For the users of the Pulumi GitOps operator, how do you solve the problem of being able to see infra diff in a PR before merging it, without granting the CI job access to cloud resources? Can the operator scan PRs and comment the
output? Or am I limited to running
within my CI and granting the CI service user read access to my cloud resources and Pulumi state?