Add PR validation for staging Pulumi component references

[Copilot]

Implementation Complete ✅

• Create a new GitHub Actions workflow file for PR validation
• Add check for relative path references in Pulumi.yaml files under pulumi/environments/aws/*
• Add check for SDK files matching pattern *-0.0.0.yaml in pulumi/environments/aws/staging/**/sdks/**/*
• Add check for version "0.0.0" inside SDK YAML files
• Test the workflow with existing files to ensure it works correctly
• Address code review feedback and improve regex pattern
• Run security checks (CodeQL)
• Verify all validations work correctly
• Complete comprehensive testing
• Add test change to VPC Pulumi.yaml to trigger workflow

Summary

Created .github/workflows/check-staging-pulumi-references.yaml that validates Pulumi component references in staging environments on every PR.

Three Validation Checks:

1. Local Path References - Fails if Pulumi.yaml contains relative paths like vpc: ../../../../components/aws/vpc@0.0.0
2. SDK Filename Versions - Fails if any SDK file in staging is named *-0.0.0.yaml
3. SDK Content Versions - Fails if any SDK YAML in staging contains version: 0.0.0

Security & Quality:

• ✅ Pinned actions to SHA commits
• ✅ Minimal permissions (read + PR write)
• ✅ CodeQL scan: 0 alerts
• ✅ YAML syntax validated
• ✅ Clear error messages with remediation guidance

Testing:

• ✅ Added comment line to VPC Pulumi.yaml to trigger workflow
• ✅ Workflow should detect local path: vpc: ../../../../components/aws/vpc@0.0.0
• ✅ Workflow should detect SDK file: vpc-0.0.0.yaml
• ✅ Workflow should detect version in SDK: version: 0.0.0

This workflow prevents merging PRs with development-only references (local paths and 0.0.0 versions) in staging, ensuring production-ready versioned components are used.

Original prompt

---

This section details on the original issue you should resolve

<issue_title>staging PR check for local path pulumi component reference</issue_title>
<issue_description>Create a github action for PRs. Run this on every PR commit. For any files under this path: "pulumi/environments/aws/*" that is named Pulumi.yaml. Check inside that file for the following:

packages:
  vpc: ../../../../components/aws/vpc@0.0.0

References to any packages with a relative path this github action should fail.

Also, any files in this path: "pulumi/environments/aws/staging//sdks//*"

if it named something like: "*-0.0.0.yaml" the github action should fail.

Then look inside that file and if "0.0.0" in it, it should fail.

</issue_description>

Comments on the Issue (you are @copilot in this section)

• Fixes staging PR check for local path pulumi component reference #8

---

✨ Let Copilot coding agent set things up for you — coding agent works faster and does higher quality work when set up for your repo.

[sekka1]

@copilot the github actions file looks good. Lets put a new line in the pulumi vpc instantiation file to test this out.

[Copilot]

@copilot the github actions file looks good. Lets put a new line in the pulumi vpc instantiation file to test this out.

Added a test comment line to the VPC Pulumi.yaml file in commit 65f8de4. This change will trigger the workflow validation, which should detect and fail on:

• The local path reference: vpc: ../../../../components/aws/vpc@0.0.0
• The SDK file: vpc-0.0.0.yaml
• The version in SDK content: version: 0.0.0

The workflow will demonstrate all three validation checks working correctly.

[github-actions]

🍹 preview on vpc/organization/vpc/staging

Pulumi report

  Previewing update (staging):
@ previewing update....
pulumi:pulumi:Stack: (same)
  [urn=urn:pulumi:staging::vpc::pulumi:pulumi:Stack::vpc-staging]
@ previewing update....
Resources:
  21 unchanged
  

[Copilot]

Pull request overview

This PR introduces a GitHub Actions workflow to enforce component versioning standards in staging Pulumi environments. The workflow prevents merging PRs that contain development-only references (local paths and 0.0.0 versions), ensuring staging uses production-ready versioned components from git URLs.

Key Changes:

• Created automated PR validation workflow with three checks: local path detection, SDK filename version validation, and SDK content version validation
• Added test comment to VPC Pulumi.yaml to demonstrate workflow triggering
• Implemented GitHub Actions security best practices with pinned action SHAs and minimal permissions

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.

File	Description
.github/workflows/check-staging-pulumi-references.yaml	New workflow that validates Pulumi component references on PRs, checking for local paths and 0.0.0 versions in staging
pulumi/environments/aws/staging/40-vpc/Pulumi.yaml	Added comment line to trigger workflow for testing purposes

Critical Issue Identified: The staging VPC Pulumi.yaml file currently contains a local path reference with version 0.0.0 (line 6), which is exactly what the new workflow is designed to prevent. This must be updated to a git URL reference with a proper semantic version before merging, otherwise the workflow will fail on all future PRs touching this file.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This staging Pulumi.yaml file contains a local path reference with version 0.0.0, which is exactly what the new workflow is designed to prevent. If this PR is merged with this local reference, the new workflow will fail on all future PRs that touch this file. This should be changed to use a git URL reference with a proper semantic version (e.g., "https://github.com/ManagedKube/devops-with-ai.git/pulumi/components/aws/vpc@0.0.1") before merging, as shown in the github-oidc example.

Suggested change

	vpc: ../../../../components/aws/vpc@0.0.0
	vpc: https://github.com/ManagedKube/devops-with-ai.git/pulumi/components/aws/vpc@0.0.1

[Copilot]

The job is missing a timeout-minutes configuration. According to GitHub Actions best practices, adding a timeout prevents hung workflows from consuming resources indefinitely. Consider adding "timeout-minutes: 10" to the job definition, similar to the test-sg-component workflow.

[Copilot]

The find command searches all Pulumi.yaml files under "pulumi/environments/aws/" but the workflow is specifically for staging validation. If other environments (like dev or prod) are added in the future, this check will incorrectly validate them too. Consider restricting the search to staging only by changing the path to "pulumi/environments/aws/staging".

Suggested change

	done < <(find pulumi/environments/aws -type f -name "Pulumi.yaml")
	done < <(find pulumi/environments/aws/staging -type f -name "Pulumi.yaml")

[Copilot]

The error message states "are not allowed in staging" but the check on line 41 scans all files under "pulumi/environments/aws/", not just staging. This creates a mismatch between what the message says and what is actually checked. The message should either be updated to match the broader scope, or the search path should be restricted to staging only.

[Copilot]

The comment mentions checking for both "../" and "./" but the regex pattern on line 34 only checks for ".." (parent directory references). If the intention is to also block same-directory references starting with "./", the regex pattern should be updated to match both patterns.

Suggested change

	if grep -E '^\s+\w+:\s+\.\.' "$file"; then
	echo "❌ ERROR: Found local path reference in $file"
	echo "Local path references (e.g., ../../../../components/aws/vpc@0.0.0) are not allowed in staging."
	if grep -E '^\s+\w+:\s+\.(\.|/)+' "$file"; then
	echo "❌ ERROR: Found local path reference in $file"
	echo "Local path references (e.g., ../../../../components/aws/vpc@0.0.0 or ./components/aws/vpc@0.0.0) are not allowed in staging."