For the users of the Pulumi GitOps operator, how do you solve the problem of being able to see infra diff in a PR before merging it, without granting the CI job access to cloud resources? Can the operator scan PRs and comment the

pulumi preview

output? Or am I limited to running

pulumi preview

within my CI and granting the CI service user read access to my cloud resources and Pulumi state?