Hello, how do you set

pulumi config

inside the CI pipeline? This seems to be a problem that config has to be present before CI runs but this presents another problem that the config value is already exposed to the code which has not been merged yet. Is there any recommendation to avoid this problem?

problem that config has to be present before CI runs

We expect that to often be the case. E.g. how many vms to deploy should normally be a decision made by an engineer and gone through review before hitting CI.

that the config value is already exposed to the code which has not been merged yet.

I don't understand this statement? Is this a worry about auth tokens/secrets being picked up by public PRs?

I'm worried about the fact that the stack config has to be changed before PR was review is done otherwise

pulumi preview

step in CI will fail reading the config value. (not a problem for plaintext values, no need to run

pulumi config set

but it is a problem with secrets) Also what if there are 2 PRs working on the same project? then the config is available for both branches example: Branch A:

pulumi config set variable_A valueA

Branch B:

pulumi config set variable_B valueB

above case is not a problem, however this may be a problem: example: Branch A:

pulumi config set variable_A valueA

Branch B:

pulumi config set variable_A valueB

after this running

pulumi config

inside the branch A, returns

valueB

stack config has to be changed before PR was review is done

I mean so does the code, this is one of the reasons config is pulled from local files not from the service. So that the checked out files for code and config stay in sync.

Thanks, it works as expected, as long as someone in the branch won't run

pulumi up

but that that point I'd be changing the global state so it makes sense.