diff --git a/.ci-mgmt.yaml b/.ci-mgmt.yaml index 37c65f6..34f78d3 100644 --- a/.ci-mgmt.yaml +++ b/.ci-mgmt.yaml @@ -10,3 +10,6 @@ plugins: version: "1.0.16" kind: converter integrationTestProvider: true +esc: + enabled: true + environment: imports/github-secrets # No repo-specific secrets. diff --git a/.github/workflows/build_provider.yml b/.github/workflows/build_provider.yml index 33b08d8..f7fc842 100644 --- a/.github/workflows/build_provider.yml +++ b/.github/workflows/build_provider.yml @@ -42,9 +42,14 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - - id: esc-secrets - name: Map environment to ESC outputs - uses: ./.github/actions/esc-action + - env: + ESC_ACTION_ENVIRONMENT: imports/github-secrets + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b # Without ldid cross-compiling Node binaries on a Linux worker intended to work on darwin-arm64 fails to sign the # binaries properly and they do not work as expected. See https://github.com/pulumi/pulumi-awsx/issues/1490 - uses: MOZGIII/install-ldid-action@v1 diff --git a/.github/workflows/build_sdk.yml b/.github/workflows/build_sdk.yml index bf4913d..d50a83a 100644 --- a/.github/workflows/build_sdk.yml +++ b/.github/workflows/build_sdk.yml 
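Review bot: `environment: imports/github-secrets` in the new `esc:` block points every workflow at one shared ESC environment, whereas the removed `env:` blocks gave publish.yml and verify-release.yml a larger secret set (NPM_TOKEN, PYPI_API_TOKEN, JAVA_SIGNING_KEY and others) than the test, pull-request or command-dispatch workflows. If that environment also holds the publishing credentials, which this diff does not show, every job that runs the fetch step can now read them. Consider a narrower environment for non-release workflows. At minimum, make the trailing comment state the scope, e.g. `# Shared environment (<which secret classes it exposes>); no repo-specific secrets.`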
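Review bot: The added `uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b` line in build_provider.yml is pinned to a commit but has no version comment, unlike the `actions/checkout@… # v5.0.0` line above it, so neither a reader nor an update bot can tell which release the SHA is. Append the tag, e.g. `uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b # <release tag>`. The same line recurs in every later hunk that adds the "Fetch secrets from ESC" step (build_sdk.yml through verify-release.yml). Several of those files carry the ci-mgmt autogenerated warning, so the comment probably belongs in the generator template. The step also sets `ESC_ACTION_OIDC_AUTH: "true"`, and requesting a GitHub OIDC token needs `id-token: write` on the job; no `permissions:` block is visible in this hunk and the job continues outside it, so confirm the permission is granted.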
@@ -10,17 +10,9 @@ on: type: string env: - AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID: ${{ secrets.AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID }} - AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY: ${{ secrets.AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY }} - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} PULUMI_API: https://api.pulumi-staging.io - PULUMI_BOT_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget - RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }} - RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }} - S3_COVERAGE_BUCKET_NAME: ${{ secrets.S3_COVERAGE_BUCKET_NAME }} - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} TF_APPEND_USER_AGENT: pulumi PROVIDER_VERSION: ${{ inputs.version }} @@ -47,9 +39,14 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - - id: esc-secrets - name: Map environment to ESC outputs - uses: ./.github/actions/esc-action + - env: + ESC_ACTION_ENVIRONMENT: imports/github-secrets + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b - name: Cache examples generation uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4 with: diff --git a/.github/workflows/command-dispatch.yml b/.github/workflows/command-dispatch.yml index 3c6cb02..9c1320a 100644 --- a/.github/workflows/command-dispatch.yml +++ b/.github/workflows/command-dispatch.yml 
@@ -1,17 +1,9 @@ # WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt env: - AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID: ${{ secrets.AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID }} - AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY: ${{ secrets.AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY }} - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} PULUMI_API: https://api.pulumi-staging.io - PULUMI_BOT_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget - RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }} - RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }} - S3_COVERAGE_BUCKET_NAME: ${{ secrets.S3_COVERAGE_BUCKET_NAME }} - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} TF_APPEND_USER_AGENT: pulumi jobs: @@ -26,9 +18,14 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - - id: esc-secrets - name: Map environment to ESC outputs - uses: ./.github/actions/esc-action + - env: + ESC_ACTION_ENVIRONMENT: imports/github-secrets + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b - uses: peter-evans/slash-command-dispatch@13bc09769d122a64f75aa5037256f6f2d78be8c4 # v4 with: commands: | diff --git a/.github/workflows/license.yml b/.github/workflows/license.yml index 951217d..876de80 100644 --- a/.github/workflows/license.yml +++ b/.github/workflows/license.yml 
@@ -7,17 +7,9 @@ on: inputs: {} env: - AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID: ${{ secrets.AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID }} - AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY: ${{ secrets.AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY }} - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} PULUMI_API: https://api.pulumi-staging.io - PULUMI_BOT_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget - RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }} - RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }} - S3_COVERAGE_BUCKET_NAME: ${{ secrets.S3_COVERAGE_BUCKET_NAME }} - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} TF_APPEND_USER_AGENT: pulumi jobs: diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 86a804c..b156850 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -7,17 +7,9 @@ on: inputs: {} env: - AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID: ${{ secrets.AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID }} - AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY: ${{ secrets.AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY }} - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} PULUMI_API: https://api.pulumi-staging.io - PULUMI_BOT_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget - RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }} - RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }} - S3_COVERAGE_BUCKET_NAME: ${{ secrets.S3_COVERAGE_BUCKET_NAME }} - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} TF_APPEND_USER_AGENT: pulumi jobs: diff --git a/.github/workflows/main-post-build.yml b/.github/workflows/main-post-build.yml index fbbc586..713dbeb 100644 --- a/.github/workflows/main-post-build.yml +++ b/.github/workflows/main-post-build.yml 
@@ -10,17 +10,9 @@ on: required: true env: - AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID: ${{ secrets.AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID }} - AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY: ${{ secrets.AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY }} - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} PULUMI_API: https://api.pulumi-staging.io - PULUMI_BOT_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget - RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }} - RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }} - S3_COVERAGE_BUCKET_NAME: ${{ secrets.S3_COVERAGE_BUCKET_NAME }} - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} TF_APPEND_USER_AGENT: pulumi jobs: @@ -41,9 +33,14 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - - id: esc-secrets - name: Map environment to ESC outputs - uses: ./.github/actions/esc-action + - env: + ESC_ACTION_ENVIRONMENT: imports/github-secrets + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0 with: diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml index 09820f0..c47e51b 100644 --- a/.github/workflows/master.yml +++ b/.github/workflows/master.yml 
@@ -1,17 +1,9 @@ # WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt env: - AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID: ${{ secrets.AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID }} - AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY: ${{ secrets.AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY }} - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} PULUMI_API: https://api.pulumi-staging.io - PULUMI_BOT_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget - RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }} - RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }} - S3_COVERAGE_BUCKET_NAME: ${{ secrets.S3_COVERAGE_BUCKET_NAME }} - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} TF_APPEND_USER_AGENT: pulumi jobs: @@ -98,9 +90,14 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - - id: esc-secrets - name: Map environment to ESC outputs - uses: ./.github/actions/esc-action + - env: + ESC_ACTION_ENVIRONMENT: imports/github-secrets + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b - name: check if this commit needs release if: ${{ env.RELEASE_BOT_ENDPOINT != '' }} uses: pulumi/action-release-by-pr-label@main diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml index 1b13c0b..fbf81fd 100644 --- a/.github/workflows/prerelease.yml +++ b/.github/workflows/prerelease.yml 
@@ -2,17 +2,9 @@ env: IS_PRERELEASE: true - AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID: ${{ secrets.AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID }} - AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY: ${{ secrets.AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY }} - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} PULUMI_API: https://api.pulumi-staging.io - PULUMI_BOT_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget - RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }} - RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }} - S3_COVERAGE_BUCKET_NAME: ${{ secrets.S3_COVERAGE_BUCKET_NAME }} - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} TF_APPEND_USER_AGENT: pulumi jobs: diff --git a/.github/workflows/prerequisites.yml b/.github/workflows/prerequisites.yml index e427a19..4368ee8 100644 --- a/.github/workflows/prerequisites.yml +++ b/.github/workflows/prerequisites.yml @@ -20,17 +20,9 @@ on: value: ${{ jobs.prerequisites.outputs.version }} env: - AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID: ${{ secrets.AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID }} - AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY: ${{ secrets.AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY }} - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} PULUMI_API: https://api.pulumi-staging.io - PULUMI_BOT_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget - RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }} - RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }} - S3_COVERAGE_BUCKET_NAME: ${{ secrets.S3_COVERAGE_BUCKET_NAME }} - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} TF_APPEND_USER_AGENT: pulumi jobs: 
@@ -48,9 +40,14 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - - id: esc-secrets - name: Map environment to ESC outputs - uses: ./.github/actions/esc-action + - env: + ESC_ACTION_ENVIRONMENT: imports/github-secrets + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b - uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 id: provider-version with: diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 2b0bbf5..c211ff8 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -21,24 +21,9 @@ on: env: IS_PRERELEASE: ${{ inputs.isPrerelease }} - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - AWS_UPLOAD_ROLE_ARN: ${{ secrets.AWS_UPLOAD_ROLE_ARN }} - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} - JAVA_SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }} - JAVA_SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }} - JAVA_SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} - OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} - OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }} PULUMI_API: https://api.pulumi-staging.io - PULUMI_BOT_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget - PYPI_API_TOKEN: ${{ secrets.PYPI_API_TOKEN }} - RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }} - RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }} TF_APPEND_USER_AGENT: pulumi jobs: 
@@ -56,9 +41,14 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - - id: esc-secrets - name: Map environment to ESC outputs - uses: ./.github/actions/esc-action + - env: + ESC_ACTION_ENVIRONMENT: imports/github-secrets + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b - name: Setup tools uses: ./.github/actions/setup-tools with: @@ -135,9 +125,14 @@ jobs: with: # Persist credentials so we can push back to the repo persist-credentials: true - - id: esc-secrets - name: Map environment to ESC outputs - uses: ./.github/actions/esc-action + - env: + ESC_ACTION_ENVIRONMENT: imports/github-secrets + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b - name: Setup tools uses: ./.github/actions/setup-tools with: @@ -209,9 +204,14 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - - id: esc-secrets - name: Map environment to ESC outputs - uses: ./.github/actions/esc-action + - env: + ESC_ACTION_ENVIRONMENT: imports/github-secrets + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b - name: Dispatch Metadata build uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3 with: 
@@ -237,9 +237,14 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - - id: esc-secrets - name: Map environment to ESC outputs - uses: ./.github/actions/esc-action + - env: + ESC_ACTION_ENVIRONMENT: imports/github-secrets + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b - name: Clean up release labels uses: pulumi/action-release-by-pr-label@main with: diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml index 096190c..0e6795f 100644 --- a/.github/workflows/pull-request.yml +++ b/.github/workflows/pull-request.yml @@ -1,17 +1,9 @@ # WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt env: - AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID: ${{ secrets.AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID }} - AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY: ${{ secrets.AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY }} - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} PULUMI_API: https://api.pulumi-staging.io - PULUMI_BOT_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget - RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }} - RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }} - S3_COVERAGE_BUCKET_NAME: ${{ secrets.S3_COVERAGE_BUCKET_NAME }} - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} TF_APPEND_USER_AGENT: pulumi jobs: 
@@ -24,9 +16,14 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - - id: esc-secrets - name: Map environment to ESC outputs - uses: ./.github/actions/esc-action + - env: + ESC_ACTION_ENVIRONMENT: imports/github-secrets + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b - name: Comment PR uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1 with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3e109a5..320dd43 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,17 +7,9 @@ on: - "!v*.*.*-**" env: - AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID: ${{ secrets.AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID }} - AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY: ${{ secrets.AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY }} - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} PULUMI_API: https://api.pulumi-staging.io - PULUMI_BOT_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget - RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }} - RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }} - S3_COVERAGE_BUCKET_NAME: ${{ secrets.S3_COVERAGE_BUCKET_NAME }} - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} TF_APPEND_USER_AGENT: pulumi jobs: diff --git a/.github/workflows/release_command.yml b/.github/workflows/release_command.yml index aab7724..4c455e9 100644 --- a/.github/workflows/release_command.yml +++ b/.github/workflows/release_command.yml 
@@ -14,9 +14,14 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - - id: esc-secrets - name: Map environment to ESC outputs - uses: ./.github/actions/esc-action + - env: + ESC_ACTION_ENVIRONMENT: imports/github-secrets + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b - name: Should release PR uses: pulumi/action-release-by-pr-label@main with: diff --git a/.github/workflows/run-acceptance-tests.yml b/.github/workflows/run-acceptance-tests.yml index 0868fe9..b6af3a5 100644 --- a/.github/workflows/run-acceptance-tests.yml +++ b/.github/workflows/run-acceptance-tests.yml @@ -12,17 +12,9 @@ on: env: PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }} - AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID: ${{ secrets.AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID }} - AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY: ${{ secrets.AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY }} - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} PULUMI_API: https://api.pulumi-staging.io - PULUMI_BOT_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget - RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }} - RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }} - S3_COVERAGE_BUCKET_NAME: ${{ secrets.S3_COVERAGE_BUCKET_NAME }} - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} TF_APPEND_USER_AGENT: pulumi # This should cancel any previous runs of the same workflow on the same branch which are still running. diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 950de0e..90c6e65 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -12,17 +12,9 @@ on: env: PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }} - AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID: ${{ secrets.AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID }} - AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY: ${{ secrets.AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY }} - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} PULUMI_API: https://api.pulumi-staging.io - PULUMI_BOT_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget - RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }} - RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }} - S3_COVERAGE_BUCKET_NAME: ${{ secrets.S3_COVERAGE_BUCKET_NAME }} - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} TF_APPEND_USER_AGENT: pulumi jobs: @@ -39,9 +31,14 @@ jobs: with: ref: ${{ env.PR_COMMIT_SHA }} persist-credentials: false - - id: esc-secrets - name: Map environment to ESC outputs - uses: ./.github/actions/esc-action + - env: + ESC_ACTION_ENVIRONMENT: imports/github-secrets + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b - name: Checkout p/examples if: matrix.testTarget == 'pulumiExamples' uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 diff --git a/.github/workflows/upgrade-bridge.yml b/.github/workflows/upgrade-bridge.yml index c3500ee..b010f0a 100644 --- a/.github/workflows/upgrade-bridge.yml +++ b/.github/workflows/upgrade-bridge.yml 
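Review bot: In the second test.yml hunk the job checks out `ref: ${{ env.PR_COMMIT_SHA }}`, the pull request head taken from the dispatch payload, and the next step now fetches `imports/github-secrets`. Any later step that builds or tests that checkout therefore runs PR-controlled code in a job holding those credentials. The removed `env:` block already exposed some secrets here, but the shared environment may be broader; its contents are not visible in this diff. Confirm this workflow is only dispatched after a maintainer has reviewed the PR, and consider a narrower environment, e.g. `ESC_ACTION_ENVIRONMENT: <test-only environment>`. The rest of the job is outside the hunk.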
@@ -61,17 +61,9 @@ permissions: pull-requests: write env: - AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID: ${{ secrets.AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID }} - AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY: ${{ secrets.AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY }} - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} PULUMI_API: https://api.pulumi-staging.io - PULUMI_BOT_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget - RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }} - RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }} - S3_COVERAGE_BUCKET_NAME: ${{ secrets.S3_COVERAGE_BUCKET_NAME }} - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} TF_APPEND_USER_AGENT: pulumi jobs: @@ -83,9 +75,14 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - - id: esc-secrets - name: Map environment to ESC outputs - uses: ./.github/actions/esc-action + - env: + ESC_ACTION_ENVIRONMENT: imports/github-secrets + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/.github/workflows/upgrade-java.yml b/.github/workflows/upgrade-java.yml index bb2fee6..da1c4cb 100644 --- a/.github/workflows/upgrade-java.yml +++ b/.github/workflows/upgrade-java.yml 
@@ -33,9 +33,14 @@ jobs: with: # Persist credentials so upgrade-provider can push a new branch. persist-credentials: true - - id: esc-secrets - name: Map environment to ESC outputs - uses: ./.github/actions/esc-action + - env: + ESC_ACTION_ENVIRONMENT: imports/github-secrets + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b - name: Setup tools uses: ./.github/actions/setup-tools diff --git a/.github/workflows/upgrade-provider.yml b/.github/workflows/upgrade-provider.yml index d0018d9..525f101 100644 --- a/.github/workflows/upgrade-provider.yml +++ b/.github/workflows/upgrade-provider.yml @@ -31,15 +31,21 @@ jobs: upgrade_provider: name: upgrade-provider runs-on: ubuntu-latest + permissions: write-all steps: - name: Checkout Repo uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: # Persist credentials so upgrade-provider can push a new branch. persist-credentials: true - - id: esc-secrets - name: Map environment to ESC outputs - uses: ./.github/actions/esc-action + - env: + ESC_ACTION_ENVIRONMENT: imports/github-secrets + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/.github/workflows/verify-release.yml b/.github/workflows/verify-release.yml index feff58a..6c6cf07 100644 --- a/.github/workflows/verify-release.yml +++ b/.github/workflows/verify-release.yml 
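Review bot: The `permissions: write-all` line added to the `upgrade_provider` job in upgrade-provider.yml grants the GITHUB_TOKEN every write scope, and the checkout below it keeps that token on disk with `persist-credentials: true`. From what the hunk shows, the job needs to push a branch and obtain an OIDC token for the ESC step, so an explicit grant is enough, e.g. `permissions: { contents: write, pull-requests: write, id-token: write }`, plus any scope a later step outside this hunk actually uses. The upgrade-java.yml hunk on the same line adds the identical fetch step without widening permissions, so check whether the broad grant is needed at all. If this file is generated by ci-mgmt like its siblings, the change belongs in the template.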
@@ -37,24 +37,9 @@ on: required: false env: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - AWS_UPLOAD_ROLE_ARN: ${{ secrets.AWS_UPLOAD_ROLE_ARN }} - CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} - JAVA_SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }} - JAVA_SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }} - JAVA_SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }} - NPM_TOKEN: ${{ secrets.NPM_TOKEN }} - NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} - OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} - OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }} PULUMI_API: https://api.pulumi-staging.io - PULUMI_BOT_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget - PYPI_API_TOKEN: ${{ secrets.PYPI_API_TOKEN }} - RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }} - RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }} TF_APPEND_USER_AGENT: pulumi jobs: @@ -80,9 +65,14 @@ jobs: uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: persist-credentials: false - - id: esc-secrets - name: Map environment to ESC outputs - uses: ./.github/actions/esc-action + - env: + ESC_ACTION_ENVIRONMENT: imports/github-secrets + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b - name: Setup tools uses: ./.github/actions/setup-tools with: