bulky-oil-97030
05/09/2025, 12:50 PM
pulumi up via the pulumi/actions@v6 github action.
I've switched authentication to the pulumi Github OIDC client with the pulumi/auth-actions@v1 action.
My organization is on a Pulumi Team plan, and a Github free plan.
Authentication works, but for some reason, secrets cannot be correctly deciphered.
When I run the same action with an access token, everything works fine.
Here's the relevant part of the workflow:
- name: "Perform pulumi login :key:"
  uses: pulumi/auth-actions@v1
  with:
    organization: my-pulumi-org
    requested-token-type: urn:pulumi:token-type:access_token:personal
    scope: user:my-technical-user
    export-environment-variables: true
- if: inputs.state == 'up'
  name: "Provision :rocket:"
  uses: pulumi/actions@v6
  # # When I run with an access token, everything works
  # env:
  #   PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
  with:
    command: up
    stack-name: ${{ inputs.stage }}
    work-dir: path/to/stack
    upsert: true
And here's the corresponding Github actions log output
Run pulumi/actions@v6
  with:
    command: up
    stack-name: dev
    work-dir: path/to/stack
    upsert: true
    comment-on-pr: false
    comment-on-summary: false
    github-token: ***
    expect-no-changes: false
    diff: false
    exclude-dependents: false
    target-dependents: false
    refresh: false
    remove: false
    edit-pr-comment: true
    color: auto
    exclude-protected: false
    suppress-outputs: false
    suppress-progress: false
    always-include-summary: false
    continue-on-error: false
    log-flow: false
    debug: false
  env:
    pythonLocation: /opt/hostedtoolcache/Python/3.13.3/x64
    PKG_CONFIG_PATH: /opt/hostedtoolcache/Python/3.13.3/x64/lib/pkgconfig
    Python_ROOT_DIR: /opt/hostedtoolcache/Python/3.13.3/x64
    Python2_ROOT_DIR: /opt/hostedtoolcache/Python/3.13.3/x64
    Python3_ROOT_DIR: /opt/hostedtoolcache/Python/3.13.3/x64
    LD_LIBRARY_PATH: /opt/hostedtoolcache/Python/3.13.3/x64/lib
    PULUMI_ACCESS_TOKEN: ***
Configured range:
/usr/local/bin/pulumi version
v3.166.0
warning: A new version of Pulumi is available. To upgrade from version '3.166.0' to '3.169.0', visit <https://pulumi.com/docs/install/> for manual instructions and release notes.
Pulumi version 3.166.0 is already installed on this machine. Skipping download
Logging into the Pulumi Cloud backend.
pulumi up on dev
Updating (dev)
View Live: <https://app.pulumi.com/my-technical-user/my-project/dev/updates/4>
/home/runner/work/_actions/pulumi/actions/v6/webpack:/pulumi-github-action/node_modules/@pulumi/pulumi/automation/errors.js:81
: new CommandError(result);
^
CommandError: code: -2
stdout:
stderr: Command failed with exit code 255: pulumi up --yes --skip-preview --exec-agent pulumi/actions@v6 --color auto --exec-kind auto.local --stack dev --non-interactive
error: failed to decrypt configuration key 'thesecret:token': [400] Bad Request: invalid ciphertext
Updating (dev)
View Live: <https://app.pulumi.com/my-technical-user/my-project/dev/updates/4>
err?: Error: Command failed with exit code 255: pulumi up --yes --skip-preview --exec-agent pulumi/actions@v6 --color auto --exec-kind auto.local --stack dev --non-interactive
error: failed to decrypt configuration key 'thesecret:token': [400] Bad Request: invalid ciphertext
Updating (dev)
View Live: <https://app.pulumi.com/my-technical-user/my-project/dev/updates/4>
    at Object.createCommandError (/home/runner/work/_actions/pulumi/actions/v6/webpack:/pulumi-github-action/node_modules/@pulumi/pulumi/automation/errors.js:81:1)
    at exec (/home/runner/work/_actions/pulumi/actions/v6/webpack:/pulumi-github-action/node_modules/@pulumi/pulumi/automation/cmd.js:186:1)
    at processTicksAndRejections (node:internal/process/task_queues:95:5)
    at Stack.runPulumiCmd (/home/runner/work/_actions/pulumi/actions/v6/webpack:/pulumi-github-action/node_modules/@pulumi/pulumi/automation/stack.js:902:1)
    at Stack.up (/home/runner/work/_actions/pulumi/actions/v6/webpack:/pulumi-github-action/node_modules/@pulumi/pulumi/automation/stack.js:257:1)
little-cartoon-10569
05/11/2025, 9:22 PM
bulky-oil-97030
05/20/2025, 10:46 AM
bulky-oil-97030
05/20/2025, 10:47 AM
can you confirm that the access token you're getting via the OIDC auth is for the same user as the access token that works?
Do you mean the same as in "Has similar claims, same audience, etc."? Haven't checked that yet. Right now we'll continue working with the static API token.
little-cartoon-10569
05/20/2025, 9:42 PM
bulky-oil-97030
05/21/2025, 12:51 PM
little-cartoon-10569
05/21/2025, 9:56 PM
bulky-oil-97030
05/22/2025, 6:51 AM