From a93c701afab57a90814fd2c96a6400e9ae06dee8 Mon Sep 17 00:00:00 2001 
From: Ringo De Smet Date: Tue, 15 Oct 2024 13:42:04 +0200 Subject: [PATCH] Use the standard Github generated token with elevated permissions (#1099) Relates to: #1053, #1087 Moving from a central `PULUMI_BOT_TOKEN` to the Github Actions permissions block makes the workflows reusable for third party providers. The generated `GITHUB_TOKEN` secret in each workflow instance will receive elevated permissions based on the permissions configuration block. To limit the blast radius of a possible error, this PR focuses on the `main|master` and `(pre)release` workflows for now. Similar changes for other workflows will come in subsequent pull requests. Besides making the workflows more reusable for third-party providers, it also improves on the situation for rate limits tied to the central `PULUMI_BOT_TOKEN`. The generated `GITHUB_TOKEN` has [much higher API rate limits](https://docs.github.com/en/rest/using-the-rest-api/rate-limits-for-the-rest-api?apiVersion=2022-11-28#primary-rate-limit-for-github_token-in-github-actions) on our Github Enterprise backed subscription for `pulumi` organization: > The rate limit for `GITHUB_TOKEN` is 1,000 requests per hour per repository. For requests to resources that belong to a GitHub Enterprise Cloud account, the limit is 15,000 requests per hour per repository. Already moving the `main|master` and `(pre)release` workflows to use the `GITHUB_TOKEN` reduces the usage of the `PULUMI_BOT_TOKEN`, so lowering the chance of bumping into a rate limit. Github Docs: [Controlling permissions for `GITHUB_TOKEN`](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/controlling-permissions-for-github_token) **NOTE:** The required permissions for the `publish` workflow are set on the calling side of the nested job instead of within the nested job. 
I tested setting it within publish.yml but it seems it is not possible anymore to elevate permissions in a nested job: https://github.com/pulumiverse/pulumi-acme/actions/runs/11181469935 The changes of this PR are validated in the following third-party packages: | Package | Commit with changes from this PR | Green `main` run | Green `release` | |--------|--------|--------|--------| | [pulumiverse/pulumi-acme](https://github.com/pulumiverse/pulumi-acme) | [33e7fa5](https://github.com/pulumiverse/pulumi-acme/commit/33e7fa53d999e8eee09fd19bdb1d2046b58021ce) | [11182399934](https://github.com/pulumiverse/pulumi-acme/actions/runs/11182399934) | [11182413642](https://github.com/pulumiverse/pulumi-acme/actions/runs/11182413642) | | [pulumiverse/pulumi-matchbox](https://github.com/pulumiverse/pulumi-matchbox) | [f370a12](https://github.com/pulumiverse/pulumi-matchbox/commit/f370a122007a617e5449fa9f6e2f97db75af9532) | [11232745061](https://github.com/pulumiverse/pulumi-matchbox/actions/runs/11232926252) | [11182413642](https://github.com/pulumiverse/pulumi-matchbox/actions/runs/11232926252) | --- .../pkg/templates/bridged-provider/.github/workflows/main.yml | 2 ++ .../bridged-provider/.github/workflows/prerelease.yml | 2 ++ .../templates/bridged-provider/.github/workflows/publish.yml | 2 +- .../templates/bridged-provider/.github/workflows/release.yml | 3 +++ provider-ci/test-providers/acme/.github/workflows/main.yml | 2 ++ .../test-providers/acme/.github/workflows/prerelease.yml | 2 ++ provider-ci/test-providers/acme/.github/workflows/publish.yml | 2 +- provider-ci/test-providers/acme/.github/workflows/release.yml | 3 +++ provider-ci/test-providers/aws/.github/workflows/master.yml | 2 ++ .../test-providers/aws/.github/workflows/prerelease.yml | 2 ++ provider-ci/test-providers/aws/.github/workflows/publish.yml | 2 +- provider-ci/test-providers/aws/.github/workflows/release.yml | 3 +++ .../test-providers/cloudflare/.github/workflows/master.yml | 2 ++ 
.../test-providers/cloudflare/.github/workflows/prerelease.yml | 2 ++
.../test-providers/cloudflare/.github/workflows/publish.yml | 2 +-
.../test-providers/cloudflare/.github/workflows/release.yml | 3 +++
provider-ci/test-providers/docker/.github/workflows/master.yml | 2 ++
.../test-providers/docker/.github/workflows/prerelease.yml | 2 ++
.../test-providers/docker/.github/workflows/publish.yml | 2 +-
.../test-providers/docker/.github/workflows/release.yml | 3 +++
20 files changed, 40 insertions(+), 5 deletions(-)
diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/main.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/main.yml
index 6d32eeca2..79d49ed8f 100644
--- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/main.yml
+++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/main.yml
@@ -82,6 +82,8 @@ jobs: publish: name: publish + permissions: + contents: write needs: - prerequisites - build_provider
diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/prerelease.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/prerelease.yml
index 2fecad9af..34d5eaea1 100644
--- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/prerelease.yml
+++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/prerelease.yml
@@ -41,6 +41,8 @@ jobs: publish: name: publish + permissions: + contents: write needs: - prerequisites - build_provider
diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/publish.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/publish.yml
index 636282c61..428e76548 100644
--- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/publish.yml
+++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/publish.yml
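Review bot: The new job-level `permissions:` block on the `publish` job in main.yml (the same block appears in prerelease.yml and, with `pull-requests: write` added, in release.yml) has no comment recording why the scopes are granted on the caller, and that is the detail the next maintainer will need: a job-level block sets every scope not listed to `none`, and a called reusable workflow can only narrow what the caller grants, never raise it, so any step in publish.yml that later needs another scope (e.g. `id-token` or `packages`) will be denied unless this block is extended. I'd add above `permissions:`: `# GITHUB_TOKEN scopes for the reusable publish workflow; the called workflow cannot raise them (#1099).` The rest of the `publish` job (presumably the `uses:` of publish.yml, going by the commit message) is outside the hunk, and the copies under provider-ci/test-providers look like generated mirrors of this template, so the comment belongs here rather than in each copy.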
@@ -93,7 +93,7 @@ jobs:
 generate_release_notes: true
 files: dist/*
 env:
- GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 publish_sdk:
 name: publish_sdk
diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/release.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/release.yml
index 636a49155..cbe2c632e 100644
--- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/release.yml
+++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/release.yml
@@ -49,6 +49,9 @@ jobs: publish: name: publish + permissions: + contents: write + pull-requests: write needs: - prerequisites - build_provider
diff --git a/provider-ci/test-providers/acme/.github/workflows/main.yml b/provider-ci/test-providers/acme/.github/workflows/main.yml
index 0d0bb7f9d..751021e99 100644
--- a/provider-ci/test-providers/acme/.github/workflows/main.yml
+++ b/provider-ci/test-providers/acme/.github/workflows/main.yml
@@ -90,6 +90,8 @@ jobs: publish: name: publish + permissions: + contents: write needs: - prerequisites - build_provider
diff --git a/provider-ci/test-providers/acme/.github/workflows/prerelease.yml b/provider-ci/test-providers/acme/.github/workflows/prerelease.yml
index df0e21c45..8ea1d556a 100644
--- a/provider-ci/test-providers/acme/.github/workflows/prerelease.yml
+++ b/provider-ci/test-providers/acme/.github/workflows/prerelease.yml
@@ -53,6 +53,8 @@ jobs: publish: name: publish + permissions: + contents: write needs: - prerequisites - build_provider
diff --git a/provider-ci/test-providers/acme/.github/workflows/publish.yml b/provider-ci/test-providers/acme/.github/workflows/publish.yml
index ea1b024f9..f74b5851f 100644
--- a/provider-ci/test-providers/acme/.github/workflows/publish.yml
+++ b/provider-ci/test-providers/acme/.github/workflows/publish.yml
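Review bot: Switching the release step's env from `secrets.PULUMI_BOT_TOKEN` to `secrets.GITHUB_TOKEN` in publish.yml changes an observable side effect that the commit message does not mention: a release created with the workflow's own `GITHUB_TOKEN` does not trigger other workflows in the repository that listen on `release:` events, whereas one created with the bot PAT did. If any automation in the template or in the third-party repositories runs on `release: types: [published]`, it will stop firing after this change, which is worth confirming before the remaining workflows are migrated. A one-line note on the env entry would preserve that knowledge: `# GITHUB_TOKEN: releases it creates do not trigger release-event workflows`. The step itself (apparently a GitHub release action, given `generate_release_notes` and `files: dist/*`) starts before the hunk.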
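Review bot: `pull-requests: write` in release.yml is granted to the whole `publish` job, which, if the job calls the reusable publish workflow as the commit message implies, extends that scope to every job and step of publish.yml rather than only the one that opens or updates a pull request. Because the caller's block is a ceiling that the called workflow may narrow per job, the least-privilege shape is to keep this grant here and add per-job `permissions:` inside publish.yml so that only the PR-creating job holds `pull-requests: write` (the same applies to `contents: write` for the release step). Note also that a pull request opened with `GITHUB_TOKEN` does not trigger `pull_request` workflows, so CI checks on such a PR will not run on their own. The `publish` job continues outside the hunk.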
@@ -88,7 +88,7 @@ jobs:
 generate_release_notes: true
 files: dist/*
 env:
- GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 publish_sdk:
 name: publish_sdk
diff --git a/provider-ci/test-providers/acme/.github/workflows/release.yml b/provider-ci/test-providers/acme/.github/workflows/release.yml
index 9cb4ba5b1..eb1327d31 100644
--- a/provider-ci/test-providers/acme/.github/workflows/release.yml
+++ b/provider-ci/test-providers/acme/.github/workflows/release.yml
@@ -58,6 +58,9 @@ jobs: publish: name: publish + permissions: + contents: write + pull-requests: write needs: - prerequisites - build_provider
diff --git a/provider-ci/test-providers/aws/.github/workflows/master.yml b/provider-ci/test-providers/aws/.github/workflows/master.yml
index 994a8e621..6ae11b745 100644
--- a/provider-ci/test-providers/aws/.github/workflows/master.yml
+++ b/provider-ci/test-providers/aws/.github/workflows/master.yml
@@ -91,6 +91,8 @@ jobs: publish: name: publish + permissions: + contents: write needs: - prerequisites - build_provider
diff --git a/provider-ci/test-providers/aws/.github/workflows/prerelease.yml b/provider-ci/test-providers/aws/.github/workflows/prerelease.yml
index 2953868d4..0f56e6690 100644
--- a/provider-ci/test-providers/aws/.github/workflows/prerelease.yml
+++ b/provider-ci/test-providers/aws/.github/workflows/prerelease.yml
@@ -52,6 +52,8 @@ jobs: publish: name: publish + permissions: + contents: write needs: - prerequisites - build_provider
diff --git a/provider-ci/test-providers/aws/.github/workflows/publish.yml b/provider-ci/test-providers/aws/.github/workflows/publish.yml
index d35d7b9cd..1b909fab9 100644
--- a/provider-ci/test-providers/aws/.github/workflows/publish.yml
+++ b/provider-ci/test-providers/aws/.github/workflows/publish.yml
@@ -105,7 +105,7 @@ jobs:
 generate_release_notes: true
 files: dist/*
 env:
- GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 publish_sdk:
 name: publish_sdk
diff --git a/provider-ci/test-providers/aws/.github/workflows/release.yml b/provider-ci/test-providers/aws/.github/workflows/release.yml
index e702fe253..39ad9db5a 100644
--- a/provider-ci/test-providers/aws/.github/workflows/release.yml
+++ b/provider-ci/test-providers/aws/.github/workflows/release.yml
@@ -57,6 +57,9 @@ jobs: publish: name: publish + permissions: + contents: write + pull-requests: write needs: - prerequisites - build_provider
diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/master.yml b/provider-ci/test-providers/cloudflare/.github/workflows/master.yml
index f1ad1e446..3c72f29e6 100644
--- a/provider-ci/test-providers/cloudflare/.github/workflows/master.yml
+++ b/provider-ci/test-providers/cloudflare/.github/workflows/master.yml
@@ -92,6 +92,8 @@ jobs: publish: name: publish + permissions: + contents: write needs: - prerequisites - build_provider
diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/prerelease.yml b/provider-ci/test-providers/cloudflare/.github/workflows/prerelease.yml
index d065bee01..77d066b03 100644
--- a/provider-ci/test-providers/cloudflare/.github/workflows/prerelease.yml
+++ b/provider-ci/test-providers/cloudflare/.github/workflows/prerelease.yml
@@ -55,6 +55,8 @@ jobs: publish: name: publish + permissions: + contents: write needs: - prerequisites - build_provider
diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/publish.yml b/provider-ci/test-providers/cloudflare/.github/workflows/publish.yml
index d50726b1f..3cc3d3d15 100644
--- a/provider-ci/test-providers/cloudflare/.github/workflows/publish.yml
+++ b/provider-ci/test-providers/cloudflare/.github/workflows/publish.yml
@@ -102,7 +102,7 @@ jobs:
 generate_release_notes: true
 files: dist/*
 env:
- GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 publish_sdk:
 name: publish_sdk
diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/release.yml b/provider-ci/test-providers/cloudflare/.github/workflows/release.yml
index 5fecd7b51..f76a2992c 100644
--- a/provider-ci/test-providers/cloudflare/.github/workflows/release.yml
+++ b/provider-ci/test-providers/cloudflare/.github/workflows/release.yml
@@ -60,6 +60,9 @@ jobs: publish: name: publish + permissions: + contents: write + pull-requests: write needs: - prerequisites - build_provider
diff --git a/provider-ci/test-providers/docker/.github/workflows/master.yml b/provider-ci/test-providers/docker/.github/workflows/master.yml
index e6f30d1e3..d5a6681f6 100644
--- a/provider-ci/test-providers/docker/.github/workflows/master.yml
+++ b/provider-ci/test-providers/docker/.github/workflows/master.yml
@@ -105,6 +105,8 @@ jobs: publish: name: publish + permissions: + contents: write needs: - prerequisites - build_provider
diff --git a/provider-ci/test-providers/docker/.github/workflows/prerelease.yml b/provider-ci/test-providers/docker/.github/workflows/prerelease.yml
index dac351df2..40fc22da4 100644
--- a/provider-ci/test-providers/docker/.github/workflows/prerelease.yml
+++ b/provider-ci/test-providers/docker/.github/workflows/prerelease.yml
@@ -68,6 +68,8 @@ jobs: publish: name: publish + permissions: + contents: write needs: - prerequisites - build_provider
diff --git a/provider-ci/test-providers/docker/.github/workflows/publish.yml b/provider-ci/test-providers/docker/.github/workflows/publish.yml
index 4556c032a..1a8eaf107 100644
--- a/provider-ci/test-providers/docker/.github/workflows/publish.yml
+++ b/provider-ci/test-providers/docker/.github/workflows/publish.yml
@@ -115,7 +115,7 @@ jobs:
 generate_release_notes: true
 files: dist/*
 env:
- GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 publish_sdk:
 name: publish_sdk
diff --git a/provider-ci/test-providers/docker/.github/workflows/release.yml b/provider-ci/test-providers/docker/.github/workflows/release.yml
index e8fdff91e..014f734c5 100644
--- a/provider-ci/test-providers/docker/.github/workflows/release.yml
+++ b/provider-ci/test-providers/docker/.github/workflows/release.yml
@@ -73,6 +73,9 @@ jobs: publish: name: publish + permissions: + contents: write + pull-requests: write needs: - prerequisites - build_provider