Add support for GitHub private releases as plugin source

[patriziobruno]

Description

This change adds support for downloading plugins from private GitHub releases. I added the change under the feature flag PULUMI_EXPERIMENTAL. It works as follows:
If the plugin can't be downloaded from Pulumi's public GitHub releases, an attempt is made to download from private GitHub releases using GitHub info and credentials passed as environment variables. To be compatible with GitHub Actions, env variable names come from official documentation.

• GITHUB_REPO_OWNER
• GITHUB_TOKEN
• GITHUB_ACTOR
• GITHUB_PERSONAL_ACCESS_TOKEN (this is not an official pipeline context var)
  The implementation uses either GITHUB_TOKEN for service2service authentication or GITHUB_ACTOR + GITHUB_PERSONAL_ACCESS_TOKEN for HTTP basic authentication. It gets the requested releaseId from GitHub's Releases API and, if successful, downloads the release from the URL of the asset matching the expected file-name format pulumi-<type>-<name>-v<version>-<operatingSystem>-<arch>.tar.gz.

If this method fails, pulumi plugin download falls back on get.pulumi.com.

Before adding testing, I wanted to gather feedback from the maintainers on the implementation.

Fixes #8943

Checklist

• I have added tests that prove my fix is effective or that my feature works

• I have updated the CHANGELOG-PENDING file with my change

• Yes, there are changes in this PR that warrants bumping the Pulumi Service API version

[github-actions]

PR is now waiting for a maintainer to take action.

Note for the maintainer: Commands available:

• /run-acceptance-tests - used to test run the acceptance tests for the project
• /run-codegen - used to test the Pull Request against downstream codegen
• /run-docs-gen - used to test the Pull Request against documentation generation
• /run-containers - used to test the Pull Request against the containers tests

[github-actions]

PR is now waiting for a maintainer to take action.

Note for the maintainer: Commands available:

• /run-acceptance-tests - used to test run the acceptance tests for the project
• /run-codegen - used to test the Pull Request against downstream codegen
• /run-docs-gen - used to test the Pull Request against documentation generation
• /run-containers - used to test the Pull Request against the containers tests

[github-actions]

PR is now waiting for a maintainer to take action.

Note for the maintainer: Commands available:

• /run-acceptance-tests - used to test run the acceptance tests for the project
• /run-codegen - used to test the Pull Request against downstream codegen
• /run-docs-gen - used to test the Pull Request against documentation generation
• /run-containers - used to test the Pull Request against the containers tests

[patriziobruno]

@Frassle I was wondering if it made sense to put this code under a different feature flag from PULUMI_EXPERIMENTAL. Maybe, PULUMI_EXPERIMENTAL_GH_PRIVATE_REL? To let users decide which experiments they want to use and which not?

[github-actions]

PR is now waiting for a maintainer to take action.

Note for the maintainer: Commands available:

• /run-acceptance-tests - used to test run the acceptance tests for the project
• /run-codegen - used to test the Pull Request against downstream codegen
• /run-docs-gen - used to test the Pull Request against documentation generation
• /run-containers - used to test the Pull Request against the containers tests

[github-actions]

PR is now waiting for a maintainer to take action.

Note for the maintainer: Commands available:

• /run-acceptance-tests - used to test run the acceptance tests for the project
• /run-codegen - used to test the Pull Request against downstream codegen
• /run-docs-gen - used to test the Pull Request against documentation generation
• /run-containers - used to test the Pull Request against the containers tests

[github-actions]

PR is now waiting for a maintainer to take action.

Note for the maintainer: Commands available:

• /run-acceptance-tests - used to test run the acceptance tests for the project
• /run-codegen - used to test the Pull Request against downstream codegen
• /run-docs-gen - used to test the Pull Request against documentation generation
• /run-containers - used to test the Pull Request against the containers tests

[Frassle]

@Frassle I was wondering if it made sense to put this code under a different feature flag from PULUMI_EXPERIMENTAL. Maybe, PULUMI_EXPERIMENTAL_GH_PRIVATE_REL? To let users decide which experiments they want to use and which not?

We've discussed this internally before and decided to just stick to the simplicity of everything under one experimental flag for now. We don't expect to have things live as experimental for long.

[github-actions]

PR is now waiting for a maintainer to take action.

Note for the maintainer: Commands available:

• /run-acceptance-tests - used to test run the acceptance tests for the project
• /run-codegen - used to test the Pull Request against downstream codegen
• /run-docs-gen - used to test the Pull Request against documentation generation
• /run-containers - used to test the Pull Request against the containers tests

[github-actions]

PR is now waiting for a maintainer to take action.

Note for the maintainer: Commands available:

• /run-acceptance-tests - used to test run the acceptance tests for the project
• /run-codegen - used to test the Pull Request against downstream codegen
• /run-docs-gen - used to test the Pull Request against documentation generation
• /run-containers - used to test the Pull Request against the containers tests

[github-actions]

PR is now waiting for a maintainer to take action.

Note for the maintainer: Commands available:

• /run-acceptance-tests - used to test run the acceptance tests for the project
• /run-codegen - used to test the Pull Request against downstream codegen
• /run-docs-gen - used to test the Pull Request against documentation generation
• /run-containers - used to test the Pull Request against the containers tests

[Frassle]

This looks reasonable to me.

[Frassle]

/run-acceptance-tests

[github-actions]

Please view the results of the PR Build + Acceptance Tests Run Here

[iwahbe]

This looks good to me. LGTM

[patriziobruno]

Are there any additional steps before merging this?

[Frassle]

Spoken to @stack72 about this. We do want to make sure we can support your workflow @patriziobruno, but further thinking about this we're not sure the proposed download flow is one we should support.

Would it be acceptable to use the pluginDownloadURL to point to your private github release instead of the download flow trying to work that out from env[GITHUB_REPOSITORY_OWNER]. We'd then change the pluginDownloadURL using code to add github auth tokens (if and only if the url was for something at github.com) so it could auth to that custom url.

I'm happy to do the required code changes here if that would still work for your usecase. If that wouldn't work do share why, we'll think some more about what we can do.

[patriziobruno]

@Frassle @stack72 the problem about the pluginDownloadURL approach is that endpoints pointed by a browser_download_url don't accept GitHub Actions tokens, nor Basic authentication. Clients need to authenticate using a browser and the cookies that GitHub.com sends, which is not doable in a pipeline. Furthermore, once the user has authenticated, how would pulumi CLI access the authentication cookies? Unless GitHub.com adds OAuth tokens as a means to authenticate access to their browser_download_url, there's no way to download a private release without using the release API.

[Frassle]

Ah right I've followed through the REST calls this makes and I see what you mean there. pluginDownloadURL makes assumptions about the format of the url, github releases don't match that format even if you pre-looked up the api style url to use.

@stack72 I can't see a simple way to fit this into our pluginDownloadURL flow given the above. I think we need to give that feature a major rethink and for now accept the PR as is, with the expectation that we'll have to break all custom plugin flows at some point to tidy this up (4.0 or even 5.0 change).

[mikhailshilkov]

I think we need to give that feature a major rethink and for now accept the PR as is, with the expectation that we'll have to break all custom plugin flows at some point to tidy this up (4.0 or even 5.0 change).

This sounds somewhat scary to me... Will you leave this PR's flow behind the flag until 4.0/5.0? Otherwise that breaking change may be quite hard to pull in. It would be nice to understand what that future tidy-up may look like.

[patriziobruno]

@mikhailshilkov This workflow doesn't make any use of pluginDownloadURL, so it would be minimally affected by any breaking change. Should the new workflow introduce configuration to replace the environment variables used by the current code, backward compatibility may be kept with little effort by keep using the all of the env vars that are set by GitHub Actions and progressively deprecating the one that is not, GITHUB_PERSONAL_ACCESS_TOKEN.
example schema.yaml:

pluginDownload:
  workflow: privateGitHubRelease
  with:
    repoOwner: owner # defaults to env[GITHUB_REPO_OWNER]
    actor: github_username # defaults to env[GITHUB_ACTOR]
    personalAccessToken: /path/to/file/containing/token or env var name containing token or any other means that is not putting a plain text secret into schema.yaml # initially defaults to env[GITHUB_PERSONAL_ACCESS_TOKEN] for backward compatibility

I don't mean to give suggestions on how to change the plugin download workflow, just making an example that wouldn't break this code.

[Frassle]

Will you leave this PR's flow behind the flag until 4.0/5.0?

Yes I think we'd want to do that.

This workflow doesn't make any use of pluginDownloadURL, so it would be minimally affected by any breaking change

I should have been more clear here. I think pluginDownloadURL is not descriptive enough to support all the cases we want to support custom download from, it's not even descriptive enough to support github releases let alone anything more esoteric. So I think potential breaking change 1 is redesigning pluginDownloadURL so it can describe these cases, which might not be doable in a way that also maintains the current behaviour (it might be possible to do this change compatibly, needs more thinking).
Breaking change 2 is that once we can support github releases via some sort of pluginDownloadURL feature we would not want to have it run implicitly for every plugin download that this PR is adding, and so we would break this flow at somepoint.

It would be nice to understand what that future tidy-up may look like.

The example schema.yaml in @patriziobruno post looks something like what I expect we'd change to.

[github-actions]

PR is now waiting for a maintainer to take action.

Note for the maintainer: Commands available:

• /run-acceptance-tests - used to test run the acceptance tests for the project
• /run-codegen - used to test the Pull Request against downstream codegen
• /run-docs-gen - used to test the Pull Request against documentation generation
• /run-containers - used to test the Pull Request against the containers tests

[github-actions]

PR is now waiting for a maintainer to take action.

Note for the maintainer: Commands available:

• /run-acceptance-tests - used to test run the acceptance tests for the project
• /run-codegen - used to test the Pull Request against downstream codegen
• /run-docs-gen - used to test the Pull Request against documentation generation
• /run-containers - used to test the Pull Request against the containers tests

[Frassle]

I'm going to merge this in with the understanding that it will stay under EXPERIMENTAL until we can spend the engineering time to rework custom plugin downloads to support this properly. Some time after adding proper support for this via the custom plugin work we will remove this code flow, and your workflow will be broken if you haven't updated to use the supported custom plugin settings.

I have raised #9007 to track the re-design work.