s
is it consistently failing in `preview` even after you've authenticated with ECR?
f
Yes. The github action has the following
```yaml
      - name: configure aws credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-region: us-east-2
          role-to-assume: arn:aws:iam::[account id]:role/[pulumi role]
          role-session-name: pulumi-up
          role-duration-seconds: 900

      - name: Use Node.js
        uses: actions/setup-node@v3
        with:
          node-version: 16

      - run: yarn install --frozen-lockfile
        working-directory: ${{ env.PULUMI_WORKING_DIRECTORY }}

      - name: PR previews
        if: ${{ github.event_name == 'pull_request' }}
        uses: pulumi/actions@v3
        with:
          command: preview
          comment-on-pr: true
          stack-name: ${{ env.PULUMI_STACK_NAME }}
          work-dir: ${{ env.PULUMI_WORKING_DIRECTORY }}
          github-token: ${{ secrets.GITHUB_TOKEN }}

      - name: Apply infrastructure update
        if: ${{ github.event_name == 'push' }}
        uses: pulumi/actions@v3
        with:
          command: up
          stack-name: ${{ env.PULUMI_STACK_NAME }}
          work-dir: ${{ env.PULUMI_WORKING_DIRECTORY }}
```
so the `up` step should have the same authentication as the `preview` step, right?
s
yeah `up` and `preview` should have the same auth unless `preview` runs code that adds additional auth. if it does not it's puzzling why there is a difference but a main issue here is your github actions workflow does not do ECR login. configuring aws credentials isn't enough to pull from a private ECR repo
f
ah, thanks for that!
but also strange that the `up` succeeds without `aws-actions/amazon-ecr-login` 🤔
s
yeah i'm not sure what's up with that 🤷 possibly you are using shared non-ephemeral runners and the `up` jobs just happened to use runners that were already authenticated with ECR from another job?
f
that possibility is a little worrying