Closed soapy1 closed 2 weeks ago
There is also retainOnDelete: https://www.pulumi.com/docs/iac/concepts/options/retainondelete/#resource-option-retainondelete
Also we likely want to set the option deleteBeforeReplace to false so that secrets are updated in-place without disturbing running jobs.
We should mark resources with protect basically always I think.
Testing this out in my demo repo, turning on protection will not allow updates to be made to the secret.
Enabling retainOnDelete allows updates to be made + doesn't delete the secret when it's removed from the pulumi config.
@soapy1 LGTM!
What is the order of operations here? Your trial org runs out in two weeks, so should we try and get OSS sponsorship and then merge this? Do we merge now? I am not quite sure.
Looks like pulumi supports migrating state between backends, so I feel ok about merging this now if we are keen.
@jaimergp what is the outlook on oss sponsorship?
what is the outlook on oss sponsorship?
We need to follow https://www.pulumi.com/pricing/open-source-free-tier/, which consists of submitting an issue in https://github.com/pulumi/team-edition-for-open-source/issues. It should not take too long, but from what I can see in the closed issues, it might be a couple weeks. Also, we need some running Pulumi code in the repo to qualify. I say we merge and then I'll submit the OSS sponsorship issue?
Also, can we have some documentation in the README? Your demo repo already has some, so I think it's just a matter of copying the relevant bits for future maintainers.
@beckermr @jaimergp how do y'all want to proceed?
What are the open questions? I think we just need the README update. The OSS sponsorship can be requested as soon as we merge here.
We need to make an org on pulumi in order to request OSS as well.
So once the README work is done, let's merge here and go ahead with making the org and putting in the request?
README has been added with instructions on how to run locally and with GHA :+1: Merging :rocket:
Add workflow for pushing secrets from 1password to GH for CIRUN_API_KEY.
CIRUN_API_KEY is a conda-forge org level secret and only conda-forge/admin-requests should have access to it.