appleboy / actions

Deploy continuously to your cloud of choice, using your favorite language, Pulumi, and GitHub!

Pulumi GitHub Actions

Pulumi's GitHub Actions deploy apps and infrastructure to your cloud of choice, using just your favorite language and GitHub. This includes previewing, validating, and collaborating on proposed deployments in the context of Pull Requests, and triggering deployments or promotions between different environments by merging or directly committing code.

Note: This repository contains samples and additional documentation for using Pulumi's GitHub Actions Docker container. If you're looking for the code that builds that container, you'll find it here.

Getting Started

To get started with Pulumi's GitHub Actions, check out our documentation.

Demos and Examples

To see some examples of this in action, see the following links:

Cloud Providers

Below are some quick tips on using Pulumi's GitHub Actions support with your cloud provider. This typically entails configuring a service principal for unattended access, storing the resulting credentials using GitHub Secrets, and consuming them using the secrets attribute on your workflow's action.

If your cloud of choice isn't listed, that doesn't necessarily mean Pulumi doesn't support it; please see Pulumi's QuickStart page for more complete documentation.

Amazon Web Services (AWS)

For AWS, you'll need to create or use an existing IAM user for your action. Please see the Pulumi documentation page for pointers to the relevant AWS documentation for doing this.

As soon as you have an AWS user in hand, you'll set the environment variables AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY using GitHub Secrets, and then consume them in your action:

name: Pulumi
on:
  push:
    branches:
      - master
jobs:
  up:
    name: Update
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - uses: docker://pulumi/actions
        with:
          args: up
        env:
          AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
          AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
          PULUMI_CI: up

Failure to configure this correctly will lead to an error message.

Microsoft Azure

For Azure, you'll need to create or use an existing Azure Service Principal for your action. Please see the Pulumi documentation page for pointers to the relevant Azure documentation for doing this.

As soon as you have a service principal in hand, you'll set the environment variables ARM_SUBSCRIPTION_ID, ARM_CLIENT_ID, ARM_CLIENT_SECRET, and ARM_TENANT_ID using GitHub Secrets, and consume them in your action:

name: Pulumi
on:
  push:
    branches:
      - master
jobs:
  up:
    name: Update
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - uses: docker://pulumi/actions
        with:
          args: up
        env:
          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
          ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
          ARM_TENANT_ID: ${{ secrets.ARM_TENANT_ID }}
          PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
          PULUMI_CI: up

Failure to configure this correctly will lead to the error message Error building AzureRM Client: Azure CLI Authorization Profile was not found. Please ensure the Azure CLI is installed and then log-in with 'az login'.

Google Cloud Platform

For GCP, you'll need to create or use an existing service account key. Please see the Pulumi documentation page for pointers to the relevant GCP documentation for doing this.

As soon as you have credentials in hand, you'll set the environment variable GOOGLE_CREDENTIALS to contain the credentials JSON using GitHub Secrets, and then consume it in your action:

name: Pulumi
on:
  push:
    branches:
      - master
jobs:
  up:
    name: Update
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - uses: docker://pulumi/actions
        with:
          args: up
        env:
          GOOGLE_CREDENTIALS: ${{ secrets.GOOGLE_CREDENTIALS }}
          PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
          PULUMI_CI: up

Failure to configure this correctly will lead to an error message.
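
The following is an added example, not code from the Pulumi repository: a small Python check that every credential variable used in the workflows above is populated from a secrets reference rather than a literal value, and that none required for the chosen provider is missing. The function name audit_workflow, the finding labels, and the sample input are assumptions made for this illustration.

```python
import re

# Credential variables this page sets per provider (taken from its workflows).
PROVIDER_VARS = {
    "aws": ["AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY"],
    "azure": ["ARM_SUBSCRIPTION_ID", "ARM_CLIENT_ID",
              "ARM_CLIENT_SECRET", "ARM_TENANT_ID"],
    "gcp": ["GOOGLE_CREDENTIALS"],
}
ALWAYS = ["PULUMI_ACCESS_TOKEN"]
SENSITIVE = set(ALWAYS).union(*PROVIDER_VARS.values())

ENV_LINE = re.compile(r"^\s*([A-Z][A-Z0-9_]*)\s*:\s*(.*)$")
SECRET_REF = re.compile(r"^\$\{\{\s*secrets\.[A-Za-z_][A-Za-z0-9_]*\s*\}\}$")


def audit_workflow(text, provider):
    """Return (line_number, variable, problem) findings for one workflow."""
    findings, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ENV_LINE.match(line)
        if not m or m.group(1) not in SENSITIVE:
            continue
        name = m.group(1)
        # Drop a trailing YAML comment and surrounding quotes before checking.
        value = re.sub(r"\s+#.*$", "", m.group(2)).strip().strip("'\"")
        seen.add(name)
        if not SECRET_REF.match(value):
            findings.append((lineno, name, "literal"))
    for name in PROVIDER_VARS[provider] + ALWAYS:
        if name not in seen:
            findings.append((None, name, "missing"))
    return findings


# Constructed sample: the env block of the Azure workflow with two mistakes
# (a hardcoded placeholder value and no ARM_TENANT_ID).
BAD_AZURE = """\
        env:
          ARM_SUBSCRIPTION_ID: ${{ secrets.ARM_SUBSCRIPTION_ID }}
          ARM_CLIENT_ID: ${{ secrets.ARM_CLIENT_ID }}
          ARM_CLIENT_SECRET: "EXAMPLE-not-a-real-secret"
          PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
          PULUMI_CI: up
"""

if __name__ == "__main__":
    for lineno, name, problem in audit_workflow(BAD_AZURE, "azure"):
        print(lineno, name, problem)
```

The check is line-based and does not parse YAML, so it reads only single-line KEY: value entries such as those in the workflows on this page.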

License: Apache License 2.0