Completes T14: the two CI pipelines that need Pulumi stack state, which
bootstrap/state/ is gitignored from. Solves the blocker by publishing a
fresh `pulumi stack export` to RustFS after every `up`, then having CI
pull + import it.

- state-publish.sh: ships the stack export to
  rfs/foundation-ci-state/foundation-stack.json via a throwaway mc container on
  foundation-net (ADR-007), exactly like backup.sh. Secrets inside the export
  stay passphrase-encrypted; config travels in the committed (encrypted)
  Pulumi.foundation.yaml. run.sh invokes it best-effort after `up`.
- rustfs.ts + Pulumi.foundation.yaml: declare the foundation-ci-state
  bucket (created belt-and-suspenders by state-publish on first run).
- pulumi-preview.yml (push/PR): read-only drift/PR check. Pulls + imports
  state, materializes the operator key from the SSH_PRIVATE_KEY secret
  (the provider + index.ts read it), `pulumi preview` — never `up`. A diff
  is informational so the job fails only on a program/preview error.
- backup-verify.yml (weekly + dispatch): reuses backup.sh/restore.sh
  unchanged to produce a bundle and restore-verify it from offsite
  (CONTRACT_004 §4.6). Imports real state so the bundle's pulumi-state.json
  is real, not an empty deployment.

Repo-scoped Actions secrets set via the admin API: PULUMI_CONFIG_PASSPHRASE,
SSH_PRIVATE_KEY, RUSTFS_ACCESS_KEY, RUSTFS_SECRET_KEY. Both pipelines
validated end-to-end in a foundation-ci container on the VM (preview exit 0;
backup-verify RESTORE VERIFY PASS from offsite).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>