feat(actions): add skip-refresh input to provision-parent-stack #355

Merged
smecsia merged 2 commits into main from feat/provision-skip-refresh on Jun 30, 2026

Conversation

@universe-ops

Contributor

The provision-parent-stack action always ran a Pulumi refresh on real (non-dry-run) provisions: executeProvision hard-coded SkipRefresh to previewMode, and neither the action nor ProvisionParentStack read a SKIP_REFRESH signal. The sibling deploy-client-stack action already supported skip-refresh; this brings provision to parity.

  • action.yml: add skip-refresh input (default false) mapped to SKIP_REFRESH env.
  • ProvisionParentStack: read SKIP_REFRESH into OperationConfig.SkipRefresh.
  • executeProvision: honor config.SkipRefresh (SkipRefresh = config.SkipRefresh || previewMode), mirroring executeDeploy.

Refresh stays on by default; opting out is explicit. Note skipping refresh on a parent/infra stack means Pulumi won't reconcile state against the cloud first, so out-of-band drift can cause stale-state surprises — use deliberately.

The provision-parent-stack action always ran a Pulumi refresh on real
(non-dry-run) provisions: executeProvision hard-coded SkipRefresh to previewMode,
and neither the action nor ProvisionParentStack read a SKIP_REFRESH signal. The
sibling deploy-client-stack action already supported skip-refresh; this brings
provision to parity.

- action.yml: add `skip-refresh` input (default false) mapped to SKIP_REFRESH env.
- ProvisionParentStack: read SKIP_REFRESH into OperationConfig.SkipRefresh.
- executeProvision: honor config.SkipRefresh (SkipRefresh = config.SkipRefresh || previewMode),
  mirroring executeDeploy.

Refresh stays on by default; opting out is explicit. Note skipping refresh on a
parent/infra stack means Pulumi won't reconcile state against the cloud first, so
out-of-band drift can cause stale-state surprises — use deliberately.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Signed-off-by: Ilya Sadykov <smecsia@gmail.com>
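As an added illustration, not the project's own code, the skip-refresh propagation described above written out in Go: a SKIP_REFRESH-style value is parsed strictly so that an empty or malformed input keeps refresh on (fail closed), and the executeProvision rule SkipRefresh = config.SkipRefresh || previewMode is applied. OperationConfig, ConfigFromEnv, parseSkipRefresh and EffectiveSkipRefresh are assumed names, and the strict parsing goes beyond what the PR itself states.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
)

// OperationConfig mirrors the field named in the PR (hypothetical type, not the project's).
type OperationConfig struct {
	SkipRefresh bool
}

// parseSkipRefresh reads a SKIP_REFRESH-style value. Only a strict boolean
// ("true", "1", "t", ...) opts out of the refresh; an empty or unparseable
// value falls back to the safe default (refresh on) and returns an error so
// the caller can surface the bad input instead of silently skipping state
// reconciliation.
func parseSkipRefresh(raw string) (bool, error) {
	if raw == "" {
		return false, nil
	}
	v, err := strconv.ParseBool(raw)
	if err != nil {
		return false, fmt.Errorf("SKIP_REFRESH: %q is not a boolean; refresh stays enabled", raw)
	}
	return v, nil
}

// ConfigFromEnv builds an OperationConfig from the process environment,
// the way the PR describes ProvisionParentStack reading SKIP_REFRESH.
func ConfigFromEnv() (OperationConfig, error) {
	skip, err := parseSkipRefresh(os.Getenv("SKIP_REFRESH"))
	return OperationConfig{SkipRefresh: skip}, err
}

// EffectiveSkipRefresh is the rule the PR gives for executeProvision:
// a preview (dry run) never refreshes, and a real run refreshes unless the
// caller explicitly opted out.
func EffectiveSkipRefresh(cfg OperationConfig, previewMode bool) bool {
	return cfg.SkipRefresh || previewMode
}

func main() {
	cfg, err := ConfigFromEnv()
	if err != nil {
		fmt.Println("warning:", err)
	}
	fmt.Printf("real run:  skipRefresh=%v\n", EffectiveSkipRefresh(cfg, false))
	fmt.Printf("dry run:   skipRefresh=%v\n", EffectiveSkipRefresh(cfg, true))
}
```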
@github-actions

github-actions Bot commented Jun 30, 2026


Semgrep Scan Results

Repository: api | Commit: c1327d4

| Check | Status | Details |
|---|---|---|
| ❌ Semgrep | Failed | Check workflow logs |

Scanned at 2026-06-30 19:02 UTC

@github-actions


📊 Statement coverage

Measured on the documented included set (see docs/TESTING.md → Coverage scope). Observe-only — no regression gate is enforced yet.

| Scope | This PR | main baseline | Δ |
|---|---|---|---|
| Included set (Gold-tier denominator) | 90.3% | 90.3% | +0.0 pp |
| Full set (whole repo, transparency) | 27.9% | 27.9% | +0.0 pp |

Baseline: main @ adb026b

@github-actions

github-actions Bot commented Jun 30, 2026


Security Scan Results

Repository: api | Commit: c1327d4

| Check | Status | Details |
|---|---|---|
| ✅ Secret Scan | Pass | No secrets detected |
| ✅ Dependencies (Trivy) | Pass | 0 total (no critical/high) |
| ✅ Dependencies (Grype) | Pass | 0 total (no critical/high) |
| 📦 SBOM | Generated | 523 components (CycloneDX) |

Scanned at 2026-06-30 17:48 UTC

@smecsia smecsia added the ci-run label Jun 30, 2026
@smecsia smecsia merged commit 97f2738 into main Jun 30, 2026
32 of 40 checks passed
Cre-eD added a commit that referenced this pull request Jul 1, 2026
The p/ci rule yaml.github-actions.security.gha-curl-pipe-shell re-parses
each workflow run: block as Bash via a metavariable-pattern. GitHub
Actions ${{ }} expressions are not valid Bash, so the sub-parser emits
nondeterministic PartialParsing / Internal matching error engine errors
(24 on our workflows) that the scan action counts in .errors and fails
on - flaky red CI, not real findings. The same commit passed then failed
on consecutive runs (#355), and main went red post-merge for the same
reason.

Suppress it via the disabled-rules input. No coverage lost: the SC
shell-curl-pipe-to-shell rule already flags curl|wget | sh piping in
**/*.yml and **/*.yaml by regex, with no Bash sub-parse.

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>