Merged
92 changes: 92 additions & 0 deletions .github/workflows/check-staging-pulumi-references.yaml
@@ -0,0 +1,92 @@
name: Check Staging Pulumi References

# This workflow validates that staging Pulumi configurations don't use local component references
# Local references (relative paths with @0.0.0) should only be used during development, not in staging

on:
pull_request:
paths:
- 'pulumi/environments/aws/**/*.yaml'

jobs:
check-references:
name: Validate Pulumi Component References
runs-on: ubuntu-latest
Comment on lines +12 to +14
Copilot AI Dec 10, 2025

The job is missing a timeout-minutes configuration. According to GitHub Actions best practices, adding a timeout prevents hung workflows from consuming resources indefinitely. Consider adding "timeout-minutes: 10" to the job definition, similar to the test-sg-component workflow.

permissions:
contents: read
pull-requests: write

steps:
- name: Checkout code
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

- name: Check for local path references in Pulumi.yaml files
id: check-local-paths
run: |
echo "Checking for local path references in Pulumi.yaml files..."
EXIT_CODE=0

# Find all Pulumi.yaml files under pulumi/environments/aws/
while IFS= read -r file; do
echo "Checking file: $file"

# Check if the file contains packages with relative paths (starting with ../ or ./)
if grep -E '^\s+\w+:\s+\.\.' "$file"; then
echo "❌ ERROR: Found local path reference in $file"
echo "Local path references (e.g., ../../../../components/aws/vpc@0.0.0) are not allowed in staging."
Copilot AI Dec 10, 2025

The error message states "are not allowed in staging" but the check on line 41 scans all files under "pulumi/environments/aws/", not just staging. This creates a mismatch between what the message says and what is actually checked. The message should either be updated to match the broader scope, or the search path should be restricted to staging only.

Comment on lines +34 to +36
Copilot AI Dec 10, 2025

The comment mentions checking for both "../" and "./" but the regex pattern on line 34 only checks for ".." (parent directory references). If the intention is to also block same-directory references starting with "./", the regex pattern should be updated to match both patterns.

Suggested change
if grep -E '^\s+\w+:\s+\.\.' "$file"; then
echo "❌ ERROR: Found local path reference in $file"
echo "Local path references (e.g., ../../../../components/aws/vpc@0.0.0) are not allowed in staging."
if grep -E '^\s+\w+:\s+\.(\.|/)+' "$file"; then
echo "❌ ERROR: Found local path reference in $file"
echo "Local path references (e.g., ../../../../components/aws/vpc@0.0.0 or ./components/aws/vpc@0.0.0) are not allowed in staging."

echo "Please use git URL references instead (e.g., https://github.com/ManagedKube/devops-with-ai.git/pulumi/components/aws/vpc@x.x.x)"
echo ""
EXIT_CODE=1
fi
done < <(find pulumi/environments/aws -type f -name "Pulumi.yaml")
Copilot AI Dec 10, 2025

The find command searches all Pulumi.yaml files under "pulumi/environments/aws/" but the workflow is specifically for staging validation. If other environments (like dev or prod) are added in the future, this check will incorrectly validate them too. Consider restricting the search to staging only by changing the path to "pulumi/environments/aws/staging".

Suggested change
done < <(find pulumi/environments/aws -type f -name "Pulumi.yaml")
done < <(find pulumi/environments/aws/staging -type f -name "Pulumi.yaml")


if [ $EXIT_CODE -eq 0 ]; then
echo "✅ No local path references found in Pulumi.yaml files"
fi

exit $EXIT_CODE

- name: Check for 0.0.0 version in SDK files
id: check-sdk-versions
if: always()
run: |
echo "Checking for 0.0.0 version references in SDK files..."
EXIT_CODE=0

# Check for SDK files matching *-0.0.0.yaml pattern in staging
while IFS= read -r file; do
if [[ -n "$file" ]]; then
echo "❌ ERROR: Found SDK file with 0.0.0 version in filename: $file"
echo "Files matching pattern *-0.0.0.yaml are not allowed in staging."
echo "Please update to a proper semantic version (e.g., component-0.0.1.yaml)"
echo ""
EXIT_CODE=1
fi
done < <(find pulumi/environments/aws/staging -type f -path "*/sdks/*" -name "*-0.0.0.yaml" 2>/dev/null || true)

# Check for version: 0.0.0 inside any SDK YAML files in staging
while IFS= read -r file; do
if grep -q "version: 0.0.0" "$file"; then
echo "❌ ERROR: Found version: 0.0.0 in SDK file: $file"
echo "Version 0.0.0 is not allowed in staging SDK files."
echo "Please update to a proper semantic version (e.g., version: 0.0.1)"
echo ""
EXIT_CODE=1
fi
done < <(find pulumi/environments/aws/staging -type f -path "*/sdks/*" -name "*.yaml" 2>/dev/null || true)

if [ $EXIT_CODE -eq 0 ]; then
echo "✅ No 0.0.0 version references found in SDK files"
fi

exit $EXIT_CODE

- name: Summary
if: always()
run: |
if [ "${{ steps.check-local-paths.outcome }}" = "failure" ] || [ "${{ steps.check-sdk-versions.outcome }}" = "failure" ]; then
echo "❌ Validation failed. Please fix the issues above."
exit 1
else
echo "✅ All checks passed!"
fi
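Review bot: `pull-requests: write` in the `permissions` block is broader than this job needs; none of the three steps posts a comment or calls the GitHub API, they only `echo` and `exit`, so `contents: read` alone is sufficient and keeps the job token least-privilege. In the first `run` block, the pattern `'^\s+\w+:\s+\.\.'` matches any indented key whose value begins with `..`, not only entries under `packages:`, so an unrelated field whose value happens to start with `..` would also fail the check; scoping the match to the `packages:` block (or to values that also carry an `@version` suffix) would avoid that false positive. The first `find` call also lacks the `2>/dev/null || true` guard the two later `find` calls use; make the three consistent. The job still has no `timeout-minutes`.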
1 change: 1 addition & 0 deletions pulumi/environments/aws/staging/40-vpc/Pulumi.yaml
@@ -1,6 +1,7 @@
name: vpc
description: VPC infrastructure for staging environment
runtime: yaml
# Testing PR validation workflow for local path references
packages:
vpc: ../../../../components/aws/vpc@0.0.0
Copilot AI Dec 10, 2025

This staging Pulumi.yaml file contains a local path reference with version 0.0.0, which is exactly what the new workflow is designed to prevent. If this PR is merged with this local reference, the new workflow will fail on all future PRs that touch this file. This should be changed to use a git URL reference with a proper semantic version (e.g., "https://github.com/ManagedKube/devops-with-ai.git/pulumi/components/aws/vpc@0.0.1") before merging, as shown in the github-oidc example.

Suggested change
vpc: ../../../../components/aws/vpc@0.0.0
vpc: https://github.com/ManagedKube/devops-with-ai.git/pulumi/components/aws/vpc@0.0.1

resources:
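Review bot: the only line this hunk adds is a comment, while the unchanged context line `vpc: ../../../../components/aws/vpc@0.0.0` is exactly the local `@0.0.0` reference that the new workflow's first step rejects, so merging this file as-is guarantees the new check fails on the next PR that touches it. Replace the reference with the git URL form the workflow's own error message asks for, at a released semantic version, and drop the "Testing PR validation workflow" comment once the check has been exercised. Note also that the workflow pins `actions/checkout` to a commit SHA, whereas a `@x.x.x` component reference points at a tag that can be moved; if the Pulumi reference syntax allows pinning to a commit, the same discipline applies here.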