infra/scripts/README.md
infra/scripts/
Cross-stack tooling for the Pulumi setup. Currently just one entry point:
setup-pulumi.sh
One-time auth bootstrap. Run it once on a dev machine and at the start of any CI job that runs Pulumi. Idempotent — safe to re-run.
It does two things:
- Pulls R2 access keys from Infisical at `/infra/scripts/` and stores them locally under the named AWS profile `[studyflash-pulumi]` (in CI, exports them to `$GITHUB_ENV` instead).
- Runs `pulumi login` with `?profile=studyflash-pulumi` baked into the backend URL, so pulumi looks up that profile by name: no `AWS_PROFILE` shell rc edit, no env var dance.
After this, per-stack package.json scripts only need their own
infisical run --path=/<stack-path>/ -- pulumi <action> to pull stack-specific
provider creds (Chatwoot/Cloudflare/Hetzner/etc.). The R2 + backend setup is
already wired.
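A sketch of the two credential-storage branches and the profile-bearing backend URL described above, as an added example that is not the repository's `setup-pulumi.sh`. The exported variable names, the `::add-mask::` log masking and the multi-line check are assumptions of this sketch; key values and the backend URL are supplied by the caller.

```sh
#!/bin/sh
# Added sketch, not the repository's setup-pulumi.sh.
set -eu

PROFILE="studyflash-pulumi"   # profile name taken from this README
NL='
'
CR=$(printf '\r')

# Append profile=<name> to a backend URL, with or without an existing query
# string, so pulumi resolves the keys by profile name instead of AWS_PROFILE.
with_profile() {  # $1 = backend URL (caller-supplied)
  case "$1" in
    *\?*) printf '%s&profile=%s' "$1" "$PROFILE" ;;
    *)    printf '%s?profile=%s' "$1" "$PROFILE" ;;
  esac
}

# CI branch: mask the value in job logs, then append NAME=value to $GITHUB_ENV.
# A value containing a line break could smuggle extra variables into that
# file, so it is rejected before anything is written.
export_ci() {  # $1 = variable name, $2 = value
  case "$2" in
    *"$NL"*|*"$CR"*) echo "refusing multi-line value for $1" >&2; return 1 ;;
  esac
  echo "::add-mask::$2"
  printf '%s=%s\n' "$1" "$2" >> "$GITHUB_ENV"
}

# Dev branch: store the keys under the named profile via the AWS CLI.
store_local() {  # $1 = access key id, $2 = secret access key
  aws configure set aws_access_key_id "$1" --profile "$PROFILE"
  aws configure set aws_secret_access_key "$2" --profile "$PROFILE"
}

# Pick the branch: GitHub Actions sets GITHUB_ENV, dev machines do not.
# The AWS_* variable names used in CI are an assumption of this sketch.
store_creds() {  # $1 = access key id, $2 = secret access key
  if [ -n "${GITHUB_ENV:-}" ]; then
    export_ci AWS_ACCESS_KEY_ID "$1"
    export_ci AWS_SECRET_ACCESS_KEY "$2"
  else
    store_local "$1" "$2"
  fi
}
```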
GCP KMS auth (for the Pulumi secrets-provider) is host-level:
- Devs: `gcloud auth application-default login` once.
- CI: the existing `.github/actions/gcp-auth` action.
First-time dev setup
infisical login --domain=https://infisical.studyflash.ch
gcloud auth application-default login
./infra/scripts/setup-pulumi.sh
After that, in any stack: pnpm preview just works.