1+ permissions : write-all # Equivalent to default permissions plus id-token: write
2+ env :
3+ ESC_ACTION_OIDC_AUTH : true
4+ ESC_ACTION_OIDC_ORGANIZATION : pulumi
5+ ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE : urn:pulumi:token-type:access_token:organization
6+ ESC_ACTION_ENVIRONMENT : imports/github-secrets
7+ ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES : false
18name : Test examples
29on :
310 pull_request :
1825 id-token : write
1926 contents : read
2027 steps :
28+ - name : Fetch secrets from ESC
29+ id : esc-secrets
30+ uses : pulumi/esc-action@v1
2131 - uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
2232
2333 - name : Set up the environment
2636 with :
2737 aws-access-key-id : ${{ secrets.AWS_ACCESS_KEY_ID }}
2838 aws-secret-access-key : ${{ secrets.AWS_SECRET_ACCESS_KEY }}
29- aws-role-to-assume : ${{ secrets.AWS_CI_ROLE_ARN }}
39+ aws-role-to-assume : ${{ steps.esc- secrets.outputs .AWS_CI_ROLE_ARN }}
3040 github-token : ${{ secrets.GITHUB_TOKEN }}
3141
3242 - name : Lint
4050 id-token : write
4151 contents : read
4252 steps :
53+ - name : Fetch secrets from ESC
54+ id : esc-secrets
55+ uses : pulumi/esc-action@v1
4356 - uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
4457
4558 - name : Set up the environment
4861 with :
4962 aws-access-key-id : ${{ secrets.AWS_ACCESS_KEY_ID }}
5063 aws-secret-access-key : ${{ secrets.AWS_SECRET_ACCESS_KEY }}
51- aws-role-to-assume : ${{ secrets.AWS_CI_ROLE_ARN }}
64+ aws-role-to-assume : ${{ steps.esc- secrets.outputs .AWS_CI_ROLE_ARN }}
5265 github-token : ${{ secrets.GITHUB_TOKEN }}
5366
5467 - name : unit tests
7083 - name : Set up Python
7184 uses : actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
7285 with :
73- python-version : 3.9 # Adjust the version as needed
86+ python-version : 3.9 # Adjust the version as needed
7487
7588 # Step 3: Install Make (already installed on Ubuntu, but explicit just in case)
7689 - name : Ensure Make is Installed
90103 id-token : write
91104 contents : read
92105 steps :
106+ - name : Fetch secrets from ESC
107+ id : esc-secrets
108+ uses : pulumi/esc-action@v1
93109 - uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
94110
95111 - name : Set up the environment
98114 with :
99115 aws-access-key-id : ${{ secrets.AWS_ACCESS_KEY_ID }}
100116 aws-secret-access-key : ${{ secrets.AWS_SECRET_ACCESS_KEY }}
101- aws-role-to-assume : ${{ secrets.AWS_CI_ROLE_ARN }}
117+ aws-role-to-assume : ${{ steps.esc- secrets.outputs .AWS_CI_ROLE_ARN }}
102118 github-token : ${{ secrets.GITHUB_TOKEN }}
103119
104120 - name : unit tests
@@ -114,6 +130,9 @@ jobs:
114130 id-token : write
115131 contents : read
116132 steps :
133+ - name : Fetch secrets from ESC
134+ id : esc-secrets
135+ uses : pulumi/esc-action@v1
117136 - uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
118137
119138 - name : Set up the environment
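Review bot: `uses: pulumi/esc-action@v1` references a mutable major tag, while every other action in this file is pinned to a full commit SHA with a version comment (for example `actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4`), and the step that retrieves every credential the job uses is exactly the one where tag mutability matters most. Pin it the same way, `uses: pulumi/esc-action@<full-commit-sha> # v1`, here and in the identical step added at the hunks ending on the `Set up the environment`/`Free Disk Space` lines below. Related least-privilege point visible at the top of the page: the workflow-level `permissions: write-all` grants every scope to any job that does not declare its own block, whereas the jobs shown narrow to `id-token: write` and `contents: read`; a workflow-level block of just those two scopes would match the intent stated in that line's comment. The enclosing job starts outside the hunk.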
@@ -122,7 +141,7 @@ jobs:
122141 with :
123142 aws-access-key-id : ${{ secrets.AWS_ACCESS_KEY_ID }}
124143 aws-secret-access-key : ${{ secrets.AWS_SECRET_ACCESS_KEY }}
125- aws-role-to-assume : ${{ secrets.AWS_CI_ROLE_ARN }}
144+ aws-role-to-assume : ${{ steps.esc- secrets.outputs .AWS_CI_ROLE_ARN }}
126145 github-token : ${{ secrets.GITHUB_TOKEN }}
127146
128147 - name : unit tests
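Review bot: Only `aws-role-to-assume` moves to the ESC output in this `with:` block; `aws-access-key-id` and `aws-secret-access-key` still come from `secrets.*`, so the job keeps depending on long-lived static AWS keys in GitHub secrets next to the OIDC-backed ESC path, and the same partial migration appears in the three later `with:` hunks ending on `- name : unit tests` and `- name : Set up Minikube`. Either source those two from the ESC environment as well, or add a comment above them stating why they must remain GitHub secrets. The rendered expression `steps.esc- secrets.outputs .AWS_CI_ROLE_ARN` looks like a display artifact; if those spaces are actually in the file the expression will fail at workflow parse time, so the committed text should read `${{ steps.esc-secrets.outputs.AWS_CI_ROLE_ARN }}`. The enclosing step starts outside the hunk.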
@@ -136,6 +155,9 @@ jobs:
136155 id-token : write
137156 contents : read
138157 steps :
158+ - name : Fetch secrets from ESC
159+ id : esc-secrets
160+ uses : pulumi/esc-action@v1
139161 - uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
140162
141163 - name : Set up the environment
@@ -144,7 +166,7 @@ jobs:
144166 with :
145167 aws-access-key-id : ${{ secrets.AWS_ACCESS_KEY_ID }}
146168 aws-secret-access-key : ${{ secrets.AWS_SECRET_ACCESS_KEY }}
147- aws-role-to-assume : ${{ secrets.AWS_CI_ROLE_ARN }}
169+ aws-role-to-assume : ${{ steps.esc- secrets.outputs .AWS_CI_ROLE_ARN }}
148170 github-token : ${{ secrets.GITHUB_TOKEN }}
149171
150172 - name : unit tests
@@ -169,13 +191,16 @@ jobs:
169191
170192 steps :
171193 # Run as first step so we don't delete things that have just been installed
194+ - name : Fetch secrets from ESC
195+ id : esc-secrets
196+ uses : pulumi/esc-action@v1
172197 - name : Free Disk Space (Ubuntu)
173198 uses : jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
174199 with :
175200 tool-cache : false
176201 swap-storage : false
177202 dotnet : false
178-
203+
179204 - uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
180205
181206 - name : Set up the environment
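Review bot: The comment `# Run as first step so we don't delete things that have just been installed` now sits above the inserted `Fetch secrets from ESC` step rather than the `Free Disk Space (Ubuntu)` step it describes, and that step is no longer first, which is what the comment says it must be. Either move the three ESC lines below the `Free Disk Space (Ubuntu)` step (the secrets are not needed until `Set up the environment`), or move the comment down so it stays attached to the step it explains. The remaining change in this hunk is the blank line at old 178 / new 203 and is whitespace only.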
@@ -184,7 +209,7 @@ jobs:
184209 with :
185210 aws-access-key-id : ${{ secrets.AWS_ACCESS_KEY_ID }}
186211 aws-secret-access-key : ${{ secrets.AWS_SECRET_ACCESS_KEY }}
187- aws-role-to-assume : ${{ secrets.AWS_CI_ROLE_ARN }}
212+ aws-role-to-assume : ${{ steps.esc- secrets.outputs .AWS_CI_ROLE_ARN }}
188213 github-token : ${{ secrets.GITHUB_TOKEN }}
189214
190215 - name : Run tests
@@ -194,20 +219,20 @@ jobs:
194219 AWS_SECRET_ACCESS_KEY : ${{ steps.setup.outputs.aws-secret-access-key }}
195220 AWS_SESSION_TOKEN : ${{ steps.setup.outputs.aws-session-token }}
196221 AWS_REGION : ${{ steps.setup.outputs.aws-region }}
197- ARM_CLIENT_ID : ${{ secrets.ARM_CLIENT_ID }}
198- ARM_CLIENT_SECRET : ${{ secrets.ARM_CLIENT_SECRET }}
222+ ARM_CLIENT_ID : ${{ steps.esc- secrets.outputs .ARM_CLIENT_ID }}
223+ ARM_CLIENT_SECRET : ${{ steps.esc- secrets.outputs .ARM_CLIENT_SECRET }}
199224 ARM_ENVIRONMENT : public
200225 ARM_LOCATION : westus
201- ARM_SUBSCRIPTION_ID : ${{ secrets.ARM_SUBSCRIPTION_ID }}
202- ARM_TENANT_ID : ${{ secrets.ARM_TENANT_ID }}
226+ ARM_SUBSCRIPTION_ID : ${{ steps.esc- secrets.outputs .ARM_SUBSCRIPTION_ID }}
227+ ARM_TENANT_ID : ${{ steps.esc- secrets.outputs .ARM_TENANT_ID }}
203228 GOOGLE_PROJECT : ${{ steps.setup.outputs.google-project-name }}
204229 GOOGLE_REGION : ${{ steps.setup.outputs.google-region }}
205230 GOOGLE_ZONE : ${{ steps.setup.outputs.google-zone }}
206- DIGITALOCEAN_TOKEN : ${{ secrets.DIGITALOCEAN_TOKEN }}
207- PACKET_AUTH_TOKEN : ${{ secrets.PACKET_AUTH_TOKEN }}
208- PULUMI_ACCESS_TOKEN : ${{ secrets.PULUMI_ACCESS_TOKEN }}
231+ DIGITALOCEAN_TOKEN : ${{ steps.esc- secrets.outputs .DIGITALOCEAN_TOKEN }}
232+ PACKET_AUTH_TOKEN : ${{ steps.esc- secrets.outputs .PACKET_AUTH_TOKEN }}
233+ PULUMI_ACCESS_TOKEN : ${{ steps.esc- secrets.outputs .PULUMI_ACCESS_TOKEN }}
209234 PULUMI_API : https://api.pulumi-staging.io
210- SLACK_WEBHOOK_URL : ${{ secrets.SLACK_WEBHOOK_URL }}
235+ SLACK_WEBHOOK_URL : ${{ steps.esc- secrets.outputs .SLACK_WEBHOOK_URL }}
211236
212237 strategy :
213238 fail-fast : false
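Review bot: `ARM_CLIENT_SECRET`, `DIGITALOCEAN_TOKEN`, `PACKET_AUTH_TOKEN`, `PULUMI_ACCESS_TOKEN` and `SLACK_WEBHOOK_URL` are now read from step outputs instead of `secrets.*`, and the runner does not redact step outputs on its own; they are only masked if the producing action registered each value with `::add-mask::`. Confirm that `pulumi/esc-action` does this for values marked secret in the ESC environment before merging, and record the assumption next to the step, e.g. `# esc-action masks secret outputs; values below are redacted in logs — confirmed <date>`, otherwise these values can surface in job logs. Keeping `ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: false` (top of page) and passing only the needed outputs into this step's `env:` is the right shape, so the same check covers the `PULUMI_ACCESS_TOKEN` line in the last hunk. The enclosing step starts outside the hunk.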
@@ -236,6 +261,9 @@ jobs:
236261 contents : read
237262
238263 steps :
264+ - name : Fetch secrets from ESC
265+ id : esc-secrets
266+ uses : pulumi/esc-action@v1
239267 - uses : actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
240268
241269 - name : Set up the environment
@@ -244,7 +272,7 @@ jobs:
244272 with :
245273 aws-access-key-id : ${{ secrets.AWS_ACCESS_KEY_ID }}
246274 aws-secret-access-key : ${{ secrets.AWS_SECRET_ACCESS_KEY }}
247- aws-role-to-assume : ${{ secrets.AWS_CI_ROLE_ARN }}
275+ aws-role-to-assume : ${{ steps.esc- secrets.outputs .AWS_CI_ROLE_ARN }}
248276 github-token : ${{ secrets.GITHUB_TOKEN }}
249277
250278 - name : Set up Minikube
@@ -281,6 +309,6 @@ jobs:
281309 AWS_SECRET_ACCESS_KEY : ${{ steps.setup.outputs.aws-secret-access-key }}
282310 AWS_SESSION_TOKEN : ${{ steps.setup.outputs.aws-session-token }}
283311 AWS_REGION : ${{ steps.setup.outputs.aws-region }}
284- PULUMI_ACCESS_TOKEN : ${{ secrets.PULUMI_ACCESS_TOKEN }}
312+ PULUMI_ACCESS_TOKEN : ${{ steps.esc- secrets.outputs .PULUMI_ACCESS_TOKEN }}
285313 PULUMI_API : https://api.pulumi-staging.io
286314 INFRA_STACK_NAME : ${{ github.sha }}-${{ github.run_number }}