
Use ESC secrets #2172

12 changes: 11 additions & 1 deletion .github/workflows/add-to-project.yaml
@@ -1,3 +1,10 @@
permissions: write-all # Equivalent to default permissions plus id-token: write
env:
ESC_ACTION_OIDC_AUTH: true
ESC_ACTION_OIDC_ORGANIZATION: pulumi
ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
ESC_ACTION_ENVIRONMENT: imports/github-secrets
ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: false
name: Add issues to project
on:
issues:
Expand All @@ -8,8 +15,11 @@ jobs:
add-to-project:
runs-on: ubuntu-latest
steps:
- name: Fetch secrets from ESC
id: esc-secrets
uses: pulumi/esc-action@v1
- name: Add to DevRel
uses: actions/add-to-project@244f685bbc3b7adfa8466e08b698b5577571133e # v1.0.2
with:
project-url: https://github.com/orgs/pulumi/projects/47
github-token: ${{ secrets.PULUMI_BOT_GHA_MARKETING }}
github-token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_GHA_MARKETING }}
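Review bot: `permissions: write-all` on the first line of the first hunk (the same line opens command-dispatch.yml and test-examples.yml) grants every GITHUB_TOKEN scope write access for all jobs, which is broader than the inline comment "Equivalent to default permissions plus id-token: write" states — only `id-token: write` is actually new here, and the remaining write scopes are unused by a job whose project token comes from the fetched PAT rather than GITHUB_TOKEN. A scoped block such as `permissions: { id-token: write, contents: read }` keeps the OIDC exchange working without the extra privilege; apply the same narrowing in the other two workflows. Separately, `uses: pulumi/esc-action@v1` is pinned to a mutable tag while every other action in these files is pinned to a full commit SHA with a version comment (see `actions/add-to-project@244f685…` a few lines below); pin it the same way, `uses: pulumi/esc-action@<commit-sha> # v1`, in all three workflows.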
12 changes: 11 additions & 1 deletion .github/workflows/command-dispatch.yml
@@ -1,3 +1,10 @@
permissions: write-all # Equivalent to default permissions plus id-token: write
env:
ESC_ACTION_OIDC_AUTH: true
ESC_ACTION_OIDC_ORGANIZATION: pulumi
ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
ESC_ACTION_ENVIRONMENT: imports/github-secrets
ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: false
name: Command dispatch for testing
on:
issue_comment:
Expand All @@ -8,6 +15,9 @@ jobs:
command-dispatch-for-testing:
runs-on: ubuntu-latest
steps:
- name: Fetch secrets from ESC
id: esc-secrets
uses: pulumi/esc-action@v1
- name: Checkout Repo
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Run Build
Expand All @@ -18,4 +28,4 @@ jobs:
permission: write
reaction-token: ${{ secrets.GITHUB_TOKEN }}
repository: pulumi/examples
token: ${{ secrets.EVENT_PAT }}
token: ${{ steps.esc-secrets.outputs.EVENT_PAT }}
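Review bot: The `Fetch secrets from ESC` step added at the top of the `steps:` list now runs on every `issue_comment` event, before the dispatch step whose `permission: write` setting (visible in the last hunk) decides whether the commenter may trigger anything, so the whole `imports/github-secrets` ESC environment is materialized into step outputs even for comments the gate later rejects; previously only `secrets.EVENT_PAT` was referenced. If the dispatch action allows it, move the fetch after the permission check, or point this workflow at an ESC environment that exposes only `EVENT_PAT`. Step outputs are not masked in logs the way `secrets.*` values are unless the action registers them as masked, so it is worth confirming that pulumi/esc-action does this before relying on `steps.esc-secrets.outputs.*` for tokens. The dispatch step's remaining inputs sit outside the hunk, so part of this is inferred from the hunk headers rather than visible lines.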
64 changes: 46 additions & 18 deletions .github/workflows/test-examples.yml
@@ -1,3 +1,10 @@
permissions: write-all # Equivalent to default permissions plus id-token: write
env:
ESC_ACTION_OIDC_AUTH: true
ESC_ACTION_OIDC_ORGANIZATION: pulumi
ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
ESC_ACTION_ENVIRONMENT: imports/github-secrets
ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: false
name: Test examples
on:
pull_request:
Expand All @@ -18,6 +25,9 @@ jobs:
id-token: write
contents: read
steps:
- name: Fetch secrets from ESC
id: esc-secrets
uses: pulumi/esc-action@v1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

- name: Set up the environment
Expand All @@ -26,7 +36,7 @@ jobs:
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }}
aws-role-to-assume: ${{ steps.esc-secrets.outputs.AWS_CI_ROLE_ARN }}
github-token: ${{ secrets.GITHUB_TOKEN }}

- name: Lint
Expand All @@ -40,6 +50,9 @@ jobs:
id-token: write
contents: read
steps:
- name: Fetch secrets from ESC
id: esc-secrets
uses: pulumi/esc-action@v1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

- name: Set up the environment
Expand All @@ -48,7 +61,7 @@ jobs:
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }}
aws-role-to-assume: ${{ steps.esc-secrets.outputs.AWS_CI_ROLE_ARN }}
github-token: ${{ secrets.GITHUB_TOKEN }}

- name: unit tests
Expand All @@ -70,7 +83,7 @@ jobs:
- name: Set up Python
uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
with:
python-version: 3.9 # Adjust the version as needed
python-version: 3.9 # Adjust the version as needed

# Step 3: Install Make (already installed on Ubuntu, but explicit just in case)
- name: Ensure Make is Installed
Expand All @@ -90,6 +103,9 @@ jobs:
id-token: write
contents: read
steps:
- name: Fetch secrets from ESC
id: esc-secrets
uses: pulumi/esc-action@v1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

- name: Set up the environment
Expand All @@ -98,7 +114,7 @@ jobs:
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }}
aws-role-to-assume: ${{ steps.esc-secrets.outputs.AWS_CI_ROLE_ARN }}
github-token: ${{ secrets.GITHUB_TOKEN }}

- name: unit tests
Expand All @@ -114,6 +130,9 @@ jobs:
id-token: write
contents: read
steps:
- name: Fetch secrets from ESC
id: esc-secrets
uses: pulumi/esc-action@v1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

- name: Set up the environment
Expand All @@ -122,7 +141,7 @@ jobs:
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }}
aws-role-to-assume: ${{ steps.esc-secrets.outputs.AWS_CI_ROLE_ARN }}
github-token: ${{ secrets.GITHUB_TOKEN }}

- name: unit tests
Expand All @@ -136,6 +155,9 @@ jobs:
id-token: write
contents: read
steps:
- name: Fetch secrets from ESC
id: esc-secrets
uses: pulumi/esc-action@v1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

- name: Set up the environment
Expand All @@ -144,7 +166,7 @@ jobs:
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }}
aws-role-to-assume: ${{ steps.esc-secrets.outputs.AWS_CI_ROLE_ARN }}
github-token: ${{ secrets.GITHUB_TOKEN }}

- name: unit tests
Expand All @@ -169,13 +191,16 @@ jobs:

steps:
# Run as first step so we don't delete things that have just been installed
- name: Fetch secrets from ESC
id: esc-secrets
uses: pulumi/esc-action@v1
- name: Free Disk Space (Ubuntu)
uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
with:
tool-cache: false
swap-storage: false
dotnet: false

- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

- name: Set up the environment
Expand All @@ -184,7 +209,7 @@ jobs:
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }}
aws-role-to-assume: ${{ steps.esc-secrets.outputs.AWS_CI_ROLE_ARN }}
github-token: ${{ secrets.GITHUB_TOKEN }}

- name: Run tests
Expand All @@ -194,20 +219,20 @@ jobs:
AWS_SECRET_ACCESS_KEY: ${{ steps.setup.outputs.aws-secret-access-key }}
AWS_SESSION_TOKEN: ${{ steps.setup.outputs.aws-session-token }}
AWS_REGION: ${{ steps.setup.outputs.aws-region }}
ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
ARM_CLIENT_ID: ${{ steps.esc-secrets.outputs.ARM_CLIENT_ID }}
ARM_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.ARM_CLIENT_SECRET }}
ARM_ENVIRONMENT: public
ARM_LOCATION: westus
ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
ARM_SUBSCRIPTION_ID: ${{ steps.esc-secrets.outputs.ARM_SUBSCRIPTION_ID }}
ARM_TENANT_ID: ${{ steps.esc-secrets.outputs.ARM_TENANT_ID }}
GOOGLE_PROJECT: ${{ steps.setup.outputs.google-project-name }}
GOOGLE_REGION: ${{ steps.setup.outputs.google-region }}
GOOGLE_ZONE: ${{ steps.setup.outputs.google-zone }}
DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
PACKET_AUTH_TOKEN: ${{ secrets.PACKET_AUTH_TOKEN }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
DIGITALOCEAN_TOKEN: ${{ steps.esc-secrets.outputs.DIGITALOCEAN_TOKEN }}
PACKET_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.PACKET_AUTH_TOKEN }}
PULUMI_ACCESS_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_ACCESS_TOKEN }}
PULUMI_API: https://api.pulumi-staging.io
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}

strategy:
fail-fast: false
Expand Down Expand Up @@ -236,6 +261,9 @@ jobs:
contents: read

steps:
- name: Fetch secrets from ESC
id: esc-secrets
uses: pulumi/esc-action@v1
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4

- name: Set up the environment
Expand All @@ -244,7 +272,7 @@ jobs:
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }}
aws-role-to-assume: ${{ steps.esc-secrets.outputs.AWS_CI_ROLE_ARN }}
github-token: ${{ secrets.GITHUB_TOKEN }}

- name: Set up Minikube
Expand Down Expand Up @@ -281,6 +309,6 @@ jobs:
AWS_SECRET_ACCESS_KEY: ${{ steps.setup.outputs.aws-secret-access-key }}
AWS_SESSION_TOKEN: ${{ steps.setup.outputs.aws-session-token }}
AWS_REGION: ${{ steps.setup.outputs.aws-region }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
PULUMI_ACCESS_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_ACCESS_TOKEN }}
PULUMI_API: https://api.pulumi-staging.io
INFRA_STACK_NAME: ${{ github.sha }}-${{ github.run_number }}
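Review bot: In the hunk that inserts the ESC step above `Free Disk Space (Ubuntu)`, the comment `# Run as first step so we don't delete things that have just been installed` is now attached to `Fetch secrets from ESC` instead of the step it describes, and its claim is false since the free-disk-space step is no longer first. Either move the ESC step below the Free Disk Space block, or reword and reattach the comment as `# Run before any install step so we don't delete things that have just been installed` directly above `- name: Free Disk Space (Ubuntu)`. The jobs in this file already carry a job-level `permissions:` block with `id-token: write` and `contents: read`; job-level permissions replace the workflow-level ones, so the top-level `permissions: write-all` buys nothing for those jobs and only widens the token for any job that lacks a block (any such job is outside the visible hunks). The static AWS keys (`secrets.AWS_ACCESS_KEY_ID`, `secrets.AWS_SECRET_ACCESS_KEY`) and `secrets.GITHUB_TOKEN` remain on `secrets.*` while `AWS_CI_ROLE_ARN` moved to ESC in every setup hunk — if that is intentional, a one-line comment next to the role ARN saying which inputs are deliberately left on repository secrets would stop the next reader from treating it as an incomplete migration.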