Use the standard Github generated token with elevated permissions #1099
Relates to: #1053, #1087

Moving from a central `PULUMI_BOT_TOKEN` to the GitHub Actions `permissions` block makes the workflows reusable for third-party providers. The generated `GITHUB_TOKEN` secret in each workflow instance will receive elevated permissions based on the `permissions` configuration block. To limit the blast radius of a possible error, this PR focuses on the `main|master` and `(pre)release` workflows for now. Similar changes for other workflows will come in subsequent pull requests.

Besides making the workflows more reusable for third-party providers, it also improves on the situation for rate limits tied to the central `PULUMI_BOT_TOKEN`. The generated `GITHUB_TOKEN` has much higher API rate limits on our GitHub Enterprise backed subscription for the `pulumi` organization:

Already moving the `main|master` and `(pre)release` workflows to use the `GITHUB_TOKEN` reduces the usage of the `PULUMI_BOT_TOKEN`, thus lowering the chance of bumping into a rate limit.

GitHub Docs: Controlling permissions for `GITHUB_TOKEN`

NOTE: The required permissions for the `publish` workflow are set on the calling side of the nested job instead of within the nested job. I tested setting it within `publish.yml` but it seems it is not possible anymore to elevate permissions in a nested job: https://github.com/pulumiverse/pulumi-acme/actions/runs/11181469935

The changes of this PR are validated in the following third-party packages:

- `main` run
- `release`
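The caller-side elevation the NOTE above describes, shown as an added example. This is not the PR's own workflow code and not the pulumi provider build configuration; the file names, the `version` input, the `gh release create` step and the specific permission scopes are assumptions chosen to illustrate the pattern. The shape that matters is: the caller workflow defaults the token to `permissions: {}`, the job that `uses:` the nested workflow grants exactly the scopes it needs, and the nested workflow can only keep or narrow those scopes, never widen them.

```yaml
# .github/workflows/release.yml   (caller; hypothetical file name, added example)
name: release
on:
  push:
    tags: ["v*.*.*"]

# Default for every job in this file: the generated GITHUB_TOKEN gets no
# permissions at all unless a job explicitly asks for them.
permissions: {}

jobs:
  publish:
    # Elevation has to happen here, on the calling side. A called (nested)
    # workflow can only keep or narrow the permissions it is handed.
    permissions:
      contents: write        # create the GitHub release / upload assets (assumed need)
      pull-requests: write   # illustrative; drop it if the nested jobs never need it
    uses: ./.github/workflows/publish.yml
    with:
      version: ${{ github.ref_name }}
    secrets: inherit         # GITHUB_TOKEN is always passed; other secrets need this

---
# .github/workflows/publish.yml   (nested workflow; hypothetical file name, added example)
name: publish
on:
  workflow_call:
    inputs:
      version:
        required: true
        type: string

jobs:
  create-release:
    runs-on: ubuntu-latest
    # A `permissions:` block here can only *narrow* what the caller granted.
    # Writing `contents: write` here while the caller left it at `{}` or read
    # does not elevate the token; the release step below would then fail with 403.
    permissions:
      contents: write
    steps:
      - uses: actions/checkout@v4
      - name: Show which rate-limit bucket this token is in
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh api rate_limit --jq '.resources.core'
      - name: Create the release with the job's own GITHUB_TOKEN
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh release create "v${{ inputs.version }}" --generate-notes
```

The `gh api rate_limit` step is there as a cheap check that the job is really running on the per-repository `GITHUB_TOKEN` budget rather than on a shared personal access token such as `PULUMI_BOT_TOKEN`: the `resources.core` object it prints carries the limit and remaining count for whichever token `GH_TOKEN` resolves to. Scopes granted on the caller apply to the whole nested workflow, so keep the caller's grant to the minimum the nested jobs actually use, and pin third-party actions to a commit SHA rather than a tag in production workflows.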