
Use PAT named PULUMI_PROVIDER_AUTOMATION_TOKEN #1128

Open
wants to merge 2 commits into master
Conversation


@ringods ringods commented Nov 5, 2024

To make the upgrade-bridge and upgrade-provider workflows usable for third-party packages, the use of PULUMI_BOT_TOKEN is replaced by ~~the generated GITHUB_TOKEN~~ a PAT named PULUMI_PROVIDER_AUTOMATION_TOKEN (see discussion below).

A permissions block is added to allow it to push commits, create GitHub issues and pull requests in the repository.

Contributes to: #1087


@danielrbradley danielrbradley left a comment


Looks good at first glance. Will take this for a test drive before merging.


iwahbe commented Nov 6, 2024

I remember taking a crack at this earlier, and hitting permission issues with publishing. If you can get it to work, then by all means merge it.


ringods commented Nov 6, 2024

@iwahbe the upgrade workflows aren't publishing anything. The publishing in the release workflow is already working with GITHUB_TOKEN and elevated permissions, for instance:

https://github.com/pulumi/pulumi-cloudflare/blob/803fd6dd7d823d98cdf3e318739ed14080641def/.github/workflows/release.yml#L61-L65

@ringods ringods force-pushed the use-github-token-with-write-permissions branch from 0eaa172 to d786602 Compare November 8, 2024 08:25
danielrbradley pushed a commit to pulumi/pulumi-xyz that referenced this pull request Nov 8, 2024

danielrbradley commented Nov 8, 2024

I've set up the xyz provider to work for testing upgrade provider.

I've temporarily merged these changes into main to be able to test the upgrade bridge and provider workflows:

  • Upgrade bridge: job, PR

Edit: The changes for the provider upgrade were lost because the xyz provider didn't have the workflow enabled when this PR was opened.

It appears that the PR build is not running automatically. I think this is because GitHub actions disables auto-building for changes pushed by GitHub actions to avoid infinite loops. We need to investigate how to enable these builds.


@danielrbradley

From the docs:

> When you use the repository's GITHUB_TOKEN to perform tasks, events triggered by the GITHUB_TOKEN, with the exception of workflow_dispatch and repository_dispatch, will not create a new workflow run. This prevents you from accidentally creating recursive workflow runs. For example, if a workflow run pushes code using the repository's GITHUB_TOKEN, a new workflow will not run even when the repository contains a workflow configured to run when push events occur.

The recommendation on this docs page is to use a PAT when pushing PRs which should trigger a workflow. Perhaps as an in-between we should use the BOT token when creating the pull request, if it's available, but fall back to the built-in token for third parties who haven't set this up yet.

Alternatively, we might be able to use a workflow_dispatch or repository_dispatch to run the acceptance tests directly, and allow the manual sentinel check to be written back to the correct PR, but this will require a little more engineering. One downside of this approach is that it won't give direct access to the job details on the PR if specific parts fail.

@danielrbradley

The GITHUB_TOKEN does not have scopes to create repository_dispatch or workflow_dispatch events, so we're back to requiring a PAT at some point here.

I think we might just have to gate the step for the creation of the PR on the PAT being set up. We could allow a less pulumi-bot specific secret name to be used instead. If third parties don't want to configure the PAT, then their only other option is to periodically run the upgrade job locally.
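The gating described in the two comments above, as an added illustration that is not the ci-mgmt template or any file from this PR: the job copies the optional PAT into a job-level env variable so a step-level `if:` can test whether it is configured (the `secrets` context itself cannot be used in step conditions), checks out with the PAT when present so the pushed branch triggers the PR's own CI run, and otherwise explains why no PR is opened. The workflow name, schedule and the `./scripts/upgrade-provider.sh` script are assumed names.

```yaml
# Added illustration, not the project's own workflow. Assumed: the upgrade
# script commits its changes to the working tree before the push step runs.
name: upgrade-provider
on:
  workflow_dispatch:
  schedule:
    - cron: "0 4 * * *"   # assumed schedule

# Least privilege for the built-in GITHUB_TOKEN: only what pushing commits and
# opening issues / pull requests needs (matches the PR description).
permissions:
  contents: write
  issues: write
  pull-requests: write

jobs:
  upgrade:
    runs-on: ubuntu-latest
    env:
      # Empty string when the repository has not configured the PAT; the
      # secrets context is allowed in jobs.<id>.env but not in steps[*].if.
      PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }}
    steps:
      - uses: actions/checkout@v4
        with:
          # Checking out with the PAT makes the later push authenticate with it,
          # so the resulting PR gets a workflow run; a push made with
          # GITHUB_TOKEN would not start one.
          token: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN || secrets.GITHUB_TOKEN }}

      - name: Run upgrade
        run: ./scripts/upgrade-provider.sh   # assumed script name

      - name: Push branch and open pull request (PAT configured)
        if: env.PULUMI_PROVIDER_AUTOMATION_TOKEN != ''
        env:
          GH_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }}
        run: |
          git push --force-with-lease origin HEAD:upgrade-provider
          gh pr create --fill --head upgrade-provider

      - name: Report missing PAT (third-party repo without the secret)
        if: env.PULUMI_PROVIDER_AUTOMATION_TOKEN == ''
        run: |
          echo "PULUMI_PROVIDER_AUTOMATION_TOKEN is not configured; no PR opened." >&2
          echo "Configure the PAT or run the upgrade job locally." >&2
```

The fallback to `secrets.GITHUB_TOKEN` in the checkout step keeps the job runnable without the PAT; the expression `a || b` in `${{ }}` evaluates to `b` when the secret is unset. Reading the PAT through a job-level env variable is what lets the `if:` conditions work, since step conditions cannot reference `secrets` directly.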

@ringods ringods changed the title Use GITHUB_TOKEN with elevated permissions Use PAT named UPGRADE_PROVIDER_TOKEN Nov 13, 2024
@ringods ringods force-pushed the use-github-token-with-write-permissions branch from d2a9176 to a13e572 Compare November 13, 2024 17:12

ringods commented Nov 13, 2024

@danielrbradley @t0yv0 @iwahbe linking back to Daniel's comment here: #1128 (comment)

I would like to settle on the name of the PAT token so I can test this upfront using a Pulumiverse provider. Since I don't have admin access anymore on Pulumiverse, I have to ask the Pulumiverse GH org admins for approval when using a fine-grained PAT.

Here are my suggestions:

  • PULUMI_PROVIDER_AUTO_PR_TOKEN
  • PULUMI_PROVIDER_AUTOMATION_TOKEN

I personally don't mind a longer name if it explains better what it is for.

@danielrbradley

PULUMI_PROVIDER_AUTOMATION_TOKEN is pretty nice

@ringods ringods changed the title Use PAT named UPGRADE_PROVIDER_TOKEN Use PAT named PULUMI_PROVIDER_AUTOMATION_TOKEN Nov 14, 2024
The token needs to have repository scoped permissions to:
- **Read** access to actions, commit statuses, metadata, and secrets
- **Read** and **Write** access to code, issues, pull requests, and workflows
@ringods ringods force-pushed the use-github-token-with-write-permissions branch from a13e572 to 1b11bec Compare November 14, 2024 16:59

t0yv0 commented Nov 14, 2024

Folks, I'm summoned to review, but I don't have a good handle on what's going on here. NO objection from me if it keeps working for the Pulumi providers builds 🙏

ringods added a commit to pulumiverse/pulumi-acme that referenced this pull request Nov 15, 2024
ringods added a commit to pulumiverse/pulumi-cockroach that referenced this pull request Nov 15, 2024
ringods added a commit to pulumiverse/pulumi-grafana that referenced this pull request Nov 15, 2024
ringods added a commit to pulumiverse/pulumi-matchbox that referenced this pull request Nov 15, 2024
ringods added a commit to pulumiverse/pulumi-scaleway that referenced this pull request Nov 15, 2024
ringods added a commit to pulumiverse/pulumi-unifi that referenced this pull request Nov 15, 2024