docs: Advise setting GITHUB_TOKEN to avoid rate limits #818
Conversation
jbrunton
force-pushed
the
readme-github-token
branch
from
bb9ef81
to
c78c065
Compare
jbrunton
changed the title
README.md
Outdated
| @@ -115,6 +116,10 @@ By default, this action will try to authenticate Pulumi with the | |||
| `PULUMI_ACCESS_TOKEN` then you will need to specify an alternative backend via | |||
| the `cloud-url` argument. | |||
|
|
|||
| If you are using any Pulumi plugins then you should also set the `GITHUB_TOKEN` | |||
| environment variable in order to avoid hitting GitHub rate limits. You can set | |||
| it to the default `${{ secrets.GITHUB_TOKEN }}`. | |||
There was a problem hiding this comment.
I guess users need to set a personal GitHub-token?
There was a problem hiding this comment.
If by "set", you mean set a repo secret? If so, then no: the GITHUB_TOKEN secret is always added by GitHub automatically: https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret
However, they would have the option of using another token if they wish.
There was a problem hiding this comment.
I can clarify that in the text, however. And a link to the above wouldn't hurt.
There was a problem hiding this comment.
@cobraz: I also just realised it's possible the action could automatically set the GITHUB_TOKEN variable in the process before invoking pulumi, if users don't set it themselves. Actions should always be able to access the github.token context. I've not looked into this, however.
There was a problem hiding this comment.
@jbrunton
Will this approach work for GitHub Enterprise?
There was a problem hiding this comment.
Maybe also add this link about GITHUB_TOKEN and rate limits as it mentions GH Enterprise https://docs.github.com/en/rest/overview/resources-in-the-rest-api?apiVersion=2022-11-28#requests-from-github-actions
There was a problem hiding this comment.
@1oglop1: Thanks for the suggestion. I updated the PR with that link.
There was a problem hiding this comment.
We already set the Github-token, it's used for pull request comments. We can easily reuse that.
jbrunton
force-pushed
the
readme-github-token
branch
from
c78c065
to
2161b44
Compare
jbrunton
force-pushed
the
readme-github-token
branch
from
2161b44
to
714bd69
Compare
|
Btw, I realise the Pulumi docs for this action would also need updating: https://github.com/pulumi/pulumi-hugo/blob/master/themes/default/content/docs/guides/continuous-delivery/github-actions.md I would be happy to contribute a PR for that too, but I will wait for feedback on this PR first. |
I realised this is likely the easiest fix for #815. (I imagine also related to #810 and #812.)
I say likely because it's a little bit difficult proving a fix for something which only occasionally failed, but in my testing this action has been successful in about a dozen recent runs after setting the GITHUB_TOKEN variable, whereas before I was seeing failures every 3-4 runs.EDIT: In fact, I've tested this more extensively since opening this PR and it's worked every time across dozens of runs.
I'm fairly confident this is the correct fix, however:
get.pulumi.com(e.g.https://get.pulumi.com/releases/plugins/pulumi-resource-synced-folder-v0.0.9-linux-amd64.tar.gz), it seems that the Pulumi retry mechanism for downloading plugins isn't robust and sometimes falls back to the wrong server (see discussion in Pulumi plugin 403 error pulumi#11743).EDIT: It might also be possible to find a way for the action to automatically set the GITHUB_TOKEN variable before executing Pulumi, since the
github.tokencontext should always be available to the action. I've not looked into how straightforward this is, however. And it's probably good to be transparent about how access tokens get used.