diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/build_provider.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/build_provider.yml index 15985f293..4ce93fbb9 100644 --- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/build_provider.yml +++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/build_provider.yml @@ -40,10 +40,11 @@ jobs: #{{- end }}# - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# - #{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# - #{{- end }}# + #{{- end }}# + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/build_sdk.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/build_sdk.yml index c183792cc..8b23d826a 100644 --- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/build_sdk.yml +++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/build_sdk.yml @@ -32,10 +32,11 @@ jobs: #{{- end }}# - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# -#{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# -#{{- end }}# + #{{- end }}# + persist-credentials: false - name: Cache examples generation uses: actions/cache@v4 with: diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/main.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/main.yml index 79d49ed8f..6d5a9e7da 100644 --- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/main.yml +++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/main.yml 
@@ -41,10 +41,11 @@ jobs: swap-storage: false - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# -#{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# -#{{- end }}# + #{{- end }}# + persist-credentials: false - name: Configure AWS Credentials uses: #{{ .Config.actionVersions.configureAwsCredentials }}# with: @@ -140,10 +141,11 @@ jobs: #{{- end }}# - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# -#{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# -#{{- end }}# + #{{- end }}# + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/nightly-test.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/nightly-test.yml index eafb85564..ae9f03c9e 100644 --- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/nightly-test.yml +++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/nightly-test.yml @@ -50,10 +50,11 @@ jobs: #{{- end }}# - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# -#{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# -#{{- end }}# + #{{- end }}# + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/prerelease.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/prerelease.yml index 34d5eaea1..2d5aba254 100644 --- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/prerelease.yml +++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/prerelease.yml 
@@ -80,10 +80,11 @@ jobs: #{{- end }}# - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# -#{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# -#{{- end }}# + #{{- end }}# + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/prerequisites.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/prerequisites.yml index db68021e4..d8cf644c5 100644 --- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/prerequisites.yml +++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/prerequisites.yml @@ -38,10 +38,11 @@ jobs: #{{- end }}# - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# -#{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# -#{{- end }}# + #{{- end }}# + persist-credentials: false - uses: pulumi/provider-version-action@v1 id: provider-version with: @@ -77,7 +78,7 @@ jobs: EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) { echo "SCHEMA_CHANGES<<$EOF"; - schema-tools compare -r github://api.github.com/#{{ .Config.organization }}# -p #{{ .Config.provider }}# -o ${{ inputs.default_branch }} -n --local-path=provider/cmd/pulumi-resource-#{{ .Config.provider }}#/schema.json; + schema-tools compare -r github://api.github.com/#{{ .Config.organization }}# -p #{{ .Config.provider }}# -o "${{ inputs.default_branch }}" -n --local-path=provider/cmd/pulumi-resource-#{{ .Config.provider }}#/schema.json; echo "$EOF"; } >> "$GITHUB_ENV" - if: inputs.is_pr && inputs.is_automated == false diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/publish.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/publish.yml index 428e76548..b63c413a6 100644 
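Review bot: Quoting `"${{ inputs.default_branch }}"` in the `schema-tools compare` line of prerequisites.yml stops word splitting but not expression injection. GitHub substitutes the expression into the script text before bash parses it, so a value containing shell metacharacters can still alter the command. Pass the value through the step environment instead: add `env:` with `DEFAULT_BRANCH: ${{ inputs.default_branch }}` on the step and use `-o "$DEFAULT_BRANCH"` in the script. The same applies to `${{ inputs.version }}` in the `Calculate checksums` step of publish.yml and to the generated copies under test-providers. The step header is outside this hunk, so whether it already has an `env:` block cannot be seen here.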
--- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/publish.yml +++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/publish.yml @@ -32,10 +32,11 @@ jobs: run: echo "Can't skip Go SDK for stable releases. This is likely a bug in the calling workflow." && exit 1 - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# -#{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# -#{{- end }}# + #{{- end }}# + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: @@ -63,7 +64,7 @@ jobs: merge-multiple: true - name: Calculate checksums working-directory: dist - run: shasum ./*.tar.gz > pulumi-#{{ .Config.provider }}#_${{ inputs.version }}_checksums.txt + run: shasum ./*.tar.gz > "pulumi-#{{ .Config.provider }}#_${{ inputs.version }}_checksums.txt" - name: Get Schema Change Summary id: schema-summary shell: bash @@ -102,10 +103,12 @@ jobs: steps: - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# -#{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# -#{{- end }}# + #{{- end }}# + # Persist credentials so we can push back to the repo + persist-credentials: true - name: Setup tools uses: ./.github/actions/setup-tools with: @@ -168,7 +171,9 @@ jobs: runs-on: #{{ .Config.runner.default }}# steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: #{{ .Config.actionVersions.checkout }}# + with: + persist-credentials: false - name: Clean up release labels uses: pulumi/action-release-by-pr-label@main with: diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/release.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/release.yml index cbe2c632e..2329f3735 100644 --- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/release.yml 
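Review bot: The comment on `persist-credentials: true` in the publish.yml hunk at `@@ -102,10 +103,12 @@` says why the token is kept but not how far it reaches. Once persisted it sits in `.git/config` and is readable by every later step in the job, starting with `./.github/actions/setup-tools`. I would extend the comment to say so, e.g. `# Token stays in .git/config for all later steps; needed by the push step below.` The rest of the job is outside the hunk, so check that no later step uploads the workspace, including `.git`, as an artifact. The same wording would help on the `persist-credentials: true` checkouts in resync-build.yml and upgrade-provider.yml.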
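Review bot: In the publish.yml hunk at `@@ -168,7 +171,9 @@` the checkout now goes through `.Config.actionVersions.checkout`, but the next step in the same job still runs `pulumi/action-release-by-pr-label@main`. That is a branch reference, so the code it runs can change without any commit to this repository. Consider routing it through `actionVersions` as well, or pinning it to a tag or commit SHA. The step's `with:` inputs are outside the hunk, so which credentials it receives cannot be seen here. release_command.yml uses the same `@main` reference.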
+++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/release.yml @@ -89,10 +89,11 @@ jobs: #{{- end }}# - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# -#{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# -#{{- end }}# + #{{- end }}# + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/resync-build.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/resync-build.yml index e0f51b0d0..bec52713d 100644 --- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/resync-build.yml +++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/resync-build.yml @@ -11,15 +11,18 @@ jobs: steps: - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# - #{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# - #{{- end }}# + #{{- end }}# + # Persist credentials so we can push a new branch. + persist-credentials: true - name: Checkout repo uses: #{{ .Config.actionVersions.checkout }}# with: path: ci-mgmt repository: pulumi/ci-mgmt + persist-credentials: false - id: run-url name: Create URL to the run output run: echo "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> "$GITHUB_OUTPUT" diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/run-acceptance-tests.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/run-acceptance-tests.yml index 09b91fc6d..f01a25c9c 100644 --- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/run-acceptance-tests.yml +++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/run-acceptance-tests.yml 
@@ -135,6 +135,7 @@ jobs: #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# #{{- end }}# + persist-credentials: false - name: Checkout p/examples if: matrix.testTarget == 'pulumiExamples' uses: #{{ .Config.actionVersions.checkout }}# diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/upgrade-bridge.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/upgrade-bridge.yml index 003c05837..4071e841e 100644 --- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/upgrade-bridge.yml +++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/upgrade-bridge.yml @@ -68,10 +68,11 @@ jobs: #{{- end }}# - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# - #{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# - #{{- end }}# + #{{- end }}# + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/upgrade-provider.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/upgrade-provider.yml index 526386cae..ce2318d83 100644 --- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/upgrade-provider.yml +++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/upgrade-provider.yml @@ -34,10 +34,12 @@ jobs: #{{- end }}# - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# - #{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# - #{{- end }}# + #{{- end }}# + # Persist credentials so upgrade-provider can push a new branch. + persist-credentials: true - name: Setup tools uses: ./.github/actions/setup-tools with: 
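Review bot: The `Checkout p/examples` step that follows the patched checkout in run-acceptance-tests.yml also uses `#{{ .Config.actionVersions.checkout }}#`, but no hunk in this file gives it `persist-credentials: false`. It therefore appears to keep the action's default of writing the token into that clone's git config. The generated copies show the first checkout using `ref: ${{ env.PR_COMMIT_SHA }}`, so this job runs pull-request code that could read a token left on disk. resync-build.yml in this same commit already sets the flag on its secondary `pulumi/ci-mgmt` checkout. Add `persist-credentials: false` under that step's `with:`; its inputs lie outside the hunk, so confirm the block exists. The copies under test-providers/acme and test-providers/aws have the same gap.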
diff --git a/provider-ci/internal/pkg/templates/provider/.github/workflows/license.yml b/provider-ci/internal/pkg/templates/provider/.github/workflows/license.yml index 773a521c2..3cd459eef 100644 --- a/provider-ci/internal/pkg/templates/provider/.github/workflows/license.yml +++ b/provider-ci/internal/pkg/templates/provider/.github/workflows/license.yml @@ -15,7 +15,9 @@ jobs: runs-on: #{{ .Config.runner.default }}# steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: #{{ .Config.actionVersions.checkout }}# + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/internal/pkg/templates/provider/.github/workflows/lint.yml b/provider-ci/internal/pkg/templates/provider/.github/workflows/lint.yml index 3c6234641..efa180263 100644 --- a/provider-ci/internal/pkg/templates/provider/.github/workflows/lint.yml +++ b/provider-ci/internal/pkg/templates/provider/.github/workflows/lint.yml @@ -16,10 +16,11 @@ jobs: steps: - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# -#{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# -#{{- end }}# + #{{- end }}# + persist-credentials: false - name: Install go uses: actions/setup-go@v5 with: diff --git a/provider-ci/internal/pkg/templates/provider/.github/workflows/pull-request.yml b/provider-ci/internal/pkg/templates/provider/.github/workflows/pull-request.yml index bee3b2af6..753769ba0 100644 --- a/provider-ci/internal/pkg/templates/provider/.github/workflows/pull-request.yml +++ b/provider-ci/internal/pkg/templates/provider/.github/workflows/pull-request.yml 
@@ -10,10 +10,11 @@ jobs: steps: - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# -#{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# -#{{- end }}# + #{{- end }}# + persist-credentials: false - name: Comment PR uses: #{{ .Config.actionVersions.prComment }}# with: diff --git a/provider-ci/internal/pkg/templates/provider/.github/workflows/verify-release.yml b/provider-ci/internal/pkg/templates/provider/.github/workflows/verify-release.yml index 6f24e6baf..1d84855c1 100644 --- a/provider-ci/internal/pkg/templates/provider/.github/workflows/verify-release.yml +++ b/provider-ci/internal/pkg/templates/provider/.github/workflows/verify-release.yml @@ -64,7 +64,9 @@ jobs: runs-on: ${{ matrix.runner }} steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: #{{ .Config.actionVersions.checkout }}# + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/internal/pkg/templates/pulumi-provider/.github/workflows/command-dispatch.yml b/provider-ci/internal/pkg/templates/pulumi-provider/.github/workflows/command-dispatch.yml index d2babf7a5..cdb6b197c 100644 --- a/provider-ci/internal/pkg/templates/pulumi-provider/.github/workflows/command-dispatch.yml +++ b/provider-ci/internal/pkg/templates/pulumi-provider/.github/workflows/command-dispatch.yml @@ -9,10 +9,11 @@ jobs: steps: - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# -#{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# -#{{- end }}# + #{{- end }}# + persist-credentials: false - uses: peter-evans/slash-command-dispatch@v4 with: commands: | 
diff --git a/provider-ci/internal/pkg/templates/pulumi-provider/.github/workflows/community-moderation.yml b/provider-ci/internal/pkg/templates/pulumi-provider/.github/workflows/community-moderation.yml index e42edd537..f6d25b9a4 100644 --- a/provider-ci/internal/pkg/templates/pulumi-provider/.github/workflows/community-moderation.yml +++ b/provider-ci/internal/pkg/templates/pulumi-provider/.github/workflows/community-moderation.yml @@ -9,10 +9,11 @@ jobs: steps: - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# -#{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# -#{{- end }}# + #{{- end }}# + persist-credentials: false - id: schema_changed name: Check for diff in schema uses: #{{ .Config.actionVersions.pathsFilter }}# diff --git a/provider-ci/internal/pkg/templates/pulumi-provider/.github/workflows/release_command.yml b/provider-ci/internal/pkg/templates/pulumi-provider/.github/workflows/release_command.yml index 028caf41e..95b4d185c 100644 --- a/provider-ci/internal/pkg/templates/pulumi-provider/.github/workflows/release_command.yml +++ b/provider-ci/internal/pkg/templates/pulumi-provider/.github/workflows/release_command.yml @@ -12,6 +12,8 @@ jobs: steps: - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# + with: + persist-credentials: false - name: Should release PR uses: pulumi/action-release-by-pr-label@main with: diff --git a/provider-ci/test-providers/acme/.github/workflows/build_provider.yml b/provider-ci/test-providers/acme/.github/workflows/build_provider.yml index 849e0bbf1..9c7853b3e 100644 --- a/provider-ci/test-providers/acme/.github/workflows/build_provider.yml +++ b/provider-ci/test-providers/acme/.github/workflows/build_provider.yml @@ -31,6 +31,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: 
diff --git a/provider-ci/test-providers/acme/.github/workflows/build_sdk.yml b/provider-ci/test-providers/acme/.github/workflows/build_sdk.yml index ae90fb5e8..ae5417747 100644 --- a/provider-ci/test-providers/acme/.github/workflows/build_sdk.yml +++ b/provider-ci/test-providers/acme/.github/workflows/build_sdk.yml @@ -41,6 +41,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Cache examples generation uses: actions/cache@v4 with: diff --git a/provider-ci/test-providers/acme/.github/workflows/license.yml b/provider-ci/test-providers/acme/.github/workflows/license.yml index d285937a0..83f8357b2 100644 --- a/provider-ci/test-providers/acme/.github/workflows/license.yml +++ b/provider-ci/test-providers/acme/.github/workflows/license.yml @@ -31,6 +31,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/acme/.github/workflows/lint.yml b/provider-ci/test-providers/acme/.github/workflows/lint.yml index f9f1b428c..988e3b2ac 100644 --- a/provider-ci/test-providers/acme/.github/workflows/lint.yml +++ b/provider-ci/test-providers/acme/.github/workflows/lint.yml @@ -31,6 +31,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install go uses: actions/setup-go@v5 with: diff --git a/provider-ci/test-providers/acme/.github/workflows/main.yml b/provider-ci/test-providers/acme/.github/workflows/main.yml index 751021e99..fe3d37807 100644 --- a/provider-ci/test-providers/acme/.github/workflows/main.yml +++ b/provider-ci/test-providers/acme/.github/workflows/main.yml @@ -56,6 +56,8 @@ jobs: swap-storage: false - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: 
@@ -136,6 +138,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/acme/.github/workflows/prerelease.yml b/provider-ci/test-providers/acme/.github/workflows/prerelease.yml index 8ea1d556a..b561ef30a 100644 --- a/provider-ci/test-providers/acme/.github/workflows/prerelease.yml +++ b/provider-ci/test-providers/acme/.github/workflows/prerelease.yml @@ -80,6 +80,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/acme/.github/workflows/prerequisites.yml b/provider-ci/test-providers/acme/.github/workflows/prerequisites.yml index a7ae38662..36e9c47b4 100644 --- a/provider-ci/test-providers/acme/.github/workflows/prerequisites.yml +++ b/provider-ci/test-providers/acme/.github/workflows/prerequisites.yml @@ -44,6 +44,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - uses: pulumi/provider-version-action@v1 id: provider-version with: @@ -76,7 +78,7 @@ jobs: EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) { echo "SCHEMA_CHANGES<<$EOF"; - schema-tools compare -r github://api.github.com/pulumiverse -p acme -o ${{ inputs.default_branch }} -n --local-path=provider/cmd/pulumi-resource-acme/schema.json; + schema-tools compare -r github://api.github.com/pulumiverse -p acme -o "${{ inputs.default_branch }}" -n --local-path=provider/cmd/pulumi-resource-acme/schema.json; echo "$EOF"; } >> "$GITHUB_ENV" - if: inputs.is_pr && inputs.is_automated == false diff --git a/provider-ci/test-providers/acme/.github/workflows/publish.yml b/provider-ci/test-providers/acme/.github/workflows/publish.yml index f74b5851f..fe1a37b93 100644 --- a/provider-ci/test-providers/acme/.github/workflows/publish.yml 
+++ b/provider-ci/test-providers/acme/.github/workflows/publish.yml @@ -47,6 +47,8 @@ jobs: run: echo "Can't skip Go SDK for stable releases. This is likely a bug in the calling workflow." && exit 1 - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: @@ -62,7 +64,7 @@ jobs: merge-multiple: true - name: Calculate checksums working-directory: dist - run: shasum ./*.tar.gz > pulumi-acme_${{ inputs.version }}_checksums.txt + run: shasum ./*.tar.gz > "pulumi-acme_${{ inputs.version }}_checksums.txt" - name: Get Schema Change Summary id: schema-summary shell: bash @@ -97,6 +99,9 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + # Persist credentials so we can push back to the repo + persist-credentials: true - name: Setup tools uses: ./.github/actions/setup-tools with: @@ -135,6 +140,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Clean up release labels uses: pulumi/action-release-by-pr-label@main with: diff --git a/provider-ci/test-providers/acme/.github/workflows/pull-request.yml b/provider-ci/test-providers/acme/.github/workflows/pull-request.yml index bd321f5a2..beb84a898 100644 --- a/provider-ci/test-providers/acme/.github/workflows/pull-request.yml +++ b/provider-ci/test-providers/acme/.github/workflows/pull-request.yml @@ -25,6 +25,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Comment PR uses: thollander/actions-comment-pull-request@v2 with: diff --git a/provider-ci/test-providers/acme/.github/workflows/release.yml b/provider-ci/test-providers/acme/.github/workflows/release.yml index eb1327d31..aa6276feb 100644 --- a/provider-ci/test-providers/acme/.github/workflows/release.yml +++ b/provider-ci/test-providers/acme/.github/workflows/release.yml 
@@ -86,6 +86,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/acme/.github/workflows/resync-build.yml b/provider-ci/test-providers/acme/.github/workflows/resync-build.yml index 1cf1bb031..1e0940414 100644 --- a/provider-ci/test-providers/acme/.github/workflows/resync-build.yml +++ b/provider-ci/test-providers/acme/.github/workflows/resync-build.yml @@ -26,11 +26,15 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + # Persist credentials so we can push a new branch. + persist-credentials: true - name: Checkout repo uses: actions/checkout@v4 with: path: ci-mgmt repository: pulumi/ci-mgmt + persist-credentials: false - id: run-url name: Create URL to the run output run: echo "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> "$GITHUB_OUTPUT" diff --git a/provider-ci/test-providers/acme/.github/workflows/run-acceptance-tests.yml b/provider-ci/test-providers/acme/.github/workflows/run-acceptance-tests.yml index 03f68fb64..eacde3039 100644 --- a/provider-ci/test-providers/acme/.github/workflows/run-acceptance-tests.yml +++ b/provider-ci/test-providers/acme/.github/workflows/run-acceptance-tests.yml @@ -130,6 +130,7 @@ jobs: uses: actions/checkout@v4 with: ref: ${{ env.PR_COMMIT_SHA }} + persist-credentials: false - name: Checkout p/examples if: matrix.testTarget == 'pulumiExamples' uses: actions/checkout@v4 diff --git a/provider-ci/test-providers/acme/.github/workflows/upgrade-bridge.yml b/provider-ci/test-providers/acme/.github/workflows/upgrade-bridge.yml index 37b34914d..a47be8c6f 100644 --- a/provider-ci/test-providers/acme/.github/workflows/upgrade-bridge.yml +++ b/provider-ci/test-providers/acme/.github/workflows/upgrade-bridge.yml 
@@ -59,6 +59,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/acme/.github/workflows/upgrade-provider.yml b/provider-ci/test-providers/acme/.github/workflows/upgrade-provider.yml index d8d681a5e..f86516650 100644 --- a/provider-ci/test-providers/acme/.github/workflows/upgrade-provider.yml +++ b/provider-ci/test-providers/acme/.github/workflows/upgrade-provider.yml @@ -25,6 +25,9 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + # Persist credentials so upgrade-provider can push a new branch. + persist-credentials: true - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/acme/.github/workflows/verify-release.yml b/provider-ci/test-providers/acme/.github/workflows/verify-release.yml index 50bbe0105..79fc0f644 100644 --- a/provider-ci/test-providers/acme/.github/workflows/verify-release.yml +++ b/provider-ci/test-providers/acme/.github/workflows/verify-release.yml @@ -70,6 +70,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/aws/.github/workflows/build_provider.yml b/provider-ci/test-providers/aws/.github/workflows/build_provider.yml index eff24b362..33f08d4ee 100644 --- a/provider-ci/test-providers/aws/.github/workflows/build_provider.yml +++ b/provider-ci/test-providers/aws/.github/workflows/build_provider.yml @@ -40,6 +40,7 @@ jobs: uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/aws/.github/workflows/build_sdk.yml b/provider-ci/test-providers/aws/.github/workflows/build_sdk.yml index 0cba628ef..40b8f0e3a 100644 
--- a/provider-ci/test-providers/aws/.github/workflows/build_sdk.yml +++ b/provider-ci/test-providers/aws/.github/workflows/build_sdk.yml @@ -54,6 +54,7 @@ jobs: uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - name: Cache examples generation uses: actions/cache@v4 with: diff --git a/provider-ci/test-providers/aws/.github/workflows/command-dispatch.yml b/provider-ci/test-providers/aws/.github/workflows/command-dispatch.yml index fdd32460c..96e2d1a7b 100644 --- a/provider-ci/test-providers/aws/.github/workflows/command-dispatch.yml +++ b/provider-ci/test-providers/aws/.github/workflows/command-dispatch.yml @@ -29,6 +29,7 @@ jobs: uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - uses: peter-evans/slash-command-dispatch@v4 with: commands: | diff --git a/provider-ci/test-providers/aws/.github/workflows/community-moderation.yml b/provider-ci/test-providers/aws/.github/workflows/community-moderation.yml index 2a1470993..7beeb63e8 100644 --- a/provider-ci/test-providers/aws/.github/workflows/community-moderation.yml +++ b/provider-ci/test-providers/aws/.github/workflows/community-moderation.yml @@ -11,6 +11,7 @@ jobs: uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - id: schema_changed name: Check for diff in schema uses: dorny/paths-filter@v2 diff --git a/provider-ci/test-providers/aws/.github/workflows/license.yml b/provider-ci/test-providers/aws/.github/workflows/license.yml index 12920f4b1..f318695d7 100644 --- a/provider-ci/test-providers/aws/.github/workflows/license.yml +++ b/provider-ci/test-providers/aws/.github/workflows/license.yml @@ -34,6 +34,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/aws/.github/workflows/lint.yml b/provider-ci/test-providers/aws/.github/workflows/lint.yml index e1f366f66..3bb14f160 100644 
--- a/provider-ci/test-providers/aws/.github/workflows/lint.yml +++ b/provider-ci/test-providers/aws/.github/workflows/lint.yml @@ -36,6 +36,7 @@ jobs: uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - name: Install go uses: actions/setup-go@v5 with: diff --git a/provider-ci/test-providers/aws/.github/workflows/master.yml b/provider-ci/test-providers/aws/.github/workflows/master.yml index 6ae11b745..8a373012e 100644 --- a/provider-ci/test-providers/aws/.github/workflows/master.yml +++ b/provider-ci/test-providers/aws/.github/workflows/master.yml @@ -61,6 +61,7 @@ jobs: uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: @@ -150,6 +151,7 @@ jobs: uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/aws/.github/workflows/nightly-test.yml b/provider-ci/test-providers/aws/.github/workflows/nightly-test.yml index 41be16c2e..a424e335f 100644 --- a/provider-ci/test-providers/aws/.github/workflows/nightly-test.yml +++ b/provider-ci/test-providers/aws/.github/workflows/nightly-test.yml @@ -67,6 +67,7 @@ jobs: uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/aws/.github/workflows/prerelease.yml b/provider-ci/test-providers/aws/.github/workflows/prerelease.yml index 0f56e6690..b332e1f84 100644 --- a/provider-ci/test-providers/aws/.github/workflows/prerelease.yml +++ b/provider-ci/test-providers/aws/.github/workflows/prerelease.yml @@ -92,6 +92,7 @@ jobs: uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: 
diff --git a/provider-ci/test-providers/aws/.github/workflows/prerequisites.yml b/provider-ci/test-providers/aws/.github/workflows/prerequisites.yml index 546c648bc..4d5745564 100644 --- a/provider-ci/test-providers/aws/.github/workflows/prerequisites.yml +++ b/provider-ci/test-providers/aws/.github/workflows/prerequisites.yml @@ -56,6 +56,7 @@ jobs: uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - uses: pulumi/provider-version-action@v1 id: provider-version with: @@ -88,7 +89,7 @@ jobs: EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) { echo "SCHEMA_CHANGES<<$EOF"; - schema-tools compare -r github://api.github.com/pulumi -p aws -o ${{ inputs.default_branch }} -n --local-path=provider/cmd/pulumi-resource-aws/schema.json; + schema-tools compare -r github://api.github.com/pulumi -p aws -o "${{ inputs.default_branch }}" -n --local-path=provider/cmd/pulumi-resource-aws/schema.json; echo "$EOF"; } >> "$GITHUB_ENV" - if: inputs.is_pr && inputs.is_automated == false diff --git a/provider-ci/test-providers/aws/.github/workflows/publish.yml b/provider-ci/test-providers/aws/.github/workflows/publish.yml index 1b909fab9..1ceebb946 100644 --- a/provider-ci/test-providers/aws/.github/workflows/publish.yml +++ b/provider-ci/test-providers/aws/.github/workflows/publish.yml @@ -52,6 +52,7 @@ jobs: uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: @@ -77,7 +78,7 @@ jobs: merge-multiple: true - name: Calculate checksums working-directory: dist - run: shasum ./*.tar.gz > pulumi-aws_${{ inputs.version }}_checksums.txt + run: shasum ./*.tar.gz > "pulumi-aws_${{ inputs.version }}_checksums.txt" - name: Get Schema Change Summary id: schema-summary shell: bash 
@@ -116,6 +117,8 @@ jobs: uses: actions/checkout@v4 with: submodules: true + # Persist credentials so we can push back to the repo + persist-credentials: true - name: Setup tools uses: ./.github/actions/setup-tools with: @@ -173,6 +176,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Clean up release labels uses: pulumi/action-release-by-pr-label@main with: diff --git a/provider-ci/test-providers/aws/.github/workflows/pull-request.yml b/provider-ci/test-providers/aws/.github/workflows/pull-request.yml index 5b20f8ee2..5bab42686 100644 --- a/provider-ci/test-providers/aws/.github/workflows/pull-request.yml +++ b/provider-ci/test-providers/aws/.github/workflows/pull-request.yml @@ -30,6 +30,7 @@ jobs: uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - name: Comment PR uses: thollander/actions-comment-pull-request@v2 with: diff --git a/provider-ci/test-providers/aws/.github/workflows/release.yml b/provider-ci/test-providers/aws/.github/workflows/release.yml index 39ad9db5a..95c53595f 100644 --- a/provider-ci/test-providers/aws/.github/workflows/release.yml +++ b/provider-ci/test-providers/aws/.github/workflows/release.yml @@ -98,6 +98,7 @@ jobs: uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/aws/.github/workflows/release_command.yml b/provider-ci/test-providers/aws/.github/workflows/release_command.yml index 2a8fff366..4029f32a7 100644 --- a/provider-ci/test-providers/aws/.github/workflows/release_command.yml +++ b/provider-ci/test-providers/aws/.github/workflows/release_command.yml @@ -12,6 +12,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Should release PR uses: pulumi/action-release-by-pr-label@main with: 
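Review bot: The `persist-credentials: true` exception at `@@ -116,6 +117,8 @@` leaves the checkout token in `.git/config` for every later step of the job, not only the one that pushes, and the comment does not say which step that is. Name the consumer so the exception can be audited, for example `# Persist credentials: the <step name> step below pushes to this repo`. The rest of the job is outside the hunk, so it is worth confirming that no step between this checkout and the push runs third-party or PR-controlled code. The same applies to the `persist-credentials: true` hunks in resync-build.yml and upgrade-provider.yml, and to the cloudflare and docker copies.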
diff --git a/provider-ci/test-providers/aws/.github/workflows/resync-build.yml b/provider-ci/test-providers/aws/.github/workflows/resync-build.yml index 6d10e619c..11f10eb67 100644 --- a/provider-ci/test-providers/aws/.github/workflows/resync-build.yml +++ b/provider-ci/test-providers/aws/.github/workflows/resync-build.yml @@ -31,11 +31,14 @@ jobs: uses: actions/checkout@v4 with: submodules: true + # Persist credentials so we can push a new branch. + persist-credentials: true - name: Checkout repo uses: actions/checkout@v4 with: path: ci-mgmt repository: pulumi/ci-mgmt + persist-credentials: false - id: run-url name: Create URL to the run output run: echo "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> "$GITHUB_OUTPUT" diff --git a/provider-ci/test-providers/aws/.github/workflows/run-acceptance-tests.yml b/provider-ci/test-providers/aws/.github/workflows/run-acceptance-tests.yml index d76ed64fd..7055f99ae 100644 --- a/provider-ci/test-providers/aws/.github/workflows/run-acceptance-tests.yml +++ b/provider-ci/test-providers/aws/.github/workflows/run-acceptance-tests.yml @@ -138,6 +138,7 @@ jobs: with: ref: ${{ env.PR_COMMIT_SHA }} submodules: true + persist-credentials: false - name: Checkout p/examples if: matrix.testTarget == 'pulumiExamples' uses: actions/checkout@v4 diff --git a/provider-ci/test-providers/aws/.github/workflows/upgrade-bridge.yml b/provider-ci/test-providers/aws/.github/workflows/upgrade-bridge.yml index 8e79b2619..22d119a45 100644 --- a/provider-ci/test-providers/aws/.github/workflows/upgrade-bridge.yml +++ b/provider-ci/test-providers/aws/.github/workflows/upgrade-bridge.yml @@ -68,6 +68,7 @@ jobs: uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: 
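Review bot: In run-acceptance-tests.yml only the checkout of `${{ env.PR_COMMIT_SHA }}` gets `persist-credentials: false`; the `Checkout p/examples` step that follows also uses `actions/checkout@v4` and this diff does not touch it. Its `with:` block is outside the hunk, so this is unverified, but if it has no explicit setting it keeps the default and leaves a token in that checkout's git config while PR code runs in the same job. Add `persist-credentials: false` there as well. The cloudflare and docker copies of this workflow show the same pattern.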
diff --git a/provider-ci/test-providers/aws/.github/workflows/upgrade-provider.yml b/provider-ci/test-providers/aws/.github/workflows/upgrade-provider.yml index 7e807a043..0d7101ae8 100644 --- a/provider-ci/test-providers/aws/.github/workflows/upgrade-provider.yml +++ b/provider-ci/test-providers/aws/.github/workflows/upgrade-provider.yml @@ -34,6 +34,8 @@ jobs: uses: actions/checkout@v4 with: submodules: true + # Persist credentials so upgrade-provider can push a new branch. + persist-credentials: true - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/aws/.github/workflows/verify-release.yml b/provider-ci/test-providers/aws/.github/workflows/verify-release.yml index 8f32d0afd..3c4eeccaf 100644 --- a/provider-ci/test-providers/aws/.github/workflows/verify-release.yml +++ b/provider-ci/test-providers/aws/.github/workflows/verify-release.yml @@ -73,6 +73,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/build_provider.yml b/provider-ci/test-providers/cloudflare/.github/workflows/build_provider.yml index f11b063e8..8c9605a57 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/build_provider.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/build_provider.yml @@ -31,6 +31,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/build_sdk.yml b/provider-ci/test-providers/cloudflare/.github/workflows/build_sdk.yml index 604397d14..f0c948199 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/build_sdk.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/build_sdk.yml 
@@ -44,6 +44,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Cache examples generation uses: actions/cache@v4 with: diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/command-dispatch.yml b/provider-ci/test-providers/cloudflare/.github/workflows/command-dispatch.yml index b7bf4db48..ec6aed074 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/command-dispatch.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/command-dispatch.yml @@ -26,6 +26,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - uses: peter-evans/slash-command-dispatch@v4 with: commands: | diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/community-moderation.yml b/provider-ci/test-providers/cloudflare/.github/workflows/community-moderation.yml index 4c3414b90..2afb297c2 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/community-moderation.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/community-moderation.yml @@ -9,6 +9,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - id: schema_changed name: Check for diff in schema uses: dorny/paths-filter@v2 diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/license.yml b/provider-ci/test-providers/cloudflare/.github/workflows/license.yml index 4f885f86d..355857e2b 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/license.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/license.yml @@ -33,6 +33,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/lint.yml b/provider-ci/test-providers/cloudflare/.github/workflows/lint.yml index feffb40df..257cf7210 100644 
--- a/provider-ci/test-providers/cloudflare/.github/workflows/lint.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/lint.yml @@ -33,6 +33,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install go uses: actions/setup-go@v5 with: diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/master.yml b/provider-ci/test-providers/cloudflare/.github/workflows/master.yml index 3c72f29e6..2192bbd3d 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/master.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/master.yml @@ -58,6 +58,8 @@ jobs: swap-storage: false - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: @@ -138,6 +140,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/prerelease.yml b/provider-ci/test-providers/cloudflare/.github/workflows/prerelease.yml index 77d066b03..aac539df0 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/prerelease.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/prerelease.yml @@ -82,6 +82,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/prerequisites.yml b/provider-ci/test-providers/cloudflare/.github/workflows/prerequisites.yml index ad10171e6..e20ae63fd 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/prerequisites.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/prerequisites.yml 
@@ -46,6 +46,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - uses: pulumi/provider-version-action@v1 id: provider-version with: @@ -78,7 +80,7 @@ jobs: EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) { echo "SCHEMA_CHANGES<<$EOF"; - schema-tools compare -r github://api.github.com/pulumi -p cloudflare -o ${{ inputs.default_branch }} -n --local-path=provider/cmd/pulumi-resource-cloudflare/schema.json; + schema-tools compare -r github://api.github.com/pulumi -p cloudflare -o "${{ inputs.default_branch }}" -n --local-path=provider/cmd/pulumi-resource-cloudflare/schema.json; echo "$EOF"; } >> "$GITHUB_ENV" - if: inputs.is_pr && inputs.is_automated == false diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/publish.yml b/provider-ci/test-providers/cloudflare/.github/workflows/publish.yml index 3cc3d3d15..6d2db0865 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/publish.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/publish.yml @@ -49,6 +49,8 @@ jobs: run: echo "Can't skip Go SDK for stable releases. This is likely a bug in the calling workflow." && exit 1 - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: @@ -74,7 +76,7 @@ jobs: merge-multiple: true - name: Calculate checksums working-directory: dist - run: shasum ./*.tar.gz > pulumi-cloudflare_${{ inputs.version }}_checksums.txt + run: shasum ./*.tar.gz > "pulumi-cloudflare_${{ inputs.version }}_checksums.txt" - name: Get Schema Change Summary id: schema-summary shell: bash @@ -111,6 +113,9 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + # Persist credentials so we can push back to the repo + persist-credentials: true - name: Setup tools uses: ./.github/actions/setup-tools with: 
@@ -168,6 +173,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Clean up release labels uses: pulumi/action-release-by-pr-label@main with: diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/pull-request.yml b/provider-ci/test-providers/cloudflare/.github/workflows/pull-request.yml index c8dce0d5b..7bb38bf7d 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/pull-request.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/pull-request.yml @@ -27,6 +27,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Comment PR uses: thollander/actions-comment-pull-request@v2 with: diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/release.yml b/provider-ci/test-providers/cloudflare/.github/workflows/release.yml index f76a2992c..66998502c 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/release.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/release.yml @@ -88,6 +88,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/release_command.yml b/provider-ci/test-providers/cloudflare/.github/workflows/release_command.yml index 2a8fff366..4029f32a7 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/release_command.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/release_command.yml @@ -12,6 +12,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Should release PR uses: pulumi/action-release-by-pr-label@main with: 
diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/resync-build.yml b/provider-ci/test-providers/cloudflare/.github/workflows/resync-build.yml index 14a121ce9..298e40a20 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/resync-build.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/resync-build.yml @@ -28,11 +28,15 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + # Persist credentials so we can push a new branch. + persist-credentials: true - name: Checkout repo uses: actions/checkout@v4 with: path: ci-mgmt repository: pulumi/ci-mgmt + persist-credentials: false - id: run-url name: Create URL to the run output run: echo "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> "$GITHUB_OUTPUT" diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/run-acceptance-tests.yml b/provider-ci/test-providers/cloudflare/.github/workflows/run-acceptance-tests.yml index 58fc81359..3a2829799 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/run-acceptance-tests.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/run-acceptance-tests.yml @@ -132,6 +132,7 @@ jobs: uses: actions/checkout@v4 with: ref: ${{ env.PR_COMMIT_SHA }} + persist-credentials: false - name: Checkout p/examples if: matrix.testTarget == 'pulumiExamples' uses: actions/checkout@v4 diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/upgrade-bridge.yml b/provider-ci/test-providers/cloudflare/.github/workflows/upgrade-bridge.yml index 0c47364ca..639cbed52 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/upgrade-bridge.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/upgrade-bridge.yml @@ -59,6 +59,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: 
diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/upgrade-provider.yml b/provider-ci/test-providers/cloudflare/.github/workflows/upgrade-provider.yml index d8d681a5e..f86516650 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/upgrade-provider.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/upgrade-provider.yml @@ -25,6 +25,9 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + # Persist credentials so upgrade-provider can push a new branch. + persist-credentials: true - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/verify-release.yml b/provider-ci/test-providers/cloudflare/.github/workflows/verify-release.yml index bfe4faaef..1d2219a28 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/verify-release.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/verify-release.yml @@ -72,6 +72,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/docker/.github/workflows/build_provider.yml b/provider-ci/test-providers/docker/.github/workflows/build_provider.yml index 69bf40b0e..e9448588d 100644 --- a/provider-ci/test-providers/docker/.github/workflows/build_provider.yml +++ b/provider-ci/test-providers/docker/.github/workflows/build_provider.yml @@ -31,6 +31,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/docker/.github/workflows/build_sdk.yml b/provider-ci/test-providers/docker/.github/workflows/build_sdk.yml index cd903d668..8bdc9f079 100644 --- a/provider-ci/test-providers/docker/.github/workflows/build_sdk.yml +++ b/provider-ci/test-providers/docker/.github/workflows/build_sdk.yml 
@@ -57,6 +57,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Cache examples generation uses: actions/cache@v4 with: diff --git a/provider-ci/test-providers/docker/.github/workflows/command-dispatch.yml b/provider-ci/test-providers/docker/.github/workflows/command-dispatch.yml index d9c927f78..9b68cdaaf 100644 --- a/provider-ci/test-providers/docker/.github/workflows/command-dispatch.yml +++ b/provider-ci/test-providers/docker/.github/workflows/command-dispatch.yml @@ -39,6 +39,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - uses: peter-evans/slash-command-dispatch@v4 with: commands: | diff --git a/provider-ci/test-providers/docker/.github/workflows/community-moderation.yml b/provider-ci/test-providers/docker/.github/workflows/community-moderation.yml index 4c3414b90..2afb297c2 100644 --- a/provider-ci/test-providers/docker/.github/workflows/community-moderation.yml +++ b/provider-ci/test-providers/docker/.github/workflows/community-moderation.yml @@ -9,6 +9,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - id: schema_changed name: Check for diff in schema uses: dorny/paths-filter@v2 diff --git a/provider-ci/test-providers/docker/.github/workflows/license.yml b/provider-ci/test-providers/docker/.github/workflows/license.yml index 7bf7ad140..79e2055c3 100644 --- a/provider-ci/test-providers/docker/.github/workflows/license.yml +++ b/provider-ci/test-providers/docker/.github/workflows/license.yml @@ -46,6 +46,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/docker/.github/workflows/lint.yml b/provider-ci/test-providers/docker/.github/workflows/lint.yml index 5f4f82a4a..ae2e8815a 100644 
--- a/provider-ci/test-providers/docker/.github/workflows/lint.yml +++ b/provider-ci/test-providers/docker/.github/workflows/lint.yml @@ -46,6 +46,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install go uses: actions/setup-go@v5 with: diff --git a/provider-ci/test-providers/docker/.github/workflows/master.yml b/provider-ci/test-providers/docker/.github/workflows/master.yml index d5a6681f6..64de7e819 100644 --- a/provider-ci/test-providers/docker/.github/workflows/master.yml +++ b/provider-ci/test-providers/docker/.github/workflows/master.yml @@ -71,6 +71,8 @@ jobs: swap-storage: false - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: @@ -151,6 +153,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/docker/.github/workflows/prerelease.yml b/provider-ci/test-providers/docker/.github/workflows/prerelease.yml index 40fc22da4..aad3a563c 100644 --- a/provider-ci/test-providers/docker/.github/workflows/prerelease.yml +++ b/provider-ci/test-providers/docker/.github/workflows/prerelease.yml @@ -95,6 +95,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/docker/.github/workflows/prerequisites.yml b/provider-ci/test-providers/docker/.github/workflows/prerequisites.yml index 77dd32b5f..b4527a4f1 100644 --- a/provider-ci/test-providers/docker/.github/workflows/prerequisites.yml +++ b/provider-ci/test-providers/docker/.github/workflows/prerequisites.yml 
@@ -59,6 +59,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - uses: pulumi/provider-version-action@v1 id: provider-version with: @@ -91,7 +93,7 @@ jobs: EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) { echo "SCHEMA_CHANGES<<$EOF"; - schema-tools compare -r github://api.github.com/pulumi -p docker -o ${{ inputs.default_branch }} -n --local-path=provider/cmd/pulumi-resource-docker/schema.json; + schema-tools compare -r github://api.github.com/pulumi -p docker -o "${{ inputs.default_branch }}" -n --local-path=provider/cmd/pulumi-resource-docker/schema.json; echo "$EOF"; } >> "$GITHUB_ENV" - if: inputs.is_pr && inputs.is_automated == false diff --git a/provider-ci/test-providers/docker/.github/workflows/publish.yml b/provider-ci/test-providers/docker/.github/workflows/publish.yml index 1a8eaf107..812ece1cd 100644 --- a/provider-ci/test-providers/docker/.github/workflows/publish.yml +++ b/provider-ci/test-providers/docker/.github/workflows/publish.yml @@ -62,6 +62,8 @@ jobs: run: echo "Can't skip Go SDK for stable releases. This is likely a bug in the calling workflow." && exit 1 - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: @@ -87,7 +89,7 @@ jobs: merge-multiple: true - name: Calculate checksums working-directory: dist - run: shasum ./*.tar.gz > pulumi-docker_${{ inputs.version }}_checksums.txt + run: shasum ./*.tar.gz > "pulumi-docker_${{ inputs.version }}_checksums.txt" - name: Get Schema Change Summary id: schema-summary shell: bash @@ -124,6 +126,9 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + # Persist credentials so we can push back to the repo + persist-credentials: true - name: Setup tools uses: ./.github/actions/setup-tools with: 
@@ -181,6 +186,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Clean up release labels uses: pulumi/action-release-by-pr-label@main with: diff --git a/provider-ci/test-providers/docker/.github/workflows/pull-request.yml b/provider-ci/test-providers/docker/.github/workflows/pull-request.yml index 71c51bc57..faac179a9 100644 --- a/provider-ci/test-providers/docker/.github/workflows/pull-request.yml +++ b/provider-ci/test-providers/docker/.github/workflows/pull-request.yml @@ -40,6 +40,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Comment PR uses: thollander/actions-comment-pull-request@v2 with: diff --git a/provider-ci/test-providers/docker/.github/workflows/release.yml b/provider-ci/test-providers/docker/.github/workflows/release.yml index 014f734c5..4a56b7b8d 100644 --- a/provider-ci/test-providers/docker/.github/workflows/release.yml +++ b/provider-ci/test-providers/docker/.github/workflows/release.yml @@ -101,6 +101,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/docker/.github/workflows/release_command.yml b/provider-ci/test-providers/docker/.github/workflows/release_command.yml index 2a8fff366..4029f32a7 100644 --- a/provider-ci/test-providers/docker/.github/workflows/release_command.yml +++ b/provider-ci/test-providers/docker/.github/workflows/release_command.yml @@ -12,6 +12,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Should release PR uses: pulumi/action-release-by-pr-label@main with: diff --git a/provider-ci/test-providers/docker/.github/workflows/resync-build.yml b/provider-ci/test-providers/docker/.github/workflows/resync-build.yml index 714210ddd..99d38561b 100644 
--- a/provider-ci/test-providers/docker/.github/workflows/resync-build.yml +++ b/provider-ci/test-providers/docker/.github/workflows/resync-build.yml @@ -41,11 +41,15 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + # Persist credentials so we can push a new branch. + persist-credentials: true - name: Checkout repo uses: actions/checkout@v4 with: path: ci-mgmt repository: pulumi/ci-mgmt + persist-credentials: false - id: run-url name: Create URL to the run output run: echo "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> "$GITHUB_OUTPUT" diff --git a/provider-ci/test-providers/docker/.github/workflows/run-acceptance-tests.yml b/provider-ci/test-providers/docker/.github/workflows/run-acceptance-tests.yml index 0c531a8a0..a04ee60ba 100644 --- a/provider-ci/test-providers/docker/.github/workflows/run-acceptance-tests.yml +++ b/provider-ci/test-providers/docker/.github/workflows/run-acceptance-tests.yml @@ -145,6 +145,7 @@ jobs: uses: actions/checkout@v4 with: ref: ${{ env.PR_COMMIT_SHA }} + persist-credentials: false - name: Checkout p/examples if: matrix.testTarget == 'pulumiExamples' uses: actions/checkout@v4 diff --git a/provider-ci/test-providers/docker/.github/workflows/upgrade-bridge.yml b/provider-ci/test-providers/docker/.github/workflows/upgrade-bridge.yml index 0c47364ca..639cbed52 100644 --- a/provider-ci/test-providers/docker/.github/workflows/upgrade-bridge.yml +++ b/provider-ci/test-providers/docker/.github/workflows/upgrade-bridge.yml @@ -59,6 +59,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/docker/.github/workflows/upgrade-provider.yml b/provider-ci/test-providers/docker/.github/workflows/upgrade-provider.yml index d8d681a5e..f86516650 100644 --- a/provider-ci/test-providers/docker/.github/workflows/upgrade-provider.yml 
+++ b/provider-ci/test-providers/docker/.github/workflows/upgrade-provider.yml @@ -25,6 +25,9 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + # Persist credentials so upgrade-provider can push a new branch. + persist-credentials: true - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/docker/.github/workflows/verify-release.yml b/provider-ci/test-providers/docker/.github/workflows/verify-release.yml index 16708eb59..c256de52a 100644 --- a/provider-ci/test-providers/docker/.github/workflows/verify-release.yml +++ b/provider-ci/test-providers/docker/.github/workflows/verify-release.yml @@ -85,6 +85,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: