Use the standard Github generated token with elevated permissions (#1099)

Relates to: #1053, #1087

Moving from a central `PULUMI_BOT_TOKEN` to the Github Actions permissions block makes the workflows reusable for third party providers. The generated `GITHUB_TOKEN` secret in each workflow instance will receive elevated permissions based on the permissions configuration block.

To limit the blast radius of a possible error, this PR focuses on the `main|master` and `(pre)release` workflows for now. Similar changes for other workflows will come in subsequent pull requests.

Besides making the workflows more reusable for third-party providers, it also improves on the situation for rate limits tied to the central `PULUMI_BOT_TOKEN`. The generated `GITHUB_TOKEN` has [much higher API rate limits](https://docs.github.com/en/rest/using-the-rest-api/rate-limits-for-the-rest-api?apiVersion=2022-11-28#primary-rate-limit-for-github_token-in-github-actions) on our Github Enterprise backed subscription for `pulumi` organization:

> The rate limit for `GITHUB_TOKEN` is 1,000 requests per hour per repository. For requests to resources that belong to a GitHub Enterprise Cloud account, the limit is 15,000 requests per hour per repository.

Already moving the `main|master` and `(pre)release` workflows to use the `GITHUB_TOKEN` reduces the usage of the `PULUMI_BOT_TOKEN`, so lowering the chance of bumping into a rate limit.

Github Docs: [Controlling permissions for `GITHUB_TOKEN`](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token)

**NOTE:** The required permissions for the `publish` workflow are set on the calling side of the nested job instead of within the nested job. I tested setting it within publish.yml but it seems it is not possible anymore to elevate permissions in a nested job: https://github.com/pulumiverse/pulumi-acme/actions/runs/11181469935

The changes of this PR are validated in the following third-party packages:

| Package | Commit with changes from this PR | Green `main` run | Green `release` |
|--------|--------|--------|--------|
| [pulumiverse/pulumi-acme](https://github.com/pulumiverse/pulumi-acme) | [33e7fa5](pulumiverse/pulumi-acme@33e7fa5) | [11182399934](https://github.com/pulumiverse/pulumi-acme/actions/runs/11182399934) | [11182413642](https://github.com/pulumiverse/pulumi-acme/actions/runs/11182413642) |
| [pulumiverse/pulumi-matchbox](https://github.com/pulumiverse/pulumi-matchbox) | [f370a12](pulumiverse/pulumi-matchbox@f370a12) | [11232745061](https://github.com/pulumiverse/pulumi-matchbox/actions/runs/11232926252) | [11182413642](https://github.com/pulumiverse/pulumi-matchbox/actions/runs/11232926252) |
Showing 20 changed files with 40 additions and 5 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -82,6 +82,8 @@ jobs: | |
|
||
publish: | ||
name: publish | ||
permissions: | ||
contents: write | ||
needs: | ||
- prerequisites | ||
- build_provider | ||
|
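Review bot: The job-level `permissions:` block added to `publish` names only `contents: write`, and once a job declares `permissions`, every scope it does not name is set to none for that job. Confirm the nested publish workflow needs nothing beyond repository contents, or list the extra scopes here explicitly, since the commit message notes they cannot be raised from inside the nested job.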
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -41,6 +41,8 @@ jobs: | |
|
||
publish: | ||
name: publish | ||
permissions: | ||
contents: write | ||
needs: | ||
- prerequisites | ||
- build_provider | ||
|
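Review bot: Missing documentation on the added `permissions:` lines under `publish`: nothing in the workflow file itself says why the grant sits on the calling job rather than in the called workflow. A one-line YAML comment above `permissions:` stating that the nested job cannot elevate its own token would keep a later cleanup from moving or dropping the block.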
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -90,6 +90,8 @@ jobs: | |
|
||
publish: | ||
name: publish | ||
permissions: | ||
contents: write | ||
needs: | ||
- prerequisites | ||
- build_provider | ||
|
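Review bot: `contents: write` on `publish` lets the generated token push commits and tags, not only create releases, and every step and action that runs inside that job can use it. Scoping the grant to this one job is the right shape; also check that the workflow's top-level `permissions` (not visible in this hunk) stays read-only, so that `prerequisites` and `build_provider` do not pick up write access from the repository default.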
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -53,6 +53,8 @@ jobs: | |
|
||
publish: | ||
name: publish | ||
permissions: | ||
contents: write | ||
needs: | ||
- prerequisites | ||
- build_provider | ||
|
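Review bot: The two lines added under `publish` are identical in every hunk of this commit, so any later change to the required scopes has to be repeated in each workflow file. If these files are generated from a shared template, make the edit there and regenerate; otherwise a check that compares the `publish` job's `permissions` block across workflows would catch drift.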
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -91,6 +91,8 @@ jobs: | |
|
||
publish: | ||
name: publish | ||
permissions: | ||
contents: write | ||
needs: | ||
- prerequisites | ||
- build_provider | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -52,6 +52,8 @@ jobs: | |
|
||
publish: | ||
name: publish | ||
permissions: | ||
contents: write | ||
needs: | ||
- prerequisites | ||
- build_provider | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -92,6 +92,8 @@ jobs: | |
|
||
publish: | ||
name: publish | ||
permissions: | ||
contents: write | ||
needs: | ||
- prerequisites | ||
- build_provider | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -55,6 +55,8 @@ jobs: | |
|
||
publish: | ||
name: publish | ||
permissions: | ||
contents: write | ||
needs: | ||
- prerequisites | ||
- build_provider | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -105,6 +105,8 @@ jobs: | |
|
||
publish: | ||
name: publish | ||
permissions: | ||
contents: write | ||
needs: | ||
- prerequisites | ||
- build_provider | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -68,6 +68,8 @@ jobs: | |
|
||
publish: | ||
name: publish | ||
permissions: | ||
contents: write | ||
needs: | ||
- prerequisites | ||
- build_provider | ||
|