Skip to content

Login to docker in the scan workflow #1290

Login to docker in the scan workflow

Login to docker in the scan workflow #1290

Workflow file for this run

name: CI Build
on:
workflow_dispatch:
inputs:
pulumi_version:
description: The version of Pulumi to use to build the Docker images. Full semver, e.g. "3.18.1".
type: string
repository_dispatch:
types:
- ci-build
pull_request:
paths-ignore:
- "CONTRIBUTING.md"
- "LICENSE"
- "README.md"
# "Push" is a somewhat unintuitive name - the event will fire after a PR is
# merged to the main branch.
push:
branches:
- "main"
concurrency:
# Use github.run_id on main branch
# Use github.event.pull_request.number on pull requests, so it's unique per pull request
# Use github.ref on other branches, so it's unique per branch
group: ${{ github.workflow }}-${{ github.ref == 'refs/heads/main' && github.run_id || github.event.pull_request.number || github.ref }}
cancel-in-progress: true
env:
GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} # Used by test-containers.sh\
# The organization in the Pulumi SaaS service against which the integration
# tests will run:
PULUMI_ORG: "pulumi-test"
DOCKER_ORG: pulumi
PULUMI_VERSION: ${{ github.event.inputs.pulumi_version || github.event.client_payload.ref }}
# Do not depend on C library for the tests.
CGO_ENABLED: "0"
# Azure credentials for the tests
ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
AWS_REGION: "us-west-2"
# GCP
GCP_SERVICE_ACCOUNT_EMAIL: "[email protected]"
GCP_PROJECT_NAME: "pulumi-ci-gcp-provider"
GCP_PROJECT_NUMBER: "895284651812"
GCP_WORKLOAD_IDENTITY_POOL: "pulumi-ci"
GCP_WORKLOAD_IDENTITY_PROVIDER: "pulumi-ci"
GCP_REGION: "us-central1"
GCP_ZONE: "us-central1-a"
jobs:
comment-notification:
if: github.event_name == 'repository_dispatch' && github.event.client_payload.github.payload.issue.number
runs-on: ubuntu-latest
steps:
- name: Create URL to the run output
id: vars
run: echo run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID >> "$GITHUB_OUTPUT"
- name: Update with Result
uses: peter-evans/create-or-update-comment@v1
with:
token: ${{ secrets.GITHUB_TOKEN }}
repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
issue-number: ${{ github.event.client_payload.github.payload.issue.number }}
body: |
Please view the results of the Downstream Containers Tests [Here][1]
[1]: ${{ steps.vars.outputs.run-url }}
kitchen-sink:
name: All SDKs image
strategy:
matrix:
go-version: [1.21.x]
runs-on: ubuntu-latest
permissions:
id-token: write
steps:
# If no version of Pulumi is supplied by the incoming event (e.g. in the
# case of a PR or merge to main), we use the latest production version:
- name: Set version to latest
if: ${{ !env.PULUMI_VERSION }}
run: |
echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV
- uses: actions/checkout@master
- name: Free Disk Space (Ubuntu)
uses: jlumbroso/free-disk-space@main
with:
tool-cache: false
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Setup docker buildx
uses: docker/setup-buildx-action@v3
with:
install: true
- name: Build
# We only build the "kitchen sink" image for AMD64 as it's rather large
# and we want to steer users to use the single SDK images going forward:
run: |
docker build \
-f docker/pulumi/Dockerfile \
--platform linux/amd64 \
-t ${{ env.DOCKER_ORG }}/pulumi:${{ env.PULUMI_VERSION }} \
--target base \
--build-arg PULUMI_VERSION=${{ env.PULUMI_VERSION }} \
--load \
docker/pulumi
- name: Image Info
run: |
docker image ls ${{ env.DOCKER_ORG }}/pulumi:${{ env.PULUMI_VERSION }}
docker history ${{ env.DOCKER_ORG }}/pulumi:${{ env.PULUMI_VERSION }}
- name: Build nonroot variant
run: |
docker build \
-f docker/pulumi/Dockerfile \
--platform linux/amd64 \
-t ${{ env.DOCKER_ORG }}/pulumi:${{ env.PULUMI_VERSION }}-nonroot \
--target nonroot \
--build-arg PULUMI_VERSION=${{ env.PULUMI_VERSION }} \
--load \
docker/pulumi
- name: Image Info
run: |
docker image ls ${{ env.DOCKER_ORG }}/pulumi:${{ env.PULUMI_VERSION }}-nonroot
docker history ${{ env.DOCKER_ORG }}/pulumi:${{ env.PULUMI_VERSION }}-nonroot
- name: Install go
uses: actions/setup-go@v5
with:
go-version: "1.22"
cache-dependency-path: tests/go.sum
- name: Compile tests
working-directory: tests
run: |
GOOS=linux GOARCH=amd64 go test -c -o /tmp/pulumi-test-containers ./...
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_REGION }}
role-duration-seconds: 14400 # 4 hours
role-session-name: pulumi-docker-containers@githubActions
role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }}
- name: Authenticate with Google Cloud
uses: google-github-actions/auth@v2
with:
service_account: ${{ env.GCP_SERVICE_ACCOUNT_EMAIL }}
workload_identity_provider: projects/${{ env.GCP_PROJECT_NUMBER
}}/locations/global/workloadIdentityPools/${{ env.GCP_WORKLOAD_IDENTITY_POOL
}}/providers/${{ env.GCP_WORKLOAD_IDENTITY_PROVIDER }}
- name: 'Set up Cloud SDK'
uses: 'google-github-actions/setup-gcloud@v2'
- name: Tests
# Note we use /src/pulumi-test-containers as entrypoint and not bash to avoid bash
# changing the environment in some way.
run: |
docker run \
-e RUN_CONTAINER_TESTS=true \
-e IMAGE_VARIANT=pulumi \
-e PULUMI_ACCESS_TOKEN=${PULUMI_ACCESS_TOKEN} \
-e PULUMI_ORG=${PULUMI_ORG} \
-e ARM_CLIENT_ID=${ARM_CLIENT_ID} \
-e ARM_CLIENT_SECRET=${ARM_CLIENT_SECRET} \
-e ARM_TENANT_ID=${ARM_TENANT_ID} \
-e ARM_SUBSCRIPTION_ID=${ARM_SUBSCRIPTION_ID} \
-e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \
-e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \
-e AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN} \
-e AWS_REGION=${AWS_REGION} \
-e GCP_PROJECT_NAME=${GCP_PROJECT_NAME} \
-e GCP_PROJECT_NUMBER=${GCP_PROJECT_NUMBER} \
-e GOOGLE_APPLICATION_CREDENTIALS=/src/creds.json \
--mount type=bind,source=$GOOGLE_APPLICATION_CREDENTIALS,target=/src/creds.json \
--volume /tmp:/src \
--entrypoint /src/pulumi-test-containers \
${{ env.DOCKER_ORG }}/pulumi:${{ env.PULUMI_VERSION }} \
-test.timeout=1h -test.v
- name: Tests for nonroot variant
run: |
chmod o+r $GOOGLE_APPLICATION_CREDENTIALS
docker run \
-e RUN_CONTAINER_TESTS=true \
-e IMAGE_VARIANT=pulumi-nonroot \
-e PULUMI_ACCESS_TOKEN=${PULUMI_ACCESS_TOKEN} \
-e PULUMI_ORG=${PULUMI_ORG} \
-e ARM_CLIENT_ID=${ARM_CLIENT_ID} \
-e ARM_CLIENT_SECRET=${ARM_CLIENT_SECRET} \
-e ARM_TENANT_ID=${ARM_TENANT_ID} \
-e ARM_SUBSCRIPTION_ID=${ARM_SUBSCRIPTION_ID} \
-e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \
-e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \
-e AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN} \
-e AWS_REGION=${AWS_REGION} \
-e GCP_PROJECT_NAME=${GCP_PROJECT_NAME} \
-e GCP_PROJECT_NUMBER=${GCP_PROJECT_NUMBER} \
-e GOOGLE_APPLICATION_CREDENTIALS=/src/creds.json \
--mount type=bind,source=$GOOGLE_APPLICATION_CREDENTIALS,target=/src/creds.json \
--volume /tmp:/src \
--entrypoint /src/pulumi-test-containers \
${{ env.DOCKER_ORG }}/pulumi:${{ env.PULUMI_VERSION }}-nonroot \
-test.timeout=1h -test.v
provider-build-environment:
name: Provider Build Environment image
strategy:
matrix:
go-version: [1.21.x]
runs-on: ubuntu-latest
permissions:
id-token: write
steps:
# If no version of Pulumi is supplied by the incoming event (e.g. in the
# case of a PR or merge to main), we use the latest production version:
- name: Set version to latest
if: ${{ !env.PULUMI_VERSION }}
run: |
echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV
- uses: actions/checkout@master
- name: Free Disk Space (Ubuntu)
uses: jlumbroso/free-disk-space@main
with:
tool-cache: false
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Setup docker buildx
uses: docker/setup-buildx-action@v3
with:
install: true
- name: Build
# This image is only built for AMD64 for the same reasons as
# the "kitchen sink" image, listed above.
run: |
docker build \
-f docker/pulumi/Dockerfile \
--platform linux/amd64 \
-t ${{ env.DOCKER_ORG }}/pulumi-provider-build-environment:${{ env.PULUMI_VERSION }} \
--target build-environment \
--build-arg PULUMI_VERSION=${{ env.PULUMI_VERSION }} \
--load \
docker/pulumi
- name: Image Info
run: |
docker image ls ${{ env.DOCKER_ORG }}/pulumi-provider-build-environment:${{ env.PULUMI_VERSION }}
docker history ${{ env.DOCKER_ORG }}/pulumi-provider-build-environment:${{ env.PULUMI_VERSION }}
- name: Install go
uses: actions/setup-go@v5
with:
go-version: "1.22"
cache-dependency-path: tests/go.sum
- name: Compile tests
working-directory: tests
run: |
GOOS=linux GOARCH=amd64 go test -c -o /tmp/pulumi-test-containers ./...
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_REGION }}
role-duration-seconds: 14400 # 4 hours
role-session-name: pulumi-docker-containers@githubActions
role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }}
- name: Authenticate with Google Cloud
uses: google-github-actions/auth@v2
with:
service_account: ${{ env.GCP_SERVICE_ACCOUNT_EMAIL }}
workload_identity_provider: projects/${{ env.GCP_PROJECT_NUMBER
}}/locations/global/workloadIdentityPools/${{ env.GCP_WORKLOAD_IDENTITY_POOL
}}/providers/${{ env.GCP_WORKLOAD_IDENTITY_PROVIDER }}
- name: 'Set up Cloud SDK'
uses: 'google-github-actions/setup-gcloud@v2'
- name: Tests
run: |
docker run \
-e RUN_CONTAINER_TESTS=true \
-e IMAGE_VARIANT=pulumi \
-e PULUMI_ACCESS_TOKEN=${PULUMI_ACCESS_TOKEN} \
-e PULUMI_ORG=${PULUMI_ORG} \
-e ARM_CLIENT_ID=${ARM_CLIENT_ID} \
-e ARM_CLIENT_SECRET=${ARM_CLIENT_SECRET} \
-e ARM_TENANT_ID=${ARM_TENANT_ID} \
-e ARM_SUBSCRIPTION_ID=${ARM_SUBSCRIPTION_ID} \
-e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \
-e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \
-e AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN} \
-e AWS_REGION=${AWS_REGION} \
-e GCP_PROJECT_NAME=${GCP_PROJECT_NAME} \
-e GCP_PROJECT_NUMBER=${GCP_PROJECT_NUMBER} \
-e GOOGLE_APPLICATION_CREDENTIALS=/src/creds.json \
--mount type=bind,source=$GOOGLE_APPLICATION_CREDENTIALS,target=/src/creds.json \
--volume /tmp:/src \
--entrypoint /src/pulumi-test-containers \
${{ env.DOCKER_ORG }}/pulumi-provider-build-environment:${{ env.PULUMI_VERSION }} \
-test.parallel=1 -test.timeout=1h -test.v
base:
name: Base image
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
os: ["debian", "ubi"]
steps:
# If no version of Pulumi is supplied by the incoming event (e.g. in the
# case of a PR or merge to main), we use the latest production version:
- name: Set version to latest
if: ${{ !env.PULUMI_VERSION }}
run: |
echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV
- uses: actions/checkout@master
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Setup docker buildx
uses: docker/setup-buildx-action@v3
with:
install: true
- name: Build
run: |
docker build \
-f docker/base/Dockerfile.${{ matrix.os }} \
--platform linux/arm64,linux/amd64 \
. \
-t ${{ env.DOCKER_ORG }}/pulumi-base:${{ env.PULUMI_VERSION }}-${{ matrix.os }} \
--build-arg PULUMI_VERSION=${{ env.PULUMI_VERSION }} \
define-matrix:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.define-matrix.outputs.matrix }}
steps:
- uses: actions/checkout@master
- name: Define Matrix
id: define-matrix
run: |
echo matrix=$(python ./.github/scripts/matrix/gen-matrix.py) >> "$GITHUB_OUTPUT"
debian-sdk:
name: Debian SDK images
runs-on: ubuntu-latest
permissions:
id-token: write
needs: define-matrix
strategy:
fail-fast: false
matrix: ${{ fromJSON(needs.define-matrix.outputs.matrix) }}
steps:
# If no version of Pulumi is supplied by the incoming event (e.g. in the
# case of a PR or merge to main), we use the latest production version:
- name: Set version to latest
if: ${{ !env.PULUMI_VERSION }}
run: |
echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV
- name: Set image name
run: |
echo "IMAGE_NAME=${{ env.DOCKER_ORG }}/pulumi-${{ matrix.sdk }}${{ matrix.suffix }}:${{ env.PULUMI_VERSION }}-debian-${{ matrix.arch }}" >> $GITHUB_ENV
- uses: actions/checkout@master
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Setup docker buildx
uses: docker/setup-buildx-action@v3
with:
install: true
- name: Build
run: |
docker build \
-f docker/${{ matrix.sdk }}/Dockerfile.debian \
--platform linux/${{ matrix.arch }} \
-t ${{ env.IMAGE_NAME }} \
--build-arg PULUMI_VERSION=${{ env.PULUMI_VERSION }} \
--build-arg LANGUAGE_VERSION=${{ matrix.language_version }} \
docker/${{ matrix.sdk }} \
--load
- name: Image Info
run: |
docker image ls ${{ env.IMAGE_NAME }}
docker history ${{ env.IMAGE_NAME }}
- name: Install go
uses: actions/setup-go@v5
with:
go-version: "1.22"
cache-dependency-path: tests/go.sum
- name: Compile tests
working-directory: tests
run: |
GOOS=linux GOARCH=${{ matrix.arch }} go test -c -o /tmp/pulumi-test-containers ./...
- name: Set SDKS_TO_TEST (dotnet)
if: ${{ matrix.sdk == 'dotnet' }}
run: echo "SDKS_TO_TEST=csharp" >> $GITHUB_ENV
- name: Set SDKS_TO_TEST (nodejs)
if: ${{ matrix.sdk == 'nodejs' }}
run: echo "SDKS_TO_TEST=typescript" >> $GITHUB_ENV
- name: Set SDKS_TO_TEST (default)
if: ${{ matrix.sdk != 'dotnet' && matrix.sdk != 'nodejs' }}
run: echo "SDKS_TO_TEST=${{ matrix.sdk}}" >> $GITHUB_ENV
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_REGION }}
role-duration-seconds: 14400 # 4 hours
role-session-name: pulumi-docker-containers@githubActions
role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }}
- name: Authenticate with Google Cloud
uses: google-github-actions/auth@v2
with:
service_account: ${{ env.GCP_SERVICE_ACCOUNT_EMAIL }}
workload_identity_provider: projects/${{ env.GCP_PROJECT_NUMBER
}}/locations/global/workloadIdentityPools/${{ env.GCP_WORKLOAD_IDENTITY_POOL
}}/providers/${{ env.GCP_WORKLOAD_IDENTITY_PROVIDER }}
- name: 'Set up Cloud SDK'
uses: 'google-github-actions/setup-gcloud@v2'
- if: ${{ !(matrix.arch == 'arm64' && matrix.sdk == 'dotnet') }}
# We use QEMU to run ARM64 images on AMD64, but .NET Core isn't supported by QEMU, skip
# running the tests for this combination.
# https://gitlab.com/qemu-project/qemu/-/issues/249
name: Tests
run: |
docker run \
-e RUN_CONTAINER_TESTS=true \
-e IMAGE_VARIANT=pulumi-debian-${{ matrix.sdk }} \
-e LANGUAGE_VERSION=${{ matrix.language_version }} \
-e SDKS_TO_TEST=${SDKS_TO_TEST} \
-e PULUMI_ACCESS_TOKEN=${PULUMI_ACCESS_TOKEN} \
-e PULUMI_ORG=${PULUMI_ORG} \
-e ARM_CLIENT_ID=${ARM_CLIENT_ID} \
-e ARM_CLIENT_SECRET=${ARM_CLIENT_SECRET} \
-e ARM_TENANT_ID=${ARM_TENANT_ID} \
-e ARM_SUBSCRIPTION_ID=${ARM_SUBSCRIPTION_ID} \
-e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \
-e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \
-e AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN} \
-e AWS_REGION=${AWS_REGION} \
-e GCP_PROJECT_NAME=${GCP_PROJECT_NAME} \
-e GCP_PROJECT_NUMBER=${GCP_PROJECT_NUMBER} \
-e GOOGLE_APPLICATION_CREDENTIALS=/src/creds.json \
--mount type=bind,source=$GOOGLE_APPLICATION_CREDENTIALS,target=/src/creds.json \
--volume /tmp:/src \
--entrypoint /src/pulumi-test-containers \
--platform ${{ matrix.arch }} \
${{ env.IMAGE_NAME }} \
-test.parallel=1 -test.timeout=1h -test.v -test.run "TestPulumiTemplateTests|TestEnvironment"
define-ubi-matrix:
runs-on: ubuntu-latest
outputs:
matrix: ${{ steps.define-matrix-sdk-manifests.outputs.matrix }}
steps:
- uses: actions/checkout@master
- name: Define Matrix for UBI SDK Manifests
id: define-matrix-sdk-manifests
run: |
echo matrix=$(python ./.github/scripts/matrix/gen-matrix.py --no-arch) >> "$GITHUB_OUTPUT"
ubi-sdk:
name: UBI SDK images
runs-on: ubuntu-latest
permissions:
id-token: write
needs: define-ubi-matrix
strategy:
fail-fast: false
matrix: ${{ fromJSON(needs.define-ubi-matrix.outputs.matrix) }}
steps:
# If no version of Pulumi is supplied by the incoming event (e.g. in the
# case of a PR or merge to main), we use the latest production version:
- name: Set version to latest
if: ${{ !env.PULUMI_VERSION }}
run: |
echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV
- name: Set image name
run: |
echo "IMAGE_NAME=${{ env.DOCKER_ORG }}/pulumi-${{ matrix.sdk }}${{ matrix.suffix }}:${{ env.PULUMI_VERSION }}-ubi" >> $GITHUB_ENV
- uses: actions/checkout@master
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Setup docker buildx
uses: docker/setup-buildx-action@v3
with:
install: true
- name: Build
# We only build UBI for amd64 due to arm64 builds hanging on `npm
# install -g yarn` with no additional output, plus the apparent
# requirement of a paid subscription in order to file a bug with RedHat.
run: |
docker build \
-f docker/${{ matrix.sdk }}/Dockerfile.ubi \
--platform linux/amd64 \
-t ${{ env.IMAGE_NAME }} \
--build-arg PULUMI_VERSION=${{ env.PULUMI_VERSION }} \
--build-arg LANGUAGE_VERSION=${{ matrix.language_version }} \
docker/${{ matrix.sdk }} \
--load
- name: Image Info
run: |
docker image ls ${{ env.IMAGE_NAME }}
docker history ${{ env.IMAGE_NAME }}
- name: Install go
uses: actions/setup-go@v5
with:
go-version: "1.22"
cache-dependency-path: tests/go.sum
- name: Compile tests
working-directory: tests
run: |
GOOS=linux GOARCH=amd64 go test -c -o /tmp/pulumi-test-containers ./...
- name: Set SDKS_TO_TEST (dotnet)
if: ${{ matrix.sdk == 'dotnet' }}
run: echo "SDKS_TO_TEST=csharp" >> $GITHUB_ENV
- name: Set SDKS_TO_TEST (nodejs)
if: ${{ matrix.sdk == 'nodejs' }}
run: echo "SDKS_TO_TEST=typescript" >> $GITHUB_ENV
- name: Set SDKS_TO_TEST (default)
if: ${{ matrix.sdk != 'dotnet' && matrix.sdk != 'nodejs' }}
run: echo "SDKS_TO_TEST=${{ matrix.sdk}}" >> $GITHUB_ENV
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: ${{ env.AWS_REGION }}
role-duration-seconds: 14400 # 4 hours
role-session-name: pulumi-docker-containers@githubActions
role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }}
- name: Authenticate with Google Cloud
uses: google-github-actions/auth@v2
with:
service_account: ${{ env.GCP_SERVICE_ACCOUNT_EMAIL }}
workload_identity_provider: projects/${{ env.GCP_PROJECT_NUMBER
}}/locations/global/workloadIdentityPools/${{ env.GCP_WORKLOAD_IDENTITY_POOL
}}/providers/${{ env.GCP_WORKLOAD_IDENTITY_PROVIDER }}
- name: 'Set up Cloud SDK'
uses: 'google-github-actions/setup-gcloud@v2'
- name: Tests
run: |
docker run \
-e RUN_CONTAINER_TESTS=true \
-e IMAGE_VARIANT=pulumi-ubi-${{ matrix.sdk }} \
-e LANGUAGE_VERSION=${{ matrix.language_version }} \
-e SDKS_TO_TEST=${SDKS_TO_TEST} \
-e PULUMI_ACCESS_TOKEN=${PULUMI_ACCESS_TOKEN} \
-e PULUMI_ORG=${PULUMI_ORG} \
-e ARM_CLIENT_ID=${ARM_CLIENT_ID} \
-e ARM_CLIENT_SECRET=${ARM_CLIENT_SECRET} \
-e ARM_TENANT_ID=${ARM_TENANT_ID} \
-e ARM_SUBSCRIPTION_ID=${ARM_SUBSCRIPTION_ID} \
-e AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID} \
-e AWS_SECRET_ACCESS_KEY=${AWS_SECRET_ACCESS_KEY} \
-e AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN} \
-e AWS_REGION=${AWS_REGION} \
-e GCP_PROJECT_NAME=${GCP_PROJECT_NAME} \
-e GCP_PROJECT_NUMBER=${GCP_PROJECT_NUMBER} \
-e GOOGLE_APPLICATION_CREDENTIALS=/src/creds.json \
--mount type=bind,source=$GOOGLE_APPLICATION_CREDENTIALS,target=/src/creds.json \
--volume /tmp:/src \
--entrypoint /src/pulumi-test-containers \
${{ env.IMAGE_NAME }} \
-test.parallel=1 -test.timeout=1h -test.v -test.run "TestPulumiTemplateTests|TestEnvironment"