pulumi-preview.yml

name: Pulumi Preview
on:
  pull_request:
    paths:
      - pulumi/**
      - .github/workflows/pulumi-preview.yml

concurrency:
  group: ghas-erfiume-pulumi-preview-${{ github.ref }}
  cancel-in-progress: true

jobs:
  python-ci-pulumi:
    uses: notdodo/github-actions/.github/workflows/python-ci.yml@python-ci-v0.0.0
    with:
      poetry-version: latest
      python-version: 3.12
      working-directory: "./pulumi"

  pulumi-preview:
    name: Pulumi Preview
    runs-on: ubuntu-latest
    needs: [python-ci-pulumi]
    permissions:
      contents: read
      pull-requests: write
      id-token: write
    defaults:
      run:
        working-directory: ./pulumi
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
        # v4.2.2
        with:
          fetch-depth: 0
      - run: |
          echo "PULUMI_HOME=${GITHUB_WORKSPACE}/.pulumi" >> $GITHUB_ENV
          echo "POETRY_PATH=$([ -f poetry.lock ] && echo ./pulumi || realpath -s --relative-to=${GITHUB_WORKSPACE} ../)" >> $GITHUB_ENV
        working-directory: ./pulumi
      - uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b
        # v5.3.0
        with:
          python-version: 3.12
      - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57
        # v4.2.0
        with:
          path: ~/.local
          key: poetry-latest
      - uses: snok/install-poetry@76e04a911780d5b312d89783f7b1cd627778900a
        # v1.4.1
        with:
          virtualenvs-create: true
          virtualenvs-in-project: true
          installer-parallel: true
      - id: cache-deps
        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57
        # v4.2.0
        with:
          path: |
            ${{ env.POETRY_PATH }}/.venv
            ${{ env.POETRY_PATH }}/.mypy_cache
          key: python-3.12-poetry-${{ hashFiles('**/poetry.lock') }}
          restore-keys: |
            python-3.12-poetry
      - run: poetry install
        if: steps.cache-deps.outputs.cache-hit != 'true'
      - uses: pulumi/auth-actions@80dec0d5e009a11565cbf87d9ef9103fc7d24198
        # v1.0.0
        with:
          organization: notdodo
          # kics-scan ignore-line
          requested-token-type: urn:pulumi:token-type:access_token:personal
          scope: user:notdodo
      - uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57
        # v4.2.0
        with:
          path: ${{ env.PULUMI_HOME }}/plugins
          key: python-3.12-pulumi-${{ hashFiles('**/poetry.lock') }}
          restore-keys: |
            python-3.12-pulumi-
      - uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502
        # v4.0.2
        with:
          role-to-assume: arn:aws:iam::841162699174:role/erfiume-oidc-read
          aws-region: eu-west-1
          retry-max-attempts: 2
      - uses: aws-actions/aws-secretsmanager-get-secrets@1d6311ab61b4856de027ff508aac818ddc1e141b
        # v2.0.7
        with:
          secret-ids: CLOUDFLARE_API_TOKEN, erfiume-gha-cloudflare-read-only
      - uses: pulumi/actions@c7fad9e2f0b79653172b36538b8b34b3c0291952
        # v6.0.0
        with:
          command: preview
          stack-name: notdodo/erfiume/production
          diff: true
          work-dir: ./pulumi
          comment-on-pr: true
          color: always
          suppress-progress: true
          always-include-summary: true