Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support plugins from private Pulumi repos #9185

Merged
merged 11 commits into from Mar 14, 2022
Merged

Support plugins from private Pulumi repos #9185

merged 11 commits into from Mar 14, 2022

Conversation

Frassle
Copy link
Member

@Frassle Frassle commented Mar 12, 2022
edited

Description

This makes a few changes to our github authentication flow.

  1. We only look at the GITHUB_TOKEN environment variable now. GITHUB_ACTOR and GITHUB_PERSONAL_ACCESS_TOKEN are no longer used.
  2. The token is sent via the Authorization header instead of Authentication, as documented at https://docs.github.com/en/rest/overview/resources-in-the-rest-api#authentication
  3. We try to use this env var even when accessing the pulumi repos.

This allows us to develop plugins in private repos but continue to use our standard plugin flow.

Checklist

  • I have added tests that prove my fix is effective or that my feature works
  • Yes, there are changes in this PR that warrants bumping the Pulumi Service API version

@Frassle
Support plugins from private Pulumi repos
7ccbd77 
This uses the same environment vars that we we're using for experimental private repos. That is GITHUB_TOKEN or GITHUB_ACTOR and GITHUB_PERSONAL_ACCESS_TOKEN.

This allows us to develop plugins in private repos but continue to use our standard plugin flow.
Frassle
Frassle commented Mar 12, 2022
View reviewed changes
sdk/go/common/workspace/plugins.go
@@ -196,47 +196,36 @@ type githubSource struct {
name string
kind PluginKind

tokenType string
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tokenType was always "token" so I've just trimmed it out

@Frassle
Copy link
Member Author

Frassle commented Mar 12, 2022

cc @patriziobruno, you may want to test this is ok for your workflows.

t0yv0
t0yv0 reviewed Mar 14, 2022
View reviewed changes
sdk/go/common/workspace/plugins_test.go
@@ -281,7 +282,11 @@ func newMockReadCloserString(data string) (io.ReadCloser, int64, error) {

//nolint:paralleltest // mutates environment variables
func TestPluginDownload(t *testing.T) {
expectedBytes := []byte{1, 2, 3}
token := "RaNd0m70K3n_"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not an actual token is it?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Lol no, but we don't actually care about the format of the token we just pass it straight through to the http header

t0yv0
t0yv0 reviewed Mar 14, 2022
View reviewed changes
sdk/go/common/workspace/plugins.go
if ghToken == "" {
tokenType = ""
paToken = os.Getenv("GITHUB_PERSONAL_ACCESS_TOKEN")
actor = os.Getenv("GITHUB_ACTOR")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe consider warning if these env vars are detected as set? To help users transition that might rely on this.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

GITHUB_PERSONAL_ACCESS_TOKEN is an envvar we made up so I can warn on that pretty safely.

t0yv0
t0yv0 approved these changes Mar 14, 2022
View reviewed changes
Copy link
Member

@t0yv0 t0yv0 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, very timely.

@patriziobruno
Copy link
Contributor

@Frassle, I love the new version, but it doesn't build on my machine and can't test it. I'm not sure I can use this workflow outside a github action without basic auth.

@Frassle
Copy link
Member Author

Frassle commented Mar 14, 2022

I'm not sure I can use this workflow outside a github action without basic auth.

I tested setting GITHUB_TOKEN to my personal access token and sending in the Authorization header and that let me download our private releases so I think this should work. This will be in the release this week so if it does break you just open an issue and we investigate quickly.

@patriziobruno
Copy link
Contributor

@Frassie, I concur, I've just tried curling api.github.com with my personal access token used as GITHUB_TOKEN and it worked.

@Frassle Frassle merged commit 874d127 into master Mar 14, 2022
@pulumi-bot pulumi-bot deleted the fraser/privatePlugins branch March 14, 2022 21:14
@Frassle Frassle mentioned this pull request Jul 14, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@t0yv0 t0yv0 t0yv0 approved these changes

@AaronFriel AaronFriel Awaiting requested review from AaronFriel

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@Frassle @patriziobruno @t0yv0