From ea93ccb86b217f422288b999f4655457e2ce21a9 Mon Sep 17 00:00:00 2001
From: Nathan Zender
Date: Tue, 13 Jan 2026 16:11:29 +0000
Subject: [PATCH 1/7] Add preview comment on PR
---
.../action.yml.jinja-base | 28 +++++++++++++++++--
...umi %}pulumi-aws.yml{% endif %}.jinja-base | 7 +++++
2 files changed, 32 insertions(+), 3 deletions(-)
diff --git a/template/template/.github/actions/{% if template_uses_pulumi %}pulumi_ephemeral_deploy{% endif %}/action.yml.jinja-base b/template/template/.github/actions/{% if template_uses_pulumi %}pulumi_ephemeral_deploy{% endif %}/action.yml.jinja-base
index f7e53678..c46df7e4 100644
--- a/template/template/.github/actions/{% if template_uses_pulumi %}pulumi_ephemeral_deploy{% endif %}/action.yml.jinja-base
+++ b/template/template/.github/actions/{% if template_uses_pulumi %}pulumi_ephemeral_deploy{% endif %}/action.yml.jinja-base
@@ -41,6 +41,11 @@ inputs:
 default: true
 required: false
 description: Whether or not to install the Pulumi CLI
+ show-preview-comment-on-pr:
+ type: boolean
+ default: false
+ required: false
+ description: Whether or not to add a comment on to the PR with the pulumi preview details.
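Review bot: `type: boolean` on the new `show-preview-comment-on-pr` input has no effect as far as I know: action metadata `inputs` entries only take `description`, `required`, `default` and `deprecationMessage`, and a composite action receives every input as a string — which is exactly why the `== 'true'` comparison in the next hunk is the correct test. Either drop the `type:` line (if the other inputs do not use it) or note in a comment that the value arrives as the string `'true'`/`'false'`. The `inputs:` mapping continues outside the hunk.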
@@ -74,6 +79,23 @@ runs:
 aws-region: ${{ inputs.aws-region }}
 - name: Run CLI
- working-directory: ${{ github.workspace }}/${{ inputs.project-dir }}
- run: uv run python -m ${{ inputs.deploy-script-module-name }}.${{ inputs.deploy-script-name }} --stack=${{ inputs.stack-name }} ${{ inputs.cli-action }}
- shell: bash{% endraw %}
+ # apparently getting the stdout is nigh impossible in GHA, so this action helps
+ uses: mathiasvr/command-output@34408ea3d0528273faff3d9e201761ae96106cd0 # ratchet:mathiasvr/command-output@v2.0.0
+ id: pulumi-run
+ with:
+ # can't use working-directory with this action, so specifying it in the uv command
+ run: uv --directory ${{ github.workspace }}/${{ inputs.project-dir }} run python -m ${{ inputs.deploy-script-module-name }}.${{ inputs.deploy-script-name }} --stack=${{ inputs.stack-name }} ${{ inputs.cli-action }}
+ shell: bash
+
+ - name: Comment the Preview on the Pull Request
+ if: ${{ inputs.show-preview-comment-on-pr == 'true' }}
+ # pin this sha (v3.0.1) for extra security since this action has some permissions to write to the pull request comments
+ uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b
+ with:
+ message: |
+ :eyes: **Pulumi Preview for ${{ inputs.deploy-script-module-name }}:** :eyes:
+
+ ```bash
+ ${{ steps.pulumi-run.outputs.stdout }}
+ ```
+ comment-tag: previewonpr-${{ inputs.deploy-script-module-name }}{% endraw %}
diff --git a/template/template/.github/workflows/{% if template_uses_pulumi %}pulumi-aws.yml{% endif %}.jinja-base b/template/template/.github/workflows/{% if template_uses_pulumi %}pulumi-aws.yml{% endif %}.jinja-base
index 9356f7be..b924c600 100644
--- a/template/template/.github/workflows/{% if template_uses_pulumi %}pulumi-aws.yml{% endif %}.jinja-base
+++ b/template/template/.github/workflows/{% if template_uses_pulumi %}pulumi-aws.yml{% endif %}.jinja-base
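Review bot: The new `Comment the Preview` step is gated only on `show-preview-comment-on-pr`, not on the CLI action being a preview, so with the flag on and `cli-action` set to an apply or destroy the step posts that output under a "Pulumi Preview" heading; `if: ${{ inputs.show-preview-comment-on-pr == 'true' && inputs.cli-action == 'preview' }}` would scope it (the exact `cli-action` value is not visible here, confirm against the deploy script). The rewritten `run:` still splices `project-dir`, `deploy-script-module-name`, `deploy-script-name`, `stack-name` and `cli-action` straight into a shell command line; the same `env:` pattern PATCH 7/7 applies to check-skip-duplicates fits here, as in the excerpt below, assuming the wrapper action passes the step environment on to the child process. Separately, whatever the deploy script prints becomes visible to everyone who can read the PR and is pasted unescaped into a markdown fence, so a triple backtick in the output or a body beyond GitHub's comment size limit breaks or fails the step — worth a sentence in the `show-preview-comment-on-pr` description. The `steps:` list continues outside the hunk.

```yaml
      - name: Run CLI
        # … unchanged: stdout comment, uses, id …
        env:
          PROJECT_DIR: ${{ inputs.project-dir }}
          MODULE_NAME: ${{ inputs.deploy-script-module-name }}
          SCRIPT_NAME: ${{ inputs.deploy-script-name }}
          STACK_NAME: ${{ inputs.stack-name }}
          CLI_ACTION: ${{ inputs.cli-action }}
        with:
          # … unchanged: working-directory comment …
          run: uv --directory "${{ github.workspace }}/$PROJECT_DIR" run python -m "$MODULE_NAME.$SCRIPT_NAME" --stack="$STACK_NAME" "$CLI_ACTION"
          shell: bash
```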
@@ -86,6 +86,11 @@ on:
 required: false
 default: ''
 type: string
+ SHOW_PREVIEW_COMMENT_ON_PR:
+ description: 'Shows the pulumi preview details on the PR, note this is dependent on the pull_request event'
+ required: false
+ default: false
+ type: boolean
 secrets:
 iac-github-api-tokens:
 description: 'API tokens to use for Github IaC deployment when not using AWS Secrets Manager'
@@ -99,6 +104,7 @@ env:
 permissions:
 id-token: write # needed to assume OIDC roles (e.g. for downloading from CodeArtifact)
 contents: write # needed for mutex
+ pull-requests: write # needed to post the preview on the PR as a comment
 jobs:
 pulumi:
@@ -154,6 +160,7 @@ jobs:
 deploy-script-name: ${{ inputs.DEPLOY_SCRIPT_NAME }}
 aws-region: ${{ inputs.AWS_REGION }}
 aws-account-id: ${{ inputs.AWS_ACCOUNT_ID }}
+ show-preview-comment-on-pr: ${{ inputs.SHOW_PREVIEW_COMMENT_ON_PR }}
 timeout-minutes: 5 # apparently timeout-minutes only accepts literal values, it cannot evaluate expressions (e.g. workflow inputs)
 - name: Refresh
From 8dfe40a39c79763842d93016a95d52151c74c609 Mon Sep 17 00:00:00 2001
From: Nathan Zender
Date: Tue, 13 Jan 2026 16:20:27 +0000
Subject: [PATCH 2/7] Bring in the check skip duplicate job logic
This is useful for when you have both push and pull_request triggers enabled and want to allow for not running push jobs if a pull request is already open. Saving GHA minutes and helping to semi declutter the UI with a bunch of run executions (yes they will still show as skipped)
---
.../.github/actions/check-skip-duplicates/action.yaml.jinja-base | 1 +
1 file changed, 1 insertion(+)
create mode 120000 template/template/.github/actions/check-skip-duplicates/action.yaml.jinja-base
diff --git a/template/template/.github/actions/check-skip-duplicates/action.yaml.jinja-base b/template/template/.github/actions/check-skip-duplicates/action.yaml.jinja-base
new file mode 120000
index 00000000..4ecf454b
--- /dev/null
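Review bot: `pull-requests: write` is added to the workflow-level `permissions:` block, which widens the token for every job in this reusable workflow, while only the `pulumi` job's comment step needs it; if there are jobs besides `pulumi` (the `jobs:` mapping continues outside the hunk), a job-level `permissions:` on `pulumi` carrying `id-token: write`, `contents: write` and `pull-requests: write` keeps the others at their current scope. Note also that on a `pull_request` event from a fork the token stays read-only regardless of this block, so the comment step fails there; the `SHOW_PREVIEW_COMMENT_ON_PR` description added in the previous hunk already mentions the event dependency and could say this too.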
+++ b/template/template/.github/actions/check-skip-duplicates/action.yaml.jinja-base
@@ -0,0 +1 @@
+../../../.github/workflows/get-values.yaml.jinja-base
\ No newline at end of file
From 9b5504dc71476ebb3bc4d3776a69e1cef0337e8a Mon Sep 17 00:00:00 2001
From: Nathan Zender
Date: Tue, 13 Jan 2026 18:32:45 +0000
Subject: [PATCH 3/7] Accidentaly copied the get-values file and thus its symlinked. Fixed that so its not a link anymore
---
.../action.yaml.jinja-base | 1 -
.../action.yml.jinja-base | 48 +++++++++++++++++++
2 files changed, 48 insertions(+), 1 deletion(-)
delete mode 120000 template/template/.github/actions/check-skip-duplicates/action.yaml.jinja-base
create mode 100644 template/template/.github/actions/check-skip-duplicates/action.yml.jinja-base
diff --git a/template/template/.github/actions/check-skip-duplicates/action.yaml.jinja-base b/template/template/.github/actions/check-skip-duplicates/action.yaml.jinja-base
deleted file mode 120000
index 4ecf454b..00000000
--- a/template/template/.github/actions/check-skip-duplicates/action.yaml.jinja-base
+++ /dev/null
@@ -1 +0,0 @@
-../../../.github/workflows/get-values.yaml.jinja-base
\ No newline at end of file
diff --git a/template/template/.github/actions/check-skip-duplicates/action.yml.jinja-base b/template/template/.github/actions/check-skip-duplicates/action.yml.jinja-base
new file mode 100644
index 00000000..1cfb2c14
--- /dev/null
+++ b/template/template/.github/actions/check-skip-duplicates/action.yml.jinja-base
@@ -0,0 +1,48 @@
+{% raw %}name: Check Skip Duplicates
+description: 'Check that will output a variable to allow you to skip duplicate runs. Example: If you have both push and pull_request triggers enabled and you don't want to run 2 jobs for the same commit if a PR is already open you can add this to your jobs to skip that extra execution.'
+
+outputs:
+ should-run:
+ description: 'Flag that determines if this execution should run or not'
+ value: ${{ steps.check.outputs.should_run }}
+
+permissions:
+ pull-requests: read # needed to check if PR exists for current branch
+
+runs:
+ using: composite
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@{% endraw %}{{ gha_checkout }}{% raw %}
+ with:
+ persist-credentials: false
+
+ - name: Check if push has associated open PR
+ id: check
+ env:
+ GH_TOKEN: ${{ github.token }}
+ run: |
+ # For non-push events, always run
+ if [ "${{ github.event_name }}" != "push" ]; then
+ echo "should_run=true" >> $GITHUB_OUTPUT
+ echo "Event is ${{ github.event_name }}, will run CI"
+ exit 0
+ fi
+
+ # For push events, check if there's an open PR for this branch
+ pr_json=$(gh pr list \
+ --repo "${{ github.repository }}" \
+ --head "${{ github.ref_name }}" \
+ --state open \
+ --json number \
+ --limit 1)
+
+ pr_number=$(echo "$pr_json" | jq -r '.[0].number // ""')
+
+ if [ -n "$pr_number" ]; then
+ echo "should_run=false" >> $GITHUB_OUTPUT
+ echo "Push to branch with open PR #$pr_number detected, skipping (PR event will run CI)"
+ else
+ echo "should_run=true" >> $GITHUB_OUTPUT
+ echo "Push to branch without open PR, will run CI"
+ fi{% endraw %}
From cbe2f85b17dd3e0943ce093cb40ddae5cceaad88 Mon Sep 17 00:00:00 2001
From: Nathan Zender
Date: Tue, 13 Jan 2026 18:46:13 +0000
Subject: [PATCH 4/7] Needs shell
---
.../.github/actions/check-skip-duplicates/action.yml.jinja-base | 1 +
1 file changed, 1 insertion(+)
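Review bot: The script has no explicit path for a failing `gh pr list` call: once the step has `shell: bash` (PATCH 4/7), GitHub runs it with `-e -o pipefail` as far as I know, so a token or API error — for example a calling job that does not grant `pull-requests: read` — fails the step and every job keyed on `should-run` with it, a fail-closed choice that is defensible but stated nowhere; either say so in the `description`, or make fail-open explicit with `pr_json=$(gh pr list ...) || { echo "should_run=true" >> "$GITHUB_OUTPUT"; exit 0; }`. All three `>> $GITHUB_OUTPUT` redirections should quote the variable, `>> "$GITHUB_OUTPUT"`. The `"${{ github.ref_name }}"` and `"${{ github.event_name }}"` interpolations inside the `run:` body are the script-injection shape GitHub's hardening guide warns about, since a branch name is user-chosen text; PATCH 7/7 in this series moves them to `env:`, which is the right fix. `--head` matches on branch name alone, so an open PR from a fork that happens to use the same branch name would also suppress the push run, which deserves a comment next to the `gh pr list` call.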
diff --git a/template/template/.github/actions/check-skip-duplicates/action.yml.jinja-base b/template/template/.github/actions/check-skip-duplicates/action.yml.jinja-base
index 1cfb2c14..25982e07 100644
--- a/template/template/.github/actions/check-skip-duplicates/action.yml.jinja-base
+++ b/template/template/.github/actions/check-skip-duplicates/action.yml.jinja-base
@@ -21,6 +21,7 @@ runs:
 id: check
 env:
 GH_TOKEN: ${{ github.token }}
+ shell: bash
 run: |
 # For non-push events, always run
 if [ "${{ github.event_name }}" != "push" ]; then
From efbf643f33a2df53d8d7aa158dc6c5e36178109c Mon Sep 17 00:00:00 2001
From: Nathan Zender
Date: Tue, 13 Jan 2026 19:03:28 +0000
Subject: [PATCH 5/7] =?UTF-8?q?Single=20quotes=20are=20good=20and=20bad=20?= =?UTF-8?q?=F0=9F=98=82?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../.github/actions/check-skip-duplicates/action.yml.jinja-base | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/template/template/.github/actions/check-skip-duplicates/action.yml.jinja-base b/template/template/.github/actions/check-skip-duplicates/action.yml.jinja-base
index 25982e07..329f66fa 100644
--- a/template/template/.github/actions/check-skip-duplicates/action.yml.jinja-base
+++ b/template/template/.github/actions/check-skip-duplicates/action.yml.jinja-base
@@ -1,5 +1,5 @@
 {% raw %}name: Check Skip Duplicates
-description: 'Check that will output a variable to allow you to skip duplicate runs. Example: If you have both push and pull_request triggers enabled and you don't want to run 2 jobs for the same commit if a PR is already open you can add this to your jobs to skip that extra execution.'
+description: 'Check that will output a variable to allow you to skip duplicate runs. Example: If you have both push and pull_request triggers enabled and you dont want to run 2 jobs for the same commit if a PR is already open you can add this to your jobs to skip that extra execution.'
 outputs:
 should-run:
From ba82a1a7f8f24a09058cd68fb5841361241b28e5 Mon Sep 17 00:00:00 2001
From: zender
Date: Wed, 14 Jan 2026 22:08:15 +0000
Subject: [PATCH 6/7] Cleanup unneeded items
---
.../update-devcontainer-hash/action.yml.jinja-base | 3 ---
.../actions/check-skip-duplicates/action.yml.jinja-base | 8 --------
2 files changed, 11 deletions(-)
diff --git a/template/.github/actions/update-devcontainer-hash/action.yml.jinja-base b/template/.github/actions/update-devcontainer-hash/action.yml.jinja-base
index 9aa0fca3..cdb24e79 100644
--- a/template/.github/actions/update-devcontainer-hash/action.yml.jinja-base
+++ b/template/.github/actions/update-devcontainer-hash/action.yml.jinja-base
@@ -5,9 +5,6 @@ inputs:
 description: 'Branch to checkout and update'
 required: true
-permissions:
- contents: write
-
 outputs:
 new-sha:
 description: 'The SHA of the branch tip after update'
diff --git a/template/template/.github/actions/check-skip-duplicates/action.yml.jinja-base b/template/template/.github/actions/check-skip-duplicates/action.yml.jinja-base
index 329f66fa..e55828a5 100644
--- a/template/template/.github/actions/check-skip-duplicates/action.yml.jinja-base
+++ b/template/template/.github/actions/check-skip-duplicates/action.yml.jinja-base
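Review bot: Removing the apostrophe (`dont`) fixes the single-quoted-scalar parse error but degrades the description text; YAML escapes a quote inside single quotes by doubling it, so `you don''t want to run 2 jobs` keeps the wording, or the value can move to a double-quoted or `>-` folded scalar. Documentation only.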
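Review bot: Dropping `permissions:` from action metadata is correct — composite actions cannot declare permissions and the key is ignored — but the requirement does not go away and is now recorded nowhere: a calling job still has to grant `contents: write` for this action, and `pull-requests: read` for check-skip-duplicates, whose `permissions:` block is removed in the same commit (next hunk). Add one line to each action's `description`, e.g. `Requires the calling job to grant contents: write.` The `outputs:` mapping continues outside the hunk.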
@@ -6,17 +6,9 @@ outputs:
 description: 'Flag that determines if this execution should run or not'
 value: ${{ steps.check.outputs.should_run }}
-permissions:
- pull-requests: read # needed to check if PR exists for current branch
-
 runs:
 using: composite
 steps:
- - name: Checkout code
- uses: actions/checkout@{% endraw %}{{ gha_checkout }}{% raw %}
- with:
- persist-credentials: false
-
 - name: Check if push has associated open PR
 id: check
 env:
From 7c210068e6d6ac3dd96d62432064ac367a366a7a Mon Sep 17 00:00:00 2001
From: zender
Date: Thu, 15 Jan 2026 16:00:26 +0000
Subject: [PATCH 7/7] Use env vars instead
---
.../check-skip-duplicates/action.yml.jinja-base | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/template/template/.github/actions/check-skip-duplicates/action.yml.jinja-base b/template/template/.github/actions/check-skip-duplicates/action.yml.jinja-base
index e55828a5..27fa6792 100644
--- a/template/template/.github/actions/check-skip-duplicates/action.yml.jinja-base
+++ b/template/template/.github/actions/check-skip-duplicates/action.yml.jinja-base
@@ -13,19 +13,22 @@ runs:
 id: check
 env:
 GH_TOKEN: ${{ github.token }}
+ REF_NAME: ${{ github.ref_name }}
+ REPO_NAME: ${{ github.repository }}
+ EVENT_NAME: ${{ github.event_name }}
 shell: bash
 run: |
 # For non-push events, always run
- if [ "${{ github.event_name }}" != "push" ]; then
+ if [ "$EVENT_NAME" != "push" ]; then
 echo "should_run=true" >> $GITHUB_OUTPUT
- echo "Event is ${{ github.event_name }}, will run CI"
+ echo "Event is $EVENT_NAME, will run CI"
 exit 0
 fi
 # For push events, check if there's an open PR for this branch
 pr_json=$(gh pr list \
- --repo "${{ github.repository }}" \
- --head "${{ github.ref_name }}" \
+ --repo "$REPO_NAME" \
+ --head "$REF_NAME" \
 --state open \
 --json number \
 --limit 1)
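Review bot: Moving `github.ref_name`, `github.repository` and `github.event_name` into `env:` takes the branch name out of the shell source, which is the right fix; the remaining `>> $GITHUB_OUTPUT` redirections (one in the hunk, two further down outside it) should quote the variable as `>> "$GITHUB_OUTPUT"` for the same reason, while `--repo "$REPO_NAME"` is fine since `github.repository` is runner-supplied. The `REF_NAME` entry is a good place for a one-line comment noting that on a `push` it is the branch name and that `--head` matches on branch name alone. The `run:` block continues past the hunk.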