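name: Preview

on:
  pull_request:
    branches:
      - main

# Least-privilege job token: the only write the job needs is the PR comment
# posted by the final step.
permissions:
  contents: read
  pull-requests: write

env:
  PULUMI_VERSION: "3.197.0"

jobs:
  preview:
    name: Preview Changes
    runs-on: ubuntu-latest
    # Skip preview for fork PRs - they don't have access to secrets.
    # NOTE(review): this guard only excludes forks. A PR from any branch of this
    # repository still runs `pulumi preview` - which executes the PR's program
    # code - with the production credentials referenced below, so the
    # `production` environment should carry deployment protection rules
    # (required reviewers) to gate those secrets; confirm that is configured.
    if: github.event.pull_request.head.repo.full_name == github.repository
    environment: production
    steps:
      # NOTE(review): the actions below are pinned to floating major tags
      # (@v4, @v6, @v7). Pinning each to a full commit SHA, with the tag kept
      # in a trailing comment, is the usual supply-chain hardening; the SHAs
      # are deliberately not guessed here.
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '22'
          cache: 'npm'

      - name: Setup Pulumi
        uses: pulumi/actions@v6
        with:
          pulumi-version: ${{ env.PULUMI_VERSION }}

      - name: Cache Pulumi plugins
        uses: actions/cache@v4
        with:
          path: ~/.pulumi/plugins
          key: pulumi-plugins-${{ hashFiles('Pulumi.yaml') }}
          restore-keys: |
            pulumi-plugins-

      - name: Install Pulumi packages
        env:
          GITHUB_TOKEN: ${{ github.token }}
        run: pulumi install

      # `npm ci` and `npm run check` execute code from the PR. Neither step
      # references a secret, so none is present in their environment; the
      # preview step below still runs the PR's program with credentials, which
      # is why the environment gate noted on the job matters.
      - name: Install dependencies
        run: npm ci

      - name: Run validation
        run: npm run check

      # NOTE(review): this authenticates with a long-lived service-account key
      # held as a secret. Workload Identity Federation (the action's
      # `workload_identity_provider` + `service_account` inputs) removes the
      # static key; it needs project-specific identifiers, so it is left as a
      # recommendation rather than changed here.
      - name: Authenticate to Google Cloud
        uses: google-github-actions/auth@v2
        with:
          credentials_json: ${{ secrets.GCP_PROD_SERVICE_ACCOUNT_KEY }}

      - name: Preview changes
        id: preview
        env:
          # Handed to Pulumi through the environment instead of being written
          # to a passphrase file, so the secret never lands on the runner disk.
          PULUMI_CONFIG_PASSPHRASE: ${{ secrets.PULUMI_PROD_PASSPHRASE }}
          GITHUB_TOKEN: ${{ secrets.PULUMI_GITHUB_TOKEN }}
          DISCORD_BOT_TOKEN: ${{ secrets.DISCORD_BOT_TOKEN }}
          DISCORD_GUILD_ID: ${{ secrets.DISCORD_GUILD_ID }}
        run: |
          pulumi login gs://mcp-access-prod-pulumi-state

          # Build config flags for Discord if secrets are available.
          CONFIG_FLAGS=""
          if [ -n "$DISCORD_GUILD_ID" ]; then
            CONFIG_FLAGS="$CONFIG_FLAGS --config discord:guildId=$DISCORD_GUILD_ID"
          fi
          if [ -n "$DISCORD_BOT_TOKEN" ]; then
            # Stored as a Pulumi *secret* (value read from stdin, not argv)
            # instead of a plain `--config` value. If the program feeds it into
            # resource inputs, Pulumi then prints it as [secret] in the preview
            # diff - output the next step posts into a PR comment, where
            # GitHub's log-only secret masking does not apply.
            printf '%s' "$DISCORD_BOT_TOKEN" | pulumi config set --stack prod --secret discord:botToken
          fi

          # Run preview and capture output (stderr included). The default shell
          # runs with -e; it is suspended here so a failing preview is still
          # reported instead of aborting before the output is saved.
          set +e
          PREVIEW_OUTPUT=$(pulumi preview --stack prod --diff $CONFIG_FLAGS 2>&1)
          PREVIEW_EXIT_CODE=$?
          set -e

          # Save output for comment.
          echo "exit_code=$PREVIEW_EXIT_CODE" >> "$GITHUB_OUTPUT"
          # Write preview to file (handles multiline); printf so output that
          # begins with a dash is not consumed as an echo option.
          printf '%s\n' "$PREVIEW_OUTPUT" > preview_output.txt
          # Also print to logs.
          printf '%s\n' "$PREVIEW_OUTPUT"
          # Exit with preview exit code.
          exit $PREVIEW_EXIT_CODE

      - name: Comment on PR
        if: always()
        uses: actions/github-script@v7
        with:
          script: |
            const fs = require('fs');
            let output = '';
            try {
              output = fs.readFileSync('preview_output.txt', 'utf8');
            } catch (e) {
              output = 'Failed to read preview output';
            }
            // Truncate if too long for GitHub comment.
            const maxLength = 60000;
            if (output.length > maxLength) {
              output = output.substring(0, maxLength) + '\n\n... (truncated)';
            }
            // Four-backtick fence: a ``` sequence inside the preview output
            // (e.g. in a resource name or error text coming from the PR) would
            // otherwise close a three-backtick fence early and let the rest of
            // the output render as markdown in the comment.
            const body = `## Pulumi Preview
            <details>
            <summary>Click to expand preview output</summary>
            \`\`\`\`
            ${output}
            \`\`\`\`
            </details>
            `;
            // Find existing comment so the PR gets one updated comment per run
            // rather than a new one each time.
            const { data: comments } = await github.rest.issues.listComments({
              owner: context.repo.owner,
              repo: context.repo.repo,
              issue_number: context.issue.number,
            });
            const botComment = comments.find(c =>
              c.user.type === 'Bot' && c.body.includes('## Pulumi Preview')
            );
            if (botComment) {
              await github.rest.issues.updateComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                comment_id: botComment.id,
                body: body
              });
            } else {
              await github.rest.issues.createComment({
                owner: context.repo.owner,
                repo: context.repo.repo,
                issue_number: context.issue.number,
                body: body
              });
            }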