feat: add Pulumi PAT to nomad-server

cdunster · cdunster · commit f34013bcc6e7 · 2025-02-03T10:42:32.000+01:00
diff --git a/Pulumi.github.yaml b/Pulumi.github.yaml
@@ -1,3 +1,5 @@
 config:
   holochain:automationUserToken:
     secure: AAABAMlBFfkdQybCGmTBT99+prfFkJ/NBtu6+S2gpnH/6XkYEAPrVM6B8/9aVLsgwqP7tLUCvEaLvHs84Nky2iPOYRS4XEaI
+  holochain:hra2PulumiAccessToken:
+    secure: AAABAESpY2fKLjLgiRFaQqZ1pE+H+SFfYbkKo2jKidYtZQT5KK26u3VKW/jmlG6JQTHebMt+M1OSgYk/Bt8r8UDjKbma6gbcwr/K6w==
diff --git a/README.md b/README.md
@@ -34,3 +34,24 @@ configured to use it. You can do this by running:
 ```bash
 pulumi up
 ```
+
+### Rotating the Pulumi access token
+
+The secret `hra2PulumiAccessToken` can be used to give repositories access to
+Pulumi itself so that changes can be deployed in the CI.
+
+To rotate the token, you can run the following command:
+
+```bash
+pulumi config set --secret hra2PulumiAccessToken <new-token>
+```
+
+This value is encrypted by Pulumi and stored in `Pulumi.github.yaml`.
+
+Then you will need to ask Pulumi to deploy the token to projects that are
+configured to use it. You can do this by getting a PR merged into `main` and
+allowing the CI to deploy it or by manually running:
+
+```bash
+pulumi up
+```
diff --git a/main.go b/main.go
@@ -513,6 +513,9 @@ func main() {
 		if err = AddAutomationUserSecret(ctx, conf, "nomad-server"); err != nil {
 			return err
 		}
+		if err = AddPulumiAccessTokenSecret(ctx, conf, "nomad-server"); err != nil {
+			return err
+		}
 
 		return nil
 	})
@@ -702,3 +705,17 @@ func AddAutomationUserSecret(ctx *pulumi.Context, cfg *config.Config, repository
 
 	return nil
 }
+
+func AddPulumiAccessTokenSecret(ctx *pulumi.Context, cfg *config.Config, repository string) error {
+	_, err := github.NewActionsSecret(ctx, fmt.Sprintf("%s-pulumi-access-token", repository), &github.ActionsSecretArgs{
+		Repository: pulumi.String(repository),
+		SecretName: pulumi.String("HRA2_PULUMI_ACCESS_TOKEN"),
+		// The GitHub API only accepts encrypted values. This will be encrypted by the provider before being sent.
+		PlaintextValue: cfg.RequireSecret("hra2PulumiAccessToken"),
+	}, pulumi.DeleteBeforeReplace(true), pulumi.IgnoreChanges([]string{"encryptedValue"}))
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
