
Policy Enforcement in CI/CD

    Pulumi policies integrate with CI/CD pipelines to automatically enforce compliance and security rules on every deployment. When policy packs are enabled for your organization, the Pulumi CLI runs them during pulumi preview and pulumi up, including when those commands execute inside a CI/CD workflow. Changes that violate a mandatory policy fail the command, so they are blocked before they reach production; advisory violations are reported but do not block.

    How policy enforcement works in CI/CD

    When your CI/CD pipeline runs Pulumi commands, policy enforcement happens automatically:

    1. The pipeline runs pulumi preview or pulumi up.
    2. The Pulumi CLI downloads from Pulumi Cloud the policy packs assigned to the stack through its policy groups.
    3. Each policy pack evaluates the proposed infrastructure changes.
    4. If any policy in advisory mode detects a violation, a warning is logged but the operation continues.
    5. If any policy in mandatory mode detects a violation, the operation fails and the pipeline stops.

    You can also run a policy pack from the repository itself by passing the --policy-pack flag. This is useful for testing a pack before publishing it, and it is the only enforcement path when the stack is not stored in Pulumi Cloud. If the pack takes configuration, pass it with --policy-pack-config:

    pulumi preview --policy-pack /path/to/policy-pack
    pulumi preview --policy-pack /path/to/policy-pack --policy-pack-config /path/to/config.json
    

    GitHub Actions

    Pulumi provides an official GitHub Action that supports policy enforcement out of the box. When your stack has policy packs enabled in Pulumi Cloud, the action enforces them automatically.

    Caching policy packs

    GitHub Actions runners are ephemeral, so the Pulumi CLI downloads the stack's policy packs again on every workflow run. Cache the ~/.pulumi/policies directory to avoid re-downloading them and speed up your workflows. The cache is only an optimization: the CLI still fetches any policy pack version that is missing from it.

    - name: Cache Pulumi policy packs
      uses: actions/cache@v4
      with:
        path: ~/.pulumi/policies
        key: ${{ runner.os }}-pulumi-policies-${{ hashFiles('**/package.json') }}
        restore-keys: |
          ${{ runner.os }}-pulumi-policies-
    

    For complete workflow examples including plugin caching, multiple languages, and environment configuration, see the GitHub Actions guide.
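The following complete pull-request workflow is an added example, not taken from the page above or from the GitHub Actions guide it links to. It combines the cache step from the previous section with the official Pulumi action running pulumi preview on every pull request. The organization, project and stack name (acme/webapp/dev), the repository-local policy pack path ./policy, and the PULUMI_ACCESS_TOKEN secret name are assumptions; the policyPacks, comment-on-pr and github-token inputs are taken from the pulumi/actions README, so check them against the version of the action you pin.

```yaml
name: pulumi-preview

# Run on pull_request, not pull_request_target, so a PR from a fork cannot
# run with write access to the base repository.
on:
  pull_request:

# Least privilege: read the repo, and write to pull requests only so the
# action can post the preview (including policy violations) as a comment.
permissions:
  contents: read
  pull-requests: write

jobs:
  preview:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      # Install the program's dependencies and the local policy pack's
      # dependencies (assumed path: ./policy) from their lockfiles.
      - run: npm ci
      - run: npm ci --prefix policy

      # Same cache step as in the section above: reuse policy packs the
      # CLI downloaded from Pulumi Cloud on earlier runs.
      - name: Cache Pulumi policy packs
        uses: actions/cache@v4
        with:
          path: ~/.pulumi/policies
          key: ${{ runner.os }}-pulumi-policies-${{ hashFiles('**/package.json') }}
          restore-keys: |
            ${{ runner.os }}-pulumi-policies-

      # Policy packs enabled for this stack in Pulumi Cloud are enforced
      # automatically. policyPacks additionally runs the repository-local
      # pack, which is how a not-yet-published pack gets exercised on PRs.
      # A mandatory violation fails this step; mark the check as required
      # in branch protection so the PR cannot be merged.
      - uses: pulumi/actions@v5
        with:
          command: preview
          stack-name: acme/webapp/dev   # assumed org/project/stack
          policyPacks: ./policy
          comment-on-pr: true
          github-token: ${{ secrets.GITHUB_TOKEN }}
        env:
          PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
```

The policy-pack checks only protect the merge if this job is a required status check for the target branch; otherwise a failing preview is visible but not blocking.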

    Google Cloud Build

    Google Cloud Build can enforce Pulumi policies using the Pulumi Cloud Builder. Policy packs enabled through Pulumi Cloud are applied automatically during build steps that run pulumi preview or pulumi up.

    For detailed setup instructions, see the Google Cloud Build guide.

    Other CI/CD providers

    Pulumi policies work with any CI/CD system that can run the Pulumi CLI. Policy enforcement requires no special configuration: if your stack has policy packs enabled in Pulumi Cloud, they are enforced automatically wherever pulumi preview or pulumi up runs. Policy groups are a Pulumi Cloud feature, so stacks on a self-managed backend (for example a local or S3 state backend) get no server-assigned policies; for those stacks, and for testing an unpublished pack, pass the --policy-pack flag explicitly.

    Pulumi provides integration guides for many CI/CD providers. For the full list of CI/CD integrations, see the continuous delivery guides.

    Best practices

    • Use policy groups to vary enforcement by environment. Apply stricter (mandatory) policies to production stacks and advisory policies to development stacks. See policy groups for details.
    • Cache policy packs in CI. Caching the ~/.pulumi/policies directory reduces download time on repeated runs.
    • Test policy changes before enforcing. Publish policy pack updates and test them in advisory mode before switching to mandatory enforcement.
    • Run pulumi preview in pull request checks. This catches policy violations early, before changes are merged.
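The example below is added here and is not code from the page or from Pulumi. It illustrates two things from this page: the advisory-versus-mandatory decision the CLI makes in the "How policy enforcement works in CI/CD" steps, and the "test policy changes before enforcing" practice. The validators are written as plain functions whose argument shape mimics the validateResource(args, reportViolation) callback of a Pulumi ResourceValidationPolicy (an assumption of this example: the real type comes from @pulumi/policy, which is deliberately not imported so the file runs and unit-tests offline). evaluate() applies the same rule the CLI does: any mandatory violation blocks, advisory violations only warn. The resource types and the sample preview resources are constructed for the example.

```typescript
// Enforcement levels as Pulumi defines them for a policy.
type EnforcementLevel = "advisory" | "mandatory" | "disabled";

// Simplified stand-in for @pulumi/policy's ResourceValidationArgs (assumption).
interface ResourceArgs {
  type: string;                 // Pulumi type token, e.g. "aws:s3/bucket:Bucket"
  name: string;                 // logical resource name
  props: Record<string, any>;   // proposed input properties from the preview
}

interface Policy {
  name: string;
  description: string;
  enforcementLevel: EnforcementLevel;
  validateResource: (args: ResourceArgs, reportViolation: (message: string) => void) => void;
}

interface Violation {
  policy: string;
  level: EnforcementLevel;
  resource: string;
  message: string;
}

interface Result {
  violations: Violation[];
  blocked: boolean;   // true when at least one mandatory policy was violated
}

// Two example policies: one mandatory (blocks), one advisory (warns only).
const policies: Policy[] = [
  {
    name: "s3-no-public-acl",
    description: "S3 buckets must not be created with a public canned ACL.",
    enforcementLevel: "mandatory",
    validateResource: (args, reportViolation) => {
      if (args.type !== "aws:s3/bucket:Bucket") return;
      const acl = args.props.acl;
      if (acl === "public-read" || acl === "public-read-write") {
        reportViolation(`bucket '${args.name}' uses public ACL '${acl}'`);
      }
    },
  },
  {
    name: "require-owner-tag",
    description: "Taggable resources should carry an 'owner' tag.",
    enforcementLevel: "advisory",
    validateResource: (args, reportViolation) => {
      const tags = args.props.tags;
      if (tags === undefined) return;          // resource is not taggable
      if (typeof tags.owner !== "string" || tags.owner === "") {
        reportViolation(`resource '${args.name}' has no 'owner' tag`);
      }
    },
  },
];

// Run every enabled policy over every proposed resource and apply the
// CLI's rule: mandatory violation => operation fails; advisory => warn only.
function evaluate(resources: ResourceArgs[], packs: Policy[] = policies): Result {
  const violations: Violation[] = [];
  for (const r of resources) {
    for (const p of packs) {
      if (p.enforcementLevel === "disabled") continue;
      p.validateResource(r, (message) =>
        violations.push({ policy: p.name, level: p.enforcementLevel, resource: r.name, message }));
    }
  }
  return { violations, blocked: violations.some((v) => v.level === "mandatory") };
}

// Exit status a CI step would surface: non-zero only when blocked.
function exitCode(result: Result): number {
  return result.blocked ? 1 : 0;
}

// Constructed sample of what a preview might propose (not real plan output).
const sampleResources: ResourceArgs[] = [
  { type: "aws:s3/bucket:Bucket", name: "logs", props: { acl: "public-read", tags: { owner: "sec" } } },
  { type: "aws:s3/bucket:Bucket", name: "data", props: { acl: "private", tags: {} } },
];

const result = evaluate(sampleResources);
for (const v of result.violations) {
  console.log(`[${v.level}] ${v.policy}: ${v.message}`);
}
console.log(result.blocked ? "operation blocked by mandatory policy" : "operation may proceed");
```

Keeping the validator bodies free of framework imports means the same functions can be unit-tested in the pull-request workflow, and only the thin @pulumi/policy wrapper changes when a policy is promoted from advisory to mandatory.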