Open douglasnaphas opened 3 years ago
Change committed, PR build added, closing.
On PR gh-345, in this repo douglasnaphas/madliberation, I had a button asking for approval for the PR build to run (not to approve the PR, to approve the running of the PR build).
Actually, `stackname` may complicate this. I'm not sure what `GITHUB_REPOSITORY` and `GITHUB_REF` will be when the PR build runs in the target repo, though it looks from these docs like at least `GITHUB_REF` will be different from what it would need to be in order for the build to be producing a meaningful diff to the master/main/prod deployment.
Anyway, it looks like the builds run with the sending repo's secrets, which is not what I want.
What I think I'm seeing is the effect of this:
> With the exception of `GITHUB_TOKEN`, secrets are not passed to the runner when a workflow is triggered from a forked repository. The permissions for the `GITHUB_TOKEN` in forked repositories is read-only. For more information, see "Authenticating with the GITHUB_TOKEN."
So it may be infeasible to diff to the prod stack on PR, though there are other Actions triggering events starting with `pull_request`.
It's not a good idea to try to diff stacks on PR from forks using the base repo's secrets.
There's a good case for setting it up so that a repo owner can see a PR into their base repo, check out the contributor's branch within the base repo, and run a build diffing the stacks all within the base repo, using the base repo's secrets. This happens with a build `on: pull_request` when the PR is from a branch within the base repo. I'd like to see if Actions can let you specify inputs, so you could do something like run a build within the base repo where you specify the branch that you want to `cdk diff` to the main branch.
It'll run in the receiving repo's AWS account, and show prospective changes without making them.
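The workflow shape discussed in this thread, written out as an added example (it is not from douglasnaphas/madliberation and is not the workflow that was committed): `workflow_dispatch` supplies the branch input the owner picks, `pull_request` covers PRs from branches inside the base repo, and the job skips fork PRs outright, since those runs get no repository secrets. The secret names, the `vars.PROD_STACK_NAME` variable, the AWS region, the Node version and the assumption that the CDK app lives at the repo root with `cdk.json` are all assumptions.

```yaml
# Added example workflow (not the project's own). Runs `cdk diff` inside the
# base repo, with the base repo's AWS secrets, for a ref chosen by the repo
# owner or for a same-repo pull request. Secret/variable names, region and
# Node version are assumptions.
name: cdk-diff

on:
  # Manual run: the owner picks which branch, tag or SHA to diff against the
  # deployed stack.
  workflow_dispatch:
    inputs:
      ref:
        description: "Branch, tag or commit SHA to diff against the deployed stack"
        required: true
        default: main
  # Automatic run for PRs; fork PRs are filtered out by the job-level `if`.
  pull_request:

# The read-only GITHUB_TOKEN is all this job needs from GitHub itself.
permissions:
  contents: read

jobs:
  diff:
    runs-on: ubuntu-latest
    # Fork PRs receive no repository secrets (only a read-only GITHUB_TOKEN),
    # so the AWS login below would fail. Skip them rather than half-run.
    if: >-
      github.event_name == 'workflow_dispatch' ||
      github.event.pull_request.head.repo.full_name == github.repository
    steps:
      - uses: actions/checkout@v4
        with:
          # On workflow_dispatch this is the owner's chosen ref. On
          # pull_request the input is empty, so actions/checkout falls back to
          # its default for the event (the PR merge commit).
          ref: ${{ github.event.inputs.ref }}

      - uses: actions/setup-node@v4
        with:
          node-version: 20

      - uses: aws-actions/configure-aws-credentials@v4
        with:
          # Assumed secret names. These are always the base repo's secrets,
          # never a fork's, because the run happens in the base repo.
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          aws-region: us-east-1

      - run: npm ci

      # `cdk diff` reads the deployed stack and prints prospective changes;
      # it deploys nothing. PROD_STACK_NAME is an assumed repository variable
      # naming the production stack, so the diff is not derived from
      # GITHUB_REF or GITHUB_REPOSITORY.
      - run: npx cdk diff "$STACK_NAME"
        env:
          STACK_NAME: ${{ vars.PROD_STACK_NAME }}
```

Two points worth knowing when adapting this: `cdk diff` exits 0 even when it finds differences unless you pass `--fail`, so add that flag if the check should go red on drift; and if the repo's stack name is computed from `GITHUB_REF` or `GITHUB_REPOSITORY`, that computation has to be bypassed (as with the fixed `STACK_NAME` above), or a `workflow_dispatch` run on a feature branch will diff against a stack that does not exist rather than against production.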