From bot token to per workflow generated token

provider-ci/internal/pkg/generate.go

@@ -73,7 +73,7 @@ func getTemplateDirs(templateName string) ([]string, error) {
 		return []string{"dev-container", "provider", "pulumi-provider", "bridged-provider"}, nil
 	case "external-bridged-provider":
 		// Render more specific templates last to allow them to override more general templates.
-		return []string{"dev-container", "provider", "bridged-provider"}, nil
+		return []string{"dev-container", "provider", "external-provider", "bridged-provider"}, nil
 	default:
 		return nil, fmt.Errorf("unknown template: %s", templateName)
 	}

provider-ci/internal/pkg/templates/bridged-provider/.github/workflows/upgrade-bridge.yml

@@ -1,6 +1,7 @@
 # WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
 
 name: Upgrade bridge
+
 on:
   repository_dispatch:
     types:
@@ -49,13 +50,19 @@ on:
         required: false
         type: boolean
         default: false
+
 env:
-  GH_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
 jobs:
   upgrade_provider:
     name: upgrade-provider
     runs-on: #{{ if .Config.runner.buildSdk }}##{{- .Config.runner.buildSdk }}##{{ else }}##{{- .Config.runner.default }}##{{ end }}#
+    permissions:
+      contents: write
+      issues: write
+      pull-requests: write
     steps:
     #{{- if .Config.freeDiskSpaceBeforeBuild }}#
     # Run as first step so we don't delete things that have just been installed

provider-ci/internal/pkg/templates/bridged-provider/.upgrade-config.yml

@@ -9,8 +9,11 @@ upstream-provider-name: terraform-provider-#{{ .Config.provider }}#
 #{{- if (index .Config "upstreamProviderOrg") }}#
 upstream-provider-org: #{{ .Config.upstreamProviderOrg }}#
 #{{- end }}#
+#{{- if (eq .Config.organization "pulumi") }}#
 pulumi-infer-version: true
+#{{- end }}#
 remove-plugins: true
 #{{- if (index .Config "javaGenVersion") }}#
 javaVersion: "#{{ .Config.javaGenVersion }}#"
 #{{- end }}#
+pr-assign: #{{ index .Config "pr-assign" }}#

provider-ci/internal/pkg/templates/defaults.config.yaml

@@ -36,6 +36,10 @@ major-version: 2
 # Only set for 5 providers: https://github.com/search?q=org%3Apulumi+path%3A.ci-mgmt.yaml+%22upstream-provider-repo%22&type=code
 #upstream-provider-repo: terraform-provider-xyz
 
+# pr-assign is used in the bridge upgrade config. The value must be a valid Github user name.
+# Defaults to `pulumi-bot` but can be overridden for third-party packages
+pr-assign: pulumi-bot
+
 # lint includes an extra lint job in workflows if enabled (default). Can be set explicit to false.
 # This is false in around 8 provider repos: https://github.com/search?q=org%3Apulumi+path%3A.ci-mgmt.yaml+%22lint%3A+false%22&type=code
 lint: true

provider-ci/internal/pkg/templates/external-provider/.github/workflows/upgrade-provider.yml

@@ -0,0 +1,53 @@
+# WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
+name: Upgrade provider
+
+on:
+  workflow_dispatch: {}
+  schedule:
+    # At 05:00 on Monday
+    - cron: 0 5 * * 1
+
+env:
+  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+permissions:
+  contents: write
+  issues: write
+  pull-requests: write
+
+jobs:
+  upgrade_provider:
+    name: upgrade-provider
+    runs-on: #{{ .Config.runner.default }}#
+    steps:
+      #{{- if .Config.freeDiskSpaceBeforeBuild }}#
+      # Run as first step so we don't delete things that have just been installed
+      - name: Free Disk Space (Ubuntu)
+        uses: #{{ .Config.actionVersions.freeDiskSpace }}#
+        with:
+          tool-cache: false
+          swap-storage: false
+          dotnet: false
+      #{{- end }}#
+      - name: Checkout Repo
+        uses: #{{ .Config.actionVersions.checkout }}#
+        #{{- if .Config.checkoutSubmodules }}#
+        with:
+          submodules: #{{ .Config.checkoutSubmodules }}#
+        #{{- end }}#
+      - name: Setup tools
+        uses: ./.github/actions/setup-tools
+        with:
+          tools: pulumictl, pulumicli, #{{ range $index, $element := .Config.languages }}##{{if $index}}#, #{{end}}##{{ $element }}##{{end}}#
+      - name: Install upgrade-provider
+        run: go install github.com/pulumi/upgrade-provider@main
+        shell: bash
+      - name: "Set up git identity: name"
+        run: |
+          git config --global user.name 'Github Actions'
+          git config --global user.email '41898282+github-actions[bot]@users.noreply.github.com'
+        shell: bash
+      - name: Run upgrade-provider
+        run: upgrade-provider "${{ github.repository }}" --kind="all" #{{ if .Config.javaGenVersion }}#--java-version="#{{ .Config.javaGenVersion }}#"#{{ end }}#
+        shell: bash

provider-ci/test-providers/acme/.ci-mgmt.yaml

@@ -18,3 +18,4 @@ license:
   ignore:
     # Package is licensed under Apache 2.0 but license is not picked up correctly by the license detector
     - github.com/OpenDNS/vegadns2client
+pr-assign: ringods

provider-ci/test-providers/acme/.github/workflows/upgrade-bridge.yml

@@ -1,6 +1,7 @@
 # WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
 
 name: Upgrade bridge
+
 on:
   repository_dispatch:
     types:
@@ -49,13 +50,19 @@ on:
         required: false
         type: boolean
         default: false
+
 env:
-  GH_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
 jobs:
   upgrade_provider:
     name: upgrade-provider
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      issues: write
+      pull-requests: write
     steps:
     - name: Checkout Repo
       uses: actions/checkout@v4

provider-ci/test-providers/acme/.github/workflows/upgrade-provider.yml

@@ -1,11 +1,23 @@
 # WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
+name: Upgrade provider
+
+on:
+  workflow_dispatch: {}
+  schedule:
+    # At 05:00 on Monday
+    - cron: 0 5 * * 1
 
 env:
-  GH_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+permissions:
+  contents: write
+  issues: write
+  pull-requests: write
+
 jobs:
   upgrade_provider:
-    if: ${{ (github.event.issue.user.login == 'pulumi-bot' && contains(github.event.issue.title, 'Upgrade terraform-provider-')) || github.event_name == 'workflow_dispatch' }}
     name: upgrade-provider
     runs-on: ubuntu-latest
     steps:
@@ -14,21 +26,15 @@ jobs:
       - name: Setup tools
         uses: ./.github/actions/setup-tools
         with:
-          tools: pulumictl, pulumicli, go, nodejs, dotnet, python, java
+          tools: pulumictl, pulumicli, dotnet, go, nodejs, python
       - name: Install upgrade-provider
         run: go install github.com/pulumi/upgrade-provider@main
         shell: bash
       - name: "Set up git identity: name"
         run: |
-          git config --global user.name '[email protected]'
-          git config --global user.email 'bot@pulumi.com'
+          git config --global user.name 'Github Actions'
+          git config --global user.email '41898282+github-actions[bot]@users.noreply.github.com'
         shell: bash
       - name: Run upgrade-provider
         run: upgrade-provider "${{ github.repository }}" --kind="all" 
         shell: bash
-name: Upgrade provider
-on:
-  issues:
-    types:
-      - opened
-  workflow_dispatch: {}

provider-ci/test-providers/acme/.upgrade-config.yml

@@ -3,5 +3,5 @@
 ---
 upstream-provider-name: terraform-provider-acme
 upstream-provider-org: vancluever
-pulumi-infer-version: true
 remove-plugins: true
+pr-assign: ringods

provider-ci/test-providers/aws/.github/workflows/upgrade-bridge.yml

@@ -1,6 +1,7 @@
 # WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
 
 name: Upgrade bridge
+
 on:
   repository_dispatch:
     types:
@@ -49,13 +50,19 @@ on:
         required: false
         type: boolean
         default: false
+
 env:
-  GH_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
 jobs:
   upgrade_provider:
     name: upgrade-provider
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      issues: write
+      pull-requests: write
     steps:
     # Run as first step so we don't delete things that have just been installed
     - name: Free Disk Space (Ubuntu)

provider-ci/test-providers/aws/.upgrade-config.yml

@@ -4,3 +4,4 @@
 upstream-provider-name: terraform-provider-aws
 pulumi-infer-version: true
 remove-plugins: true
+pr-assign: pulumi-bot

provider-ci/test-providers/cloudflare/.github/workflows/upgrade-bridge.yml

@@ -1,6 +1,7 @@
 # WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
 
 name: Upgrade bridge
+
 on:
   repository_dispatch:
     types:
@@ -49,13 +50,19 @@ on:
         required: false
         type: boolean
         default: false
+
 env:
-  GH_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
 jobs:
   upgrade_provider:
     name: upgrade-provider
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      issues: write
+      pull-requests: write
     steps:
     - name: Checkout Repo
       uses: actions/checkout@v4

provider-ci/test-providers/cloudflare/.upgrade-config.yml

@@ -4,3 +4,4 @@
 upstream-provider-name: terraform-provider-cloudflare
 pulumi-infer-version: true
 remove-plugins: true
+pr-assign: pulumi-bot

provider-ci/test-providers/docker/.github/workflows/upgrade-bridge.yml

@@ -1,6 +1,7 @@
 # WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
 
 name: Upgrade bridge
+
 on:
   repository_dispatch:
     types:
@@ -49,13 +50,19 @@ on:
         required: false
         type: boolean
         default: false
+
 env:
-  GH_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+  GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
 jobs:
   upgrade_provider:
     name: upgrade-provider
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      issues: write
+      pull-requests: write
     steps:
     - name: Checkout Repo
       uses: actions/checkout@v4

provider-ci/test-providers/docker/.upgrade-config.yml

@@ -5,3 +5,4 @@ upstream-provider-name: terraform-provider-docker
 upstream-provider-org: kreuzwerker
 pulumi-infer-version: true
 remove-plugins: true
+pr-assign: pulumi-bot