Update vulnerable dependencies to v25.0.6+incompatible [SECURITY] #1318
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt | |
name: run-acceptance-tests | |
on: | |
pull_request: | |
paths-ignore: | |
- CHANGELOG.md | |
repository_dispatch: | |
types: | |
- run-acceptance-tests-command | |
env: | |
PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }} | |
ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e | |
ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }} | |
ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1 | |
ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7 | |
AWS_REGION: us-west-2 | |
AZURE_LOCATION: westus | |
DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }} | |
DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: [email protected] | |
GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci | |
GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci | |
GOOGLE_PROJECT: pulumi-ci-gcp-provider | |
GOOGLE_PROJECT_NUMBER: "895284651812" | |
GOOGLE_REGION: us-central1 | |
GOOGLE_ZONE: us-central1-a | |
NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }} | |
NPM_TOKEN: ${{ secrets.NPM_TOKEN }} | |
NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }} | |
PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }} | |
PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }} | |
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} | |
PULUMI_API: https://api.pulumi-staging.io | |
PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/.. | |
PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget | |
PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }} | |
PYPI_USERNAME: __token__ | |
SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }} | |
SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }} | |
SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }} | |
TF_APPEND_USER_AGENT: pulumi | |
# This should cancel any previous runs of the same workflow on the same branch which are still running. | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
prerequisites: | |
if: github.event_name == 'repository_dispatch' || | |
github.event.pull_request.head.repo.full_name == github.repository | |
permissions: | |
pull-requests: write | |
uses: ./.github/workflows/prerequisites.yml | |
secrets: inherit | |
with: | |
default_branch: ${{ github.event.repository.default_branch }} | |
is_pr: ${{ github.event_name == 'pull_request' }} | |
is_automated: ${{ github.actor == 'dependabot[bot]' }} | |
build_provider: | |
uses: ./.github/workflows/build_provider.yml | |
needs: prerequisites | |
secrets: inherit | |
with: | |
version: ${{ needs.prerequisites.outputs.version }} | |
build_sdk: | |
if: github.event_name == 'repository_dispatch' || | |
github.event.pull_request.head.repo.full_name == github.repository | |
name: build_sdk | |
needs: prerequisites | |
uses: ./.github/workflows/build_sdk.yml | |
secrets: inherit | |
with: | |
version: ${{ needs.prerequisites.outputs.version }} | |
comment-notification: | |
if: github.event_name == 'repository_dispatch' | |
name: comment-notification | |
permissions: | |
pull-requests: write | |
runs-on: ubuntu-latest | |
steps: | |
- id: run-url | |
name: Create URL to the run output | |
run: echo "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> "$GITHUB_OUTPUT" | |
- name: Update with Result | |
uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0 | |
with: | |
body: "Please view the PR build: ${{ steps.run-url.outputs.run-url }}" | |
issue-number: ${{ github.event.client_payload.github.payload.issue.number }} | |
repository: ${{ github.event.client_payload.github.payload.repository.full_name }} | |
token: ${{ secrets.GITHUB_TOKEN }} | |
lint: | |
if: github.event_name == 'repository_dispatch' || | |
github.event.pull_request.head.repo.full_name == github.repository | |
name: lint | |
uses: ./.github/workflows/lint.yml | |
secrets: inherit | |
sentinel: | |
name: sentinel | |
if: github.event_name == 'repository_dispatch' || | |
github.event.pull_request.head.repo.full_name == github.repository | |
permissions: | |
statuses: write | |
needs: | |
- test | |
- build_provider | |
- license_check | |
- lint | |
runs-on: ubuntu-latest | |
steps: | |
- uses: guibranco/github-status-action-v2@0849440ec82c5fa69b2377725b9b7852a3977e76 # v1.1.13 | |
with: | |
authToken: ${{secrets.GITHUB_TOKEN}} | |
# Write an explicit status check called "Sentinel" which will only pass if this code really runs. | |
# This should always be a required check for PRs. | |
context: 'Sentinel' | |
description: 'All required checks passed' | |
state: 'success' | |
# Write to the PR commit SHA if it's available as we don't want the merge commit sha, | |
# otherwise use the current SHA for any other type of build. | |
sha: ${{ github.event.pull_request.head.sha || github.sha }} | |
test: | |
if: github.event_name == 'repository_dispatch' || | |
github.event.pull_request.head.repo.full_name == github.repository | |
name: test | |
needs: | |
- prerequisites | |
- build_sdk | |
permissions: | |
contents: read | |
id-token: write | |
runs-on: ubuntu-latest | |
env: | |
PROVIDER_VERSION: ${{ needs.prerequisites.outputs.version }} | |
steps: | |
- name: Checkout Repo | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
ref: ${{ env.PR_COMMIT_SHA }} | |
persist-credentials: false | |
- name: Checkout p/examples | |
if: matrix.testTarget == 'pulumiExamples' | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
repository: pulumi/examples | |
path: p-examples | |
- name: Setup tools | |
uses: ./.github/actions/setup-tools | |
with: | |
tools: pulumictl, pulumicli, ${{ matrix.language }} | |
- name: Prepare local workspace | |
run: make prepare_local_workspace | |
- name: Download bin | |
uses: ./.github/actions/download-bin | |
- name: Download SDK | |
uses: ./.github/actions/download-sdk | |
with: | |
language: ${{ matrix.language }} | |
- name: Restore makefile progress | |
run: make --touch provider schema build_${{ matrix.language }} | |
- name: Update path | |
run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH" | |
- name: Install Python deps | |
if: matrix.language == 'python' | |
run: |- | |
pip3 install virtualenv==20.0.23 | |
pip3 install pipenv | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws-region: ${{ env.AWS_REGION }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
role-duration-seconds: 7200 | |
role-session-name: docker@githubActions | |
role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }} | |
- name: Authenticate to Google Cloud | |
uses: google-github-actions/auth@6fc4af4b145ae7821d527454aa9bd537d1f2dc5f # v2.1.7 | |
with: | |
service_account: ${{ env.GOOGLE_CI_SERVICE_ACCOUNT_EMAIL }} | |
workload_identity_provider: projects/${{ env.GOOGLE_PROJECT_NUMBER | |
}}/locations/global/workloadIdentityPools/${{ | |
env.GOOGLE_CI_WORKLOAD_IDENTITY_POOL }}/providers/${{ | |
env.GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER }} | |
- name: Setup gcloud auth | |
uses: google-github-actions/setup-gcloud@6189d56e4096ee891640bb02ac264be376592d6a # v2.1.2 | |
with: | |
install_components: gke-gcloud-auth-plugin | |
- name: Login to Google Cloud Registry | |
run: gcloud --quiet auth configure-docker | |
- name: Install dependencies | |
run: make install_${{ matrix.language}}_sdk | |
- name: Install gotestfmt | |
uses: GoTestTools/gotestfmt-action@v2 | |
with: | |
token: ${{ secrets.GITHUB_TOKEN }} | |
version: v2.5.0 | |
- name: Setup SSH key | |
uses: webfactory/[email protected] | |
with: | |
ssh-private-key: ${{ secrets.PRIVATE_SSH_KEY_FOR_DIGITALOCEAN }} | |
- name: Run tests | |
if: matrix.testTarget == 'local' | |
run: cd examples && go test -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -skip TestPulumiExamples -parallel 4 . | |
- name: Run pulumi/examples tests | |
if: matrix.testTarget == 'pulumiExamples' | |
run: cd examples && go test -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -run TestPulumiExamples -parallel 4 . | |
strategy: | |
fail-fast: false | |
matrix: | |
language: | |
- nodejs | |
- python | |
- dotnet | |
- go | |
- java | |
testTarget: [local] | |
license_check: | |
name: License Check | |
uses: ./.github/workflows/license.yml | |
secrets: inherit |