chore: make ci-mgmt

2025-12-06 01:43:51 -05:00
parent ef3fde0b79
commit 4f829f9e0a
34 changed files with 623 additions and 467 deletions
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -7,39 +7,37 @@ on:
    inputs: {}

 env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
-  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
-  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
-  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
  PULUMI_API: https://api.pulumi-staging.io
  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
-  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
-  PYPI_USERNAME: __token__
-  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
-  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
-  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
+  PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }}
+  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
  TF_APPEND_USER_AGENT: pulumi

 jobs:
  lint:
    name: lint
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      with:
-        persist-credentials: false
-    - name: Install go
-      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5
+        persist-credentials: false    
+    - id: esc-secrets
+      name: Map environment to ESC outputs
+      uses: ./.github/actions/esc-action
+    - name: Setup mise
+      uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3
+      env:
+        MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
      with:
-        # The versions of golangci-lint and setup-go here cross-depend and need to update together.
-        go-version: 1.23
-        # Either this action or golangci-lint needs to disable the cache
-        cache: false
+        version: 2025.11.6
+        github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
+        cache_save: false # A different job handles caching our tools.
    - name: disarm go:embed directives to enable lint
      continue-on-error: true # this fails if there are no go:embed directives
      run: |
@@ -47,8 +45,10 @@ jobs:
    - name: prepare workspace
      continue-on-error: true
      run: make prepare_local_workspace
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: golangci-lint
      uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6
      with:
-        version: v1.64.6
+        install-mode: none # Handled by mise.
        working-directory: provider