From 4316873bacec6a58035c024b4e77744f17ed0b11 Mon Sep 17 00:00:00 2001 From: Pulumi Bot Date: Sat, 2 Nov 2024 05:54:54 +0000 Subject: [PATCH] [internal] Update GitHub Actions workflow files --- .github/workflows/build_provider.yml | 2 + .github/workflows/build_sdk.yml | 2 + .github/workflows/check-upstream-upgrade.yml | 38 ---------------- .github/workflows/command-dispatch.yml | 2 + .github/workflows/community-moderation.yml | 2 + .github/workflows/license.yml | 2 + .github/workflows/lint.yml | 2 + .github/workflows/master.yml | 4 ++ .github/workflows/prerelease.yml | 2 + .github/workflows/prerequisites.yml | 4 +- .github/workflows/publish.yml | 9 +++- .github/workflows/pull-request.yml | 2 + .github/workflows/release.yml | 2 + .github/workflows/release_command.yml | 2 + .github/workflows/resync-build.yml | 4 ++ .github/workflows/run-acceptance-tests.yml | 1 + .github/workflows/upgrade-bridge.yml | 2 + .github/workflows/upgrade-provider.yml | 47 +++++++++++++++----- .github/workflows/verify-release.yml | 2 + 19 files changed, 81 insertions(+), 50 deletions(-) delete mode 100644 .github/workflows/check-upstream-upgrade.yml diff --git a/.github/workflows/build_provider.yml b/.github/workflows/build_provider.yml index 9753209a..9f2b380c 100644 --- a/.github/workflows/build_provider.yml +++ b/.github/workflows/build_provider.yml @@ -31,6 +31,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/.github/workflows/build_sdk.yml b/.github/workflows/build_sdk.yml index 3ea00fab..77ed7218 100644 --- a/.github/workflows/build_sdk.yml +++ b/.github/workflows/build_sdk.yml @@ -45,6 +45,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Cache examples generation uses: actions/cache@v4 with: 
diff --git a/.github/workflows/check-upstream-upgrade.yml b/.github/workflows/check-upstream-upgrade.yml deleted file mode 100644 index a4d997bc..00000000 --- a/.github/workflows/check-upstream-upgrade.yml +++ /dev/null @@ -1,38 +0,0 @@ - -#WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt - -env: - GH_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} -jobs: - check_upgrade_provider: - name: Check for upstream provider upgrades - runs-on: ubuntu-latest - steps: - - name: Checkout Repo - uses: actions/checkout@v4 - - name: Setup tools - uses: ./.github/actions/setup-tools - with: - tools: go - - name: Install upgrade-provider - run: go install github.com/pulumi/upgrade-provider@main - shell: bash - - name: "Set up git identity: name" - run: git config --global user.name pulumi-bot - shell: bash - - name: "Set up git identity: email" - run: git config --global user.email bot@pulumi.com - shell: bash - - name: Run upgrade-provider upstream check - id: upstream_version - run: | - upgrade-provider "$REPO" --kind=check-upstream-version - env: - REPO: ${{ github.repository }} - shell: bash -name: Check upstream upgrade -on: - workflow_dispatch: {} #so we can run this manually if necessary. - schedule: - # 3 AM UTC ~ 8 PM PDT / 7 PM PST daily. Time chosen to run during off hours. - - cron: 0 3 * * * diff --git a/.github/workflows/command-dispatch.yml b/.github/workflows/command-dispatch.yml index 97977990..5386c7c1 100644 --- a/.github/workflows/command-dispatch.yml +++ b/.github/workflows/command-dispatch.yml @@ -27,6 +27,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - uses: peter-evans/slash-command-dispatch@v4 with: commands: | diff --git a/.github/workflows/community-moderation.yml b/.github/workflows/community-moderation.yml index 4c3414b9..2afb297c 100644 --- a/.github/workflows/community-moderation.yml +++ b/.github/workflows/community-moderation.yml 
@@ -9,6 +9,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - id: schema_changed name: Check for diff in schema uses: dorny/paths-filter@v2 diff --git a/.github/workflows/license.yml b/.github/workflows/license.yml index 440584da..35566d44 100644 --- a/.github/workflows/license.yml +++ b/.github/workflows/license.yml @@ -34,6 +34,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 2d0c6f5a..406b7d0e 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -34,6 +34,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install go uses: actions/setup-go@v5 with: diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml index 6a1dfc9b..3a0911bd 100644 --- a/.github/workflows/master.yml +++ b/.github/workflows/master.yml @@ -59,6 +59,8 @@ jobs: swap-storage: false - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: @@ -139,6 +141,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/.github/workflows/prerelease.yml b/.github/workflows/prerelease.yml index 9e3a8c9a..3b7cc468 100644 --- a/.github/workflows/prerelease.yml +++ b/.github/workflows/prerelease.yml @@ -83,6 +83,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/.github/workflows/prerequisites.yml b/.github/workflows/prerequisites.yml index 508d06d0..44966abe 100644 --- a/.github/workflows/prerequisites.yml 
+++ b/.github/workflows/prerequisites.yml @@ -47,6 +47,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - uses: pulumi/provider-version-action@v1 id: provider-version with: @@ -79,7 +81,7 @@ jobs: EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) { echo "SCHEMA_CHANGES<<$EOF"; - schema-tools compare -r github://api.github.com/pulumi -p splunk -o ${{ inputs.default_branch }} -n --local-path=provider/cmd/pulumi-resource-splunk/schema.json; + schema-tools compare -r github://api.github.com/pulumi -p splunk -o "${{ inputs.default_branch }}" -n --local-path=provider/cmd/pulumi-resource-splunk/schema.json; echo "$EOF"; } >> "$GITHUB_ENV" - if: inputs.is_pr && inputs.is_automated == false diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 051474cb..b6bd38ad 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -50,6 +50,8 @@ jobs: run: echo "Can't skip Go SDK for stable releases. This is likely a bug in the calling workflow." && exit 1 - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: @@ -75,7 +77,7 @@ jobs: merge-multiple: true - name: Calculate checksums working-directory: dist - run: shasum ./*.tar.gz > pulumi-splunk_${{ inputs.version }}_checksums.txt + run: shasum ./*.tar.gz > "pulumi-splunk_${{ inputs.version }}_checksums.txt" - name: Get Schema Change Summary id: schema-summary shell: bash @@ -112,6 +114,9 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + # Persist credentials so we can push back to the repo + persist-credentials: true - name: Setup tools uses: ./.github/actions/setup-tools with: @@ -169,6 +174,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Clean up release labels uses: pulumi/action-release-by-pr-label@main with: 
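Review bot: Quoting `${{ inputs.default_branch }}` in the `schema-tools compare` line does not keep the value out of the shell grammar: the expression is expanded into the script text before bash parses it, so metacharacters in the input are still interpreted. Passing it through the step environment, `env: DEFAULT_BRANCH: ${{ inputs.default_branch }}` with `-o "$DEFAULT_BRANCH"` in the command, keeps it as data. The same pattern is in `"pulumi-splunk_${{ inputs.version }}_checksums.txt"` in publish.yml and in the two new `run:` lines of upgrade-provider.yml that embed `github.event.inputs.version`, `steps.upstream_version.outputs.latest_version` and `steps.target_version.outputs.version`; that workflow sets `GH_TOKEN` from `secrets.PULUMI_BOT_TOKEN`, and the commit already uses the env form for `REPO` in the neighbouring step. The step this line belongs to starts outside the hunk.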
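Review bot: `shasum` with no `-a` option computes SHA-1, so the checksums file written by the `Calculate checksums` step in publish.yml is still a SHA-1 list after this line was touched. Using `shasum -a 256 ./*.tar.gz` would publish collision-resistant digests for the release archives. Whatever downloads and verifies this file is not visible here, so confirm which algorithm those consumers expect before switching.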
diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml index 0abd4f40..caac8368 100644 --- a/.github/workflows/pull-request.yml +++ b/.github/workflows/pull-request.yml @@ -28,6 +28,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Comment PR uses: thollander/actions-comment-pull-request@v2 with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8f2b1ab6..d3194bbb 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -89,6 +89,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/.github/workflows/release_command.yml b/.github/workflows/release_command.yml index 2a8fff36..4029f32a 100644 --- a/.github/workflows/release_command.yml +++ b/.github/workflows/release_command.yml @@ -12,6 +12,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Should release PR uses: pulumi/action-release-by-pr-label@main with: diff --git a/.github/workflows/resync-build.yml b/.github/workflows/resync-build.yml index faf2530a..c14a6fed 100644 --- a/.github/workflows/resync-build.yml +++ b/.github/workflows/resync-build.yml @@ -29,11 +29,15 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + # Persist credentials so we can push a new branch. + persist-credentials: true - name: Checkout repo uses: actions/checkout@v4 with: path: ci-mgmt repository: pulumi/ci-mgmt + persist-credentials: false - id: run-url name: Create URL to the run output run: echo "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> "$GITHUB_OUTPUT" diff --git a/.github/workflows/run-acceptance-tests.yml b/.github/workflows/run-acceptance-tests.yml index 6d3ef1e6..ffc18474 100644 --- a/.github/workflows/run-acceptance-tests.yml 
+++ b/.github/workflows/run-acceptance-tests.yml @@ -133,6 +133,7 @@ jobs: uses: actions/checkout@v4 with: ref: ${{ env.PR_COMMIT_SHA }} + persist-credentials: false - name: Checkout p/examples if: matrix.testTarget == 'pulumiExamples' uses: actions/checkout@v4 diff --git a/.github/workflows/upgrade-bridge.yml b/.github/workflows/upgrade-bridge.yml index 0c47364c..639cbed5 100644 --- a/.github/workflows/upgrade-bridge.yml +++ b/.github/workflows/upgrade-bridge.yml @@ -59,6 +59,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/.github/workflows/upgrade-provider.yml b/.github/workflows/upgrade-provider.yml index 29115ec1..f8651665 100644 --- a/.github/workflows/upgrade-provider.yml +++ b/.github/workflows/upgrade-provider.yml @@ -1,16 +1,33 @@ # WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt +name: Upgrade provider +on: + workflow_dispatch: + inputs: + version: + description: | + The version of the upstream provider to upgrade to, without the 'v' prefix + + If no version is specified, it will be inferred from the upstream provider's release tags. + required: false + type: string + schedule: + # 3 AM UTC ~ 8 PM PDT / 7 PM PST daily. Time chosen to run during off hours. + - cron: 0 3 * * * + env: GH_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} jobs: upgrade_provider: - if: ${{ (github.event.issue.user.login == 'pulumi-bot' && contains(github.event.issue.title, 'Upgrade terraform-provider-')) || github.event_name == 'workflow_dispatch' }} name: upgrade-provider runs-on: ubuntu-latest steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + # Persist credentials so upgrade-provider can push a new branch. + persist-credentials: true - name: Setup tools uses: ./.github/actions/setup-tools with: 
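Review bot: The `upgrade_provider` job in upgrade-provider.yml now keeps the checkout credential (`persist-credentials: true`) and runs on a daily schedule, but neither the workflow nor the job declares `permissions:`, so the persisted token carries whatever the repository default grants. No `token:` is passed to actions/checkout, so that credential should be the workflow's GITHUB_TOKEN, and every later step in the job can read it from the git config, including the `go install github.com/pulumi/upgrade-provider@main` step shown in the next hunk. A job-level `permissions: { contents: write }`, widened only with scopes the tool is confirmed to need, would bound what that credential can do. It would also help if the comment above `persist-credentials: true` named the token being persisted.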
@@ -18,17 +35,27 @@ jobs: - name: Install upgrade-provider run: go install github.com/pulumi/upgrade-provider@main shell: bash - - name: "Set up git identity: name" + - name: "Set up git identity" run: | git config --global user.name 'bot@pulumi.com' git config --global user.email 'bot@pulumi.com' shell: bash - - name: Run upgrade-provider - run: upgrade-provider "${{ github.repository }}" --kind="all" + - name: Create issues for new upstream version + if: inputs.version == '' + id: upstream_version + # This step outputs `latest_version` if there is a pending upgrade + run: upgrade-provider "$REPO" --kind=check-upstream-version + env: + REPO: ${{ github.repository }} + shell: bash + - name: Calculate target version + id: target_version + # Prefer the manually specified version if it exists + # upstream_version will be empty if the provider is up-to-date + run: echo "version=${{ github.event.inputs.version || steps.upstream_version.outputs.latest_version }}" >> "$GITHUB_OUTPUT" + shell: bash + - name: Attempt provider upgrade + # Only attempt the upgrade if we have a target version + if: steps.target_version.outputs.version != '' + run: upgrade-provider "${{ github.repository }}" --kind="all" --target-version="${{ steps.target_version.outputs.version }}" shell: bash -name: Upgrade provider -on: - issues: - types: - - opened - workflow_dispatch: {} diff --git a/.github/workflows/verify-release.yml b/.github/workflows/verify-release.yml index ba5c7c08..6c0ea9e3 100644 --- a/.github/workflows/verify-release.yml +++ b/.github/workflows/verify-release.yml @@ -73,6 +73,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with:
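Review bot: Nothing in `Calculate target version` checks the shape of the version before it is written to `$GITHUB_OUTPUT` and later handed to `--target-version`. Going by the input description, the fallback value is inferred from the upstream provider's release tags, so it is data from outside this repository; a newline in it would also add extra keys to the output file. A format check that fails closed, with the value read from an environment variable, is sketched below; the pattern is an assumption and should be matched to the upstream tag scheme. The step also uses `github.event.inputs.version` where the step two above uses `inputs.version`, which is worth making uniform.

```yaml
      - name: Calculate target version
        id: target_version
        env:
          VERSION: ${{ inputs.version || steps.upstream_version.outputs.latest_version }}
        run: |
          # Empty means "no pending upgrade"; anything else must look like a version.
          if [[ -n "$VERSION" && ! "$VERSION" =~ ^[0-9]+(\.[0-9]+)*([-+][0-9A-Za-z.-]+)?$ ]]; then
            echo "::error::unexpected target version format"
            exit 1
          fi
          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
        shell: bash
      # … unchanged: Attempt provider upgrade …
```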