Changing the github token in the stack config doesn't have any effect

[pierskarsenbarg]

Hello!

• Vote on this issue by adding a 👍 reaction
• To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already)

Issue details

It looks like we store the (encrypted) GitHub token in the stack as part of the provider and if the token is changed in the stack config we don't update the value. This means that if the original token no longer exists (if it expires or is deleted) then you can't perform any more updates.

Steps to reproduce

1. Create an access token (https://github.com/settings/tokens)
2. Create a new Pulumi project (I used Typescript here) and install the GitHub provider
3. Add the token to the stack config (pulumi config set github:token <token> --secret)
4. Add the following to your index.ts:

import * as github from "@pulumi/github";

const repo = new github.Repository("my-test-repo", {
    name: "my-test-repo"
})

5. Run pulumi up
6. Create a new access token (https://github.com/settings/tokens) and set that to be the token in the stack
7. Delete the origin token
8. Run pulumi refresh

(You can also run pulumi stack export after step 5 and then see that it doesn't update in the stack json)

Expected: Pulumi would use the new access token
Actual: Pulumi continues to use the old (deleted) access token as part of the provider.

[guineveresaenger]

Hi @pierskarsenbarg -

I attempted to repro this and it turns out it is only pulumi refresh that is showing this behavior. pulumi up works just fine, and moreover, after a successful pulumi up with the new token (and old ones deleted), pulumi refresh is working just fine.

Console output after setting the secret:

@guin:github-203🦉 pulumi refresh
Previewing refresh (dev)

View Live: https://app.pulumi.com/guinevere/github-203/dev/previews/834bf9b3-e503-4305-8b33-5ffffa5fcfbc

     Type                        Name            Plan        Info
     pulumi:pulumi:Stack         github-203-dev              1 error
 ~   └─ github:index:Repository  my-test-repo    refresh     1 error
 
Diagnostics:
  pulumi:pulumi:Stack (github-203-dev):
    error: preview failed
 
  github:index:Repository (my-test-repo):
    error: Preview failed: refreshing urn:pulumi:dev::github-203::github:index/repository:Repository::my-test-repo: GET https://api.github.com/repos/guinandjamiesawesomeorg/my-test-repo: 401 Bad credentials []

@guin:github-203🦉 pulumi up
Previewing update (dev)

View Live: https://app.pulumi.com/guinevere/github-203/dev/previews/dffe7f7a-ca96-46fc-a1ae-afa484f2dcde

     Type                 Name            Plan     
     pulumi:pulumi:Stack  github-203-dev           
 
Resources:
    2 unchanged

Do you want to perform this update? yes
Updating (dev)

View Live: https://app.pulumi.com/guinevere/github-203/dev/updates/6

     Type                 Name            Status     
     pulumi:pulumi:Stack  github-203-dev             
 
Resources:
    2 unchanged

Duration: 2s

@guin:github-203🦉 pulumi refresh
Previewing refresh (dev)

View Live: https://app.pulumi.com/guinevere/github-203/dev/previews/777703d8-7d34-472f-95f8-fc8eb99dccdc

     Type                        Name            Plan     
     pulumi:pulumi:Stack         github-203-dev           
     └─ github:index:Repository  my-test-repo             
 
Resources:
    2 unchanged

Do you want to perform this refresh?
Do you want to perform this refresh?
Do you want to perform this refresh?
No resources will be modified as part of this refresh; just your stack's state will be. yes
Refreshing (dev)

View Live: https://app.pulumi.com/guinevere/github-203/dev/updates/7

     Type                        Name            Status     
     pulumi:pulumi:Stack         github-203-dev             
     └─ github:index:Repository  my-test-repo               
 
Resources:
    2 unchanged

Duration: 1s

I did not see any differnece between setting the token as an env var or via pulumi config set but my guess is that this is something to do with pulumi refresh not this particular provider.

[iwahbe]

This is an instance of pulumi/pulumi#4981.

[iwahbe]

By setting the token via an env var: GITHUB_TOKEN instead of with pulumi config, you can work around this issue. That is current best practice until pulumi/pulumi#4981 is closed.

[VenelinMartinov]

I suspect #578 was actually a regression here: #613

We had a similar issue in GCP

EDIT: Maybe not, could not repro an issue with expired credentials.