From b405e5a6220d030944f0180e5087773c69505d7f Mon Sep 17 00:00:00 2001 From: Bryce Lampe Date: Thu, 19 Dec 2024 14:43:47 -0800 Subject: [PATCH] Update sentinel job for native providers (#1241) p-k has a weird bug https://github.com/pulumi/pulumi-kubernetes/issues/3382 where we aren't able to depend on the correct "Sentinel" check. This updates the native sentinel job to more closely match the bridged one: https://github.com/pulumi/ci-mgmt/blob/1243b9e2dff8ae4d4391591bcec61a38daeac0af/provider-ci/test-providers/aws/.github/workflows/run-acceptance-tests.yml#L87-L109 Other native providers don't have this problem, so I don't actually think this will resolve the issue, but it should at least help rule out any permission weirdness. Edit: OK I ran this against p-k here https://github.com/pulumi/pulumi-kubernetes/pull/3383 and suddenly the Sentinel check is available to us! So it does seem there's something wonky about the job's settings. Before ![image](https://github.com/user-attachments/assets/f7f48998-275a-4d40-9a5b-1be669f3d9b0) After ![image](https://github.com/user-attachments/assets/9b85be85-2093-4435-b975-4acc2c5a75ee) --- .../repo/.github/workflows/run-acceptance-tests.yml | 3 +++ .../repo/.github/workflows/run-acceptance-tests.yml | 3 +++ .../repo/.github/workflows/run-acceptance-tests.yml | 3 +++ .../repo/.github/workflows/run-acceptance-tests.yml | 3 +++ .../repo/.github/workflows/run-acceptance-tests.yml | 3 +++ .../repo/.github/workflows/run-acceptance-tests.yml | 3 +++ .../repo/.github/workflows/run-acceptance-tests.yml | 3 +++ native-provider-ci/src/workflows.ts | 9 ++++++++- 8 files changed, 29 insertions(+), 1 deletion(-) diff --git a/native-provider-ci/providers/aws-native/repo/.github/workflows/run-acceptance-tests.yml b/native-provider-ci/providers/aws-native/repo/.github/workflows/run-acceptance-tests.yml index ee4b4d1ff..dcc075f82 100644 --- a/native-provider-ci/providers/aws-native/repo/.github/workflows/run-acceptance-tests.yml 
+++ b/native-provider-ci/providers/aws-native/repo/.github/workflows/run-acceptance-tests.yml @@ -393,7 +393,10 @@ jobs: state: success description: Sentinel checks passed sha: ${{ github.event.pull_request.head.sha || github.sha }} + permissions: + statuses: write if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository needs: - test + - prerequisites diff --git a/native-provider-ci/providers/command/repo/.github/workflows/run-acceptance-tests.yml b/native-provider-ci/providers/command/repo/.github/workflows/run-acceptance-tests.yml index 0b450140d..eb79b83a8 100644 --- a/native-provider-ci/providers/command/repo/.github/workflows/run-acceptance-tests.yml +++ b/native-provider-ci/providers/command/repo/.github/workflows/run-acceptance-tests.yml @@ -353,10 +353,13 @@ jobs: state: success description: Sentinel checks passed sha: ${{ github.event.pull_request.head.sha || github.sha }} + permissions: + statuses: write if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository needs: - test + - prerequisites - lint lint: runs-on: ubuntu-latest diff --git a/native-provider-ci/providers/docker-build/repo/.github/workflows/run-acceptance-tests.yml b/native-provider-ci/providers/docker-build/repo/.github/workflows/run-acceptance-tests.yml index 2cc11158c..e9e1b84e2 100644 --- a/native-provider-ci/providers/docker-build/repo/.github/workflows/run-acceptance-tests.yml +++ b/native-provider-ci/providers/docker-build/repo/.github/workflows/run-acceptance-tests.yml @@ -409,10 +409,13 @@ jobs: state: success description: Sentinel checks passed sha: ${{ github.event.pull_request.head.sha || github.sha }} + permissions: + statuses: write if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository needs: - test + - prerequisites - lint lint: runs-on: ubuntu-latest 
diff --git a/native-provider-ci/providers/google-native/repo/.github/workflows/run-acceptance-tests.yml b/native-provider-ci/providers/google-native/repo/.github/workflows/run-acceptance-tests.yml index ec06f9b6e..3ebb05ef5 100644 --- a/native-provider-ci/providers/google-native/repo/.github/workflows/run-acceptance-tests.yml +++ b/native-provider-ci/providers/google-native/repo/.github/workflows/run-acceptance-tests.yml @@ -396,7 +396,10 @@ jobs: state: success description: Sentinel checks passed sha: ${{ github.event.pull_request.head.sha || github.sha }} + permissions: + statuses: write if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository needs: - test + - prerequisites diff --git a/native-provider-ci/providers/kubernetes-cert-manager/repo/.github/workflows/run-acceptance-tests.yml b/native-provider-ci/providers/kubernetes-cert-manager/repo/.github/workflows/run-acceptance-tests.yml index 06792a221..b7a977930 100644 --- a/native-provider-ci/providers/kubernetes-cert-manager/repo/.github/workflows/run-acceptance-tests.yml +++ b/native-provider-ci/providers/kubernetes-cert-manager/repo/.github/workflows/run-acceptance-tests.yml @@ -390,10 +390,13 @@ jobs: state: success description: Sentinel checks passed sha: ${{ github.event.pull_request.head.sha || github.sha }} + permissions: + statuses: write if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository needs: - test + - prerequisites - lint lint: runs-on: ubuntu-latest diff --git a/native-provider-ci/providers/kubernetes-ingress-nginx/repo/.github/workflows/run-acceptance-tests.yml b/native-provider-ci/providers/kubernetes-ingress-nginx/repo/.github/workflows/run-acceptance-tests.yml index 92768120e..5522c1ce6 100644 --- a/native-provider-ci/providers/kubernetes-ingress-nginx/repo/.github/workflows/run-acceptance-tests.yml 
+++ b/native-provider-ci/providers/kubernetes-ingress-nginx/repo/.github/workflows/run-acceptance-tests.yml @@ -390,10 +390,13 @@ jobs: state: success description: Sentinel checks passed sha: ${{ github.event.pull_request.head.sha || github.sha }} + permissions: + statuses: write if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository needs: - test + - prerequisites - lint lint: runs-on: ubuntu-latest diff --git a/native-provider-ci/providers/kubernetes/repo/.github/workflows/run-acceptance-tests.yml b/native-provider-ci/providers/kubernetes/repo/.github/workflows/run-acceptance-tests.yml index 50342591b..1474cefa6 100644 --- a/native-provider-ci/providers/kubernetes/repo/.github/workflows/run-acceptance-tests.yml +++ b/native-provider-ci/providers/kubernetes/repo/.github/workflows/run-acceptance-tests.yml @@ -425,10 +425,13 @@ jobs: state: success description: Sentinel checks passed sha: ${{ github.event.pull_request.head.sha || github.sha }} + permissions: + statuses: write if: github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository needs: - test + - prerequisites - lint lint: runs-on: ubuntu-latest diff --git a/native-provider-ci/src/workflows.ts b/native-provider-ci/src/workflows.ts index 83f41aeaa..493932238 100644 --- a/native-provider-ci/src/workflows.ts +++ b/native-provider-ci/src/workflows.ts @@ -144,6 +144,7 @@ export function RunAcceptanceTestsWorkflow( .addRunsOn(opts.provider), test: new TestsJob(name, "test", opts).addDispatchConditional(true), sentinel: new EmptyJob("sentinel") + .addPermissions({ statuses: "write" }) .addConditional( "github.event_name == 'repository_dispatch' || github.event.pull_request.head.repo.full_name == github.repository" ) 
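Review bot: The `.addPermissions({ statuses: "write" })` call on the sentinel job has no comment saying why this one job gets an explicit token scope. A job-level `permissions` block sets every scope it does not list to `none`. That is the least-privilege result you want for a job that, judging by the generated YAML, only publishes the "Sentinel checks passed" commit status. But a later step that needs another scope (a checkout needs `contents: read`, for instance) will fail with a permission error and no hint in the generator. I would add above the call: `// Job-level permissions replace the token defaults: only statuses:write is granted, for the step that posts the Sentinel status.` The body of RunAcceptanceTestsWorkflow starts and ends outside this hunk.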
@@ -164,7 +165,7 @@ function calculateSentinelNeeds( requiresLint: boolean, provider: string ): string[] { - const needs: string[] = ["test"]; + const needs: string[] = ["test", "prerequisites"]; if (requiresLint) { needs.push("lint"); @@ -1009,6 +1010,7 @@ export class EmptyJob implements NormalJob { name: string; if?: string; needs?: string[]; + permissions?: any; constructor(name: string, params?: Partial) { this.name = name; @@ -1035,4 +1037,9 @@ export class EmptyJob implements NormalJob { this.needs = name; return this; } + + addPermissions(permissions: any) { + this.permissions = permissions; + return this; + } }
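Review bot: In calculateSentinelNeeds the new `"prerequisites"` entry is a hard-coded job id, and nothing in the code records why the sentinel must wait on it directly; only the commit message gives the reason (parity with the bridged sentinel job). Because the sentinel publishes the success status, its `needs` list is effectively the merge gate and deserves a comment above the array: `// Mirrors the bridged sentinel job; every job listed here must succeed before the "Sentinel" status is posted.` All seven regenerated workflows in this patch gain `- prerequisites`, which suggests each defines that job. The rest of the function lies outside the hunk, so I cannot tell whether anything guards a provider whose workflow lacks it.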
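Review bot: `permissions?: any` on EmptyJob, and the `addPermissions(permissions: any)` setter added in the following hunk, leave the field that controls the job's GITHUB_TOKEN scopes unchecked by the compiler. A misspelled scope or access level would only surface once the generated workflow reaches GitHub. A narrow type closes that gap: `permissions?: Record<string, "read" | "write" | "none">;` with the same type on the setter parameter, or `NormalJob["permissions"]` if that interface already declares the field (it is not visible here). The setter would also benefit from an explicit `: this` return type and a one-line TSDoc saying it replaces any previously set permissions rather than merging them. The class body continues outside both hunks.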