Hey folks - we're using Pulumi Cloud with Google-b...
# getting-started
w
Hey folks - we're using Pulumi Cloud with Google-backed auth. But we want to be able to do previews of our Pulumi changes in GitLab. It seems like that's not possible as we get an auth failure on the webhook when doing this. Is there a way to get this working?
c
Are you using GSuite SAML with your Pulumi account? If yes, I am not sure that this will work for you given that you are using SAML with Pulumi. But you could try connecting your GitLab identity to your existing Pulumi user. Of course, you should ensure that you connect the right GitLab user that has access to the GitLab project in question. That'll allow Pulumi to use your GitLab access token from your identity to create a Merge Request comment. If you haven't already, you should also see the guide about the GitLab integration. Note that if your Project in GitLab is under a group, that will pose another problem since your Pulumi org would also need to use GitLab identity as well. This is for security reasons because Pulumi would need to verify your role in the Group and it can't do that if your Pulumi org is not backed by GitLab identity. An alternative would be switching to GitLab-based auth with Pulumi. You could use SAML with GitLab instead and let Pulumi access be governed by your users still being active on GitLab. That may be an option.
w
Yeah, we use a GitLab group unfortunately.
How destructive is it to switch over to using GitLab for our Pulumi access? Do we need to reprovision users, or will people need to log in again?
c
You will not need to reprovision users in Pulumi, just that you'll want to get them all to first connect a GitLab identity to their Pulumi accounts that they should use to access the org. After that it should be safe to switch over. But only the admin of the group should do the switchover since the admin's access in GitLab is used to look up certain information that other roles do not have access to. I believe the "Change Requirements" flow in the Pulumi Console does a check to ensure all of your current members also have an identity of the target identity provider you choose.
By the way, it might be a good idea to consult with Pulumi Support about this before you make changes and confirm that it is the only way. I am going off my memory here with all the information I've given you thus far and I reserve the right to be incorrect 😄