path: ${{ github.workspace }}/bin
- name: Untar provider binaries
run: |-
tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{ github.workspace}}/bin
find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print -exec chmod +x {} \;
- name: Download SDK
uses: actions/download-artifact@v2
with:
name: ${{ matrix.language }}-sdk.tar.gz
path: ${{ github.workspace}}/sdk/
- name: Uncompress SDK folder
run: tar -zxf ${{ github.workspace }}/sdk/${{ matrix.language }}.tar.gz -C ${{ github.workspace }}/sdk/${{ matrix.language }}
- name: Update path
run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
- name: Install dependencies
run: make install_${{ matrix.language}}_sdk
- name: Install gotestfmt
uses: GoTestTools/gotestfmt-action@v2
with:
token: ${{ secrets.GITHUB_TOKEN }}
version: v2.4.0
- name: Make upstream
run: make upstream
- name: Run selected tests with manual web identity/OIDC auth
run: cd examples && go test -v -json -count=1 -run TestAccCloudWatchOidcManual -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt
- name: Configure AWS Credentials for OIDC
uses: aws-actions/configure-aws-credentials@v4
with:
aws-region: ${{ env.AWS_REGION }}
role-duration-seconds: 3600
role-session-name: ${{ env.PROVIDER }}@githubActions
role-to-assume: ${{ secrets.OIDC_ROLE_ARN }}
unset-current-credentials: true
- name: Run selected tests with configure-aws-credentials web identity/OIDC auth
run: cd examples && go test -v -json -count=1 -run TestAccCloudWatch -tags=${{ matrix.language }} -parallel 4 . 2>&1 | tee /tmp/gotest.log | gotestfmt
- if: failure() && github.event_name == 'push'
name: Notify Slack
uses: 8398a7/action-slack@v3
with:
author_name: Failure in running ${{ matrix.language }} tests
fields: repo,commit,author,action
status: ${{ job.status }}
strategy:
fail-fast: false
matrix:
language:
- nodejs

name: prerelease
on:
Expand Down
1 change: 1 addition & 0 deletions .github/workflows/pull-request.yml
View file
Expand Up @@ -14,6 +14,7 @@ env:
NODEVERSION: 20.x
NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }}
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
Expand Down

0 comments on commit b4ef67c

Please sign in to comment.