Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Make upgrade workflows more accessible to third parties #1128

Merged
merged 2 commits into from
Nov 26, 2024

Conversation

ringods
Copy link
Member

@ringods ringods commented Nov 5, 2024

ThePULUMI_BOT_TOKEN requirement for third parties is not very intuitive and the upgrade workflows fail without this available.

  1. Add the option to use PULUMI_PROVIDER_AUTOMATION_TOKEN instead of the PULUMI_BOT_TOKEN as a more descriptive alternative.
  2. Add fallback if no PAT is available to use the built-in GitHub Actions token. A permissions block is therefore also added to allow it to push commits, create Github issues and pull requests in the repository.

Using the built-in token has the downside that the created PR will not be automatically built because it was created by an App (see the docs for details).

Internally, we should also switch to using PULUMI_PROVIDER_AUTOMATION_TOKEN instead of PULUMI_BOT_TOKEN as it's a better name that describes its purpose better within the ever-more crowded list of org-level secrets.

Contributes to: #1087

Copy link
Member

@danielrbradley danielrbradley left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good at first glance. Will take this for a test drive before merging.

@iwahbe
Copy link
Member

iwahbe commented Nov 6, 2024

I remember taking a crack at this earlier, and hitting permission issues with publishing. If you can get it to work, then by all means merge it.

@ringods
Copy link
Member Author

ringods commented Nov 6, 2024

@iwahbe the upgrade workflows aren't publishing anything. The publishing in the release workflow is already working with GITHUB_TOKEN and elevated permissions, for instance:

https://github.com/pulumi/pulumi-cloudflare/blob/803fd6dd7d823d98cdf3e318739ed14080641def/.github/workflows/release.yml#L61-L65

@ringods ringods force-pushed the use-github-token-with-write-permissions branch from 0eaa172 to d786602 Compare November 8, 2024 08:25
danielrbradley pushed a commit to pulumi/pulumi-xyz that referenced this pull request Nov 8, 2024
@danielrbradley
Copy link
Member

danielrbradley commented Nov 8, 2024

I've set up the xyz provider to work for testing upgrade provider.

I've temporarily merged these changes into main to be able to test the upgrade bridge and provider workflows:

  • Upgrade bridge: job, PR

Edit: The changes for the provider upgrade were lost because the xyz provider didn't have the workflow enabled when this PR was opened.

It appears that the PR build is not running automatically. I think this is because GitHub actions disables auto-building for changes pushed by GitHub actions to avoid infinite loops. We need to investigate how to enable these builds.

image

@danielrbradley
Copy link
Member

From the docs:

When you use the repository's GITHUB_TOKEN to perform tasks, events triggered by the GITHUB_TOKEN, with the exception of workflow_dispatch and repository_dispatch, will not create a new workflow run. This prevents you from accidentally creating recursive workflow runs. For example, if a workflow run pushes code using the repository's GITHUB_TOKEN, a new workflow will not run even when the repository contains a workflow configured to run when push events occur.

The recommendation on this docs page is to use a PAT when pushing PRs which should trigger a workflow. Perhaps as an in-between we should use the BOT token when creating the pull request, if it's available, but fall back to the built-in token for third parties who haven't set this up yet.

Alternatively, we might be able to use a workflow_dispatch or repository_dispatch to run the acceptance tests directly, and allow the manual sentinel check to be written back to the correct PR, but this will require a little more engineering. One downside of this approach is that it won't give direct access to the job details on the PR if specific parts fail.

@danielrbradley
Copy link
Member

The GITHUB_TOKEN does not have scopes to create repository_dispatch or workflow_dispatch events, so we're back to requiring a PAT at some point here.

I think we might just have to gate the step for the creation of the PR on the PAT being set up. We could allow a less pulumi-bot specific secret name to be used instead. If third parties don't want to configure the PAT, then their only other option is to periodically run the upgrade job locally.

@ringods ringods changed the title Use GITHUB_TOKEN with elevated permissions Use PAT named UPGRADE_PROVIDER_TOKEN Nov 13, 2024
@ringods ringods force-pushed the use-github-token-with-write-permissions branch from d2a9176 to a13e572 Compare November 13, 2024 17:12
@ringods
Copy link
Member Author

ringods commented Nov 13, 2024

@danielrbradley @t0yv0 @iwahbe linking back to Daniel's comment here: #1128 (comment)

I would like to settle on the name of the PAT token so I can test this upfront using a Pulumiverse provider. Since I don't have admin access anymore on Pulumiverse, I have to ask approval to the Pulumiverse GH org admins when using a fine-grained PAT.

Here are my suggestions:

  • PULUMI_PROVIDER_AUTO_PR_TOKEN
  • PULUMI_PROVIDER_AUTOMATION_TOKEN

I personally don't mind a longer name if it explains better what it is for.

@danielrbradley
Copy link
Member

PULUMI_PROVIDER_AUTOMATION_TOKEN is pretty nice

@ringods ringods changed the title Use PAT named UPGRADE_PROVIDER_TOKEN Use PAT named PULUMI_PROVIDER_AUTOMATION_TOKEN Nov 14, 2024
@ringods ringods force-pushed the use-github-token-with-write-permissions branch from a13e572 to 1b11bec Compare November 14, 2024 16:59
@t0yv0
Copy link
Member

t0yv0 commented Nov 14, 2024

Folks I'm summoned to review but I don't have a good handle on what's going on here. NO objection from me if it keeps working for the Pulumi providers builds 🙏

ringods added a commit to pulumiverse/pulumi-acme that referenced this pull request Nov 15, 2024
ringods added a commit to pulumiverse/pulumi-cockroach that referenced this pull request Nov 15, 2024
ringods added a commit to pulumiverse/pulumi-grafana that referenced this pull request Nov 15, 2024
ringods added a commit to pulumiverse/pulumi-matchbox that referenced this pull request Nov 15, 2024
ringods added a commit to pulumiverse/pulumi-scaleway that referenced this pull request Nov 15, 2024
ringods added a commit to pulumiverse/pulumi-unifi that referenced this pull request Nov 15, 2024
@ringods
Copy link
Member Author

ringods commented Nov 22, 2024

Verification of a succesful run:

  • A PAT linked to my GH account is configured as PULUMI_PROVIDER_AUTOMATION_TOKEN
  • The Upgrade Provider workflow ran succesfully for the Pulumiverse Cockroach provider.
  • It resulted in PR #55
  • By using a PAT, also the Run Acceptance Tests workflow was correctly started.

@danielrbradley
Copy link
Member

Testing with no new version to upgrade to: https://github.com/pulumi/pulumi-xyz/actions/runs/11975610349/job/33389373072

Currently, something is not working as it's never detecting the new upstream version.

The token needs to have repository scoped permissions to:
- **Read** access to actions, commit statuses, metadata, and secrets
- **Read** and **Write** access to code, issues, pull requests, and workflows
@ringods ringods force-pushed the use-github-token-with-write-permissions branch from 1b11bec to 29af6e0 Compare November 25, 2024 09:46
Copy link
Member

@iwahbe iwahbe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I havn't been following very well. @ringods Are you still developing here or is this ready for review?

@ringods
Copy link
Member Author

ringods commented Nov 25, 2024

@iwahbe this is ready for review. This works for me for my Pulumiverse providers, but it should still be tested on a Pulumi-managed provider.

@danielrbradley
Copy link
Member

danielrbradley commented Nov 26, 2024

Next test, I've opened a PR (#148) in pulumi-tf-bridge-boilerplate.

I've then started the upgrade-provider job manually from that temporary branch.

There was an existing upgrade PR that was opened last night. This was not modified by the run.

I've closed the existing PR, deleted the branch and retried the upgrade-provider job from the temporary branch.

This second run correctly opened a new PR 🎉

Copy link
Member

@danielrbradley danielrbradley left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After testing via the TF bridge boilerplate this looks to be functional 👍

@danielrbradley danielrbradley changed the title Use PAT named PULUMI_PROVIDER_AUTOMATION_TOKEN Make upgrade workflows more accessible to third parties Nov 26, 2024
@danielrbradley
Copy link
Member

@iwahbe I think this is good to go. I've updated the description and title. I'll merge this afternoon, but wanted to give you the opportunity in case you've got any thoughts to add before this ships.

@danielrbradley danielrbradley requested review from iwahbe and a team November 26, 2024 11:27
Copy link
Member

@iwahbe iwahbe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If it works (and we've tested it), it looks good to me.

@ringods ringods added this pull request to the merge queue Nov 26, 2024
Merged via the queue into master with commit 3211fa3 Nov 26, 2024
7 checks passed
@ringods ringods deleted the use-github-token-with-write-permissions branch November 26, 2024 16:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants