Run tests for thirdparty packages (#1102)

I moved `run-acceptance-tests.yml` in #1084 to the `pulumi-provider`
folder as I thought it was Pulumi Corp specific. I'm moving this back to
`bridged-provider` folder because it is also needed for third-party
provider packages. The workflow is updated to use the `GITHUB_TOKEN`
with elevated permissions for commenting on the PR.

provider-ci/internal/pkg/templates/pulumi-provider/.github/workflows/run-acceptance-tests.yml → provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/run-acceptance-tests.yml

@@ -1,5 +1,15 @@
 # WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
 
+name: run-acceptance-tests
+
+on:
+  pull_request:
+    paths-ignore:
+    - CHANGELOG.md
+  repository_dispatch:
+    types:
+    - run-acceptance-tests-command
+
 env:
   PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }}
 #{{ .Config.env | toYaml | indent 2 }}#
@@ -8,6 +18,7 @@ env:
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
+
 jobs:
   prerequisites:
     if: github.event_name == 'repository_dispatch' ||
@@ -39,6 +50,8 @@ jobs:
   comment-notification:
     if: github.event_name == 'repository_dispatch'
     name: comment-notification
+    permissions:
+      pull-requests: write
     runs-on: #{{ .Config.runner.default }}#
     steps:
     - id: run-url
@@ -50,7 +63,7 @@ jobs:
         body: "Please view the PR build: ${{ steps.run-url.outputs.run-url }}"
         issue-number: ${{ github.event.client_payload.github.payload.issue.number }}
         repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
-        token: ${{ secrets.PULUMI_BOT_TOKEN }}
+        token: ${{ secrets.GITHUB_TOKEN }}
   #{{ if .Config.lint -}}#
   lint:
     if: github.event_name == 'repository_dispatch' ||
@@ -230,11 +243,3 @@ jobs:
 #{{- if .Config.extraTests }}#
 #{{ .Config.extraTests | toYaml | indent 2 }}#
 #{{ end }}#
-name: run-acceptance-tests
-on:
-  pull_request:
-    paths-ignore:
-    - CHANGELOG.md
-  repository_dispatch:
-    types:
-    - run-acceptance-tests-command

provider-ci/test-providers/acme/.github/workflows/run-acceptance-tests.yml

@@ -0,0 +1,180 @@
+# WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
+
+name: run-acceptance-tests
+
+on:
+  pull_request:
+    paths-ignore:
+    - CHANGELOG.md
+  repository_dispatch:
+    types:
+    - run-acceptance-tests-command
+
+env:
+  PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }}
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
+  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
+  PULUMI_API: https://api.pulumi-staging.io
+  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
+  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+  PYPI_USERNAME: __token__
+  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
+  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
+  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
+  TF_APPEND_USER_AGENT: pulumi
+
+# This should cancel any previous runs of the same workflow on the same branch which are still running.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  prerequisites:
+    if: github.event_name == 'repository_dispatch' ||
+      github.event.pull_request.head.repo.full_name == github.repository
+    uses: ./.github/workflows/prerequisites.yml
+    secrets: inherit
+    with:
+      default_branch: ${{ github.event.repository.default_branch }}
+      is_pr: ${{ github.event_name == 'pull_request' }}
+      is_automated: ${{ github.actor == 'dependabot[bot]' }}
+
+  build_provider:
+    uses: ./.github/workflows/build_provider.yml
+    needs: prerequisites
+    secrets: inherit
+    with:
+      version: ${{ needs.prerequisites.outputs.version }}
+
+  build_sdk:
+    if: github.event_name == 'repository_dispatch' ||
+      github.event.pull_request.head.repo.full_name == github.repository
+    name: build_sdk
+    needs: prerequisites
+    uses: ./.github/workflows/build_sdk.yml
+    secrets: inherit
+    with:
+      version: ${{ needs.prerequisites.outputs.version }}
+
+  comment-notification:
+    if: github.event_name == 'repository_dispatch'
+    name: comment-notification
+    permissions:
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+    - id: run-url
+      name: Create URL to the run output
+      run: echo "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> "$GITHUB_OUTPUT"
+    - name: Update with Result
+      uses: peter-evans/create-or-update-comment@v1
+      with:
+        body: "Please view the PR build: ${{ steps.run-url.outputs.run-url }}"
+        issue-number: ${{ github.event.client_payload.github.payload.issue.number }}
+        repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
+        token: ${{ secrets.GITHUB_TOKEN }}
+  lint:
+    if: github.event_name == 'repository_dispatch' ||
+      github.event.pull_request.head.repo.full_name == github.repository
+    name: lint
+    uses: ./.github/workflows/lint.yml
+    secrets: inherit
+  sentinel:
+    name: sentinel
+    if: github.event_name == 'repository_dispatch' ||
+      github.event.pull_request.head.repo.full_name == github.repository
+    needs:
+    - test
+    - build_provider
+    - license_check
+    - lint
+    runs-on: ubuntu-latest
+    steps:
+    - uses: guibranco/github-status-action-v2@0849440ec82c5fa69b2377725b9b7852a3977e76
+      with:
+        authToken: ${{secrets.GITHUB_TOKEN}}
+        # Write an explicit status check called "Sentinel" which will only pass if this code really runs.
+        # This should always be a required check for PRs.
+        context: 'Sentinel'
+        description: 'All required checks passed'
+        state: 'success'
+        # Write to the PR commit SHA if it's available as we don't want the merge commit sha,
+        # otherwise use the current SHA for any other type of build.
+        sha: ${{ github.event.pull_request.head.sha || github.sha }}
+
+  test:
+    if: github.event_name == 'repository_dispatch' ||
+      github.event.pull_request.head.repo.full_name == github.repository
+    name: test
+    needs:
+      - prerequisites
+      - build_sdk
+    permissions:
+      contents: read
+      id-token: write
+    runs-on: ubuntu-latest
+    env:
+      PROVIDER_VERSION: ${{ needs.prerequisites.outputs.version }}
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@v4
+      with:
+        ref: ${{ env.PR_COMMIT_SHA }}
+    - name: Checkout p/examples
+      if: matrix.testTarget == 'pulumiExamples'
+      uses: actions/checkout@v4
+      with:
+        repository: pulumi/examples
+        path: p-examples
+    - name: Setup tools
+      uses: ./.github/actions/setup-tools
+      with:
+        tools: pulumictl, pulumicli, ${{ matrix.language }}
+    - name: Download bin
+      uses: ./.github/actions/download-bin
+    - name: Add NuGet source
+      if: matrix.language == 'dotnet'
+      run: dotnet nuget add source ${{ github.workspace }}/nuget
+    - name: Download SDK
+      uses: ./.github/actions/download-sdk
+      with:
+        language: ${{ matrix.language }}
+    - name: Update path
+      run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
+    - name: Install Python deps
+      if: matrix.language == 'python'
+      run: |-
+        pip3 install virtualenv==20.0.23
+        pip3 install pipenv
+    - name: Install dependencies
+      run: make install_${{ matrix.language}}_sdk
+    - name: Install gotestfmt
+      uses: GoTestTools/gotestfmt-action@v2
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+        version: v2.5.0
+    - name: Run tests
+      if: matrix.testTarget == 'local'
+      run: cd examples && go test -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -skip TestPulumiExamples -parallel 4 .
+    - name: Run pulumi/examples tests
+      if: matrix.testTarget == 'pulumiExamples'
+      run: cd examples && go test -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -run TestPulumiExamples -parallel 4 .
+    strategy:
+      fail-fast: false
+      matrix:
+        language:
+        - dotnet
+        - go
+        - nodejs
+        - python
+        testTarget: [local]
+  license_check:
+    name: License Check
+    uses: ./.github/workflows/license.yml
+    secrets: inherit

provider-ci/test-providers/aws/.github/workflows/run-acceptance-tests.yml

@@ -1,5 +1,15 @@
 # WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
 
+name: run-acceptance-tests
+
+on:
+  pull_request:
+    paths-ignore:
+    - CHANGELOG.md
+  repository_dispatch:
+    types:
+    - run-acceptance-tests-command
+
 env:
   PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }}
   AWS_REGION: us-west-2
@@ -26,6 +36,7 @@ env:
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
+
 jobs:
   prerequisites:
     if: github.event_name == 'repository_dispatch' ||
@@ -57,6 +68,8 @@ jobs:
   comment-notification:
     if: github.event_name == 'repository_dispatch'
     name: comment-notification
+    permissions:
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
     - id: run-url
@@ -68,7 +81,7 @@ jobs:
         body: "Please view the PR build: ${{ steps.run-url.outputs.run-url }}"
         issue-number: ${{ github.event.client_payload.github.payload.issue.number }}
         repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
-        token: ${{ secrets.PULUMI_BOT_TOKEN }}
+        token: ${{ secrets.GITHUB_TOKEN }}
   sentinel:
     name: sentinel
     if: github.event_name == 'repository_dispatch' ||
@@ -403,11 +416,3 @@ jobs:
               make provider-lint
       timeout-minutes: 60
 
-name: run-acceptance-tests
-on:
-  pull_request:
-    paths-ignore:
-    - CHANGELOG.md
-  repository_dispatch:
-    types:
-    - run-acceptance-tests-command

provider-ci/test-providers/cloudflare/.github/workflows/run-acceptance-tests.yml

@@ -1,5 +1,15 @@
 # WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
 
+name: run-acceptance-tests
+
+on:
+  pull_request:
+    paths-ignore:
+    - CHANGELOG.md
+  repository_dispatch:
+    types:
+    - run-acceptance-tests-command
+
 env:
   PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }}
   CLOUDFLARE_ACCOUNT_ID: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
@@ -25,6 +35,7 @@ env:
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
+
 jobs:
   prerequisites:
     if: github.event_name == 'repository_dispatch' ||
@@ -56,6 +67,8 @@ jobs:
   comment-notification:
     if: github.event_name == 'repository_dispatch'
     name: comment-notification
+    permissions:
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
     - id: run-url
@@ -67,7 +80,7 @@ jobs:
         body: "Please view the PR build: ${{ steps.run-url.outputs.run-url }}"
         issue-number: ${{ github.event.client_payload.github.payload.issue.number }}
         repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
-        token: ${{ secrets.PULUMI_BOT_TOKEN }}
+        token: ${{ secrets.GITHUB_TOKEN }}
   lint:
     if: github.event_name == 'repository_dispatch' ||
       github.event.pull_request.head.repo.full_name == github.repository
@@ -174,11 +187,3 @@ jobs:
     name: License Check
     uses: ./.github/workflows/license.yml
     secrets: inherit
-name: run-acceptance-tests
-on:
-  pull_request:
-    paths-ignore:
-    - CHANGELOG.md
-  repository_dispatch:
-    types:
-    - run-acceptance-tests-command

provider-ci/test-providers/docker/.github/workflows/run-acceptance-tests.yml

@@ -1,5 +1,15 @@
 # WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
 
+name: run-acceptance-tests
+
+on:
+  pull_request:
+    paths-ignore:
+    - CHANGELOG.md
+  repository_dispatch:
+    types:
+    - run-acceptance-tests-command
+
 env:
   PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }}
   ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
@@ -38,6 +48,7 @@ env:
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
   cancel-in-progress: true
+
 jobs:
   prerequisites:
     if: github.event_name == 'repository_dispatch' ||
@@ -69,6 +80,8 @@ jobs:
   comment-notification:
     if: github.event_name == 'repository_dispatch'
     name: comment-notification
+    permissions:
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
     - id: run-url
@@ -80,7 +93,7 @@ jobs:
         body: "Please view the PR build: ${{ steps.run-url.outputs.run-url }}"
         issue-number: ${{ github.event.client_payload.github.payload.issue.number }}
         repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
-        token: ${{ secrets.PULUMI_BOT_TOKEN }}
+        token: ${{ secrets.GITHUB_TOKEN }}
   lint:
     if: github.event_name == 'repository_dispatch' ||
       github.event.pull_request.head.repo.full_name == github.repository
@@ -208,11 +221,3 @@ jobs:
     name: License Check
     uses: ./.github/workflows/license.yml
     secrets: inherit
-name: run-acceptance-tests
-on:
-  pull_request:
-    paths-ignore:
-    - CHANGELOG.md
-  repository_dispatch:
-    types:
-    - run-acceptance-tests-command