Hello guys, I've been trying to write a CI/CD flow for my

Pulumi

project. First step is previewing the changes when a pr is created. When that pr is merged I use

Pulumi

up in order to deploy the changes, with workload identity service account I created specifically in GCP.

name: Pulumi CI
on:
  pull_request:
    paths-ignore:
      - 'services/foo-**'
jobs:
  preview:
    name: Preview
    permissions:
      contents: 'read'
      id-token: 'write'
    runs-on: ubuntu-latest
    strategy:
      matrix:
        stack-name: [gcp-staging]
    steps:
      - uses: actions/checkout@v3
        with:
          persist-credentials: false
          fetch-depth: 0
      - uses: actions/setup-python@v5
        with:
          python-version: 3.11

      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v2
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-2

      - id: gcp-auth
        name: Authenticate with Google Cloud
        uses: google-github-actions/auth@v2
        with:
          # token_format: access_token
          # workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_POOL_ID }}
          workload_identity_provider: projects/ID/locations/global/workloadIdentityPools/pulumi/providers/pulumi-ci
          service_account: pulumi-ci-sa@${{ secrets.GCP_PROJECT }}.iam.gserviceaccount.com
          # access_token_lifetime: 300s

      - uses: simenandre/setup-gke-gcloud-auth-plugin@v1
      - run: pip install -r clusters/pulumi/requirements.txt
      - uses: pulumi/actions@v4
        with:
          command: preview
          cloud-url: <gs://pulumi-backend/>
          work-dir: clusters/pulumi/
          comment-on-pr: true
          stack-name: ${{ matrix.stack-name }}
        env:
          GOOGLE_OAUTH_ACCESS_TOKEN: ${{ steps.gcp-auth.outputs.access_token }}
          # PULUMI_ACCESS_TOKEN: "nosecret"
          PULUMI_CONFIG_PASSPHRASE: ""
          PULUMI_BACKEND_URL: <gs://pulumi-backend/>

The environment is

Kubernetes

based, an operating cluster which i deployed via my local machine on GCP. When I run

pulumi preview/update

from my machine, there are no apparent issues. I've encountered an issue with the preview step, it fails with this error message regarding the `ingress-nginx-controller`:

kubernetes:core/v1:Service (ingress_nginx_controller):
  error: Preview failed: 2 errors occurred:
   	* Resource 'ingress-nginx-controller' was created but failed to initialize
   	* Service does not target any Pods. Selected Pods may not be ready, or field '.spec.selector' may not match labels on any Pods

Any leads on what can be the reason?