# SECURITY: This PR run on untrusted branches when a maintainer comments "/run-acceptance-tests". # # Changes "permissions" and "secrets" should be narrowly scoped and carefully reviewed. # # Reusable workflows, "uses" jobs, *must* specify the main branch. name: dispatched-acceptance-test on: repository_dispatch: types: [run-acceptance-tests-command] permissions: contents: read # Only the 'changelog-comment' job should use this permission. pull-requests: write # To sign artifacts. id-token: write concurrency: group: ${{ github.workflow }}-${{ github.event.client_payload.pull_request.number }} cancel-in-progress: true jobs: info: name: info uses: pulumi/pulumi/.github/workflows/ci-info.yml@master permissions: contents: read with: ref: ${{ github.ref }} is-snapshot: true secrets: inherit comment-notification: runs-on: ubuntu-latest if: ${{ github.event_name == 'repository_dispatch' }} permissions: contents: read pull-requests: write steps: - name: Update with Result uses: peter-evans/create-or-update-comment@v4 with: token: ${{ secrets.PULUMI_BOT_TOKEN }} repository: ${{ github.event.client_payload.github.payload.repository.full_name }} comment-id: ${{ github.event.client_payload.github.payload.comment.id }} issue-number: ${{ github.event.client_payload.github.payload.issue.number }} body: | Please view the results of the acceptance tests [Here](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) ci: name: CI needs: [info] uses: pulumi/pulumi/.github/workflows/ci.yml@master permissions: contents: read # To sign artifacts. id-token: write with: ref: refs/pull/${{ github.event.client_payload.pull_request.number }}/merge version: ${{ needs.info.outputs.version }} lint: true build-all-targets: false test-version-sets: current integration-test-platforms: ubuntu-latest acceptance-test-platforms: '' # We'll only upload coverage artifacts with the periodic-coverage cron workflow. enable-coverage: false secrets: # Scope secrets to the minimum required: PULUMI_BOT_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }} PULUMI_PROD_ACCESS_TOKEN: ${{ secrets.PULUMI_PROD_ACCESS_TOKEN }} AZURE_TENANT_ID: ${{ secrets.AZURE_TENANT_ID }} AZURE_CLIENT_ID: ${{ secrets.AZURE_CLIENT_ID }} AZURE_CLIENT_SECRET: ${{ secrets.AZURE_CLIENT_SECRET }} AZURE_STORAGE_SAS_TOKEN: ${{ secrets.AZURE_STORAGE_SAS_TOKEN }} GCP_SERVICE_ACCOUNT: ${{ secrets.GCP_SERVICE_ACCOUNT }}