-
Notifications
You must be signed in to change notification settings - Fork 73
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
docs: Advise setting GITHUB_TOKEN to avoid rate limits #818
base: main
Are you sure you want to change the base?
Conversation
bb9ef81
to
c78c065
Compare
README.md
Outdated
@@ -115,6 +116,10 @@ By default, this action will try to authenticate Pulumi with the | |||
`PULUMI_ACCESS_TOKEN` then you will need to specify an alternative backend via | |||
the `cloud-url` argument. | |||
|
|||
If you are using any Pulumi plugins then you should also set the `GITHUB_TOKEN` | |||
environment variable in order to avoid hitting GitHub rate limits. You can set | |||
it to the default `${{ secrets.GITHUB_TOKEN }}`. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess users need to set a personal GitHub-token?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If by "set", you mean set a repo secret? If so, then no: the GITHUB_TOKEN secret is always added by GitHub automatically: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret
However, they would have the option of using another token if they wish.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can clarify that in the text, however. And a link to the above wouldn't hurt.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@cobraz: I also just realised it's possible the action could automatically set the GITHUB_TOKEN variable in the process before invoking pulumi, if users don't set it themselves. Actions should always be able to access the github.token
context. I've not looked into this, however.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jbrunton
Will this approach work for GitHub Enterprise?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe also add this link about GITHUB_TOKEN and rate limits as it mentions GH Enterprise https://docs.github.com/en/rest/overview/resources-in-the-rest-api?apiVersion=2022-11-28#requests-from-github-actions
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@1oglop1: Thanks for the suggestion. I updated the PR with that link.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We already set the Github-token, it's used for pull request comments. We can easily reuse that.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
c78c065
to
2161b44
Compare
2161b44
to
714bd69
Compare
Btw, I realise the Pulumi docs for this action would also need updating: https://github.com/pulumi/pulumi-hugo/blob/master/themes/default/content/docs/guides/continuous-delivery/github-actions.md I would be happy to contribute a PR for that too, but I will wait for feedback on this PR first. |
I realised this is likely the easiest fix for #815. (I imagine also related to #810 and #812.)
I say likely because it's a little bit difficult proving a fix for something which only occasionally failed, but in my testing this action has been successful in about a dozen recent runs after setting the GITHUB_TOKEN variable, whereas before I was seeing failures every 3-4 runs.EDIT: In fact, I've tested this more extensively since opening this PR and it's worked every time across dozens of runs.
I'm fairly confident this is the correct fix, however:
get.pulumi.com
(e.g.https://get.pulumi.com/releases/plugins/pulumi-resource-synced-folder-v0.0.9-linux-amd64.tar.gz
), it seems that the Pulumi retry mechanism for downloading plugins isn't robust and sometimes falls back to the wrong server (see discussion in Pulumi plugin 403 error pulumi#11743).EDIT: It might also be possible to find a way for the action to automatically set the GITHUB_TOKEN variable before executing Pulumi, since the
github.token
context should always be available to the action. I've not looked into how straightforward this is, however. And it's probably good to be transparent about how access tokens get used.