# Always Preview Before Deploying
## Rule
`pulumi preview` MUST run before every `pulumi up`. CI/CD MUST show preview output on pull requests. Production deployments MUST require manual approval after preview review.
## CI/CD Pattern
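```yaml
# GitHub Actions
on:
  pull_request:
  push:
    branches: [main]
jobs:
  preview:
    if: github.event_name == 'pull_request'
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write # Needed so comment-on-pr can post
    steps:
      - uses: actions/checkout@v4
      - uses: pulumi/actions@v5
        with:
          command: preview
          stack-name: production
          comment-on-pr: true # Posts preview as PR comment
        env:
          PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} # Assumed secret name
  deploy:
    if: github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    environment: production # Requires approval (when the environment has required reviewers configured)
    steps:
      - uses: actions/checkout@v4
      - uses: pulumi/actions@v5
        with:
          command: up
          stack-name: production
        env:
          PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }} # Assumed secret name
```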
## Good Practices
```bash
# Always preview first
pulumi preview --diff
# Review the output carefully
pulumi up
# In CI: preview on PR, deploy on merge
# In manual: preview, review, then up
```
## Bad Practices
```bash
# BAD: Deploy without preview
pulumi up --yes
# BAD: Auto-approve production without review
pulumi up --yes --stack production
# BAD: Skip CI preview step
```
## Enforcement
- CI/CD pipeline requires preview step before deploy
- Production environment requires manual approval
- `pulumi up --yes` only allowed in dev/test stacks
- Preview output posted as PR comment for team review
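
One way to enforce the `--yes` restriction on workstations and in scripts is a wrapper that inspects the command line before calling the CLI. This is an added example, not part of Pulumi or of the original rule: the function names and the `ALLOWED_AUTO_APPROVE` list are assumptions, and it treats `--skip-preview` the same as `--yes` because both bypass the review step.

```bash
#!/usr/bin/env bash
# Added example: gate for `pulumi up` command lines (not Pulumi's own tooling).
# ALLOWED_AUTO_APPROVE is an assumed naming convention; adjust to your stacks.
ALLOWED_AUTO_APPROVE="dev test"

# check_pulumi_up ARGS...  -> returns 0 if the command line is allowed, 1 if denied.
check_pulumi_up() {
  local stack="" auto=0 is_up=0 arg name
  while [ $# -gt 0 ]; do
    arg=$1; shift
    case "$arg" in
      up) is_up=1 ;;
      -y|--yes|-f|--skip-preview) auto=1 ;;   # both bypass the review step
      -s|--stack) if [ $# -gt 0 ]; then stack=$1; shift; fi ;;
      --stack=*) stack=${arg#--stack=} ;;
    esac
  done

  # Only non-interactive `up` is restricted; preview and prompted `up` pass.
  if [ "$is_up" -eq 0 ] || [ "$auto" -eq 0 ]; then return 0; fi

  # Accept org/project/stack forms by checking the final path component.
  name=${stack##*/}
  case "$name" in
    # Fail closed: without --stack the currently selected stack is unknown here.
    "") echo "denied: --yes without an explicit --stack" >&2; return 1 ;;
    *[!A-Za-z0-9._-]*) echo "denied: unexpected stack name '$name'" >&2; return 1 ;;
  esac

  case " $ALLOWED_AUTO_APPROVE " in
    *" $name "*) return 0 ;;
  esac
  echo "denied: --yes is not allowed on stack '$name'" >&2
  return 1
}

# Wrapper: run the real CLI only when the check passes.
guarded_pulumi() {
  check_pulumi_up "$@" || return 1
  command pulumi "$@"
}
```

Calling `guarded_pulumi up --yes --stack production` stops before the CLI runs, while `guarded_pulumi up --stack production` still reaches the interactive preview and confirmation prompt.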