From f3712fc20118361a28fd8acf25d5deb5ee8dbe15 Mon Sep 17 00:00:00 2001 
From: Daniel Bradley Date: Fri, 1 Nov 2024 15:33:21 +0000 Subject: [PATCH] Fix security warnings from zizmor (#1115) Experimenting with the new [zizmor tool](https://github.com/woodruffw/zizmor). There's still a number of false-positives so probably not yet worth integrating into our CI run, but have audited the current feedback. Related to: - https://github.com/pulumi/ci-mgmt/issues/1114 ## Only persist git credentials where we need to use them - Don't leave these around when we don't need to. - Explicitly set to true where we need them, with a comment highlighting why we're keeping them. - Fix a few places we weren't using the centrally managed checkout version. - Tweak the conditionals for submodules so the `with:` is always there now. ## Use of fundamentally insecure workflow trigger - `pull_request_target` These appear ok because we're just using this to comment on community PRs. These don't run builds ``` error[dangerous-triggers]: use of fundamentally insecure workflow trigger --> .github/workflows/community-moderation.yml:38:1 | 38 | / on: 39 | | pull_request_target: ... | 42 | | types: 43 | | - opened | |_____________^ pull_request_target is almost always used insecurely | ``` ``` error[dangerous-triggers]: use of fundamentally insecure workflow trigger --> .github/workflows/pull-request.yml:44:1 | 44 | / on: 45 | | pull_request_target: {} | |__________________________^ pull_request_target is almost always used insecurely | ``` ## Code injection via template expansion ``` .github/workflows/master.yml env.COVERAGE_OUTPUT_DIR may expand into attacker-controllable code ``` This is not inputtable by a third party user. ``` .github/workflows/prerequisites.yml inputs.default_branch may expand into attacker-controllable code ``` This is a workflow call (reusable workflow) and the input is always set as `github.event.repository.default_branch`. 
``` .github/workflows/upgrade-provider.yml github.event.inputs.version may expand into attacker-controllable code steps.upstream_version.outputs.latest_version may expand into attacker-controllable code github.repository may expand into attacker-controllable code steps.target_version.outputs.version may expand into attacker-controllable code ``` This can only be triggered by internal users. --- .../.github/workflows/build_provider.yml | 5 +++-- .../.github/workflows/build_sdk.yml | 5 +++-- .../bridged-provider/.github/workflows/main.yml | 10 ++++++---- .../.github/workflows/nightly-test.yml | 5 +++-- .../.github/workflows/prerelease.yml | 5 +++-- .../.github/workflows/prerequisites.yml | 7 ++++--- .../.github/workflows/publish.yml | 17 +++++++++++------ .../.github/workflows/release.yml | 5 +++-- .../.github/workflows/resync-build.yml | 7 +++++-- .../.github/workflows/run-acceptance-tests.yml | 1 + .../.github/workflows/upgrade-bridge.yml | 5 +++-- .../.github/workflows/upgrade-provider.yml | 6 ++++-- .../provider/.github/workflows/license.yml | 4 +++- .../provider/.github/workflows/lint.yml | 5 +++-- .../provider/.github/workflows/pull-request.yml | 5 +++-- .../.github/workflows/verify-release.yml | 4 +++- .../.github/workflows/command-dispatch.yml | 5 +++-- .../.github/workflows/community-moderation.yml | 5 +++-- .../.github/workflows/release_command.yml | 2 ++ .../acme/.github/workflows/build_provider.yml | 2 ++ .../acme/.github/workflows/build_sdk.yml | 2 ++ .../acme/.github/workflows/license.yml | 2 ++ .../acme/.github/workflows/lint.yml | 2 ++ .../acme/.github/workflows/main.yml | 4 ++++ .../acme/.github/workflows/prerelease.yml | 2 ++ .../acme/.github/workflows/prerequisites.yml | 4 +++- .../acme/.github/workflows/publish.yml | 9 ++++++++- .../acme/.github/workflows/pull-request.yml | 2 ++ .../acme/.github/workflows/release.yml | 2 ++ .../acme/.github/workflows/resync-build.yml | 4 ++++ .../.github/workflows/run-acceptance-tests.yml | 1 + 
.../acme/.github/workflows/upgrade-bridge.yml | 2 ++ .../acme/.github/workflows/upgrade-provider.yml | 3 +++ .../acme/.github/workflows/verify-release.yml | 2 ++ .../aws/.github/workflows/build_provider.yml | 1 + .../aws/.github/workflows/build_sdk.yml | 1 + .../aws/.github/workflows/command-dispatch.yml | 1 + .../.github/workflows/community-moderation.yml | 1 + .../aws/.github/workflows/license.yml | 2 ++ .../aws/.github/workflows/lint.yml | 1 + .../aws/.github/workflows/master.yml | 2 ++ .../aws/.github/workflows/nightly-test.yml | 1 + .../aws/.github/workflows/prerelease.yml | 1 + .../aws/.github/workflows/prerequisites.yml | 3 ++- .../aws/.github/workflows/publish.yml | 7 ++++++- .../aws/.github/workflows/pull-request.yml | 1 + .../aws/.github/workflows/release.yml | 1 + .../aws/.github/workflows/release_command.yml | 2 ++ .../aws/.github/workflows/resync-build.yml | 3 +++ .../.github/workflows/run-acceptance-tests.yml | 1 + .../aws/.github/workflows/upgrade-bridge.yml | 1 + .../aws/.github/workflows/upgrade-provider.yml | 2 ++ .../aws/.github/workflows/verify-release.yml | 2 ++ .../.github/workflows/build_provider.yml | 2 ++ .../cloudflare/.github/workflows/build_sdk.yml | 2 ++ .../.github/workflows/command-dispatch.yml | 2 ++ .../.github/workflows/community-moderation.yml | 2 ++ .../cloudflare/.github/workflows/license.yml | 2 ++ .../cloudflare/.github/workflows/lint.yml | 2 ++ .../cloudflare/.github/workflows/master.yml | 4 ++++ .../cloudflare/.github/workflows/prerelease.yml | 2 ++ .../.github/workflows/prerequisites.yml | 4 +++- .../cloudflare/.github/workflows/publish.yml | 9 ++++++++- .../.github/workflows/pull-request.yml | 2 ++ .../cloudflare/.github/workflows/release.yml | 2 ++ .../.github/workflows/release_command.yml | 2 ++ .../.github/workflows/resync-build.yml | 4 ++++ .../.github/workflows/run-acceptance-tests.yml | 1 + .../.github/workflows/upgrade-bridge.yml | 2 ++ .../.github/workflows/upgrade-provider.yml | 3 +++ 
.../.github/workflows/verify-release.yml | 2 ++ .../docker/.github/workflows/build_provider.yml | 2 ++ .../docker/.github/workflows/build_sdk.yml | 2 ++ .../.github/workflows/command-dispatch.yml | 2 ++ .../.github/workflows/community-moderation.yml | 2 ++ .../docker/.github/workflows/license.yml | 2 ++ .../docker/.github/workflows/lint.yml | 2 ++ .../docker/.github/workflows/master.yml | 4 ++++ .../docker/.github/workflows/prerelease.yml | 2 ++ .../docker/.github/workflows/prerequisites.yml | 4 +++- .../docker/.github/workflows/publish.yml | 9 ++++++++- .../docker/.github/workflows/pull-request.yml | 2 ++ .../docker/.github/workflows/release.yml | 2 ++ .../.github/workflows/release_command.yml | 2 ++ .../docker/.github/workflows/resync-build.yml | 4 ++++ .../.github/workflows/run-acceptance-tests.yml | 1 + .../docker/.github/workflows/upgrade-bridge.yml | 2 ++ .../.github/workflows/upgrade-provider.yml | 3 +++ .../docker/.github/workflows/verify-release.yml | 2 ++ 89 files changed, 236 insertions(+), 47 deletions(-) diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/build_provider.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/build_provider.yml index 15985f2934..4ce93fbb92 100644 --- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/build_provider.yml +++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/build_provider.yml @@ -40,10 +40,11 @@ jobs: #{{- end }}# - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# - #{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# - #{{- end }}# + #{{- end }}# + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: 
diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/build_sdk.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/build_sdk.yml index c183792ccf..8b23d826a2 100644 --- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/build_sdk.yml +++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/build_sdk.yml @@ -32,10 +32,11 @@ jobs: #{{- end }}# - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# -#{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# -#{{- end }}# + #{{- end }}# + persist-credentials: false - name: Cache examples generation uses: actions/cache@v4 with: diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/main.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/main.yml index 79d49ed8f2..6d5a9e7da1 100644 --- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/main.yml +++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/main.yml @@ -41,10 +41,11 @@ jobs: swap-storage: false - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# -#{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# -#{{- end }}# + #{{- end }}# + persist-credentials: false - name: Configure AWS Credentials uses: #{{ .Config.actionVersions.configureAwsCredentials }}# with: @@ -140,10 +141,11 @@ jobs: #{{- end }}# - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# -#{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# -#{{- end }}# + #{{- end }}# + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: 
diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/nightly-test.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/nightly-test.yml index eafb855640..ae9f03c9e2 100644 --- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/nightly-test.yml +++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/nightly-test.yml @@ -50,10 +50,11 @@ jobs: #{{- end }}# - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# -#{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# -#{{- end }}# + #{{- end }}# + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/prerelease.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/prerelease.yml index 34d5eaea11..2d5aba254d 100644 --- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/prerelease.yml +++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/prerelease.yml @@ -80,10 +80,11 @@ jobs: #{{- end }}# - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# -#{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# -#{{- end }}# + #{{- end }}# + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/prerequisites.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/prerequisites.yml index db68021e4a..d8cf644c5e 100644 --- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/prerequisites.yml +++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/prerequisites.yml 
@@ -38,10 +38,11 @@ jobs: #{{- end }}# - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# -#{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# -#{{- end }}# + #{{- end }}# + persist-credentials: false - uses: pulumi/provider-version-action@v1 id: provider-version with: @@ -77,7 +78,7 @@ jobs: EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) { echo "SCHEMA_CHANGES<<$EOF"; - schema-tools compare -r github://api.github.com/#{{ .Config.organization }}# -p #{{ .Config.provider }}# -o ${{ inputs.default_branch }} -n --local-path=provider/cmd/pulumi-resource-#{{ .Config.provider }}#/schema.json; + schema-tools compare -r github://api.github.com/#{{ .Config.organization }}# -p #{{ .Config.provider }}# -o "${{ inputs.default_branch }}" -n --local-path=provider/cmd/pulumi-resource-#{{ .Config.provider }}#/schema.json; echo "$EOF"; } >> "$GITHUB_ENV" - if: inputs.is_pr && inputs.is_automated == false diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/publish.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/publish.yml index 428e765482..b63c413a6b 100644 --- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/publish.yml +++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/publish.yml @@ -32,10 +32,11 @@ jobs: run: echo "Can't skip Go SDK for stable releases. This is likely a bug in the calling workflow." && exit 1 - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# -#{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# -#{{- end }}# + #{{- end }}# + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: 
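Review bot: Wrapping `${{ inputs.default_branch }}` in double quotes on the `schema-tools compare` line does not close the template-expansion finding zizmor reported, because the expression is substituted into the script text before the shell parses it, so a value containing a `"` still breaks out of the quoting. The description notes the input is always the repository default branch, so the present risk is low, but the quoting reads as a fix when it is only cosmetic. The usual remedy is environment indirection: add an `env:` entry on the step such as `DEFAULT_BRANCH: ${{ inputs.default_branch }}` (name constructed here) and use `-o "$DEFAULT_BRANCH"` in the command. The same pattern applies to the quoted `${{ inputs.version }}` in the checksums step of publish.yml and to the rendered test-provider copies of both files.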
@@ -63,7 +64,7 @@ jobs: merge-multiple: true - name: Calculate checksums working-directory: dist - run: shasum ./*.tar.gz > pulumi-#{{ .Config.provider }}#_${{ inputs.version }}_checksums.txt + run: shasum ./*.tar.gz > "pulumi-#{{ .Config.provider }}#_${{ inputs.version }}_checksums.txt" - name: Get Schema Change Summary id: schema-summary shell: bash @@ -102,10 +103,12 @@ jobs: steps: - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# -#{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# -#{{- end }}# + #{{- end }}# + # Persist credentials so we can push back to the repo + persist-credentials: true - name: Setup tools uses: ./.github/actions/setup-tools with: @@ -168,7 +171,9 @@ jobs: runs-on: #{{ .Config.runner.default }}# steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: #{{ .Config.actionVersions.checkout }}# + with: + persist-credentials: false - name: Clean up release labels uses: pulumi/action-release-by-pr-label@main with: diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/release.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/release.yml index cbe2c632eb..2329f37357 100644 --- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/release.yml +++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/release.yml @@ -89,10 +89,11 @@ jobs: #{{- end }}# - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# -#{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# -#{{- end }}# + #{{- end }}# + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: 
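Review bot: The comment `# Persist credentials so we can push back to the repo` above the new `persist-credentials: true` does not say which step pushes, so a later audit of the token cannot tell whether it is still required; name it, e.g. `# Persist credentials: the <pushing step> step below pushes to this repo` with the real step name in place of the placeholder. Since this is the job that deliberately keeps a write-capable token in the checkout, it is also where inline `${{ }}` expansion inside `run:` lines matters most; the steps that follow are outside the hunk, so confirm they read inputs via `env:` rather than inline. The job body continues outside the hunk.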
diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/resync-build.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/resync-build.yml index e0f51b0d0e..bec52713d5 100644 --- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/resync-build.yml +++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/resync-build.yml @@ -11,15 +11,18 @@ jobs: steps: - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# - #{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# - #{{- end }}# + #{{- end }}# + # Persist credentials so we can push a new branch. + persist-credentials: true - name: Checkout repo uses: #{{ .Config.actionVersions.checkout }}# with: path: ci-mgmt repository: pulumi/ci-mgmt + persist-credentials: false - id: run-url name: Create URL to the run output run: echo "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> "$GITHUB_OUTPUT" diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/run-acceptance-tests.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/run-acceptance-tests.yml index 09b91fc6da..f01a25c9c0 100644 --- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/run-acceptance-tests.yml +++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/run-acceptance-tests.yml @@ -135,6 +135,7 @@ jobs: #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# #{{- end }}# + persist-credentials: false - name: Checkout p/examples if: matrix.testTarget == 'pulumiExamples' uses: #{{ .Config.actionVersions.checkout }}# diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/upgrade-bridge.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/upgrade-bridge.yml index 003c058375..4071e841e4 100644 
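Review bot: In run-acceptance-tests.yml the new `persist-credentials: false` is applied only to the first checkout; the `Checkout p/examples` step that follows also uses the checkout action, and its `with:` block is outside the hunk, so whether it sets the same option is not visible. This job appears to check out pull-request content (the rendered acme copy of this file sets `ref: ${{ env.PR_COMMIT_SHA }}` on the first checkout), which makes it the workflow where a token left in any checkout matters most. Suggest adding `persist-credentials: false` to that second checkout as well, or a comment stating why it is exempt. The same applies to the rendered test-provider copies.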
--- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/upgrade-bridge.yml +++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/upgrade-bridge.yml @@ -68,10 +68,11 @@ jobs: #{{- end }}# - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# - #{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# - #{{- end }}# + #{{- end }}# + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/upgrade-provider.yml b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/upgrade-provider.yml index 526386caeb..ce2318d83d 100644 --- a/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/upgrade-provider.yml +++ b/provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/upgrade-provider.yml @@ -34,10 +34,12 @@ jobs: #{{- end }}# - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# - #{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# - #{{- end }}# + #{{- end }}# + # Persist credentials so upgrade-provider can push a new branch. + persist-credentials: true - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/internal/pkg/templates/provider/.github/workflows/license.yml b/provider-ci/internal/pkg/templates/provider/.github/workflows/license.yml index 773a521c2c..3cd459eef5 100644 --- a/provider-ci/internal/pkg/templates/provider/.github/workflows/license.yml +++ b/provider-ci/internal/pkg/templates/provider/.github/workflows/license.yml 
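Review bot: In upgrade-provider.yml this checkout now explicitly keeps a push-capable token (`persist-credentials: true`), while the description lists `${{ }}` expansions flagged in this same workflow (`github.event.inputs.version`, `steps.upstream_version.outputs.latest_version`, `steps.target_version.outputs.version`) and dismisses them as internal-only. If `latest_version` is derived from the upstream project's release metadata, as the step name suggests, it is not controlled by the triggering user, so that value at least should reach `run:` lines through `env:` indirection rather than inline expansion. Those steps are outside this hunk; at minimum extend the new comment to `# Persist credentials so upgrade-provider can push a new branch; keep upstream-derived values out of inline ${{ }} in run: steps.` so the trade-off is recorded next to the setting. The job body continues outside the hunk.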
@@ -15,7 +15,9 @@ jobs: runs-on: #{{ .Config.runner.default }}# steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: #{{ .Config.actionVersions.checkout }}# + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/internal/pkg/templates/provider/.github/workflows/lint.yml b/provider-ci/internal/pkg/templates/provider/.github/workflows/lint.yml index 3c62346414..efa1802636 100644 --- a/provider-ci/internal/pkg/templates/provider/.github/workflows/lint.yml +++ b/provider-ci/internal/pkg/templates/provider/.github/workflows/lint.yml @@ -16,10 +16,11 @@ jobs: steps: - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# -#{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# -#{{- end }}# + #{{- end }}# + persist-credentials: false - name: Install go uses: actions/setup-go@v5 with: diff --git a/provider-ci/internal/pkg/templates/provider/.github/workflows/pull-request.yml b/provider-ci/internal/pkg/templates/provider/.github/workflows/pull-request.yml index bee3b2af67..753769ba0f 100644 --- a/provider-ci/internal/pkg/templates/provider/.github/workflows/pull-request.yml +++ b/provider-ci/internal/pkg/templates/provider/.github/workflows/pull-request.yml @@ -10,10 +10,11 @@ jobs: steps: - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# -#{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# -#{{- end }}# + #{{- end }}# + persist-credentials: false - name: Comment PR uses: #{{ .Config.actionVersions.prComment }}# with: diff --git a/provider-ci/internal/pkg/templates/provider/.github/workflows/verify-release.yml b/provider-ci/internal/pkg/templates/provider/.github/workflows/verify-release.yml index 6f24e6baf6..1d84855c12 100644 
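Review bot: The description says the rendered pull-request.yml runs on `pull_request_target`, where the checkout defaults to the base branch and the job still holds a write-capable `GITHUB_TOKEN`; the new `with:` block correctly leaves `ref:` unset, but nothing records that this is deliberate. A comment on the checkout such as `# pull_request_target: checks out the base branch only — never set ref: to the PR head here` would stop a later edit from re-introducing the unsafe pattern, since `persist-credentials: false` only keeps the token out of the git config and does not remove it from later steps. The same note applies to the checkout in community-moderation.yml. The trigger block is outside the hunk.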
--- a/provider-ci/internal/pkg/templates/provider/.github/workflows/verify-release.yml +++ b/provider-ci/internal/pkg/templates/provider/.github/workflows/verify-release.yml @@ -64,7 +64,9 @@ jobs: runs-on: ${{ matrix.runner }} steps: - name: Checkout Repo - uses: actions/checkout@v4 + uses: #{{ .Config.actionVersions.checkout }}# + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/internal/pkg/templates/pulumi-provider/.github/workflows/command-dispatch.yml b/provider-ci/internal/pkg/templates/pulumi-provider/.github/workflows/command-dispatch.yml index d2babf7a5a..cdb6b197ce 100644 --- a/provider-ci/internal/pkg/templates/pulumi-provider/.github/workflows/command-dispatch.yml +++ b/provider-ci/internal/pkg/templates/pulumi-provider/.github/workflows/command-dispatch.yml @@ -9,10 +9,11 @@ jobs: steps: - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# -#{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# -#{{- end }}# + #{{- end }}# + persist-credentials: false - uses: peter-evans/slash-command-dispatch@v4 with: commands: | diff --git a/provider-ci/internal/pkg/templates/pulumi-provider/.github/workflows/community-moderation.yml b/provider-ci/internal/pkg/templates/pulumi-provider/.github/workflows/community-moderation.yml index e42edd5378..f6d25b9a40 100644 --- a/provider-ci/internal/pkg/templates/pulumi-provider/.github/workflows/community-moderation.yml +++ b/provider-ci/internal/pkg/templates/pulumi-provider/.github/workflows/community-moderation.yml 
@@ -9,10 +9,11 @@ jobs: steps: - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# -#{{- if .Config.checkoutSubmodules }}# with: + #{{- if .Config.checkoutSubmodules }}# submodules: #{{ .Config.checkoutSubmodules }}# -#{{- end }}# + #{{- end }}# + persist-credentials: false - id: schema_changed name: Check for diff in schema uses: #{{ .Config.actionVersions.pathsFilter }}# diff --git a/provider-ci/internal/pkg/templates/pulumi-provider/.github/workflows/release_command.yml b/provider-ci/internal/pkg/templates/pulumi-provider/.github/workflows/release_command.yml index 028caf41e7..95b4d185c6 100644 --- a/provider-ci/internal/pkg/templates/pulumi-provider/.github/workflows/release_command.yml +++ b/provider-ci/internal/pkg/templates/pulumi-provider/.github/workflows/release_command.yml @@ -12,6 +12,8 @@ jobs: steps: - name: Checkout Repo uses: #{{ .Config.actionVersions.checkout }}# + with: + persist-credentials: false - name: Should release PR uses: pulumi/action-release-by-pr-label@main with: diff --git a/provider-ci/test-providers/acme/.github/workflows/build_provider.yml b/provider-ci/test-providers/acme/.github/workflows/build_provider.yml index 849e0bbf1e..9c7853b3ef 100644 --- a/provider-ci/test-providers/acme/.github/workflows/build_provider.yml +++ b/provider-ci/test-providers/acme/.github/workflows/build_provider.yml @@ -31,6 +31,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/acme/.github/workflows/build_sdk.yml b/provider-ci/test-providers/acme/.github/workflows/build_sdk.yml index ae90fb5e8f..ae5417747f 100644 --- a/provider-ci/test-providers/acme/.github/workflows/build_sdk.yml +++ b/provider-ci/test-providers/acme/.github/workflows/build_sdk.yml 
@@ -41,6 +41,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Cache examples generation uses: actions/cache@v4 with: diff --git a/provider-ci/test-providers/acme/.github/workflows/license.yml b/provider-ci/test-providers/acme/.github/workflows/license.yml index d285937a01..83f8357b28 100644 --- a/provider-ci/test-providers/acme/.github/workflows/license.yml +++ b/provider-ci/test-providers/acme/.github/workflows/license.yml @@ -31,6 +31,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/acme/.github/workflows/lint.yml b/provider-ci/test-providers/acme/.github/workflows/lint.yml index f9f1b428c0..988e3b2ac4 100644 --- a/provider-ci/test-providers/acme/.github/workflows/lint.yml +++ b/provider-ci/test-providers/acme/.github/workflows/lint.yml @@ -31,6 +31,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install go uses: actions/setup-go@v5 with: diff --git a/provider-ci/test-providers/acme/.github/workflows/main.yml b/provider-ci/test-providers/acme/.github/workflows/main.yml index 751021e993..fe3d378072 100644 --- a/provider-ci/test-providers/acme/.github/workflows/main.yml +++ b/provider-ci/test-providers/acme/.github/workflows/main.yml @@ -56,6 +56,8 @@ jobs: swap-storage: false - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: @@ -136,6 +138,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: 
diff --git a/provider-ci/test-providers/acme/.github/workflows/prerelease.yml b/provider-ci/test-providers/acme/.github/workflows/prerelease.yml index 8ea1d556ae..b561ef30a0 100644 --- a/provider-ci/test-providers/acme/.github/workflows/prerelease.yml +++ b/provider-ci/test-providers/acme/.github/workflows/prerelease.yml @@ -80,6 +80,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/acme/.github/workflows/prerequisites.yml b/provider-ci/test-providers/acme/.github/workflows/prerequisites.yml index a7ae386623..36e9c47b45 100644 --- a/provider-ci/test-providers/acme/.github/workflows/prerequisites.yml +++ b/provider-ci/test-providers/acme/.github/workflows/prerequisites.yml @@ -44,6 +44,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - uses: pulumi/provider-version-action@v1 id: provider-version with: @@ -76,7 +78,7 @@ jobs: EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) { echo "SCHEMA_CHANGES<<$EOF"; - schema-tools compare -r github://api.github.com/pulumiverse -p acme -o ${{ inputs.default_branch }} -n --local-path=provider/cmd/pulumi-resource-acme/schema.json; + schema-tools compare -r github://api.github.com/pulumiverse -p acme -o "${{ inputs.default_branch }}" -n --local-path=provider/cmd/pulumi-resource-acme/schema.json; echo "$EOF"; } >> "$GITHUB_ENV" - if: inputs.is_pr && inputs.is_automated == false diff --git a/provider-ci/test-providers/acme/.github/workflows/publish.yml b/provider-ci/test-providers/acme/.github/workflows/publish.yml index f74b5851fc..fe1a37b934 100644 --- a/provider-ci/test-providers/acme/.github/workflows/publish.yml +++ b/provider-ci/test-providers/acme/.github/workflows/publish.yml 
@@ -47,6 +47,8 @@ jobs: run: echo "Can't skip Go SDK for stable releases. This is likely a bug in the calling workflow." && exit 1 - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: @@ -62,7 +64,7 @@ jobs: merge-multiple: true - name: Calculate checksums working-directory: dist - run: shasum ./*.tar.gz > pulumi-acme_${{ inputs.version }}_checksums.txt + run: shasum ./*.tar.gz > "pulumi-acme_${{ inputs.version }}_checksums.txt" - name: Get Schema Change Summary id: schema-summary shell: bash @@ -97,6 +99,9 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + # Persist credentials so we can push back to the repo + persist-credentials: true - name: Setup tools uses: ./.github/actions/setup-tools with: @@ -135,6 +140,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Clean up release labels uses: pulumi/action-release-by-pr-label@main with: diff --git a/provider-ci/test-providers/acme/.github/workflows/pull-request.yml b/provider-ci/test-providers/acme/.github/workflows/pull-request.yml index bd321f5a27..beb84a8981 100644 --- a/provider-ci/test-providers/acme/.github/workflows/pull-request.yml +++ b/provider-ci/test-providers/acme/.github/workflows/pull-request.yml @@ -25,6 +25,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Comment PR uses: thollander/actions-comment-pull-request@v2 with: diff --git a/provider-ci/test-providers/acme/.github/workflows/release.yml b/provider-ci/test-providers/acme/.github/workflows/release.yml index eb1327d314..aa6276feb9 100644 --- a/provider-ci/test-providers/acme/.github/workflows/release.yml +++ b/provider-ci/test-providers/acme/.github/workflows/release.yml 
@@ -86,6 +86,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/acme/.github/workflows/resync-build.yml b/provider-ci/test-providers/acme/.github/workflows/resync-build.yml index 1cf1bb0316..1e0940414b 100644 --- a/provider-ci/test-providers/acme/.github/workflows/resync-build.yml +++ b/provider-ci/test-providers/acme/.github/workflows/resync-build.yml @@ -26,11 +26,15 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + # Persist credentials so we can push a new branch. + persist-credentials: true - name: Checkout repo uses: actions/checkout@v4 with: path: ci-mgmt repository: pulumi/ci-mgmt + persist-credentials: false - id: run-url name: Create URL to the run output run: echo "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> "$GITHUB_OUTPUT" diff --git a/provider-ci/test-providers/acme/.github/workflows/run-acceptance-tests.yml b/provider-ci/test-providers/acme/.github/workflows/run-acceptance-tests.yml index 03f68fb645..eacde30391 100644 --- a/provider-ci/test-providers/acme/.github/workflows/run-acceptance-tests.yml +++ b/provider-ci/test-providers/acme/.github/workflows/run-acceptance-tests.yml @@ -130,6 +130,7 @@ jobs: uses: actions/checkout@v4 with: ref: ${{ env.PR_COMMIT_SHA }} + persist-credentials: false - name: Checkout p/examples if: matrix.testTarget == 'pulumiExamples' uses: actions/checkout@v4 diff --git a/provider-ci/test-providers/acme/.github/workflows/upgrade-bridge.yml b/provider-ci/test-providers/acme/.github/workflows/upgrade-bridge.yml index 37b34914d9..a47be8c6fd 100644 --- a/provider-ci/test-providers/acme/.github/workflows/upgrade-bridge.yml +++ b/provider-ci/test-providers/acme/.github/workflows/upgrade-bridge.yml 
@@ -59,6 +59,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/acme/.github/workflows/upgrade-provider.yml b/provider-ci/test-providers/acme/.github/workflows/upgrade-provider.yml index d8d681a5e8..f86516650f 100644 --- a/provider-ci/test-providers/acme/.github/workflows/upgrade-provider.yml +++ b/provider-ci/test-providers/acme/.github/workflows/upgrade-provider.yml @@ -25,6 +25,9 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + # Persist credentials so upgrade-provider can push a new branch. + persist-credentials: true - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/acme/.github/workflows/verify-release.yml b/provider-ci/test-providers/acme/.github/workflows/verify-release.yml index 50bbe0105e..79fc0f644f 100644 --- a/provider-ci/test-providers/acme/.github/workflows/verify-release.yml +++ b/provider-ci/test-providers/acme/.github/workflows/verify-release.yml @@ -70,6 +70,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/aws/.github/workflows/build_provider.yml b/provider-ci/test-providers/aws/.github/workflows/build_provider.yml index eff24b362f..33f08d4ee6 100644 --- a/provider-ci/test-providers/aws/.github/workflows/build_provider.yml +++ b/provider-ci/test-providers/aws/.github/workflows/build_provider.yml @@ -40,6 +40,7 @@ jobs: uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/aws/.github/workflows/build_sdk.yml b/provider-ci/test-providers/aws/.github/workflows/build_sdk.yml index 0cba628ef7..40b8f0e3a2 100644 
--- a/provider-ci/test-providers/aws/.github/workflows/build_sdk.yml +++ b/provider-ci/test-providers/aws/.github/workflows/build_sdk.yml @@ -54,6 +54,7 @@ jobs: uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - name: Cache examples generation uses: actions/cache@v4 with: diff --git a/provider-ci/test-providers/aws/.github/workflows/command-dispatch.yml b/provider-ci/test-providers/aws/.github/workflows/command-dispatch.yml index fdd32460c3..96e2d1a7bd 100644 --- a/provider-ci/test-providers/aws/.github/workflows/command-dispatch.yml +++ b/provider-ci/test-providers/aws/.github/workflows/command-dispatch.yml @@ -29,6 +29,7 @@ jobs: uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - uses: peter-evans/slash-command-dispatch@v4 with: commands: | diff --git a/provider-ci/test-providers/aws/.github/workflows/community-moderation.yml b/provider-ci/test-providers/aws/.github/workflows/community-moderation.yml index 2a14709936..7beeb63e8a 100644 --- a/provider-ci/test-providers/aws/.github/workflows/community-moderation.yml +++ b/provider-ci/test-providers/aws/.github/workflows/community-moderation.yml @@ -11,6 +11,7 @@ jobs: uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - id: schema_changed name: Check for diff in schema uses: dorny/paths-filter@v2 diff --git a/provider-ci/test-providers/aws/.github/workflows/license.yml b/provider-ci/test-providers/aws/.github/workflows/license.yml index 12920f4b1f..f318695d7e 100644 --- a/provider-ci/test-providers/aws/.github/workflows/license.yml +++ b/provider-ci/test-providers/aws/.github/workflows/license.yml @@ -34,6 +34,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: 
diff --git a/provider-ci/test-providers/aws/.github/workflows/lint.yml b/provider-ci/test-providers/aws/.github/workflows/lint.yml index e1f366f66b..3bb14f160e 100644 --- a/provider-ci/test-providers/aws/.github/workflows/lint.yml +++ b/provider-ci/test-providers/aws/.github/workflows/lint.yml @@ -36,6 +36,7 @@ jobs: uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - name: Install go uses: actions/setup-go@v5 with: diff --git a/provider-ci/test-providers/aws/.github/workflows/master.yml b/provider-ci/test-providers/aws/.github/workflows/master.yml index 6ae11b745c..8a373012e4 100644 --- a/provider-ci/test-providers/aws/.github/workflows/master.yml +++ b/provider-ci/test-providers/aws/.github/workflows/master.yml @@ -61,6 +61,7 @@ jobs: uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: @@ -150,6 +151,7 @@ jobs: uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/aws/.github/workflows/nightly-test.yml b/provider-ci/test-providers/aws/.github/workflows/nightly-test.yml index 41be16c2e0..a424e335fd 100644 --- a/provider-ci/test-providers/aws/.github/workflows/nightly-test.yml +++ b/provider-ci/test-providers/aws/.github/workflows/nightly-test.yml @@ -67,6 +67,7 @@ jobs: uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/aws/.github/workflows/prerelease.yml b/provider-ci/test-providers/aws/.github/workflows/prerelease.yml index 0f56e6690a..b332e1f846 100644 --- a/provider-ci/test-providers/aws/.github/workflows/prerelease.yml +++ b/provider-ci/test-providers/aws/.github/workflows/prerelease.yml 
@@ -92,6 +92,7 @@ jobs: uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/aws/.github/workflows/prerequisites.yml b/provider-ci/test-providers/aws/.github/workflows/prerequisites.yml index 546c648bc6..4d5745564b 100644 --- a/provider-ci/test-providers/aws/.github/workflows/prerequisites.yml +++ b/provider-ci/test-providers/aws/.github/workflows/prerequisites.yml @@ -56,6 +56,7 @@ jobs: uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - uses: pulumi/provider-version-action@v1 id: provider-version with: @@ -88,7 +89,7 @@ jobs: EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) { echo "SCHEMA_CHANGES<<$EOF"; - schema-tools compare -r github://api.github.com/pulumi -p aws -o ${{ inputs.default_branch }} -n --local-path=provider/cmd/pulumi-resource-aws/schema.json; + schema-tools compare -r github://api.github.com/pulumi -p aws -o "${{ inputs.default_branch }}" -n --local-path=provider/cmd/pulumi-resource-aws/schema.json; echo "$EOF"; } >> "$GITHUB_ENV" - if: inputs.is_pr && inputs.is_automated == false diff --git a/provider-ci/test-providers/aws/.github/workflows/publish.yml b/provider-ci/test-providers/aws/.github/workflows/publish.yml index 1b909fab94..1ceebb9469 100644 --- a/provider-ci/test-providers/aws/.github/workflows/publish.yml +++ b/provider-ci/test-providers/aws/.github/workflows/publish.yml @@ -52,6 +52,7 @@ jobs: uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: @@ -77,7 +78,7 @@ jobs: merge-multiple: true - name: Calculate checksums working-directory: dist - run: shasum ./*.tar.gz > pulumi-aws_${{ inputs.version }}_checksums.txt + run: shasum ./*.tar.gz > "pulumi-aws_${{ inputs.version }}_checksums.txt" - name: Get Schema Change Summary id: schema-summary shell: bash 
@@ -116,6 +117,8 @@ jobs: uses: actions/checkout@v4 with: submodules: true + # Persist credentials so we can push back to the repo + persist-credentials: true - name: Setup tools uses: ./.github/actions/setup-tools with: @@ -173,6 +176,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Clean up release labels uses: pulumi/action-release-by-pr-label@main with: diff --git a/provider-ci/test-providers/aws/.github/workflows/pull-request.yml b/provider-ci/test-providers/aws/.github/workflows/pull-request.yml index 5b20f8ee26..5bab426867 100644 --- a/provider-ci/test-providers/aws/.github/workflows/pull-request.yml +++ b/provider-ci/test-providers/aws/.github/workflows/pull-request.yml @@ -30,6 +30,7 @@ jobs: uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - name: Comment PR uses: thollander/actions-comment-pull-request@v2 with: diff --git a/provider-ci/test-providers/aws/.github/workflows/release.yml b/provider-ci/test-providers/aws/.github/workflows/release.yml index 39ad9db5ad..95c53595f3 100644 --- a/provider-ci/test-providers/aws/.github/workflows/release.yml +++ b/provider-ci/test-providers/aws/.github/workflows/release.yml @@ -98,6 +98,7 @@ jobs: uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/aws/.github/workflows/release_command.yml b/provider-ci/test-providers/aws/.github/workflows/release_command.yml index 2a8fff366c..4029f32a79 100644 --- a/provider-ci/test-providers/aws/.github/workflows/release_command.yml +++ b/provider-ci/test-providers/aws/.github/workflows/release_command.yml @@ -12,6 +12,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Should release PR uses: pulumi/action-release-by-pr-label@main with: 
diff --git a/provider-ci/test-providers/aws/.github/workflows/resync-build.yml b/provider-ci/test-providers/aws/.github/workflows/resync-build.yml index 6d10e619c7..11f10eb67b 100644 --- a/provider-ci/test-providers/aws/.github/workflows/resync-build.yml +++ b/provider-ci/test-providers/aws/.github/workflows/resync-build.yml @@ -31,11 +31,14 @@ jobs: uses: actions/checkout@v4 with: submodules: true + # Persist credentials so we can push a new branch. + persist-credentials: true - name: Checkout repo uses: actions/checkout@v4 with: path: ci-mgmt repository: pulumi/ci-mgmt + persist-credentials: false - id: run-url name: Create URL to the run output run: echo "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> "$GITHUB_OUTPUT" diff --git a/provider-ci/test-providers/aws/.github/workflows/run-acceptance-tests.yml b/provider-ci/test-providers/aws/.github/workflows/run-acceptance-tests.yml index d76ed64fd7..7055f99ae4 100644 --- a/provider-ci/test-providers/aws/.github/workflows/run-acceptance-tests.yml +++ b/provider-ci/test-providers/aws/.github/workflows/run-acceptance-tests.yml @@ -138,6 +138,7 @@ jobs: with: ref: ${{ env.PR_COMMIT_SHA }} submodules: true + persist-credentials: false - name: Checkout p/examples if: matrix.testTarget == 'pulumiExamples' uses: actions/checkout@v4 diff --git a/provider-ci/test-providers/aws/.github/workflows/upgrade-bridge.yml b/provider-ci/test-providers/aws/.github/workflows/upgrade-bridge.yml index 8e79b2619f..22d119a457 100644 --- a/provider-ci/test-providers/aws/.github/workflows/upgrade-bridge.yml +++ b/provider-ci/test-providers/aws/.github/workflows/upgrade-bridge.yml @@ -68,6 +68,7 @@ jobs: uses: actions/checkout@v4 with: submodules: true + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: 
diff --git a/provider-ci/test-providers/aws/.github/workflows/upgrade-provider.yml b/provider-ci/test-providers/aws/.github/workflows/upgrade-provider.yml index 7e807a0430..0d7101ae86 100644 --- a/provider-ci/test-providers/aws/.github/workflows/upgrade-provider.yml +++ b/provider-ci/test-providers/aws/.github/workflows/upgrade-provider.yml @@ -34,6 +34,8 @@ jobs: uses: actions/checkout@v4 with: submodules: true + # Persist credentials so upgrade-provider can push a new branch. + persist-credentials: true - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/aws/.github/workflows/verify-release.yml b/provider-ci/test-providers/aws/.github/workflows/verify-release.yml index 8f32d0afd1..3c4eeccaf8 100644 --- a/provider-ci/test-providers/aws/.github/workflows/verify-release.yml +++ b/provider-ci/test-providers/aws/.github/workflows/verify-release.yml @@ -73,6 +73,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/build_provider.yml b/provider-ci/test-providers/cloudflare/.github/workflows/build_provider.yml index f11b063e8c..8c9605a577 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/build_provider.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/build_provider.yml @@ -31,6 +31,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/build_sdk.yml b/provider-ci/test-providers/cloudflare/.github/workflows/build_sdk.yml index 604397d147..f0c9481995 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/build_sdk.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/build_sdk.yml 
@@ -44,6 +44,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Cache examples generation uses: actions/cache@v4 with: diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/command-dispatch.yml b/provider-ci/test-providers/cloudflare/.github/workflows/command-dispatch.yml index b7bf4db481..ec6aed074a 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/command-dispatch.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/command-dispatch.yml @@ -26,6 +26,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - uses: peter-evans/slash-command-dispatch@v4 with: commands: | diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/community-moderation.yml b/provider-ci/test-providers/cloudflare/.github/workflows/community-moderation.yml index 4c3414b904..2afb297c25 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/community-moderation.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/community-moderation.yml @@ -9,6 +9,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - id: schema_changed name: Check for diff in schema uses: dorny/paths-filter@v2 diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/license.yml b/provider-ci/test-providers/cloudflare/.github/workflows/license.yml index 4f885f86dd..355857e2bd 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/license.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/license.yml @@ -33,6 +33,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: 
diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/lint.yml b/provider-ci/test-providers/cloudflare/.github/workflows/lint.yml index feffb40df0..257cf7210e 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/lint.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/lint.yml @@ -33,6 +33,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install go uses: actions/setup-go@v5 with: diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/master.yml b/provider-ci/test-providers/cloudflare/.github/workflows/master.yml index 3c72f29e69..2192bbd3df 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/master.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/master.yml @@ -58,6 +58,8 @@ jobs: swap-storage: false - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: @@ -138,6 +140,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/prerelease.yml b/provider-ci/test-providers/cloudflare/.github/workflows/prerelease.yml index 77d066b03e..aac539df0f 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/prerelease.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/prerelease.yml @@ -82,6 +82,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/prerequisites.yml b/provider-ci/test-providers/cloudflare/.github/workflows/prerequisites.yml index ad10171e65..e20ae63fda 100644 
--- a/provider-ci/test-providers/cloudflare/.github/workflows/prerequisites.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/prerequisites.yml @@ -46,6 +46,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - uses: pulumi/provider-version-action@v1 id: provider-version with: @@ -78,7 +80,7 @@ jobs: EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) { echo "SCHEMA_CHANGES<<$EOF"; - schema-tools compare -r github://api.github.com/pulumi -p cloudflare -o ${{ inputs.default_branch }} -n --local-path=provider/cmd/pulumi-resource-cloudflare/schema.json; + schema-tools compare -r github://api.github.com/pulumi -p cloudflare -o "${{ inputs.default_branch }}" -n --local-path=provider/cmd/pulumi-resource-cloudflare/schema.json; echo "$EOF"; } >> "$GITHUB_ENV" - if: inputs.is_pr && inputs.is_automated == false diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/publish.yml b/provider-ci/test-providers/cloudflare/.github/workflows/publish.yml index 3cc3d3d15f..6d2db0865e 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/publish.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/publish.yml @@ -49,6 +49,8 @@ jobs: run: echo "Can't skip Go SDK for stable releases. This is likely a bug in the calling workflow." && exit 1 - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: @@ -74,7 +76,7 @@ jobs: merge-multiple: true - name: Calculate checksums working-directory: dist - run: shasum ./*.tar.gz > pulumi-cloudflare_${{ inputs.version }}_checksums.txt + run: shasum ./*.tar.gz > "pulumi-cloudflare_${{ inputs.version }}_checksums.txt" - name: Get Schema Change Summary id: schema-summary shell: bash 
@@ -111,6 +113,9 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + # Persist credentials so we can push back to the repo + persist-credentials: true - name: Setup tools uses: ./.github/actions/setup-tools with: @@ -168,6 +173,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Clean up release labels uses: pulumi/action-release-by-pr-label@main with: diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/pull-request.yml b/provider-ci/test-providers/cloudflare/.github/workflows/pull-request.yml index c8dce0d5b6..7bb38bf7d2 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/pull-request.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/pull-request.yml @@ -27,6 +27,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Comment PR uses: thollander/actions-comment-pull-request@v2 with: diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/release.yml b/provider-ci/test-providers/cloudflare/.github/workflows/release.yml index f76a2992c3..66998502c4 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/release.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/release.yml @@ -88,6 +88,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/release_command.yml b/provider-ci/test-providers/cloudflare/.github/workflows/release_command.yml index 2a8fff366c..4029f32a79 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/release_command.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/release_command.yml 
@@ -12,6 +12,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Should release PR uses: pulumi/action-release-by-pr-label@main with: diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/resync-build.yml b/provider-ci/test-providers/cloudflare/.github/workflows/resync-build.yml index 14a121ce99..298e40a201 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/resync-build.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/resync-build.yml @@ -28,11 +28,15 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + # Persist credentials so we can push a new branch. + persist-credentials: true - name: Checkout repo uses: actions/checkout@v4 with: path: ci-mgmt repository: pulumi/ci-mgmt + persist-credentials: false - id: run-url name: Create URL to the run output run: echo "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> "$GITHUB_OUTPUT" diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/run-acceptance-tests.yml b/provider-ci/test-providers/cloudflare/.github/workflows/run-acceptance-tests.yml index 58fc81359d..3a28297991 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/run-acceptance-tests.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/run-acceptance-tests.yml @@ -132,6 +132,7 @@ jobs: uses: actions/checkout@v4 with: ref: ${{ env.PR_COMMIT_SHA }} + persist-credentials: false - name: Checkout p/examples if: matrix.testTarget == 'pulumiExamples' uses: actions/checkout@v4 diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/upgrade-bridge.yml b/provider-ci/test-providers/cloudflare/.github/workflows/upgrade-bridge.yml index 0c47364cab..639cbed527 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/upgrade-bridge.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/upgrade-bridge.yml 
@@ -59,6 +59,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/upgrade-provider.yml b/provider-ci/test-providers/cloudflare/.github/workflows/upgrade-provider.yml index d8d681a5e8..f86516650f 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/upgrade-provider.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/upgrade-provider.yml @@ -25,6 +25,9 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + # Persist credentials so upgrade-provider can push a new branch. + persist-credentials: true - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/cloudflare/.github/workflows/verify-release.yml b/provider-ci/test-providers/cloudflare/.github/workflows/verify-release.yml index bfe4faaefa..1d2219a284 100644 --- a/provider-ci/test-providers/cloudflare/.github/workflows/verify-release.yml +++ b/provider-ci/test-providers/cloudflare/.github/workflows/verify-release.yml @@ -72,6 +72,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/docker/.github/workflows/build_provider.yml b/provider-ci/test-providers/docker/.github/workflows/build_provider.yml index 69bf40b0e0..e9448588d4 100644 --- a/provider-ci/test-providers/docker/.github/workflows/build_provider.yml +++ b/provider-ci/test-providers/docker/.github/workflows/build_provider.yml @@ -31,6 +31,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: 
diff --git a/provider-ci/test-providers/docker/.github/workflows/build_sdk.yml b/provider-ci/test-providers/docker/.github/workflows/build_sdk.yml index cd903d668e..8bdc9f0797 100644 --- a/provider-ci/test-providers/docker/.github/workflows/build_sdk.yml +++ b/provider-ci/test-providers/docker/.github/workflows/build_sdk.yml @@ -57,6 +57,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Cache examples generation uses: actions/cache@v4 with: diff --git a/provider-ci/test-providers/docker/.github/workflows/command-dispatch.yml b/provider-ci/test-providers/docker/.github/workflows/command-dispatch.yml index d9c927f78f..9b68cdaaf1 100644 --- a/provider-ci/test-providers/docker/.github/workflows/command-dispatch.yml +++ b/provider-ci/test-providers/docker/.github/workflows/command-dispatch.yml @@ -39,6 +39,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - uses: peter-evans/slash-command-dispatch@v4 with: commands: | diff --git a/provider-ci/test-providers/docker/.github/workflows/community-moderation.yml b/provider-ci/test-providers/docker/.github/workflows/community-moderation.yml index 4c3414b904..2afb297c25 100644 --- a/provider-ci/test-providers/docker/.github/workflows/community-moderation.yml +++ b/provider-ci/test-providers/docker/.github/workflows/community-moderation.yml @@ -9,6 +9,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - id: schema_changed name: Check for diff in schema uses: dorny/paths-filter@v2 diff --git a/provider-ci/test-providers/docker/.github/workflows/license.yml b/provider-ci/test-providers/docker/.github/workflows/license.yml index 7bf7ad1404..79e2055c32 100644 --- a/provider-ci/test-providers/docker/.github/workflows/license.yml +++ b/provider-ci/test-providers/docker/.github/workflows/license.yml 
@@ -46,6 +46,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/docker/.github/workflows/lint.yml b/provider-ci/test-providers/docker/.github/workflows/lint.yml index 5f4f82a4ac..ae2e8815a2 100644 --- a/provider-ci/test-providers/docker/.github/workflows/lint.yml +++ b/provider-ci/test-providers/docker/.github/workflows/lint.yml @@ -46,6 +46,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Install go uses: actions/setup-go@v5 with: diff --git a/provider-ci/test-providers/docker/.github/workflows/master.yml b/provider-ci/test-providers/docker/.github/workflows/master.yml index d5a6681f6d..64de7e8195 100644 --- a/provider-ci/test-providers/docker/.github/workflows/master.yml +++ b/provider-ci/test-providers/docker/.github/workflows/master.yml @@ -71,6 +71,8 @@ jobs: swap-storage: false - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: @@ -151,6 +153,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/docker/.github/workflows/prerelease.yml b/provider-ci/test-providers/docker/.github/workflows/prerelease.yml index 40fc22da47..aad3a563c3 100644 --- a/provider-ci/test-providers/docker/.github/workflows/prerelease.yml +++ b/provider-ci/test-providers/docker/.github/workflows/prerelease.yml @@ -95,6 +95,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: 
diff --git a/provider-ci/test-providers/docker/.github/workflows/prerequisites.yml b/provider-ci/test-providers/docker/.github/workflows/prerequisites.yml index 77dd32b5f1..b4527a4f10 100644 --- a/provider-ci/test-providers/docker/.github/workflows/prerequisites.yml +++ b/provider-ci/test-providers/docker/.github/workflows/prerequisites.yml @@ -59,6 +59,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - uses: pulumi/provider-version-action@v1 id: provider-version with: @@ -91,7 +93,7 @@ jobs: EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64) { echo "SCHEMA_CHANGES<<$EOF"; - schema-tools compare -r github://api.github.com/pulumi -p docker -o ${{ inputs.default_branch }} -n --local-path=provider/cmd/pulumi-resource-docker/schema.json; + schema-tools compare -r github://api.github.com/pulumi -p docker -o "${{ inputs.default_branch }}" -n --local-path=provider/cmd/pulumi-resource-docker/schema.json; echo "$EOF"; } >> "$GITHUB_ENV" - if: inputs.is_pr && inputs.is_automated == false diff --git a/provider-ci/test-providers/docker/.github/workflows/publish.yml b/provider-ci/test-providers/docker/.github/workflows/publish.yml index 1a8eaf1073..812ece1cda 100644 --- a/provider-ci/test-providers/docker/.github/workflows/publish.yml +++ b/provider-ci/test-providers/docker/.github/workflows/publish.yml @@ -62,6 +62,8 @@ jobs: run: echo "Can't skip Go SDK for stable releases. This is likely a bug in the calling workflow." && exit 1 - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: @@ -87,7 +89,7 @@ jobs: merge-multiple: true - name: Calculate checksums working-directory: dist - run: shasum ./*.tar.gz > pulumi-docker_${{ inputs.version }}_checksums.txt + run: shasum ./*.tar.gz > "pulumi-docker_${{ inputs.version }}_checksums.txt" - name: Get Schema Change Summary id: schema-summary shell: bash 
@@ -124,6 +126,9 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + # Persist credentials so we can push back to the repo + persist-credentials: true - name: Setup tools uses: ./.github/actions/setup-tools with: @@ -181,6 +186,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Clean up release labels uses: pulumi/action-release-by-pr-label@main with: diff --git a/provider-ci/test-providers/docker/.github/workflows/pull-request.yml b/provider-ci/test-providers/docker/.github/workflows/pull-request.yml index 71c51bc57d..faac179a98 100644 --- a/provider-ci/test-providers/docker/.github/workflows/pull-request.yml +++ b/provider-ci/test-providers/docker/.github/workflows/pull-request.yml @@ -40,6 +40,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Comment PR uses: thollander/actions-comment-pull-request@v2 with: diff --git a/provider-ci/test-providers/docker/.github/workflows/release.yml b/provider-ci/test-providers/docker/.github/workflows/release.yml index 014f734c55..4a56b7b8d2 100644 --- a/provider-ci/test-providers/docker/.github/workflows/release.yml +++ b/provider-ci/test-providers/docker/.github/workflows/release.yml @@ -101,6 +101,8 @@ jobs: steps: - name: Checkout Repo uses: actions/checkout@v4 + with: + persist-credentials: false - name: Setup tools uses: ./.github/actions/setup-tools with: diff --git a/provider-ci/test-providers/docker/.github/workflows/release_command.yml b/provider-ci/test-providers/docker/.github/workflows/release_command.yml index 2a8fff366c..4029f32a79 100644 --- a/provider-ci/test-providers/docker/.github/workflows/release_command.yml +++ b/provider-ci/test-providers/docker/.github/workflows/release_command.yml 
@@ -12,6 +12,8 @@ jobs:
 steps:
 - name: Checkout Repo
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Should release PR
 uses: pulumi/action-release-by-pr-label@main
 with:
diff --git a/provider-ci/test-providers/docker/.github/workflows/resync-build.yml b/provider-ci/test-providers/docker/.github/workflows/resync-build.yml
index 714210ddd8..99d38561bf 100644
--- a/provider-ci/test-providers/docker/.github/workflows/resync-build.yml
+++ b/provider-ci/test-providers/docker/.github/workflows/resync-build.yml
@@ -41,11 +41,15 @@ jobs:
 steps:
 - name: Checkout Repo
 uses: actions/checkout@v4
+ with:
+ # Persist credentials so we can push a new branch.
+ persist-credentials: true
 - name: Checkout repo
 uses: actions/checkout@v4
 with:
 path: ci-mgmt
 repository: pulumi/ci-mgmt
+ persist-credentials: false
 - id: run-url
 name: Create URL to the run output
 run: echo "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> "$GITHUB_OUTPUT"
diff --git a/provider-ci/test-providers/docker/.github/workflows/run-acceptance-tests.yml b/provider-ci/test-providers/docker/.github/workflows/run-acceptance-tests.yml
index 0c531a8a01..a04ee60ba7 100644
--- a/provider-ci/test-providers/docker/.github/workflows/run-acceptance-tests.yml
+++ b/provider-ci/test-providers/docker/.github/workflows/run-acceptance-tests.yml
@@ -145,6 +145,7 @@ jobs:
 uses: actions/checkout@v4
 with:
 ref: ${{ env.PR_COMMIT_SHA }}
+ persist-credentials: false
 - name: Checkout p/examples
 if: matrix.testTarget == 'pulumiExamples'
 uses: actions/checkout@v4
diff --git a/provider-ci/test-providers/docker/.github/workflows/upgrade-bridge.yml b/provider-ci/test-providers/docker/.github/workflows/upgrade-bridge.yml
index 0c47364cab..639cbed527 100644
--- a/provider-ci/test-providers/docker/.github/workflows/upgrade-bridge.yml
+++ b/provider-ci/test-providers/docker/.github/workflows/upgrade-bridge.yml
@@ -59,6 +59,8 @@ jobs:
 steps:
 - name: Checkout Repo
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Setup tools
 uses: ./.github/actions/setup-tools
 with:
diff --git a/provider-ci/test-providers/docker/.github/workflows/upgrade-provider.yml b/provider-ci/test-providers/docker/.github/workflows/upgrade-provider.yml
index d8d681a5e8..f86516650f 100644
--- a/provider-ci/test-providers/docker/.github/workflows/upgrade-provider.yml
+++ b/provider-ci/test-providers/docker/.github/workflows/upgrade-provider.yml
@@ -25,6 +25,9 @@ jobs:
 steps:
 - name: Checkout Repo
 uses: actions/checkout@v4
+ with:
+ # Persist credentials so upgrade-provider can push a new branch.
+ persist-credentials: true
 - name: Setup tools
 uses: ./.github/actions/setup-tools
 with:
diff --git a/provider-ci/test-providers/docker/.github/workflows/verify-release.yml b/provider-ci/test-providers/docker/.github/workflows/verify-release.yml
index 16708eb59b..c256de52a4 100644
--- a/provider-ci/test-providers/docker/.github/workflows/verify-release.yml
+++ b/provider-ci/test-providers/docker/.github/workflows/verify-release.yml
@@ -85,6 +85,8 @@ jobs:
 steps:
 - name: Checkout Repo
 uses: actions/checkout@v4
+ with:
+ persist-credentials: false
 - name: Setup tools
 uses: ./.github/actions/setup-tools
 with:
