diff --git a/.devcontainer/Dockerfile b/.devcontainer/Dockerfile index 7d46cd80..9366ae6b 100644 --- a/.devcontainer/Dockerfile +++ b/.devcontainer/Dockerfile @@ -1,4 +1,4 @@ -FROM jetpackio/devbox:latest +FROM jetpackio/devbox:latest@sha256:293d6d0a33205e88550198835e68bcff65a2e33d143857ad92c6c888e6a75ad7 # Installing your devbox project WORKDIR /code diff --git a/.github/workflows/build_provider.yml b/.github/workflows/build_provider.yml index b0304f9e..a1b22c16 100644 --- a/.github/workflows/build_provider.yml +++ b/.github/workflows/build_provider.yml @@ -39,7 +39,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: persist-credentials: false - env: @@ -53,16 +53,16 @@ jobs: uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b # Without ldid cross-compiling Node binaries on a Linux worker intended to work on darwin-arm64 fails to sign the # binaries properly and they do not work as expected. See https://github.com/pulumi/pulumi-awsx/issues/1490 - - uses: MOZGIII/install-ldid-action@v1 + - uses: MOZGIII/install-ldid-action@d5ab465f3a66a4d60a59882b935eb30e18e8d043 # v1 with: tag: v2.1.5-procursus2 - name: Setup mise - uses: jdx/mise-action@v3 + uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3 env: MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s with: version: 2025.11.6 - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} # only saving the cache in the prerequisites job cache_save: false # Based on https://github.com/actions/cache/blob/main/examples.md#go---modules @@ -77,7 +77,7 @@ jobs: run: | echo "path=$(go env GOMODCACHE)" >> "${GITHUB_OUTPUT}" - name: Go Cache - uses: actions/cache@v4 + uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4 with: path: | ${{ steps.gocache.outputs.path }} 
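Review bot: In `.devcontainer/Dockerfile` the new `FROM` line keeps the `latest` tag next to the digest. Once a digest is present the tag no longer decides which image is pulled, so `latest` is only a label and will still read as current long after the digest has aged. Naming the release the digest was taken from makes the pin auditable, or add a comment such as `# digest resolved from :latest on <DATE>; refreshed by <UPDATE_TOOL>`. The rest of the Dockerfile is outside the hunk.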
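Review bot: In `build_provider.yml` (hunk `@@ -53,16 +53,16 @@`), the `Setup mise` step now passes `steps.esc-secrets.outputs.PULUMI_BOT_TOKEN` to `jdx/mise-action` where it used to pass the job-scoped `secrets.GITHUB_TOKEN`. That hands a third-party action a credential that outlives the run and whose scopes are not visible in this diff. The SHA pin added in the same hunk limits the exposure to one reviewed commit, but the token should still be the narrowest one that works. If it is only there to lift GitHub API rate limits (an inference, the diff does not say), record that with a comment such as `# read-only token, used only for GitHub API rate limits when mise resolves tool versions`. The same substitution appears in `build_sdk.yml`, `license.yml`, `lint.yml`, `main-post-build.yml`, `prerequisites.yml`, `publish.yml` (twice), `test.yml`, `upgrade-bridge.yml` and `upgrade-provider.yml`.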
diff --git a/.github/workflows/build_sdk.yml b/.github/workflows/build_sdk.yml index c59a8671..452fe476 100644 --- a/.github/workflows/build_sdk.yml +++ b/.github/workflows/build_sdk.yml @@ -13,6 +13,7 @@ env: PULUMI_API: https://api.pulumi-staging.io PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget + PULUMI_PULUMI_ENABLE_JOURNALING: "true" SPLUNK_PASSWORD: password SPLUNK_URL: localhost:8089 SPLUNK_USERNAME: admin @@ -39,7 +40,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: persist-credentials: false - env: @@ -58,12 +59,12 @@ jobs: .pulumi/examples-cache key: ${{ runner.os }}-${{ hashFiles('provider/go.sum') }} - name: Setup mise - uses: jdx/mise-action@v3 + uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3 env: MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s with: version: 2025.11.6 - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} # only saving the cache in the prerequisites job cache_save: false - name: Setup Go Cache diff --git a/.github/workflows/command-dispatch.yml b/.github/workflows/command-dispatch.yml index 1a732ead..b4de7290 100644 --- a/.github/workflows/command-dispatch.yml +++ b/.github/workflows/command-dispatch.yml @@ -4,6 +4,7 @@ env: PULUMI_API: https://api.pulumi-staging.io PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget + PULUMI_PULUMI_ENABLE_JOURNALING: "true" SPLUNK_PASSWORD: password SPLUNK_URL: localhost:8089 SPLUNK_USERNAME: admin 
@@ -18,7 +19,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: persist-credentials: false - env: @@ -30,7 +31,7 @@ jobs: id: esc-secrets name: Fetch secrets from ESC uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b - - uses: peter-evans/slash-command-dispatch@13bc09769d122a64f75aa5037256f6f2d78be8c4 # v4 + - uses: peter-evans/slash-command-dispatch@5c11dc7efead556e3bdabf664302212f79eb26fa # v5 with: commands: | run-acceptance-tests diff --git a/.github/workflows/community-moderation.yml b/.github/workflows/community-moderation.yml index a0a1a4c5..860596fb 100644 --- a/.github/workflows/community-moderation.yml +++ b/.github/workflows/community-moderation.yml @@ -6,7 +6,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: persist-credentials: false - id: schema_changed diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml index bf8f34a0..873ac2f1 100644 --- a/.github/workflows/copilot-setup-steps.yml +++ b/.github/workflows/copilot-setup-steps.yml @@ -28,12 +28,12 @@ jobs: # If you do not check out your code, Copilot will do this for you. steps: - name: Checkout code - uses: actions/checkout@v5 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 with: persist-credentials: false - name: Setup mise - uses: jdx/mise-action@v3 + uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3 env: MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s with: diff --git a/.github/workflows/export-repo-secrets.yml b/.github/workflows/export-repo-secrets.yml index 00397097..93f70f24 100644 --- a/.github/workflows/export-repo-secrets.yml 
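Review bot: In `copilot-setup-steps.yml`, `actions/checkout` is pinned to `8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6`, while the other workflows touched by this commit pin `1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0`. The repository therefore runs two different checkout commits, and the `# v6` comment does not say which release this one is. Unless the difference is intended, use `uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0` here; otherwise annotate the pin with its exact release tag so it can be verified against upstream. The `with:` block of the `Setup mise` step continues outside the hunk.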
+++ b/.github/workflows/export-repo-secrets.yml @@ -8,7 +8,7 @@ jobs: steps: - name: Generate a GitHub token id: generate-token - uses: actions/create-github-app-token@v1 + uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2 with: app-id: 1256780 # Export Secrets GitHub App private-key: ${{ secrets.EXPORT_SECRETS_PRIVATE_KEY }} diff --git a/.github/workflows/license.yml b/.github/workflows/license.yml index 82244441..348f9801 100644 --- a/.github/workflows/license.yml +++ b/.github/workflows/license.yml @@ -10,6 +10,7 @@ env: PULUMI_API: https://api.pulumi-staging.io PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget + PULUMI_PULUMI_ENABLE_JOURNALING: "true" SPLUNK_PASSWORD: password SPLUNK_URL: localhost:8089 SPLUNK_USERNAME: admin 
@@ -19,18 +20,31 @@ jobs: license_check: name: License Check runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: - persist-credentials: false + persist-credentials: false + - env: + ESC_ACTION_ENVIRONMENT: imports/github-secrets + ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false" + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b - name: Setup mise - uses: jdx/mise-action@v3 + uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3 env: MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s with: version: 2025.11.6 - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} # only saving the cache in the prerequisites job cache_save: false - run: make prepare_local_workspace diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 9f684fd8..cc4aa7bf 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -10,6 +10,7 @@ env: PULUMI_API: https://api.pulumi-staging.io PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget + PULUMI_PULUMI_ENABLE_JOURNALING: "true" SPLUNK_PASSWORD: password SPLUNK_URL: localhost:8089 SPLUNK_USERNAME: admin 
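Review bot: In `license.yml` the `license_check` job gains `pull-requests: write` and `id-token: write`, and the `lint` job in `lint.yml` receives the same block, but nothing in either hunk writes to a pull request. The only visible consumer of the new `Fetch secrets from ESC` step is the `github_token` input of `Setup mise`. Dropping the unused grant leaves `contents: read` and `id-token: write # For ESC secrets.`, which is all the added steps appear to need. These jobs previously ran without any organisation secret, so it is also worth confirming how they behave for pull requests from forks, where the OIDC exchange would normally be unavailable; the workflow triggers are outside the hunk.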
@@ -19,18 +20,31 @@ jobs: lint: name: lint runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: write + id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: - persist-credentials: false + persist-credentials: false + - env: + ESC_ACTION_ENVIRONMENT: imports/github-secrets + ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false" + ESC_ACTION_OIDC_AUTH: "true" + ESC_ACTION_OIDC_ORGANIZATION: pulumi + ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization + id: esc-secrets + name: Fetch secrets from ESC + uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b - name: Setup mise - uses: jdx/mise-action@v3 + uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3 env: MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s with: version: 2025.11.6 - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} cache_save: false # A different job handles caching our tools. - name: disarm go:embed directives to enable lint continue-on-error: true # this fails if there are no go:embed directives diff --git a/.github/workflows/main-post-build.yml b/.github/workflows/main-post-build.yml index 848f21b6..f25ea30b 100644 --- a/.github/workflows/main-post-build.yml +++ b/.github/workflows/main-post-build.yml @@ -13,6 +13,7 @@ env: PULUMI_API: https://api.pulumi-staging.io PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget + PULUMI_PULUMI_ENABLE_JOURNALING: "true" SPLUNK_PASSWORD: password SPLUNK_URL: localhost:8089 SPLUNK_USERNAME: admin 
@@ -33,7 +34,7 @@ jobs: tool-cache: false swap-storage: false - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: persist-credentials: false - env: @@ -46,18 +47,18 @@ jobs: name: Fetch secrets from ESC uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0 + uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1 with: aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID }} aws-region: us-west-2 aws-secret-access-key: ${{ steps.esc-secrets.outputs.AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY }} - name: Setup mise - uses: jdx/mise-action@v3 + uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3 env: MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s with: version: 2025.11.6 - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} # only saving the cache in the prerequisites job cache_save: false - name: Setup Go Cache diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml index 9a603c23..bacd346c 100644 --- a/.github/workflows/master.yml +++ b/.github/workflows/master.yml @@ -4,6 +4,7 @@ env: PULUMI_API: https://api.pulumi-staging.io PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget + PULUMI_PULUMI_ENABLE_JOURNALING: "true" SPLUNK_PASSWORD: password SPLUNK_URL: localhost:8089 SPLUNK_USERNAME: admin @@ -91,7 +92,7 @@ jobs: id-token: write # For ESC secrets. steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: persist-credentials: false - env: 
diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml index dec5e248..0112750a 100644 --- a/.github/workflows/prerelease.yml +++ b/.github/workflows/prerelease.yml @@ -5,6 +5,7 @@ env: PULUMI_API: https://api.pulumi-staging.io PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget + PULUMI_PULUMI_ENABLE_JOURNALING: "true" SPLUNK_PASSWORD: password SPLUNK_URL: localhost:8089 SPLUNK_USERNAME: admin @@ -15,6 +16,7 @@ jobs: permissions: contents: read pull-requests: write + id-token: write # For ESC secrets. uses: ./.github/workflows/prerequisites.yml secrets: inherit with: @@ -23,6 +25,9 @@ jobs: is_automated: ${{ github.actor == 'dependabot[bot]' }} build_provider: + permissions: + contents: read + id-token: write # For ESC secrets. uses: ./.github/workflows/build_provider.yml needs: prerequisites secrets: inherit @@ -34,6 +39,9 @@ jobs: needs: prerequisites uses: ./.github/workflows/build_sdk.yml secrets: inherit + permissions: + contents: write # For Renovate SDKs. + id-token: write # For ESC secrets. with: version: ${{ needs.prerequisites.outputs.version }} @@ -50,6 +58,7 @@ jobs: name: publish permissions: contents: write + pull-requests: write id-token: write needs: - prerequisites diff --git a/.github/workflows/prerequisites.yml b/.github/workflows/prerequisites.yml index 7ed747ee..352e1990 100644 --- a/.github/workflows/prerequisites.yml +++ b/.github/workflows/prerequisites.yml @@ -23,6 +23,7 @@ env: PULUMI_API: https://api.pulumi-staging.io PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget + PULUMI_PULUMI_ENABLE_JOURNALING: "true" SPLUNK_PASSWORD: password SPLUNK_URL: localhost:8089 SPLUNK_USERNAME: admin 
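Review bot: In `prerelease.yml` the `publish` job gains `pull-requests: write` with no stated reason, whereas the other grants added in this file carry one (`# For ESC secrets.`, `# For Renovate SDKs.`). The job already holds `contents: write` and `id-token: write` and is called with inherited secrets, so each additional write scope deserves a trailing comment naming the step that needs it, or removal if none does. The same applies to `contents: write` on `build_sdk`, where it is not evident from this hunk why a prerelease build needs the Renovate justification. As a smaller style point, `build_sdk` places its `permissions:` block after `secrets: inherit` while `build_provider` places it before `uses:`; one order across the file makes the grants easier to audit.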
@@ -40,7 +41,7 @@ jobs: version: ${{ steps.provider-version.outputs.version }} steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: persist-credentials: false - env: @@ -52,7 +53,7 @@ jobs: id: esc-secrets name: Fetch secrets from ESC uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b - - uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0 + - uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1 id: provider-version with: major-version: 1 @@ -64,12 +65,12 @@ jobs: .pulumi/examples-cache key: ${{ runner.os }}-${{ hashFiles('provider/go.sum') }} - name: Setup mise - uses: jdx/mise-action@v3 + uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3 env: MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s with: version: 2025.11.6 - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} # only saving the cache in the prerequisites job cache_save: true - name: Setup Go Cache diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 998f5213..34d9449f 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -44,7 +44,7 @@ jobs: if: inputs.skipGoSdk && inputs.isPrerelease == false run: echo "Can't skip Go SDK for stable releases. This is likely a bug in the calling workflow." && exit 1 - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: persist-credentials: false - env: 
@@ -57,15 +57,15 @@ jobs: name: Fetch secrets from ESC uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b - name: Setup mise - uses: jdx/mise-action@v3 + uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3 env: MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s with: version: 2025.11.6 - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} cache_save: false - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0 + uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1 with: aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }} aws-region: us-east-2 @@ -110,7 +110,7 @@ jobs: - name: Upload Provider Binaries run: aws s3 cp dist s3://get.pulumi.com/releases/plugins/ --recursive - name: Create GH Release - uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2 + uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2 if: inputs.isPrerelease == false with: tag_name: v${{ inputs.version }} @@ -133,7 +133,7 @@ jobs: python_version: ${{ steps.python_version.outputs.version }} steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: # Persist credentials so we can push back to the repo persist-credentials: true 
@@ -147,23 +147,23 @@ jobs: name: Fetch secrets from ESC uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b - name: Setup mise - uses: jdx/mise-action@v3 + uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3 env: MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s with: version: 2025.11.6 - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} # only saving the cache in the prerequisites job cache_save: false - name: Setup Node - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 with: # we don't set node-version because we install with mise. # this step is needed to setup npm auth registry-url: https://registry.npmjs.org - name: Publish SDKs if: inputs.skipJavaSdk == false - uses: pulumi/pulumi-package-publisher@c1672c7928591d563dccb12729e05e315c21f8c2 # v0.0.22 + uses: pulumi/pulumi-package-publisher@3ec1409d3e894142b9825c7859be8e57d362762a # v0.0.23 with: sdk: all version: ${{ inputs.version }} @@ -179,7 +179,7 @@ jobs: NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }} - name: Publish SDKs (except Java) if: inputs.skipJavaSdk == true - uses: pulumi/pulumi-package-publisher@c1672c7928591d563dccb12729e05e315c21f8c2 # v0.0.22 + uses: pulumi/pulumi-package-publisher@3ec1409d3e894142b9825c7859be8e57d362762a # v0.0.23 with: sdk: all,!java version: ${{ inputs.version }} @@ -224,7 +224,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: persist-credentials: false - env: 
@@ -258,7 +258,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: persist-credentials: false - env: diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml index 5bd6f501..2beaad82 100644 --- a/.github/workflows/pull-request.yml +++ b/.github/workflows/pull-request.yml @@ -4,6 +4,7 @@ env: PULUMI_API: https://api.pulumi-staging.io PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget + PULUMI_PULUMI_ENABLE_JOURNALING: "true" SPLUNK_PASSWORD: password SPLUNK_URL: localhost:8089 SPLUNK_USERNAME: admin diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8a8e49fa..06448086 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -10,6 +10,7 @@ env: PULUMI_API: https://api.pulumi-staging.io PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget + PULUMI_PULUMI_ENABLE_JOURNALING: "true" SPLUNK_PASSWORD: password SPLUNK_URL: localhost:8089 SPLUNK_USERNAME: admin diff --git a/.github/workflows/release_command.yml b/.github/workflows/release_command.yml index 195bc381..c474a262 100644 --- a/.github/workflows/release_command.yml +++ b/.github/workflows/release_command.yml @@ -11,7 +11,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: persist-credentials: false - env: diff --git a/.github/workflows/run-acceptance-tests.yml b/.github/workflows/run-acceptance-tests.yml index 2868cd3c..7d834a5f 100644 --- a/.github/workflows/run-acceptance-tests.yml +++ b/.github/workflows/run-acceptance-tests.yml 
@@ -15,6 +15,7 @@ env: PULUMI_API: https://api.pulumi-staging.io PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget + PULUMI_PULUMI_ENABLE_JOURNALING: "true" SPLUNK_PASSWORD: password SPLUNK_URL: localhost:8089 SPLUNK_USERNAME: admin @@ -78,7 +79,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: persist-credentials: false - id: run-url diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index e57692e8..b3d3c35f 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -17,6 +17,7 @@ env: PULUMI_API: https://api.pulumi-staging.io PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget + PULUMI_PULUMI_ENABLE_JOURNALING: "true" SPLUNK_PASSWORD: password SPLUNK_URL: localhost:8089 SPLUNK_USERNAME: admin @@ -32,7 +33,7 @@ jobs: PROVIDER_VERSION: ${{ inputs.version }} steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: ref: ${{ env.PR_COMMIT_SHA }} persist-credentials: false 
@@ -47,18 +48,18 @@ jobs: uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b - name: Checkout p/examples if: matrix.testTarget == 'pulumiExamples' - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: repository: pulumi/examples path: p-examples - name: Setup mise - uses: jdx/mise-action@v3 + uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3 env: MISE_ENV: test MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s with: version: 2025.11.6 - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} # also save this cache since we are using a different mise env. cache_save: true - name: Prepare local workspace diff --git a/.github/workflows/upgrade-bridge.yml b/.github/workflows/upgrade-bridge.yml index 8300dde4..abb657d6 100644 --- a/.github/workflows/upgrade-bridge.yml +++ b/.github/workflows/upgrade-bridge.yml @@ -65,6 +65,7 @@ env: PULUMI_API: https://api.pulumi-staging.io PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget + PULUMI_PULUMI_ENABLE_JOURNALING: "true" SPLUNK_PASSWORD: password SPLUNK_URL: localhost:8089 SPLUNK_USERNAME: admin @@ -76,7 +77,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: persist-credentials: false - env: 
@@ -89,12 +90,12 @@ jobs: name: Fetch secrets from ESC uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b - name: Setup mise - uses: jdx/mise-action@v3 + uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3 env: MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s with: version: 2025.11.6 - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} # only saving the cache in the prerequisites job cache_save: false - name: Call upgrade provider action diff --git a/.github/workflows/upgrade-provider.yml b/.github/workflows/upgrade-provider.yml index 19f0fe6f..fd60c322 100644 --- a/.github/workflows/upgrade-provider.yml +++ b/.github/workflows/upgrade-provider.yml @@ -26,6 +26,7 @@ env: PULUMI_API: https://api.pulumi-staging.io PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget + PULUMI_PULUMI_ENABLE_JOURNALING: "true" SPLUNK_PASSWORD: password SPLUNK_URL: localhost:8089 SPLUNK_USERNAME: admin @@ -43,7 +44,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: # Persist credentials so upgrade-provider can push a new branch. persist-credentials: true @@ -57,12 +58,12 @@ jobs: name: Fetch secrets from ESC uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b - name: Setup mise - uses: jdx/mise-action@v3 + uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3 env: MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s with: version: 2025.11.6 - github_token: ${{ secrets.GITHUB_TOKEN }} + github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }} # only saving the cache in the prerequisites job cache_save: false - name: Install upgrade-provider diff --git a/.github/workflows/verify-release.yml b/.github/workflows/verify-release.yml index 7c006411..629bef47 100644 
--- a/.github/workflows/verify-release.yml +++ b/.github/workflows/verify-release.yml @@ -65,7 +65,7 @@ jobs: - name: Configure Git to checkout files with long names run: git config --global core.longpaths true - name: Checkout Repo - uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1 + uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0 with: persist-credentials: false - env: @@ -78,7 +78,7 @@ jobs: name: Fetch secrets from ESC uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b - name: Setup Python - uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0 + uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 # v6.1.0 with: python-version: 3.11.8 - name: Setup Java @@ -92,11 +92,11 @@ jobs: with: gradle-version: 7.6 - name: Setup DotNet - uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 + uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 # v5.0.1 with: dotnet-version: 8.0.x - name: Setup Node - uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6 + uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6 with: node-version: 20.x registry-url: https://registry.npmjs.org @@ -115,6 +115,6 @@ jobs: run: | echo "GOTOOLCHAIN=auto" >> "$GITHUB_ENV" - name: Install Pulumi CLI - uses: pulumi/actions@d7ceb0215da5a14ec84f50b703365ddf0194a9c8 # v6 + uses: pulumi/actions@8582a9e8cc630786854029b4e09281acd6794b58 # v6 with: pulumi-version: "dev"