This message was deleted.

Further reading of the docs looks like I can control who has what actions on a per stack basis: https://www.pulumi.com/docs/intro/console/collaboration/stack-permissions/

For #2, you can have different stacks for different branches: https://www.pulumi.com/docs/guides/continuous-delivery/github-actions/#branch-mappings This allows you to have a branch for staging, and use master for prod (or something else that fits your workflow better 😇)

Hmm.. that is definitely an option. The only issue I can foresee with that is we currently have a github repo per environment that includes kubernetes yamls. If I were to merge all of the yamls into one repo, the yamls for a preprod cluster would do absolutely nothing when they're merged to the production branch. I think the other option would be to stick with the github repo per environment and create many projects with 1 stack each. For example:

{my_org}/sandbox-{app_name}/sandbox

Hmm that’s a good point, the other thing that could work (if I read the code for the Pulumi Actions correctly) is setting the stack variable. The GitHub Actions container executes this script (https://github.com/pulumi/pulumi/blob/master/dist/actions/entrypoint.sh) so it seems you could set the arg to

up --stack dev

which would update the dev stack