chore: make ci-mgmt

2025-12-06 01:43:51 -05:00
parent ef3fde0b79
commit 4f829f9e0a
34 changed files with 623 additions and 467 deletions
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,24 +1,19 @@
 # WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt

 env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
-  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
-  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
-  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
  PULUMI_API: https://api.pulumi-staging.io
  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
-  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
-  PYPI_USERNAME: __token__
-  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
-  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
-  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
+  PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }}
+  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
  TF_APPEND_USER_AGENT: pulumi
+
 jobs:
  prerequisites:
+    permissions:
+      contents: read
+      pull-requests: write
+      id-token: write # For ESC secrets.
    uses: ./.github/workflows/prerequisites.yml
    secrets: inherit
    with:
@@ -30,6 +25,9 @@ jobs:
    uses: ./.github/workflows/build_provider.yml
    needs: prerequisites
    secrets: inherit
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets.
    with:
      version: ${{ needs.prerequisites.outputs.version }}

@@ -38,6 +36,9 @@ jobs:
    needs: prerequisites
    uses: ./.github/workflows/build_sdk.yml
    secrets: inherit
+    permissions:
+      contents: write # For Renovate SDKs.
+      id-token: write # For ESC secrets.
    with:
      version: ${{ needs.prerequisites.outputs.version }}

@@ -46,6 +47,9 @@ jobs:
    needs: prerequisites
    uses: ./.github/workflows/main-post-build.yml
    secrets: inherit
+    permissions:
+      contents: write # For Renovate SDKs.
+      id-token: write # For ESC secrets.
    with:
      version: ${{ needs.prerequisites.outputs.version }}

@@ -73,6 +77,7 @@ jobs:
    with:
      version: ${{ needs.prerequisites.outputs.version }}
      isPrerelease: true
+      setLatestRelease: false
      skipGoSdk: true
      skipJavaSdk: true

@@ -80,7 +85,17 @@ jobs:
    name: Tag release if labeled as needs-release
    needs: publish
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets.
    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      with:
+        persist-credentials: false    
+    - id: esc-secrets
+      name: Map environment to ESC outputs
+      uses: ./.github/actions/esc-action
    - name: check if this commit needs release
      if: ${{ env.RELEASE_BOT_ENDPOINT != '' }}
      uses: pulumi/action-release-by-pr-label@main
@@ -88,10 +103,10 @@ jobs:
        command: "release-if-needed"
        repo: ${{ github.repository }}
        commit: ${{ github.sha }}
-        slack_channel: ${{ secrets.RELEASE_OPS_SLACK_CHANNEL }}
+        slack_channel: C02MGR8JVST
      env:
-        RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }}
-        RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }}
+        RELEASE_BOT_ENDPOINT: ${{ steps.esc-secrets.outputs.RELEASE_BOT_ENDPOINT }}
+        RELEASE_BOT_KEY: ${{ steps.esc-secrets.outputs.RELEASE_BOT_KEY }}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  test: