ubx apply from a developer’s laptop works fine when you’re the only person touching the infrastructure. The moment a second engineer joins, you need a shared, auditable, automatable pipeline. The standard pattern is PR-plan / merge-apply: when a pull request is opened, the CI pipeline runs ubx plan and posts the output as a PR comment so reviewers can see exactly what will change before approving. When the PR merges to main, the pipeline runs ubx apply automatically. This creates a clear audit trail, prevents “it worked on my machine” surprises, ensures every production change goes through review, and makes rollback straightforward (revert the commit, CI applies the revert). This tutorial is the complete, working GitHub Actions workflow — not pseudocode, but the actual YAML you’d commit to .github/workflows/.
What you’ll learn
- The PR-plan / merge-apply GitHub Actions pattern for ubx
- How to post
ubx planoutput as a PR comment - How environment protection rules gate
ubx applyto reviewed changes only
Why this matters
A CI pipeline that runs
ubx validate on every push and ubx apply on every merge to main is the minimum viable infrastructure pipeline. It costs nothing extra, prevents most classes of production outage from accidental or unreviewed changes, and gives you a searchable history of every change in your CI logs.The source code
How it works
Pull request triggers the plan job
Any PR targeting
main triggers the plan job. It runs ubx validate (fast, no state access), then ubx plan --out plan.ubx (requires AWS credentials and S3 state access). The plan output is captured to plan-output.txt and posted as a PR comment.The plan file is uploaded as an artifact
--out plan.ubx saves the plan to a file. The artifact is uploaded with a name tied to the commit SHA — plan-${{ github.sha }}. This links the exact plan that was reviewed to the exact commit that was approved.Common mistakes
Run it
What you learned
The PR-plan / merge-apply pattern gives every change a review step before production
ubx plan --out plan.ubx saves the plan for upload as a CI artifactenvironment: production in GitHub Settings adds a required-reviewer gate before applyNext steps
Plan approval workflow
Apply from a saved plan file for two-step approval
Shared apply history
Track every CI apply in a shared audit log
Full runnable example: github.com/ubiquex/ubx-examples/52-ci-cd-github-actions-plan-apply

