
Use the standard Github generated token with elevated permissions #1099

@ringods ringods commented Oct 8, 2024

Relates to: #1053, #1087

Moving from a central PULUMI_BOT_TOKEN to the Github Actions permissions block makes the workflows reusable for third party providers. The generated GITHUB_TOKEN secret in each workflow instance will receive elevated permissions based on the permissions configuration block. To limit the blast radius of a possible error, this PR focuses on the main|master and (pre)release workflows for now. Similar changes for other workflows will come in subsequent pull requests.

Besides making the workflows more reusable for third-party providers, it also improves on the situation for rate limits tied to the central PULUMI_BOT_TOKEN. The generated GITHUB_TOKEN has much higher API rate limits on our GitHub Enterprise-backed subscription for the pulumi organization:

The rate limit for GITHUB_TOKEN is 1,000 requests per hour per repository. For requests to resources that belong to a GitHub Enterprise Cloud account, the limit is 15,000 requests per hour per repository.

Moving the main|master and (pre)release workflows to use the GITHUB_TOKEN already reduces the usage of the PULUMI_BOT_TOKEN, lowering the chance of bumping into a rate limit.

Github Docs: Controlling permissions for GITHUB_TOKEN

NOTE: The required permissions for the publish workflow are set on the calling side of the nested job instead of within the nested job. I tested setting it within publish.yml but it seems it is not possible anymore to elevate permissions in a nested job: https://github.com/pulumiverse/pulumi-acme/actions/runs/11181469935

The changes of this PR are validated in the following third-party packages:

| Package | Commit with changes from this PR | Green main run | Green release |
|---|---|---|---|
| pulumiverse/pulumi-acme | 33e7fa5 | 11182399934 | 11182413642 |
| pulumiverse/pulumi-matchbox | f370a12 | 11232745061 | 11182413642 |
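The arrangement the NOTE above describes, as an added example that is not part of this PR or of the project's own workflows: the calling job elevates the run-scoped GITHUB_TOKEN through its `permissions` block, and the nested `publish.yml` only consumes that token, since a called reusable workflow can downgrade the permissions it receives but never raise them. The file names, the trigger and the exact scopes (`contents`, `pull-requests`) are assumptions, not the scopes the PR actually sets.

```yaml
# .github/workflows/release.yml  (caller; hypothetical file name)
name: release
on:
  push:
    tags: ["v*.*.*"]

# No org-wide bot token: every job starts with no permissions, and only the
# job that needs more elevates the per-run GITHUB_TOKEN.
permissions: {}

jobs:
  publish:
    # Elevate on the calling side. A called reusable workflow can only
    # downgrade what it is handed, so listing extra scopes inside
    # publish.yml does not grant them.
    permissions:
      contents: write       # assumed: create the GitHub release
      pull-requests: write  # assumed: update/comment on release PRs
    uses: ./.github/workflows/publish.yml
    secrets: inherit        # nothing to pass: no PULUMI_BOT_TOKEN needed

---
# .github/workflows/publish.yml  (called / nested reusable workflow)
name: publish
on:
  workflow_call:

jobs:
  release:
    runs-on: ubuntu-latest
    # Optional: narrow further here. Anything beyond the caller's grant
    # cannot take effect, which is why elevating in the nested job fails.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - name: Create release with the run-scoped token
        env:
          # before this change: GH_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
          # (a shared PAT with one org-wide rate-limit budget)
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh release create "$GITHUB_REF_NAME" --generate-notes
```

The `permissions: {}` default at the top means a job that forgets to elevate fails closed instead of inheriting write access, which keeps the blast radius of a mistake limited to the one job that opted in.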

@danielrbradley
Merging as this is a fairly small area of impact. Merging will release the xyz provider to prove this is all functional. If that release fails, we'll roll this back.

@danielrbradley danielrbradley added this pull request to the merge queue Oct 15, 2024
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to no response for status checks Oct 15, 2024
@ringods ringods force-pushed the from-bot-token-to-per-workflow-generated-token-for-main-and-release branch from 00de0c3 to 0d3e479 October 15, 2024 11:25
@danielrbradley danielrbradley added this pull request to the merge queue Oct 15, 2024
Merged via the queue into master with commit a93c701 Oct 15, 2024
6 checks passed
@danielrbradley danielrbradley deleted the from-bot-token-to-per-workflow-generated-token-for-main-and-release branch October 15, 2024 12:51