Pulumi in CI/CD & securing secrets
Automate up; protect state and secrets.
The safe automation pattern mirrors every mature IaC shop: on a pull request, run pulumi preview and surface the diff for review; on merge, run pulumi up to apply the reviewed change — never an interactive up from a laptop against prod. Pulumi ships CI integrations and a GitHub App that comment the preview directly on the PR, so the change is visible before it lands.
jobs:preview:if: github.event_name == 'pull_request'steps:- uses: pulumi/actions@v5with: { command: preview, stack-name: acme/prod }env: { PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} }up:if: github.ref == 'refs/heads/main'environment: production # requires approvalsteps:- uses: pulumi/actions@v5with: { command: up, stack-name: acme/prod }
Securing state and secrets
Pulumi automation holds the keys to your cloud, so harden it like the CI/CD course teaches. Use OIDC to get short-lived cloud credentials instead of long-lived keys in CI; back the stack’s secret encryption with a managed KMS key, not a passphrase in an env var; restrict who can read state (Pulumi Cloud RBAC, or a locked-down bucket for self-managed); and gate prod updates behind a protected environment with human approval.