What's the canonical way to inject dynamic configuration? Use case: Our CI/CD process will in two separate runners: 1. build, tag, and push an image with the SHA1 of the repo 2. (in a more privileged runner later) use the SHA1 of the repo as the image tag for a Kubernetes deployment The runner can't mutate the Pulumi config (or commit it) between steps. Is the canonical solution to

pulumi config set

before

pulumi up

... or?

I plan to do the same thing, but our ci process is changing/committing code in the build/test phase: - build/tag images with commit sha - test (assume success here) - git flow start release xxx - bump version numbers in manifests -

pulumi config set version xxx

- retag gcr images from sha with xxx - git flow finish release xxx (pushes code to github) Then we have a different ci job running on merges to

master

-

pulumi up -y

or at least that is the plan at this point.

GitLab CI/CD is designed around immutable/idempotent pipelines (for better or worse), so the runner has a read-only token for pulling

We focused on auto-release and did it with circleci, git-flow, and some custom scripts. All this is definitely dependent on choices you make for your toolchain.