👋 I recently migrated to https://www.pulumi.com/registry/packages/docker-build/ - but it appears that this resource is storing ECR creds in state, and they seem to expire - is this a user error type thing? or one of those issues where a refresh is required to force a creds flush from state before running up? as I wrote this, i came upon --run-program, which might help with the issue 👀 but posting here anyway incase this helps others, or im on the wrong track heres the up command (run via github actions +

pulumi/actions@v6

)

pulumi preview --refresh --exec-agent pulumi/actions@v6 --color auto --exec-kind auto.local --event-log /tmp/automation-logs-preview-jPRIR1/eventlog.txt --stack dev --non-interactive

heres one error

docker-build:index:Image (backend-base):
      warning: failed to get manifest <REMOVED>.<http://dkr.ecr.us-west-2.amazonaws.com/<name>:<tag>@<sha|dkr.ecr.us-west-2.amazonaws.com/<name>:<tag>@<sha>>: request failed: unauthorized [http 403]: {"errors":[{"code":"DENIED","message":"Your authorization token has expired. Reauthenticate and try again."}]}

This was running fine last week, but the long weekend exposed this interesting issue. FWIW, ive had the same problems with RDS root creds noted here

I think

--run-program

is probably what you want -- without it,

refresh

just looks at your state, which means eventually the credentials will expire. With it, Pulumi will run your program again, which will generate a new set of credentials for your provider etc.

that was my hunch as well! thank you! was sad to see it was reverted for the github action 😞

Seems that it broke some stuff due to the default latest version on GH runners, maybe? https://github.com/pulumi/actions/issues/1380