19 changes: 19 additions & 0 deletions .github/workflows/stack-deploy.yml
@@ -243,7 +243,26 @@
working-directory: deploy/pulumi
run: bun install --frozen-lockfile

# Destroy must be idempotent: the stack may already be gone (manual destroy,
# a prior run that tore it down but still failed, or a PR that never deployed).
# Without this guard `pulumi destroy` errors with "no stack named ... found",
# surfacing a red ✗ on every PR close even though the env is already clean (THU-539).
- name: Check whether the stack still exists
id: stack_check
working-directory: deploy/pulumi
run: |
curl -fsSL https://get.pulumi.com | sh
export PATH="$HOME/.pulumi/bin:$PATH"
if pulumi stack select "${{ inputs.stack_name }}" --non-interactive 2>/dev/null; then
echo "Stack ${{ inputs.stack_name }} exists — proceeding to destroy."
echo "exists=true" >> "$GITHUB_OUTPUT"
else
echo "Stack ${{ inputs.stack_name }} not found — nothing to destroy."
echo "exists=false" >> "$GITHUB_OUTPUT"

Stack check masks real failures

High Severity

The stack existence step treats any non-zero `pulumi stack select` exit as “stack missing” because stderr is discarded and only the shell `if` exit status is used. Auth, network, or permission failures are misread as `exists=false`, so Destroy is skipped and the job succeeds even when the stack still exists and should be torn down.


Reviewed by Cursor Bugbot for commit 5edef0e.

fi

Check failure

Code scanning / Semgrep OSS

Semgrep Finding: yaml.github-actions.security.run-shell-injection.run-shell-injection Error

Using variable interpolation ${...} with github context data in a run: step could allow an attacker to inject their own code into the runner. This would allow them to steal secrets and code. github context data can have arbitrary user input and should be treated as untrusted. Instead, use an intermediate environment variable with env: to store the data and use the environment variable in the run: script. Be sure to double-quote the environment variable, like this: "$ENVVAR".
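Both findings above point at the same step, so here is one added example (not code from this PR or from Pulumi) of a stack probe that addresses both: it captures stderr instead of discarding it, reports only the "no stack named ... found" message quoted in the step's own comment as "missing", fails the step on any other error rather than letting `exists=false` skip Destroy, and reads the stack name from a `STACK_NAME` environment variable (to be set with `env: STACK_NAME: ${{ inputs.stack_name }}`) rather than interpolating `${{ inputs.stack_name }}` into the script. The `PULUMI_BIN` override and the function names are assumptions introduced for illustration; with `PULUMI_BIN` unset it calls the `pulumi` binary on `PATH`.

```shell
#!/usr/bin/env bash
# Added example, not code from the PR: a stack-existence probe that keeps the
# three outcomes apart (exists / missing / probe failed) and takes the stack
# name from the STACK_NAME environment variable instead of ${{ }} interpolation.
# PULUMI_BIN is an assumed hook so the probe can be exercised against a stand-in;
# in CI leave it unset and the real `pulumi` on PATH is used.
set -eu

# classify_stack_probe EXIT_CODE STDERR_TEXT -> prints exists | missing | error
# Only a non-zero exit together with the specific "no stack named ... found"
# message (the one the PR comment cites) counts as "missing"; any other
# non-zero exit (auth, network, permissions) is an error.
classify_stack_probe() {
  rc="$1"
  err="$2"
  if [ "$rc" -eq 0 ]; then
    echo exists
  else
    case "$err" in
      *"no stack named"*) echo missing ;;
      *) echo error ;;
    esac
  fi
}

# stack_probe STACK_NAME -> runs `pulumi stack select`, capturing stderr
# (stdout is discarded), then classifies the result.
stack_probe() {
  name="$1"
  if err="$("${PULUMI_BIN:-pulumi}" stack select "$name" --non-interactive 2>&1 >/dev/null)"; then
    rc=0
  else
    rc=$?
  fi
  classify_stack_probe "$rc" "$err"
}

# Step body for GitHub Actions. Expects the step to declare:
#   env:
#     STACK_NAME: ${{ inputs.stack_name }}
# Writes exists=true|false to $GITHUB_OUTPUT, or fails the step so that a
# probe error can never silently skip Destroy.
stack_check_step() {
  out="${GITHUB_OUTPUT:-/dev/stdout}"
  case "$(stack_probe "$STACK_NAME")" in
    exists)
      echo "Stack $STACK_NAME exists; proceeding to destroy."
      echo "exists=true" >> "$out" ;;
    missing)
      echo "Stack $STACK_NAME not found; nothing to destroy."
      echo "exists=false" >> "$out" ;;
    error)
      echo "Could not determine whether stack $STACK_NAME exists; refusing to skip destroy." >&2
      return 1 ;;
  esac
}

# Run the step body only when invoked as the CI step (STACK_NAME set), so the
# functions above can also be sourced and exercised on their own.
if [ -n "${STACK_NAME:-}" ]; then
  stack_check_step
fi
```

The matching on the error text is deliberately narrow: anything the probe cannot positively identify as "stack does not exist" fails the step, which is the safe default for a workflow whose purpose is to make sure the environment is gone.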
- name: Destroy
if: steps.stack_check.outputs.exists == 'true'
uses: pulumi/actions@8e5e406f4007fca908480587cb9893c07090f58d # v7.0.0
with:
command: destroy
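Review bot: the guard `if pulumi stack select "${{ inputs.stack_name }}" --non-interactive 2>/dev/null; then` turns every failure into "stack not found": stderr is thrown away and only the exit status is tested, so an auth, network or permission failure writes `exists=false`, the Destroy step is skipped by `if: steps.stack_check.outputs.exists == 'true'`, and the job goes green while the environment it was meant to tear down still exists. Capture stderr, treat only the "no stack named ... found" message that the comment above the step already names as "missing", and fail the step on anything else. Two more points in the same step: `${{ inputs.stack_name }}` is interpolated directly into the `run:` script (the Semgrep finding on this hunk), so pass it through `env:` as `STACK_NAME: ${{ inputs.stack_name }}` and reference `"$STACK_NAME"` in the shell; and `curl -fsSL https://get.pulumi.com | sh` installs whatever CLI version the installer serves today, in a job whose Destroy step pins `pulumi/actions@8e5e406f4007fca908480587cb9893c07090f58d`, so pin the installer to a version (the script accepts `--version`) to match.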