-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for GitHub private releases as plugin source #8944
Add support for GitHub private releases as plugin source #8944
Conversation
PR is now waiting for a maintainer to take action. Note for the maintainer: Commands available:
|
1 similar comment
PR is now waiting for a maintainer to take action. Note for the maintainer: Commands available:
|
PR is now waiting for a maintainer to take action. Note for the maintainer: Commands available:
|
@Frassle I was wondering if it made sense to put this code under a different feature flag from |
PR is now waiting for a maintainer to take action. Note for the maintainer: Commands available:
|
1 similar comment
PR is now waiting for a maintainer to take action. Note for the maintainer: Commands available:
|
Co-authored-by: Fraser Waters <frassle@gmail.com>
179ccca
to
7e42255
Compare
PR is now waiting for a maintainer to take action. Note for the maintainer: Commands available:
|
We've discussed this internally before and decided to just stick to the simplicity of everything under one experimental flag for now. We don't expect to have things live as experimental for long. |
PR is now waiting for a maintainer to take action. Note for the maintainer: Commands available:
|
PR is now waiting for a maintainer to take action. Note for the maintainer: Commands available:
|
PR is now waiting for a maintainer to take action. Note for the maintainer: Commands available:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks reasonable to me.
/run-acceptance-tests |
Please view the results of the PR Build + Acceptance Tests Run Here |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This looks good to me. LGTM
Are there any additional steps before merging this? |
Spoken to @stack72 about this. We do want to make sure we can support your workflow @patriziobruno, but further thinking about this we're not sure the proposed download flow is one we should support. Would it be acceptable to use the pluginDownloadURL to point to your private github release instead of the download flow trying to work that out from env[GITHUB_REPOSITORY_OWNER]. We'd then change the pluginDownloadURL using code to add github auth tokens (if and only if the url was for something at github.com) so it could auth to that custom url. I'm happy to do the required code changes here if that would still work for your usecase. If that wouldn't work do share why, we'll think some more about what we can do. |
@Frassle @stack72 the problem about the |
Ah right I've followed through the REST calls this makes and I see what you mean there. pluginDownloadURL makes assumptions about the format of the url, github releases don't match that format even if you pre-looked up the api style url to use. @stack72 I can't see a simple way to fit this into our pluginDownloadURL flow given the above. I think we need to give that feature a major rethink and for now accept the PR as is, with the expectation that we'll have to break all custom plugin flows at some point to tidy this up (4.0 or even 5.0 change). |
This sounds somewhat scary to me... Will you leave this PR's flow behind the flag until 4.0/5.0? Otherwise that breaking change may be quite hard to pull in. It would be nice to understand what that future tidy-up may look like. |
@mikhailshilkov This workflow doesn't make any use of pluginDownload:
workflow: privateGitHubRelease
with:
repoOwner: owner # defaults to env[GITHUB_REPO_OWNER]
actor: github_username # defaults to env[GITHUB_ACTOR]
personalAccessToken: /path/to/file/containing/token or env var name containing token or any other means that is not putting a plain text secret into schema.yaml # initially defaults to env[GITHUB_PERSONAL_ACCESS_TOKEN] for backward compatibility I don't mean to give suggestions on how to change the plugin download workflow, just making an example that wouldn't break this code. |
Yes I think we'd want to do that.
I should have been more clear here. I think pluginDownloadURL is not descriptive enough to support all the cases we want to support custom download from, it's not even descriptive enough to support github releases let alone anything more esoteric. So I think potential breaking change 1 is redesigning pluginDownloadURL so it can describe these cases, which might not be doable in a way that also maintains the current behaviour (it might be possible to do this change compatibly, needs more thinking).
The example schema.yaml in @patriziobruno post looks something like what I expect we'd change to. |
PR is now waiting for a maintainer to take action. Note for the maintainer: Commands available:
|
PR is now waiting for a maintainer to take action. Note for the maintainer: Commands available:
|
I'm going to merge this in with the understanding that it will stay under EXPERIMENTAL until we can spend the engineering time to rework custom plugin downloads to support this properly. Some time after adding proper support for this via the custom plugin work we will remove this code flow, and your workflow will be broken if you haven't updated to use the supported custom plugin settings. I have raised #9007 to track the re-design work. |
Description
This change adds support for downloading plugins from private GitHub releases. I added the change under the feature flag
PULUMI_EXPERIMENTAL
. It works as follows:If the plugin can't be downloaded from Pulumi's public GitHub releases, an attempt is made to download from private GitHub releases using GitHub info and credentials passed as environment variables. To be compatible with GitHub Actions, env variable names come from official documentation.
The implementation uses either
GITHUB_TOKEN
for service2service authentication orGITHUB_ACTOR
+GITHUB_PERSONAL_ACCESS_TOKEN
for HTTP basic authentication. It gets the requestedreleaseId
from GitHub's Releases API and, if successful, downloads the release from the URL of the asset matching the expected file-name formatpulumi-<type>-<name>-v<version>-<operatingSystem>-<arch>.tar.gz
.If this method fails,
pulumi plugin download
falls back on get.pulumi.com.Before adding testing, I wanted to gather feedback from the maintainers on the implementation.
Fixes #8943
Checklist