diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1581016a629..6d4c6209652 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -1,3 +1,4 @@
+permissions: write-all # Equivalent to default permissions plus id-token: write
on:
pull_request:
paths-ignore:
@@ -24,7 +25,6 @@ on:
env:
PULUMI_API: https://api.pulumi-staging.io
- PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
AWS_REGION: us-west-2
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
@@ -32,6 +32,11 @@ env:
GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
GOOGLE_PROJECT_NUMBER: 895284651812
GOLANGCI_LINT_VERSION: v1.64.4
+ ESC_ACTION_OIDC_AUTH: true
+ ESC_ACTION_OIDC_ORGANIZATION: pulumi
+ ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+ ESC_ACTION_ENVIRONMENT: imports/github-secrets
+ ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: PULUMI_ACCESS_TOKEN
jobs:
@@ -41,6 +46,9 @@ jobs:
outputs:
gotcloudcreds: ${{ steps.gotcloudcreds.outputs.gotcloudcreds }}
steps:
+ - name: Fetch secrets from ESC
+ id: esc-secrets
+ uses: pulumi/esc-action@v1
- uses: actions/checkout@v3
with:
submodules: recursive
@@ -93,7 +101,7 @@ jobs:
uses: codecov/codecov-action@v5
with:
directory: sdk/java/pulumi/build/reports/jacoco/allTests
- token: ${{ secrets.CODECOV_TOKEN }}
+ token: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
- run: make build_go
- run: make bin/pulumi-java-gen
- run: make bin/pulumi-language-java
@@ -133,6 +141,9 @@ jobs:
strategy:
fail-fast: false
steps:
+ - name: Fetch secrets from ESC
+ id: esc-secrets
+ uses: pulumi/esc-action@v1
- uses: actions/checkout@v3
with:
submodules: recursive
@@ -219,6 +230,9 @@ jobs:
contents: read
id-token: write
steps:
+ - name: Fetch secrets from ESC
+ id: esc-secrets
+ uses: pulumi/esc-action@v1
- uses: actions/checkout@v3
with:
submodules: recursive
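Review bot: `permissions: write-all` on the first added line grants every GITHUB_TOKEN scope at write level to each job that does not declare its own `permissions:` block, and the trailing comment understates this — the default token permissions are a repository/organization setting that may be read-only, so `write-all` is not "default plus id-token: write". Only `id-token: write` is needed for the OIDC exchange in `pulumi/esc-action`, and the jobs at `@@ -219` and `@@ -398` already declare `contents: read` / `id-token: write` at job level, which overrides the workflow-level grant; any job without such a block inherits full write on every scope. Replace the line with `permissions:` / `  contents: read` / `  id-token: write` and add job-level scopes only where a job actually writes. The same line is added to command-dispatch.yml (triggered by `issue_comment`, so it runs with base-repository permissions), release-java-provider.yml and release-java-sdk-to-maven-central.yml.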
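Review bot: `uses: pulumi/esc-action@v1` in the added step is pinned to a mutable major tag, while the same change set keeps `gradle/gradle-build-action` pinned to a full commit SHA (last hunk of release-java-sdk-to-maven-central.yml). This action requests an organization-level access token (per `ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE` at `@@ -32`) and then supplies every secret the later steps read through `steps.esc-secrets.outputs.*`, so a retargeted tag would expose all of them at once; pin it to a commit, `uses: pulumi/esc-action@<full-commit-sha> # v1`, keeping the tag in the comment for readability. The same unpinned step is added at `@@ -133`, `@@ -219`, `@@ -301`, `@@ -338`, `@@ -398` and `@@ -476` in this file and once in each of the three other workflows.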
@@ -274,14 +288,11 @@ jobs:
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
role-duration-seconds: 3600
role-session-name: ${{ env.PROVIDER }}@githubActions
- role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }}
+ role-to-assume: ${{ steps.esc-secrets.outputs.AWS_CI_ROLE_ARN }}
- name: Authenticate to Google Cloud
uses: google-github-actions/auth@v2
with:
- workload_identity_provider: projects/${{ env.GOOGLE_PROJECT_NUMBER
- }}/locations/global/workloadIdentityPools/${{
- env.GOOGLE_CI_WORKLOAD_IDENTITY_POOL }}/providers/${{
- env.GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER }}
+ workload_identity_provider: projects/${{ env.GOOGLE_PROJECT_NUMBER }}/locations/global/workloadIdentityPools/${{ env.GOOGLE_CI_WORKLOAD_IDENTITY_POOL }}/providers/${{ env.GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER }}
service_account: ${{ env.GOOGLE_CI_SERVICE_ACCOUNT_EMAIL }}
- name: Setup gcloud auth
uses: google-github-actions/setup-gcloud@v2
@@ -289,11 +300,11 @@ jobs:
install_components: gke-gcloud-auth-plugin
- name: Run ${{ matrix.example }} example
env:
- PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
- ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
- ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
- ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
- ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
+ PULUMI_ACCESS_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_ACCESS_TOKEN }}
+ ARM_CLIENT_ID: ${{ steps.esc-secrets.outputs.ARM_CLIENT_ID }}
+ ARM_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.ARM_CLIENT_SECRET }}
+ ARM_SUBSCRIPTION_ID: ${{ steps.esc-secrets.outputs.ARM_SUBSCRIPTION_ID }}
+ ARM_TENANT_ID: ${{ steps.esc-secrets.outputs.ARM_TENANT_ID }}
run: make test_example.${{ matrix.example }}
go-lint:
@@ -301,6 +312,9 @@ jobs:
timeout-minutes: 10
name: Lint pkg
steps:
+ - name: Fetch secrets from ESC
+ id: esc-secrets
+ uses: pulumi/esc-action@v1
- name: Checkout Repo
uses: actions/checkout@v3
with:
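Review bot: `role-to-assume` now reads `steps.esc-secrets.outputs.AWS_CI_ROLE_ARN` while `aws-secret-access-key` on the first context line of the hunk still reads `secrets.AWS_SECRET_ACCESS_KEY`, so the same step mixes two secret sources and a long-lived AWS key stays in repository secrets. If the intent is to retire GitHub-stored secrets, move the key pair too, or — since this job already declares `id-token: write` (hunk `@@ -219`) — drop the static keys altogether if the credentials action in use supports OIDC role assumption. The enclosing step starts above the hunk, so the access-key-id line is not visible here. The same mixed step appears at `@@ -449` in the test_templates job.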
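Review bot: the five values at the bottom of the `@@ -289` hunk now flow from step outputs rather than the `secrets` context; GitHub masks `secrets.*` in logs automatically but masks a step output only when the producing action registers it as a secret, so confirm that `pulumi/esc-action` does this before relying on `${{ steps.esc-secrets.outputs.ARM_CLIENT_SECRET }}` and friends in the logs of a `pull_request` run. The step-level `PULUMI_ACCESS_TOKEN` also looks redundant with the workflow-level `ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: PULUMI_ACCESS_TOKEN` added at `@@ -32`, which by its name presumably exports the same value as a job environment variable after the fetch step; keeping both leaves two places to update. The same pattern appears at `@@ -386` and `@@ -449`.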
@@ -338,6 +352,9 @@ jobs:
- provider-maven
- provider-gradle
steps:
+ - name: Fetch secrets from ESC
+ id: esc-secrets
+ uses: pulumi/esc-action@v1
- uses: actions/checkout@v3
with:
submodules: recursive
@@ -386,7 +403,7 @@ jobs:
path: ~/.m2/repository/com/pulumi
- name: Run ${{ matrix.integration }} integration
env:
- PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
+ PULUMI_ACCESS_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_ACCESS_TOKEN }}
run: make test_integration.${{ matrix.integration }}
test_templates:
@@ -398,6 +415,9 @@ jobs:
contents: read
id-token: write
steps:
+ - name: Fetch secrets from ESC
+ id: esc-secrets
+ uses: pulumi/esc-action@v1
- uses: actions/checkout@v3
with:
submodules: recursive
@@ -449,25 +469,22 @@ jobs:
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
role-duration-seconds: 3600
role-session-name: ${{ env.PROVIDER }}@githubActions
- role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }}
+ role-to-assume: ${{ steps.esc-secrets.outputs.AWS_CI_ROLE_ARN }}
- name: Authenticate to Google Cloud
uses: google-github-actions/auth@v2
with:
- workload_identity_provider: projects/${{ env.GOOGLE_PROJECT_NUMBER
- }}/locations/global/workloadIdentityPools/${{
- env.GOOGLE_CI_WORKLOAD_IDENTITY_POOL }}/providers/${{
- env.GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER }}
+ workload_identity_provider: projects/${{ env.GOOGLE_PROJECT_NUMBER }}/locations/global/workloadIdentityPools/${{ env.GOOGLE_CI_WORKLOAD_IDENTITY_POOL }}/providers/${{ env.GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER }}
service_account: ${{ env.GOOGLE_CI_SERVICE_ACCOUNT_EMAIL }}
- name: Setup gcloud auth
uses: google-github-actions/setup-gcloud@v2
with:
install_components: gke-gcloud-auth-plugin
- env:
- PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
- ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
- ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
- ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
- ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
+ PULUMI_ACCESS_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_ACCESS_TOKEN }}
+ ARM_CLIENT_ID: ${{ steps.esc-secrets.outputs.ARM_CLIENT_ID }}
+ ARM_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.ARM_CLIENT_SECRET }}
+ ARM_SUBSCRIPTION_ID: ${{ steps.esc-secrets.outputs.ARM_SUBSCRIPTION_ID }}
+ ARM_TENANT_ID: ${{ steps.esc-secrets.outputs.ARM_TENANT_ID }}
run: make test_templates
ci-ok:
@@ -476,6 +493,9 @@ jobs:
if: always()
runs-on: ubuntu-latest
steps:
+ - name: Fetch secrets from ESC
+ id: esc-secrets
+ uses: pulumi/esc-action@v1
- name: CI failed
if: ${{ needs.go-tests.result != 'success' || needs.examples.result != 'success' || needs.go-lint.result != 'success' || needs.test_integrations.result != 'success' || needs.test_templates.result != 'success' }}
run: exit 1
diff --git a/.github/workflows/command-dispatch.yml b/.github/workflows/command-dispatch.yml
index 6f141324d0c..f03804e630f 100644
--- a/.github/workflows/command-dispatch.yml
+++ b/.github/workflows/command-dispatch.yml
@@ -1,3 +1,10 @@
+permissions: write-all # Equivalent to default permissions plus id-token: write
+env:
+ ESC_ACTION_OIDC_AUTH: true
+ ESC_ACTION_OIDC_ORGANIZATION: pulumi
+ ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+ ESC_ACTION_ENVIRONMENT: imports/github-secrets
+ ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: false
name: Command Dispatch for PR events
on:
issue_comment:
@@ -9,11 +16,14 @@ jobs:
command-dispatch-for-testing:
runs-on: ubuntu-latest
steps:
+ - name: Fetch secrets from ESC
+ id: esc-secrets
+ uses: pulumi/esc-action@v1
- uses: actions/checkout@v3
- name: Run Build
uses: peter-evans/slash-command-dispatch@v4
with:
- token: ${{ secrets.PULUMI_BOT_TOKEN }}
+ token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
reaction-token: ${{ secrets.GITHUB_TOKEN }}
commands: run-acceptance-tests
event-type-suffix: -command
diff --git a/.github/workflows/release-java-provider.yml b/.github/workflows/release-java-provider.yml
index 3079c71f4ff..d17b7deb968 100644
--- a/.github/workflows/release-java-provider.yml
+++ b/.github/workflows/release-java-provider.yml
@@ -1,3 +1,4 @@
+permissions: write-all # Equivalent to default permissions plus id-token: write
on:
push:
tags:
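Review bot: the `Fetch secrets from ESC` step added to `ci-ok` has no consumer — the only other step in the hunk, `CI failed`, reads `needs.*` results and no `steps.esc-secrets` output — so the job performs an OIDC token exchange and pulls the whole `imports/github-secrets` environment for nothing. It also adds a failure mode unrelated to CI health: if the fetch fails, `CI failed` (whose `if:` has no `always()`) is skipped and the job fails because of ESC availability rather than test results. Drop the three added lines from this job; the `@@ -301` go-lint hunk in ci.yml shows no consumer either, though that job continues past its hunk and is worth checking before doing the same there.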
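Review bot: in command-dispatch.yml the `Fetch secrets from ESC` step runs before `peter-evans/slash-command-dispatch` filters the comment, so under the `issue_comment` trigger every comment on any issue or PR mints an organization access token and fetches the `imports/github-secrets` environment, even when the comment is not a `/run-acceptance-tests` command; the removed `secrets.PULUMI_BOT_TOKEN` reference cost nothing per comment. Gate the step on the comment, e.g. `if: github.event.issue.pull_request && startsWith(github.event.comment.body, '/run-acceptance-tests')`, and give this workflow the tightest job-level `permissions:` of the set rather than the workflow-level `write-all` added in the `@@ -1` hunk above. The trigger's `types` filter is outside the hunk and may already narrow which comment events start the job.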
@@ -8,12 +9,19 @@ on:
- "README.md"
env:
- GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+ ESC_ACTION_OIDC_AUTH: true
+ ESC_ACTION_OIDC_ORGANIZATION: pulumi
+ ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+ ESC_ACTION_ENVIRONMENT: imports/github-secrets
+ ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: GITHUB_TOKEN=PULUMI_BOT_TOKEN
jobs:
release-pulumi-language-java:
runs-on: ubuntu-latest
steps:
+ - name: Fetch secrets from ESC
+ id: esc-secrets
+ uses: pulumi/esc-action@v1
- uses: actions/checkout@v3
- name: Fetch Tags
run: |
diff --git a/.github/workflows/release-java-sdk-to-maven-central.yml b/.github/workflows/release-java-sdk-to-maven-central.yml
index a7a9f876449..49c27c69e73 100644
--- a/.github/workflows/release-java-sdk-to-maven-central.yml
+++ b/.github/workflows/release-java-sdk-to-maven-central.yml
@@ -1,3 +1,4 @@
+permissions: write-all # Equivalent to default permissions plus id-token: write
# A successful run of this action creates a staging repo at
# s01.oss.sonatype.org. Further manual steps are needed to complete
# publishing to Maven Central, see:
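Review bot: `ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: GITHUB_TOKEN=PULUMI_BOT_TOKEN` replaces the removed `GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}`, but the `NAME=SOURCE` direction of the mapping is not self-evident and nothing records that the bot token is deliberately exposed under the `GITHUB_TOKEN` name, which every later step will pick up in place of the default token. Add a comment above the line, such as `# Expose the ESC value PULUMI_BOT_TOKEN to later steps as $GITHUB_TOKEN (release needs the bot identity, not the default token)`, adjusted to the action's documented mapping syntax. Unlike the removed workflow-level `env`, the exported variable presumably exists only after the fetch step has run, so the step must stay first in the job — it is here, which is correct.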
@@ -15,24 +16,20 @@ env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
OSSRH_REPO_URL: https://s01.oss.sonatype.org/service/local/staging/deploy/maven2/
- OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
- OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
-
- # Include only last 8 hex digits of the key ID included, due to
- # limitations of gradle.
- SIGNING_KEY_ID: ${{ secrets.SIGNING_KEY_ID }}
-
- # Obtained by `gpg --armor --export-secret-key support@pulumi.com`.
- SIGNING_KEY: ${{ secrets.SIGNING_KEY }}
-
- # Aka passphrase for the GPG key.
- SIGNING_PASSWORD: ${{ secrets.SIGNING_PASSWORD }}
+ ESC_ACTION_OIDC_AUTH: true
+ ESC_ACTION_OIDC_ORGANIZATION: pulumi
+ ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+ ESC_ACTION_ENVIRONMENT: imports/github-secrets
+ ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: OSSRH_USERNAME,OSSRH_PASSWORD,SIGNING_KEY_ID,SIGNING_KEY,SIGNING_PASSWORD
jobs:
publish:
runs-on: ubuntu-latest
timeout-minutes: 10
steps:
+ - name: Fetch secrets from ESC
+ id: esc-secrets
+ uses: pulumi/esc-action@v1
- uses: actions/checkout@v3
with:
submodules: recursive
@@ -59,4 +56,4 @@ jobs:
uses: gradle/gradle-build-action@749f47bda3e44aa060e82d7b3ef7e40d953bd629
with:
arguments: pulumi:publishToSonatype closeAndReleaseSonatypeStagingRepository
- build-root-directory: sdk/java
\ No newline at end of file
+ build-root-directory: sdk/java
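Review bot: the removed block carried the only documentation of the signing material — "Include only last 8 hex digits of the key ID included, due to limitations of gradle.", "Obtained by gpg --armor --export-secret-key support@pulumi.com." and "Aka passphrase for the GPG key." — and the replacement `ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: OSSRH_USERNAME,OSSRH_PASSWORD,SIGNING_KEY_ID,SIGNING_KEY,SIGNING_PASSWORD` keeps none of it. Whoever rotates the key next needs the 8-hex-digit constraint on `SIGNING_KEY_ID` in particular; re-add those three comments above the export line, or state in a comment that the value constraints are documented in the `imports/github-secrets` ESC environment. `SIGNING_KEY` is a multi-line armored private key, so also confirm that the action's environment-variable export preserves newlines as the previous `secrets` path did.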