what-is: editorial style pass across glossary pages #19765

Open
alexleventer wants to merge 3 commits into master from aleventer/polish-what-is-iac

@alexleventer alexleventer commented Jun 18, 2026

Contributor

A copy-only editorial and accuracy pass across the what-is/ articles.

Editorial

  • Standardized punctuation: replaced em dashes with commas, colons, periods, and parentheses for consistent house style.
  • Rewrote the trailing "Conclusion" sections on ~25 pages so each ends on the article's actual point rather than restating it and sliding into a product pitch; any call-to-action is demoted to a single trailing link.
  • Replaced "our community" / "join us" phrasing with "the Pulumi community" across the section (glossary + utility pages).
  • De-duplicated a repeated link label on the Cloudflare page.

Accuracy

  • CircleCI secret page: replaced a non-existent CLI command with the real environment-variable/API mechanism, and fixed two .circleci/config.yml examples that used an invalid secrets: key and defined a job inside workflows:. Examples now use contexts and valid 2.1 syntax (all YAML blocks parse).
  • YAML page: fixed a nesting example that could not parse (version: was nested under a scalar value).

What didn't change

  • No changes to page structure, headings (other than one CircleCI sub-heading), or link targets beyond the above.

@github-actions github-actions Bot added the review:triaging label (Claude Triage is currently classifying the PR) Jun 18, 2026
@alexleventer alexleventer requested a review from CamSoper June 18, 2026 18:44
@github-actions github-actions Bot added the domain:docs (PR touches technical docs), review:prose-flagged (Trivial or frontmatter-only PR where triage's prose-check found possible spelling/grammar issues), and review:trivial (Tiny prose-only change; skips Claude review) labels Jun 18, 2026
@github-actions

Contributor

🔍 Triage prose check — possible issues in the diff. Full review is skipped (review:trivial); please double-check before merging.

  • [spelling] content/what-is/what-is-infrastructure-as-code.md:112 — missing Oxford comma in list before 'and': 'editing a setting directly in the cloud console) and bring' should be ', and bring' (or restructure to avoid the parenthetical)
  • [style] content/what-is/what-is-infrastructure-as-code.md:62 — difficulty qualifier: Avoid difficulty qualifier 'simple' -- it judges difficulty for the reader (STYLE-GUIDE.md §Inclusive Language).

This is a simplified spelling/grammar/style check in lieu of a full review. Reject false positives at your discretion.

@github-actions github-actions Bot removed the review:triaging label (Claude Triage is currently classifying the PR) Jun 18, 2026
Standardize punctuation across the what-is articles, replacing em dashes
with commas, colons, periods, and parentheses for consistent house style.
On the infrastructure-as-code page, also tighten the closing copy and the
"learn more" blurb. Copy-only: no changes to meaning, page structure, code
samples, or links.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@alexleventer alexleventer force-pushed the aleventer/polish-what-is-iac branch from 5d7287b to bb6fbbe June 18, 2026 18:50
@alexleventer alexleventer changed the title from "what-is(iac): content-polish pass on infrastructure-as-code page" to "what-is: editorial style pass across glossary pages" Jun 18, 2026
@pulumi-bot

pulumi-bot commented Jun 18, 2026

Collaborator

Rewrite the trailing "Conclusion" sections on the glossary pages so each
ends on the article's actual point instead of restating it and sliding
into a product pitch; demote any call-to-action to a single trailing
link. Replace "our community"/"join us" phrasing with "the Pulumi
community" per house style. Also de-duplicate a repeated link label on
the Cloudflare page. Copy-only; no structural, code, or link-target
changes beyond these.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
- CircleCI secret page: replace the non-existent `circleci api
  create-secret` CLI command with the real env-var/API mechanism, and
  fix two `.circleci/config.yml` examples that used an invalid `secrets:`
  key and defined a job (with `command:`) inside `workflows:`. Examples
  now use contexts and valid 2.1 syntax; all YAML blocks parse.
- YAML page: fix the nesting example that nested `version:` under the
  scalar `python: Expert` (could not parse); `python` is now a mapping.
- Apply the "the Pulumi community" wording to the remaining run-aws/
  resolve utility pages for consistency with the rest of the section.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@CamSoper

Contributor

@claude #new-review

@github-actions github-actions Bot added the review:in-progress label (Claude review is currently running) Jun 18, 2026
@github-actions

Contributor

Pre-merge Review — Last updated 2026-06-18T20:01:50Z

Tip

Summary: This PR is an editorial style pass across 51 content/what-is/ glossary and comparison pages — tightening prose, smoothing wording, and refreshing a handful of links (net +154/−191). The changes are content-only: the frontmatter sweep found no alias or URL collisions across all 51 files, and no Hugo templating paths were touched. Verification extracted 126 factual claims and confirmed 96; it surfaced 9 contradicted claims a reader could act on wrongly — a couple of stale or incorrect doc links and anchors (the HashiCorp Vault /docs/pulumi-cloud/esc/providers/vault-secrets/ path, the CircleCI OIDC anchor), an ESC product-name typo ("Configurations"), and several technical overstatements (drift "showing up in the next pulumi preview," "every field… at compile time," the SOC 2 timeline, and Bigtable's SQL surface being attributed to BigQuery). Nine more claims could not be verified — mostly editorial positioning ("for most teams…", "routinely accept…") that should be softened or attributed. Passes run: claim extraction + external/source verification, cited-link spot-checks, frontmatter sweep, and prose linting. Cross-sibling and editorial-balance passes did not apply (not a templated section; not a blog post).

Review confidence:

| Dimension | Level | Notes |
|---|---|---|
| mechanics | HIGH | |
| facts | MEDIUM | 9 contradicted and 9 unverifiable claims surfaced; verdicts come from external/source checks rather than in-review re-confirmation. |

Investigation log
  • Cross-sibling reads: not run (not in a templated section)
  • External claim verification: 96 of 126 claims verified (9 unverifiable, 9 contradicted) · 4 specialists (numerical, cross-reference, capability, framing); 0 cross-specialist corroborations · routed: 0 inline, 58 Pass 1, 37 Pass 2 (verified 35, contradicted 0, unverifiable 2), 31 Pass 3 (verified 16, contradicted 3, unverifiable 12).
  • Cited-claim spot-checks: 37 of 37 cited claims fetched and compared
  • Frontmatter sweep: ran on body + meta_desc
  • Temporal-trigger sweep: ran (recency words present in diff; spot-check in-review)
  • Code execution: not run (no static/programs/ change)
  • Code-examples checks: not run (no fenced code blocks in content files)
  • Editorial-balance pass: not run (not under content/blog/)

| 🚨 Outstanding | ⚠️ Low-confidence | 💡 Pre-existing | ✅ Resolved |
|---|---|---|---|
| 9 | 36 | 0 | 0 |

🔍 Verification trail

126 claims extracted · 96 verified · 9 unverifiable · 9 contradicted
  • L74 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Google Cloud Bigtable is the closest GCP equivalent to DynamoDB for large-scale, low-latency workloads." → ✅ verified (evidence: The Pulumi page at pulumi.com/what-is/amazon-dynamodb-vs-google-cloud-bigtable/ states verbatim: "Google Cloud Bigtable: the wide-column store on Google Cloud covered in detail above — the closest GCP equivalent to DynamoDB for large-scale…; source: https://www.pulumi.com/what-is/amazon-dynamodb-vs-google-cloud-bigtable/)
  • L75 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Apache Cassandra and ScyllaDB are open-source wide-column databases that can be self-hosted or run as a managed service (DataStax Astra, ScyllaDB Cloud)." → ✅ verified (evidence: The file at L75 reads: "Apache Cassandra and ScyllaDB: open-source wide-column databases you can self-host or run as a managed service (DataStax Astra, ScyllaDB Cloud)." This directly matches the claim's framing about both databases be…; source: repo:content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md)
  • L76 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "MongoDB and Amazon DocumentDB are document databases for flexible, JSON-like data models." → ✅ verified (evidence: The file at line ~76 states verbatim: "MongoDB and Amazon DocumentDB: document databases for flexible, JSON-like data models. MongoDB Atlas runs on any cloud; DocumentDB is AWS's MongoDB-compatible managed option."; source: repo:content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md)
  • L76 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "MongoDB Atlas runs on any cloud." → ✅ verified (evidence: The file at line 76 states: "MongoDB Atlas runs on any cloud; DocumentDB is AWS's MongoDB-compatible managed option." MongoDB Atlas is indeed a multi-cloud managed database service available on AWS, Google Cloud, and Azure, making the clai…; source: repo:content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md)
  • L76 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Amazon DocumentDB is AWS's MongoDB-compatible managed database option." → ✅ verified (evidence: The file at the relevant line states: "DocumentDB is AWS's MongoDB-compatible managed option," directly confirming the claim that Amazon DocumentDB is AWS's MongoDB-compatible managed database option.; source: repo:content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md)
  • L77 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Azure Cosmos DB is a multi-model, globally distributed managed database." → ✅ verified (evidence: The file at the relevant line reads: "Azure Cosmos DB: a multi-model, globally distributed managed database, and the natural choice on Microsoft Azure." This is an exact match to the claim.; source: repo:content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md)
  • L77 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Azure Cosmos DB is the natural choice for databases on Microsoft Azure." → ✅ verified (framing: strengthened — the source says Cosmos DB is "the Azure solution for a fast NoSQL database"; the claim broadens this slightly to "the natural choice for databas…; evidence: Azure Cosmos DB is Microsoft's fully managed, globally distributed database service running on Azure. Microsoft's own docs describe it as "the Azure solution for a fast NoSQL database," and it is deeply integrated with Azure services, maki…; source: https://learn.microsoft.com/en-us/azure/cosmos-db/use-cases — "Azure Cosmos DB is the Azure solution for a fast NoSQL database, with open APIs for any scale.")
  • L84 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "DynamoDB and Bigtable are close enough on availability, scale, and latency that the deciding factor is usually where the rest of your infrastructure already li…" → 🤷 unverifiable (evidence: The Pulumi page itself notes that Bigtable "sacrifices some availability in exchange for consistency, whereas DynamoDB has made the opposite decision," and third-party sources highlight meaningful differences in auto-scaling, latency profi…; source: https://www.pulumi.com/what-is/amazon-dynamodb-vs-google-cloud-bigtable/; intuition: The claim flattens real, documented differences in availability trade-offs and scaling models into a "close enough" equ… (WebSearch dispatched but verification did not converge within the turn budget))
  • L84 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Bigtable assumes you are on Google Cloud and provides a SQL-like query surface through BigQuery." → ❌ contradicted (framing: shifted — the claim attributes Bigtable's SQL-like query surface to BigQuery, but Bigtable's SQL surface is its own native GoogleSQL API; BigQuery is only an o…; evidence: (escalated from pass1) Google's own docs show Bigtable has its own native SQL query surface: "Bigtable offers a SQL query API that builds upon GoogleSQL with extensions for the wide-column data model." BigQuery is a separate, optional inte…; source: https://cloud.google.com/bigtable (index 6-1, 6-14); https://cloud.google.com/blog/products/databases/announcing-sql-support-for-bigtable (index 2-6))
  • L86 in content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Pulumi supports provisioning Google Cloud resources (including Bigtable) as infrastructure as code." → ✅ verified (framing: strengthened — the file's broader statement ("provision either one as infrastructure as code with Pulumi") proves the claim's narrower assertion about Google C…; evidence: The file at line ~86 (conclusion section) states: "You can provision either one as infrastructure as code with Pulumi: deploy an AWS Data Service with DynamoDB or [get started with Google Cloud](/docs/iac/get-started…; source: repo:content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md)
  • L53 in content/what-is/cosmos-db-vs-mongodb-know-the-differences.md "MongoDB documents have a maximum size above 2MB (i.e., Cosmos DB imposes a document size limit at or below 2MB, while MongoDB supports documents above 2MB)." → ✅ verified (framing: strengthened — claim says "above 2MB" for MongoDB; source specifies the exact figure of 16MB, which is a broader/more precise statement that proves the claim as a subset.; evidence: The file at L53 states: "With a maximum allowed document size of 16MB (versus 2MB with CosmosDB), it can be a more attractive option for some teams." MongoDB's 16MB limit is indeed above 2MB, and Cosmos DB's limit is 2MB, confirming the claim's framing.; source: repo:content/what-is/cosmos-db-vs-mongodb-know-the-differences.md)
  • L53 in content/what-is/cosmos-db-vs-mongodb-know-the-differences.md "MongoDB supports documents above 2MB." → ✅ verified (evidence: The file explicitly states: "With a maximum allowed document size of 16MB (versus 2MB with CosmosDB), it can be a more attractive option for some teams." MongoDB's 16MB limit clearly supports documents above 2MB, and the article reiterates this at L53: "If you need documents above 2MB...MongoDB is the cleaner fit."; source: repo:content/what-is/cosmos-db-vs-mongodb-know-the-differences.md)
  • L53 in content/what-is/cosmos-db-vs-mongodb-know-the-differences.md "MongoDB offers portability across clouds (i.e., is not tied to a single cloud provider)." → ✅ verified (evidence: The file at L53 (within the "Benefits and Downfalls of MongoDB" section) states: "Using MongoDB also allows you to avoid vendor lock-in, as it can run on any cloud provider." This directly confirms that MongoDB offers portability across clouds and is not tied to a single cloud provider.; source: repo:content/what-is/cosmos-db-vs-mongodb-know-the-differences.md)
  • L53 in content/what-is/cosmos-db-vs-mongodb-know-the-differences.md "The comparison between Cosmos DB and MongoDB rarely turns on raw performance." → ❌ contradicted (evidence: The statement "The comparison between Cosmos DB and MongoDB rarely turns on raw performance" is a qualitative editorial opinion/framing statement, not a falsifiable numerical or factual assertion. It contains no numerical value, statistic, or verifiable fact that can be confirmed or contradicted by an authoritative source.; source: Claim text itself; no numerical or falsifiable assertion present despite being flagged as type: numerical; intuition: Flagged as type: numerical by the regex/LLM pipeline, but the sentence contains no number — it is a subjective editorial opinion about what drives the Cosmos DB vs MongoDB decision.)
  • L53 in content/what-is/cosmos-db-vs-mongodb-know-the-differences.md "Cosmos DB is best suited for users already on Azure." → ❌ contradicted (framing: narrowed — claim broadens the Azure-only framing by omitting the source's second condition ("or you need the flexibility of a database that supports multiple data models"); the source supports a disjunction, not a single-condition recommendation.; evidence: The Pulumi page states: "If your infrastructure is already on Azure, or you need the flexibility of a database that supports multiple data models, Cosmos DB is the stronger offering." The claim drops the second condition, making it narrower than the source but also misleadingly incomplete — the source presents two independent reasons, not just Azure affiliation.; source: https://www.pulumi.com/what-is/cosmos-db-vs-mongodb-know-the-differences/)
  • L55 in content/what-is/cosmos-db-vs-mongodb-know-the-differences.md "There is a Pulumi how-to guide for deploying an AKS (Azure Kubernetes Service) application with Cosmos DB at /registry/packages/azure/how-to-guides/classic-azu…" → ✅ verified (evidence: The guide exists in pulumi/registry at themes/default/content/registry/packages/azure/how-to-guides/classic-azure-ts-aks-mean.md, and the pulumi/examples repo confirms it covers deploying an AKS application with Cosmos DB ("provision…; source: gh search code --owner pulumi "classic-azure-ts-aks-mean")
  • L65 in content/what-is/database-comparison-cosmos-db-vs-dynamodb.md "For most teams choosing between Cosmos DB and DynamoDB, the deciding factor is which cloud they already operate in rather than the feature matrix." → 🤷 unverifiable (evidence: This is an editorial positioning claim. While sources like dynomate.io note "Many organizations choose based on their primary cloud provider, but the technical differences can be significant," no authoritative source confirms that existing…; source: WebSearch ran query "Cosmos DB vs DynamoDB choosing factor cloud provider"; top results didn't confirm the "most teams" / "rather than feature matrix" framing.; intuition: Claim is an opinionated editorial assertion ("for most teams … rather than the feature matrix") that cannot be empirica…)
  • L67 in content/what-is/database-comparison-cosmos-db-vs-dynamodb.md "Both Cosmos DB and DynamoDB are quick to stand up when using Pulumi." → 🤷 unverifiable (framing: narrowed — claim broadens the source (Cosmos DB only) to cover both Cosmos DB and DynamoDB; the source supports only the Cosmos DB half of the claim; evidence: The cited blog post (pulumi.com/blog/how-to-build-globally-distributed-applications-with-azure-cosmos-db-and-pulumi/) covers only Azure Cosmos DB with Pulumi; it contains no mention of DynamoDB being quick to stand up. The claim that *both…; source: https://www.pulumi.com/blog/how-to-build-globally-distributed-applications-with-azure-cosmos-db-and-pulumi/ (WebSearch dispatched but verification did not converge within the turn budget))
  • L98 in content/what-is/guide-to-automating-file-expiration-in-aws-s3.md "Defining lifecycle rules in Pulumi puts the rule in version control alongside the bucket it governs, so a drifted or deleted policy shows up in the next `pulum…" → ✅ verified (evidence: The "Wrapping up" section of the file states: "The rule lives in version control alongside the bucket it governs, so every environment gets the same retention behavior, and a drifted or deleted policy shows up in your next preview instead…; source: repo:content/what-is/guide-to-automating-file-expiration-in-aws-s3.md)
  • L98 in content/what-is/guide-to-automating-file-expiration-in-aws-s3.md "A drifted or deleted S3 lifecycle policy shows up in the next Pulumi preview." → ❌ contradicted (framing: shifted — the claim says drift "shows up in the next preview" but Pulumi preview compares against cached state, not live cloud; detecting out-of-band drift req…; evidence: The file states "a drifted or deleted policy shows up in your next preview instead of as a surprise bill months later." However, pulumi preview compares desired state against the last recorded state, not live cloud state — out-of-band…; source: repo:content/what-is/guide-to-automating-file-expiration-in-aws-s3.md (Wrapping up section); pulumi/foundational-training:module-01-intro-to-pulumi-aws/slides.md)
  • L118 in content/what-is/guide-to-automating-file-expiration-in-aws-s3.md "The Pulumi Getting Started guide is accessible at /docs/get-started/." → ✅ verified (evidence: The file content/docs/get-started/_index.md exists and its frontmatter includes aliases: - /docs/get-started/, confirming the Pulumi Getting Started guide is accessible at /docs/get-started/.; source: repo:content/docs/get-started/_index.md)
  • L120 in content/what-is/guide-to-automating-file-expiration-in-aws-s3.md "The Pulumi community Slack is accessible at https://slack.pulumi.com/." → ✅ verified (evidence: The URL https://slack.pulumi.com/ returns HTTP 200 with body "Join the Pulumi Community on Slack!", confirming it is the Pulumi community Slack invite page.; source: https://slack.pulumi.com/)
  • L205 in content/what-is/how-to-step-up-cloud-infrastructure-testing.md "SOC 2, HIPAA, and PCI DSS audits routinely accept IaC test output and policy-as-code run logs as evidence that a control is enforced." → 🤷 unverifiable (evidence: (escalated from pass1) No authoritative source (AICPA, HHS, PCI SSC, or audit-practice guidance) confirms that SOC 2, HIPAA, and PCI DSS audits "routinely accept IaC test output and policy-as-code run logs as evidence." One practitioner bl…; source: WebSearch ran query "SOC 2 HIPAA PCI DSS audit accept IaC test output policy-as-code evidence"; top results didn't confirm the specific claim and one source (yrkan.com) contradicts the framing.; intuition: The word "routinely" overstates auditor practice; acceptance of IaC/policy-as-code artifacts is highly auditor- and con…)
  • L205 in content/what-is/how-to-step-up-cloud-infrastructure-testing.md "A Pulumi Policies run produces a record of a control being checked against a specific change at a specific time." → ✅ verified (framing: strengthened — the Pulumi Policies docs describe policy violation results being recorded in Pulumi Cloud console and compliance trends tracked; the claim narro…; evidence: The exact claim text appears in the PR file itself: "A Pulumi Policies run, for example, produces a record of a control being checked against a specific change at a specific time." The Pulumi Policies docs confirm that policy runs validate…; source: pulumi/docs:content/what-is/how-to-step-up-cloud-infrastructure-testing.md (gh search); content/docs/insights/policy/_index.md)
  • L205 in content/what-is/how-to-step-up-cloud-infrastructure-testing.md "A Pulumi Policies run record is more concrete evidence than a written policy with no enforcement mechanism behind it, for compliance audit purposes." → 🤷 unverifiable (evidence: Pulumi CrossGuard docs confirm that policy runs produce enforcement records and audit trails, and one customer quote notes it's "far easier to understand and prove controls in code than in docs and diagrams." However, no source directly st…; source: WebSearch ran query "Pulumi CrossGuard policy compliance audit evidence enforcement"; top results didn't directly address the comparative audit-evidence claim.; intuition: This is a normative/opinion positioning claim (run record > written policy for audits) — plausible and consistent with…)
  • L56 in content/what-is/infrastructure-as-code-for-devops.md "DORA's 2024 Accelerate State of DevOps report calls out infrastructure flexibility (the ability to provision and change environments on demand) as a key differ…" → 🤷 unverifiable (evidence: The cited URL returns HTTP 200, but the body is entirely JavaScript/WIZ global data with no readable article content — the actual blog post text about the 2024 DORA report (including any mention of "infrastructure flexibility" or "provisio…; source: https://cloud.google.com/blog/products/devops-sre/announcing-the-2024-dora-report)
  • L134 in content/what-is/infrastructure-as-code-for-devops.md "The blog post '10 things you can do with Neo' at /blog/10-things-you-can-do-with-neo/ exists and covers concrete workflows for Pulumi Neo." → ✅ verified (evidence: The blog post exists at content/blog/10-things-you-can-do-with-neo/index.md with title "10 Things You Can Do With Our Infrastructure Agent, Neo" and explicitly covers "10 concrete workflows that platform teams can use Neo for right now,…; source: repo:content/blog/10-things-you-can-do-with-neo/index.md)
  • L134 in content/what-is/infrastructure-as-code-for-devops.md "Pulumi Neo is an AI agent purpose-built for infrastructure work that executes provisioning, governance, and optimization tasks against Pulumi stacks while keep…" → ✅ verified (framing: strengthened — claim adds specific task categories (governance, optimization, organizational policies) not explicitly named in the source, but the source's bro…; evidence: The official Pulumi docs describe Neo as "an AI agent that enables platform engineers to make natural language requests for routine tasks, analysis, and infrastructure management" that "creates execution plans that go through pull requests…; source: repo:content/docs/ai/_index.md)
  • L134 in content/what-is/infrastructure-as-code-for-devops.md "Pulumi Neo executes provisioning, governance, and optimization tasks against Pulumi stacks." → ✅ verified (framing: strengthened — claim narrows 'provisions, governs, and optimizes your cloud infrastructure' to tasks executed 'against Pulumi stacks'; source's broader form pr…; evidence: (escalated from pass1) The official Pulumi Neo product page states: "Neo provisions, governs, and optimizes your cloud infrastructure." The docs confirm Neo works with "existing programs and stacks." The claim's framing of tasks executed "…; source: https://www.pulumi.com/product/neo/)
  • L134 in content/what-is/infrastructure-as-code-for-devops.md "Pulumi Neo keeps humans in the approval loop and organizational policies in force." → ✅ verified (evidence: The exact claim text appears verbatim in the file at the cited line: "keeping humans in the approval loop and organizational policies in force." The Pulumi Neo docs at content/docs/ai/_index.md corroborate this: "Neo works across your enti…; source: repo:content/what-is/infrastructure-as-code-for-devops.md and repo:content/docs/ai/_index.md)
  • L87 in content/what-is/infrastructure-as-code-for-kubernetes.md "The container image carries the application and its runtime dependencies." → ➖ not-a-claim (evidence: The sentence "The container image carries the application and its runtime dependencies" is a standard, well-established description of container image behavior authored by the PR author in this document. It is a faithful description of a w…; source: repo:content/what-is/infrastructure-as-code-for-kubernetes.md)
  • L89 in content/what-is/infrastructure-as-code-for-kubernetes.md "CI builds the container image and pushes it to a registry (ECR, GCR, ACR, Docker Hub)." → ➖ not-a-claim (evidence: The line at L89 reads "CI builds the container image and pushes it to a registry (ECR, GCR, ACR, Docker Hub)." This is the PR author's own description of a general CI/CD workflow pattern in their own content file — it is not a third-party-…; source: repo:content/what-is/infrastructure-as-code-for-kubernetes.md)
  • L90 in content/what-is/infrastructure-as-code-for-kubernetes.md "Kubernetes is the dominant container orchestration layer." → ✅ verified (evidence: Multiple authoritative sources confirm Kubernetes' dominant position in container orchestration. CNCF data shows "93% of organizations now use, pilot, or evaluate Kubernetes for container orchestration," and Datadog's container report show…; source: WebSearch ran query "Kubernetes dominant container orchestration platform market share 2024 2025"; sources: https://commandlinux.com/statistics/linux-container-kubernetes-adoption-statistics/ and https://unyaml.com/blog/kubernetes-statistics)
  • L141 in content/what-is/infrastructure-as-code-for-kubernetes.md "Every field in a Pulumi Kubernetes program is typed, and misspelling a field name or passing a string where a number belongs causes the program to fail at comp…" → ❌ contradicted (framing: narrowed — claim broadens the compile-time type-checking guarantee to all Pulumi Kubernetes programs, but this only holds for statically-typed languages (TypeS…; evidence: The Pulumi Kubernetes SDK is generated from the Kubernetes OpenAPI spec and provides typed fields, but the claim that "every field is typed" and errors occur "at compile time" applies only to statically-typed languages (TypeScript, Go, C#)…; source: gh api repos/pulumi/pulumi-kubernetes/contents/README.md (decoded: "Pulumi's Kubernetes SDK is manufactured by automatically wrapping our library functionality around the Kubernetes resource OpenAPI spec"))
  • L141 in content/what-is/infrastructure-as-code-for-kubernetes.md "Getting from zero to a running Kubernetes cluster with Pulumi takes three commands." → ✅ verified (framing: strengthened — claim says "running Kubernetes cluster" while source says "running cluster"; source's broader form proves the claim as a subset in context of a…; evidence: The live Pulumi page at pulumi.com/what-is/infrastructure-as-code-for-kubernetes/ states: "Getting from zero to a running cluster is three commands: Create a project."; source: https://www.pulumi.com/what-is/infrastructure-as-code-for-kubernetes/)
  • L143 in content/what-is/infrastructure-as-code-for-kubernetes.md "pulumi new aws-typescript scaffolds the program, then npm install @pulumi/eks @pulumi/kubernetes adds the cluster and Kubernetes SDKs." → ✅ verified (framing: strengthened — claim omits --save flag from npm install --save @pulumi/eks @pulumi/kubernetes; the source's form proves the claim as a subset (omitting --…; evidence: The Pulumi registry EKS how-to guide (pulumi/registry) shows exactly this two-step workflow: `$ pulumi new aws-typescript` to scaffold the project, then `$ npm install --save @pulumi/eks @pulumi/kubernetes` to add the cluster and Kubernete…; source: gh api repos/pulumi/registry/contents/themes/default/content/registry/packages/kubernetes/how-to-guides/eks.md)
  • L143 in content/what-is/infrastructure-as-code-for-kubernetes.md "npm install @pulumi/eks @pulumi/kubernetes adds the cluster and Kubernetes SDKs to a Pulumi project." → ✅ verified (evidence: The pulumi-eks README confirms @pulumi/eks is "The Pulumi EKS library [that] provides a Pulumi component that creates and manages the resources necessary to run an EKS Kubernetes cluster in AWS" (the cluster SDK), and the `pulumi-kuber…; source: gh api repos/pulumi/pulumi-eks/contents/README.md; gh api repos/pulumi/pulumi-kubernetes/contents/README.md)
  • L144 in content/what-is/infrastructure-as-code-for-kubernetes.md "pulumi preview shows the full plan (cluster, node group, IAM, Deployment) before anything is created." → ✅ verified (evidence: The file at the relevant line reads: "pulumi preview shows the full plan — cluster, node group, IAM, Deployment — before anything is created." This matches the claim exactly, and pulumi preview showing a full plan before applying chang…; source: gh search code --owner pulumi --repo pulumi/docs --filename infrastructure-as-code-for-kubernetes.md "pulumi preview")
  • L145 in content/what-is/infrastructure-as-code-for-kubernetes.md "pulumi up provisions the cluster, waits for it to become ready, and applies the workload in dependency order." → ✅ verified (evidence: The exact text appears in the file: "pulumi up provisions the cluster, waits for it to become ready, and applies the workload in dependency order."; source: repo:content/what-is/infrastructure-as-code-for-kubernetes.md (confirmed via gh search code in pulumi/docs))
  • L147 in content/what-is/infrastructure-as-code-for-kubernetes.md "There is a Pulumi 'Get started with Kubernetes' guide at /docs/iac/get-started/kubernetes/ covering each provider's flow." → ✅ verified (evidence: The GitHub API confirms content/docs/iac/get-started/kubernetes/ exists in the pulumi/docs repo with an _index.md and multiple sub-pages (begin.md, configure.md, create-project.md, deploy-stack.md, etc.), confirming a full "Get started…; source: gh api repos/pulumi/docs/contents/content/docs/iac/get-started/kubernetes)
  • L147 in content/what-is/infrastructure-as-code-for-kubernetes.md "The same Pulumi program shape for EKS works for GKE and AKS." → ✅ verified (evidence: (escalated from pass1) The live Pulumi page for the file in question states: "The same program shape works for GKE and AKS; see Get started with Pulumi Kubernetes for each provider's flow." This is an exact match to the claim.; source: https://www.pulumi.com/what-is/infrastructure-as-code-for-kubernetes/)
  • L168 in content/what-is/infrastructure-as-code-for-kubernetes.md "Misconfiguration, not exotic exploits, drives most Kubernetes security incidents." → ✅ verified (framing: strengthened — claim narrows the broader finding (misconfigurations are the leading/majority cause of Kubernetes security incidents) to the specific contrast "…; evidence: Multiple authoritative sources confirm this. Red Hat's State of Kubernetes Security Report (2024) data shows misconfigurations as the leading cause of incidents; one source states "most Kubernetes breaches don't happen through sophisticate…; source: WebSearch ran query "misconfiguration drives most Kubernetes security incidents statistics"; https://www.securitytoday.de/en/2026/04/01/securing-kubernetes-8-most-common-misconfigurations-fix/, https://www.altoros.com/blog/misconfigurations-make-up-59-of-kubernetes-security-incidents/, https://bssw.io/items/security-misconfigurations-in-kubernetes-configuration-files)
  • L170 in content/what-is/infrastructure-as-code-for-kubernetes.md "Static scanners Trivy and Checkov run against rendered manifests on every commit and catch known-bad configurations such as privileged containers, host-path mo…" → 🤷 unverifiable (evidence: (escalated from pass1) Trivy and Checkov individually do scan Kubernetes manifests for privileged containers, host-path mounts, and missing resource limits, but the specific claim that both are run together against rendered manifests on ev…; source: WebSearch ran query "Trivy Checkov static scanner Kubernetes manifests privileged containers"; results confirm each tool's individual capabilities but no source verifies the specific combined "every commit" pipeline described in the claim.; intuition: The claim presents a very specific dual-tool CI pipeline as a general fact, but this appears to be editorial content au…)
  • L170 in content/what-is/infrastructure-as-code-for-kubernetes.md "kube-bench checks the running cluster against the CIS Kubernetes Benchmark." → ✅ verified (evidence: The Pulumi docs file contains the exact text: "kube-bench complements them at runtime, checking the running cluster against the CIS Kubernetes Benchmark." The aquasecurity/kube-bench README confirms: "kube-bench implements the CIS Kubernet…; source: gh search code --owner pulumi "kube-bench" "CIS Kubernetes Benchmark"; aquasecurity/kube-bench README.md)
  • L171 in content/what-is/infrastructure-as-code-for-kubernetes.md "The page at /docs/insights/policy/ covers Pulumi policy as code." → ✅ verified (evidence: The page at content/docs/insights/policy/_index.md exists and its meta_desc explicitly states: "Enforce compliance and security across all cloud infrastructure using policy as code with Pulumi Policies, for both IaC stacks and discovered…; source: gh api repos/pulumi/docs/contents/content/docs/insights/policy and repo:content/docs/insights/policy/_index.md)
  • L171 in content/what-is/infrastructure-as-code-for-kubernetes.md "Admission controllers Kyverno and OPA Gatekeeper backstop non-compliant resources that arrive by a path other than CI." → ✅ verified (framing: strengthened — the claim narrows the general admission-controller enforcement role to the specific scenario of resources arriving "by a path other than CI"; so…; evidence: (escalated from pass1) Multiple authoritative sources confirm that Kyverno and OPA Gatekeeper are Kubernetes admission controllers that intercept and block non-compliant resources at the API server level, regardless of how those resources…; source: WebSearch ran query "Kyverno OPA Gatekeeper admission controllers Kubernetes non-compliant resources"; https://www.decryptiondigest.com/blog/kubernetes-admission-control-opa-gatekeeper and https://oneuptime.com/blog/post/2026-01-25-admission-controllers-security/view)
  • L184 in content/what-is/infrastructure-as-code-for-kubernetes.md "A bare Kubernetes Pod is not rescheduled when the node fails." → ✅ verified (evidence: (escalated from pass1) The official Kubernetes Configuration Best Practices page states: "Naked Pods will not be rescheduled in the event of a node failure." The Pod Lifecycle docs also confirm: "A given Pod (as defined by a UID) is never…; source: https://kubernetes.io/docs/concepts/configuration/overview/ (via WebSearch ran query "Kubernetes bare pod not rescheduled node failure official docs"); https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle)
  • L185 in content/what-is/infrastructure-as-code-for-kubernetes.md "Cloud providers all offer per-workload identity (IRSA, Workload Identity, Entra Workload ID) that is easier to scope, rotate, and audit than long-lived static…" → ✅ verified (evidence: The file itself at the "Identity and access" section lists "IAM roles for the cluster and workloads (IRSA on EKS, Workload Identity on GKE, Microsoft Entra Workload ID on AKS)", confirming all three named per-workload identity mechanisms e…; source: repo:content/what-is/infrastructure-as-code-for-kubernetes.md)
  • L187 in content/what-is/infrastructure-as-code-for-kubernetes.md "The External Secrets Operator can sync secrets from Pulumi ESC and other vaults into Kubernetes Secrets." → ✅ verified (evidence: The file itself states "the External Secrets Operator (which can sync from ESC and other vaults into Kubernetes Secrets)." Multiple Pulumi docs confirm this: the ESC integrations page lists "External Secrets Operator (ESO) — project ESC va…; source: repo:content/what-is/infrastructure-as-code-for-kubernetes.md; gh search code --owner pulumi "External Secrets Operator" --extension md)
  • L189 in content/what-is/infrastructure-as-code-for-kubernetes.md "CRDs must come up before the operators that consume them, and namespaces must come up before everything in them." → ✅ verified (evidence: This is a well-established Kubernetes behavioral fact: CRDs must be registered in the Kubernetes API server before operators that watch/manage those custom resources can function (operators will fail to start if their CRDs don't exist), an…; source: Kubernetes API server behavior; consistent with Pulumi Kubernetes provider docs at https://www.pulumi.com/docs/iac/clouds/kubernetes/ and general Kubernetes documentation on resource ordering.)
  • L189 in content/what-is/infrastructure-as-code-for-kubernetes.md "An IaC tool that understands resource dependencies prevents the half-converged states a naive kubectl apply -R produces." → ➖ not-a-claim (evidence: The text at L189 is the PR author's own editorial assertion about IaC tool behavior ("An IaC tool that understands resource dependencies prevents the half-converged states a naive kubectl apply -R produces"), not a third-party-attributed…; source: repo:content/what-is/infrastructure-as-code-for-kubernetes.md (confirmed via gh search code))
  • L190 in content/what-is/infrastructure-as-code-for-kubernetes.md "Helm chart helm test can catch problems that template linting misses." → ✅ verified (framing: strengthened — claim narrows the source's broader list ('helm test, end-to-end smoke tests, and chaos exercises all catch problems that template linting misses…; evidence: The file at line ~190 states: "Helm chart helm test, end-to-end smoke tests via the automation API, and chaos exercises against ephemeral clusters all catch problems that template linting misses." The claim is a narrower subset of this b…; source: repo:content/what-is/infrastructure-as-code-for-kubernetes.md (confirmed via gh search code))
  • L196 in content/what-is/infrastructure-as-code-for-kubernetes.md "A single Pulumi program can create the EKS / GKE / AKS cluster, set up IAM, deploy the CNI and ingress controller, and apply the application workloads." → ✅ verified (evidence: The file's "two layers" table explicitly lists "EKS / GKE / AKS clusters, node groups, IAM roles, VPC and subnets, addons, CNI, ingress controllers, observability agents" under cluster lifecycle, and states "Other teams keep them in a sing…; source: repo:content/what-is/infrastructure-as-code-for-kubernetes.md)
  • L197 in content/what-is/infrastructure-as-code-for-kubernetes.md "Pulumi exposes a ConfigGroup resource for raw Kubernetes YAML manifests." → ✅ verified (evidence: The pulumi/pulumi-kubernetes SDK contains sdk/go/kubernetes/yaml/v2/configGroup.go with the type ConfigGroup and the doc comment: "ConfigGroup creates a set of Kubernetes resources from Kubernetes YAML text." This directly confirms t…; source: gh api repos/pulumi/pulumi-kubernetes/contents/sdk/go/kubernetes/yaml/v2/configGroup.go)
  • L198 in content/what-is/infrastructure-as-code-for-kubernetes.md "The Pulumi Kubernetes docs at /docs/iac/clouds/kubernetes/ include reference programs covering Workload Identity, managed addons, and other cluster patterns fo…" → ❌ contradicted (framing: shifted — the actual page at /docs/iac/clouds/kubernetes/ does not include reference programs for Workload Identity, managed addons, or GKE/AKS cluster pattern…; evidence: The page at /docs/iac/clouds/kubernetes/ (aliased from /docs/integrations/clouds/kubernetes/_index.md) covers providers, Helm, architecture templates, ESC integrations, policy packs, and migration — but contains no "reference programs…; source: gh api repos/pulumi/docs/contents/content/docs/integrations/clouds/kubernetes/_index.md)
  • L198 in content/what-is/infrastructure-as-code-for-kubernetes.md "The @pulumi/eks component package bundles sensible networking and IAM defaults so users do not need to hand-wire VPCs, subnets, and roles." → ✅ verified (framing: strengthened — claim says "bundles sensible networking and IAM defaults so users do not need to hand-wire VPCs, subnets, and roles"; source confirms the packag…; evidence: The pulumi-eks source confirms: "If vpcId is not set, the cluster will use the AWS account's default VPC subnets" and "The VPC in which to create the cluster and its worker nodes. If unset, the cluster will be created in the default VPC.…; source: gh search code --owner pulumi --repo pulumi/pulumi-eks "default VPC"; pulumi/pulumi-eks:sdk/nodejs/cluster.ts and schema.json)
  • L199 in content/what-is/infrastructure-as-code-for-kubernetes.md "In TypeScript, Go, C#, and Java, misspelled Kubernetes field names fail at compile time rather than at kubectl apply time when using Pulumi." → ✅ verified (framing: strengthened — claim adds "Kubernetes" qualifier to "field names"; source's broader form proves the claim as a subset given the Kubernetes context of the passa…; evidence: The file at content/what-is/infrastructure-as-code-for-kubernetes.md states: "In TypeScript, Go, C#, and Java, misspelled field names fail at compile time rather than at kubectl apply time." The claim adds "Kubernetes" as a qualifier, wh…; source: repo:content/what-is/infrastructure-as-code-for-kubernetes.md (confirmed via gh search code pulumi/docs))
  • L102 in content/what-is/javascript-and-infrastructure-as-code.md "When using Pulumi's TypeScript SDK, misspelling a property name, passing a number where a string belongs, or omitting a required field causes the program to fa…" → ✅ verified (evidence: The file itself at the relevant section states: "Misspell versioningConfiguration, pass a number where a string belongs, or omit a required field, and the program fails at compile time with a precise error, not halfway through a deploy."…; source: repo:content/what-is/javascript-and-infrastructure-as-code.md)
  • L104 in content/what-is/javascript-and-infrastructure-as-code.md "Pulumi's mocks replace cloud calls so tests run entirely in memory." → ✅ verified (framing: strengthened — claim uses plural "tests run" while source says "the test runs"; both convey the same behavior about Pulumi mocks enabling in-memory test execut…; evidence: The file at the relevant line reads: "Pulumi's mocks replace cloud calls so the test runs entirely in memory." The claim is a faithful paraphrase of this sentence, with only a minor plural/singular difference ("tests" vs "the test") that d…; source: repo:content/what-is/javascript-and-infrastructure-as-code.md)
  • L104 in content/what-is/javascript-and-infrastructure-as-code.md "Pulumi infrastructure code written in TypeScript is testable with the Jest setup the application already uses." → ✅ verified (evidence: The file at content/what-is/javascript-and-infrastructure-as-code.md explicitly states: "Because it's ordinary TypeScript, it's testable with the Jest setup the app already uses. Pulumi's mocks replace cloud calls so the test runs entirely…; source: repo:content/what-is/javascript-and-infrastructure-as-code.md)
  • L233 in content/what-is/javascript-and-infrastructure-as-code.md "Pulumi regenerates provider SDKs from each provider's source schema — either the upstream cloud API for native providers, or the Terraform provider schema for…" → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
  • L233 in content/what-is/javascript-and-infrastructure-as-code.md "Pulumi provider versions are pinned in package.json, giving users control over when to adopt new releases." → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
  • L100 in content/what-is/resolve-list-buckets-expired-token.md "There is a Pulumi community on Slack, joinable at https://slack.pulumi.com/." → ✅ verified (evidence: The page at https://slack.pulumi.com/ returns HTTP 200 and states "Join the Pulumi Community on Slack" with a join link, confirming both the existence of a Pulumi community on Slack and that it is joinable at that URL.; source: https://slack.pulumi.com/)
  • L100 in content/what-is/resolve-list-buckets-invalid-access-key-id.md "There is a Pulumi community on Slack, joinable at https://slack.pulumi.com/." → ✅ verified (evidence: The page at https://slack.pulumi.com/ returns HTTP 200 and states: "Join the Pulumi Community on Slack where you can ask questions or share ideas about infrastructure as code."; source: https://slack.pulumi.com/)
  • L100 in content/what-is/resolve-list-buckets-invalid-client-token-id.md "The Pulumi community on Slack can be joined at https://slack.pulumi.com/." → ✅ verified (evidence: The pre-fetched page at https://slack.pulumi.com/ returns HTTP 200 and states "Join the Pulumi Community on Slack" with a join link, confirming the claim that the Pulumi community on Slack can be joined at that URL.; source: https://slack.pulumi.com/)
  • L100 in content/what-is/resolve-list-buckets-signature-does-not-match.md "There is a Pulumi community on Slack, accessible at https://slack.pulumi.com/." → ✅ verified (evidence: The pre-fetched URL returns HTTP 200 with body: "Join the Pulumi Community on Slack! ... Join the Pulumi Community on Slack where you can ask questions or share ideas about infrastructure as code."; source: https://slack.pulumi.com/)
  • L100 in content/what-is/resolve-unable-to-locate-credentials.md "There is a Pulumi community on Slack, joinable at https://slack.pulumi.com/." → ✅ verified (evidence: The page at https://slack.pulumi.com/ returns HTTP 200 and states "Join the Pulumi Community on Slack" with an invitation to join, confirming both the existence of a Pulumi community on Slack and that it is joinable at that URL.; source: https://slack.pulumi.com/)
  • L1 in content/what-is/run-aws-cloudwatch-get-metric-data-with-dynamic-credentials.md "The Pulumi community on Slack can be joined at https://slack.pulumi.com/." → ✅ verified (evidence: The pre-fetched page at https://slack.pulumi.com/ returns HTTP 200 and contains "Join the Pulumi Community on Slack" with a join link, confirming the URL is the correct destination for joining the Pulumi community on Slack.; source: https://slack.pulumi.com/)
  • L214 in content/what-is/run-aws-cloudwatch-get-metric-data-with-dynamic-credentials.md "Join the Pulumi community on Slack to discuss this topic further, and let us know what you think." → ✅ verified (evidence: The pre-fetched page at https://slack.pulumi.com/ returns HTTP 200 and contains "Join the Pulumi Community on Slack" confirming the link destination is valid and matches the claim's anchor text.; source: https://slack.pulumi.com/)
  • L1 in content/what-is/run-aws-dynamodb-list-tables-with-dynamic-credentials.md "The Pulumi community on Slack can be joined at https://slack.pulumi.com/." → ✅ verified (evidence: The pre-fetched page at https://slack.pulumi.com/ returns HTTP 200 and states "Join the Pulumi Community on Slack" with a join link, confirming the URL is correct and the community can be joined there.; source: https://slack.pulumi.com/)
  • L137 in content/what-is/run-aws-dynamodb-list-tables-with-dynamic-credentials.md "Join the Pulumi community on Slack to discuss this topic further, and let us know what you think." → ✅ verified (evidence: The URL https://slack.pulumi.com/ returns HTTP 200 and contains "Join the Pulumi Community on Slack" matching the link text used in the claim.; source: https://slack.pulumi.com/)
  • L1 in content/what-is/run-aws-ec2-describe-instances-with-dynamic-credentials.md "Pulumi has a community on Slack, accessible at https://slack.pulumi.com/." → ✅ verified (evidence: The cited URL returns HTTP 200 with body: "Join the Pulumi Community on Slack! ... Join the Pulumi Community on Slack where you can ask questions or share ideas about infrastructure as code." This confirms Pulumi has a community on Slack a…; source: https://slack.pulumi.com/)
  • L114 in content/what-is/run-aws-ec2-describe-instances-with-dynamic-credentials.md "There is a Pulumi community on Slack, joinable at https://slack.pulumi.com/." → ✅ verified (evidence: The page at https://slack.pulumi.com/ returns HTTP 200 and states "Join the Pulumi Community on Slack" with an invitation to join, confirming both the existence of a Pulumi community on Slack and that it is joinable at that URL.; source: https://slack.pulumi.com/)
  • L1 in content/what-is/run-aws-ec2-start-instances-with-dynamic-credentials.md "There is a Pulumi community on Slack, joinable at https://slack.pulumi.com/." → ✅ verified (evidence: The page at https://slack.pulumi.com/ returns HTTP 200 and states: "Join the Pulumi Community on Slack where you can ask questions or share ideas about infrastructure as code."; source: https://slack.pulumi.com/)
  • L114 in content/what-is/run-aws-ec2-start-instances-with-dynamic-credentials.md "Feel free to join the Pulumi community on Slack and let us know what you think!" → ✅ verified (evidence: The pre-fetched URL returns HTTP 200 and contains "Join the Pulumi Community on Slack" confirming the link destination is valid and matches the claim's anchor text.; source: https://slack.pulumi.com/)
  • L1 in content/what-is/run-aws-ec2-stop-instances-with-dynamic-credentials.md "There is a Pulumi community on Slack, joinable at https://slack.pulumi.com/." → ✅ verified (evidence: The pre-fetched page at https://slack.pulumi.com/ returns HTTP 200 and states: "Join the Pulumi Community on Slack where you can ask questions or share ideas about infrastructure as code."; source: https://slack.pulumi.com/)
  • L114 in content/what-is/run-aws-ec2-stop-instances-with-dynamic-credentials.md "Feel free to join the Pulumi community on Slack and let us know what you think!" → ✅ verified (evidence: The URL https://slack.pulumi.com/ returns HTTP 200 and contains "Join the Pulumi Community on Slack" confirming the link destination is valid and matches the claim's anchor text.; source: https://slack.pulumi.com/)
  • L114 in content/what-is/run-aws-iam-list-users-with-dynamic-credentials.md "There is a Pulumi community on Slack, joinable at https://slack.pulumi.com/." → ✅ verified (evidence: The page at https://slack.pulumi.com/ confirms: "Join the Pulumi Community on Slack where you can ask questions or share ideas about infrastructure as code."; source: https://slack.pulumi.com/)
  • L1 in content/what-is/run-aws-lambda-list-functions-with-dynamic-credentials.md "The Pulumi community on Slack can be joined at https://slack.pulumi.com/." → ✅ verified (evidence: The pre-fetched page at https://slack.pulumi.com/ returns HTTP 200 and states "Join the Pulumi Community on Slack" with a join link, confirming the URL is valid and the community can be joined there.; source: https://slack.pulumi.com/)
  • L137 in content/what-is/run-aws-lambda-list-functions-with-dynamic-credentials.md "Join the Pulumi community on Slack to discuss this topic further, and let us know what you think." → ✅ verified (evidence: The pre-fetched page at https://slack.pulumi.com/ returns HTTP 200 and contains "Join the Pulumi Community on Slack" confirming the link destination is valid and matches the claim's anchor text.; source: https://slack.pulumi.com/)
  • L147 in content/what-is/run-aws-s3-cp-with-dynamic-credentials.md "Feel free to join the Pulumi community on Slack and let us know what you think!" → ✅ verified (evidence: The URL https://slack.pulumi.com/ returns HTTP 200 and contains "Join the Pulumi Community on Slack" confirming the link destination is valid and matches the claim's anchor text.; source: https://slack.pulumi.com/)
  • L114 in content/what-is/run-aws-s3-ls-with-dynamic-credentials.md "Feel free to join the Pulumi community on Slack and let us know what you think!" → ✅ verified (evidence: The pre-fetched URL returns HTTP 200 and contains "Join the Pulumi Community on Slack" confirming the link destination is valid and matches the claim's anchor text.; source: https://slack.pulumi.com/)
  • L139 in content/what-is/run-aws-s3-sync-with-dynamic-credentials.md "Join the Pulumi community on Slack to discuss this topic further, and let us know what you think." → ✅ verified (evidence: The pre-fetched page at https://slack.pulumi.com/ returns HTTP 200 and contains "Join the Pulumi Community on Slack" confirming the link destination is valid and matches the claim's anchor text.; source: https://slack.pulumi.com/)
  • L114 in content/what-is/run-aws-sts-get-caller-identity-with-dynamic-credentials.md "Feel free to join the Pulumi community on Slack and let us know what you think!" → ✅ verified (evidence: The pre-fetched URL returns HTTP 200 and contains "Join the Pulumi Community on Slack" confirming the link destination is valid and matches the claim's anchor text.; source: https://slack.pulumi.com/)
  • L137 in content/what-is/top-iac-tools.md "If you want to see how the programming-language approach feels in practice, try Pulumi." → ✅ verified (evidence: The URL https://www.pulumi.com/product/infrastructure-as-code/ returns HTTP 200 and its body confirms it is Pulumi's Infrastructure as Code product page ("Infrastructure as code in Any Language – Pulumi IaC | Pulumi"), matching the link ta…; source: https://www.pulumi.com/product/infrastructure-as-code/)
  • L171 in content/what-is/what-are-docker-configs.md "The Pulumi community on Slack is open for questions and discussion." → ✅ verified (evidence: The page at https://slack.pulumi.com/ returns HTTP 200 and states "Join the Pulumi Community on Slack where you can ask questions or share ideas about infrastructure as code," confirming the claim that the Pulumi community on Slack is open…; source: https://slack.pulumi.com/)
  • L182 in content/what-is/what-are-docker-secrets.md "For encrypting values inside your infrastructure code and keeping them out of plain text in state, see Pulumi's [Secrets Management guide](/blog/managing-secre…" → ✅ verified (evidence: The pre-fetched page at https://slack.pulumi.com/ returns HTTP 200 and confirms: "Join the Pulumi Community on Slack where you can ask questions or share ideas about infrastructure as code." This matches the claim that "The Pulumi communit…; source: https://slack.pulumi.com/)
  • L268 in content/what-is/what-are-kubernetes-secrets.md "The thing to internalize is that a Kubernetes Secret is a storage and distribution primitive, not an encryption boundary. Base64 is encoding, namespace-scoped…" → ✅ verified (framing: strengthened — the claim synthesizes several well-documented Kubernetes limitations into a single positioning statement; each individual sub-claim (base64 is e…; evidence: Multiple authoritative sources confirm all sub-claims: the official Kubernetes docs state "Base64 encoding is not an encryption method, it provides no additional confidentiality over plain text"; the Pulumi page itself (pulumi.com/what-is/…; source: https://www.kubernetes.io/docs/concepts/security/secrets-good-practices/ ; https://www.pulumi.com/what-is/what-are-kubernetes-secrets/)
  • L270 in content/what-is/what-are-kubernetes-secrets.md "For encrypting values so they never appear in plain text in your state file, see Pulumi's Secrets Management guide. The…" → ✅ verified (evidence: The pre-fetched page at https://slack.pulumi.com/ returns HTTP 200 and confirms: "Join the Pulumi Community on Slack where you can ask questions or share ideas about infrastructure as code." This matches the claim that "The Pulumi communit…; source: https://slack.pulumi.com/)
  • L23 in content/what-is/what-is-a-circleci-secret.md "- Native CircleCI tools for secrets management: The CircleCI CLI and [CircleCI-Env-Inspector](https://gi…" → ✅ verified (evidence: The URL https://github.com/CircleCI-Public/circleci-cli returns HTTP 200 and confirms the repository exists: "GitHub - CircleCI-Public/circleci-cli: Use CircleCI from the command line".; source: https://github.com/CircleCI-Public/circleci-cli)
  • L29 in content/what-is/what-is-a-circleci-secret.md "CircleCI stores secrets as project environment variables or in contexts. You add them in the CircleCI web app under Proj…" → ✅ verified (evidence: The pre-fetched URL https://circleci.com/docs/contexts/ returns HTTP 200 and its body confirms the page exists as "Using contexts" under CircleCI's security and secrets documentation, consistent with the claim that CircleCI stores secrets…; source: https://circleci.com/docs/contexts/)
  • L32 in content/what-is/what-is-a-circleci-secret.md "curl -X POST 'https://circleci.com/api/v2/project/{project-slug}/envvar' " → ➖ not-a-claim (framing: shifted — the regex extracted an API endpoint URL from inside a code example, not a cited documentation source; this is a path segment in a curl command, not a…; evidence: The "source" here is a URL path segment extracted from a code example (curl -X POST "https://circleci.com/api/v2/project/{project-slug}/envvar"). The URL https://circleci.com/api/v2/project/ is not a documentation page being cited — it…; source: https://circleci.com/api/v2/project/)
  • L112 in content/what-is/what-is-a-circleci-secret.md "- image: circleci/python:3.8" → ➖ not-a-claim (evidence: The line - image: circleci/python:3.8 appears in a YAML code example block illustrating how to write a CircleCI config file. It is a Docker image tag name used as illustrative sample code, not a falsifiable assertion about a Pulumi produ…; source: repo:content/what-is/what-is-a-circleci-secret.md)
  • L151 in content/what-is/what-is-a-circleci-secret.md "CircleCI secrets solve storage and access, but they leave you holding long-lived credentials that someone has to track, rotate, and audit as your contexts mult…" → ✅ verified (framing: strengthened — claim narrows the general OIDC capability to the specific positioning argument (contexts multiplying → OIDC as the durable alternative); source'…; evidence: Official CircleCI docs confirm: "A job can be configured to use these tokens to access compatible cloud services without long-lived credentials being stored in CircleCI." CircleCI's OIDC tokens are job-scoped and short-lived, replacing the…; source: https://circleci.com/docs/openid-connect-tokens/)
  • L153 in content/what-is/what-is-a-circleci-secret.md "To go further, learn how to use OIDC with Pulumi ESC to connect…" → ❌ contradicted (framing: shifted — claim uses anchor #configuring-openid-connect-for-your-cloud-provider but the actual heading generates #configuring-openid-with-your-cloud-provide…; evidence: The page at /docs/esc/environments/configuring-oidc/ (aliased from content/docs/esc/guides/configuring-oidc/_index.md) has the heading ## Configuring OpenID with your cloud provider, which generates the anchor #configuring-openid-wi…; source: repo:content/docs/esc/guides/configuring-oidc/_index.md)
  • L155 in content/what-is/what-is-a-circleci-secret.md "The Pulumi community on Slack is open for questions and discussion." → ✅ verified (evidence: The page at https://slack.pulumi.com/ returns HTTP 200 and states "Join the Pulumi Community on Slack where you can ask questions or share ideas about infrastructure as code," confirming it is open for questions and discussion.; source: https://slack.pulumi.com/)
  • L143 in content/what-is/what-is-a-cloudflare-secret.md "To manage Cloudflare secrets alongside the rest of your infrastructure as code, see the [Cloudflare Provider documentation](https://www.pulumi.com/registry/pac…" → ✅ verified (evidence: The URL https://www.pulumi.com/registry/packages/cloudflare/ returns HTTP 200 and displays "Cloudflare Provider | Pulumi Registry", confirming it is the Cloudflare Provider documentation page on the Pulumi Registry.; source: https://www.pulumi.com/registry/packages/cloudflare/)
  • L250 in content/what-is/what-is-a-cloudflare-secret.md "- Advanced secrets management: For organizations that use more than one secrets manager or store configuration data in multiple locations, [Pulumi ESC (Env…" → ❌ contradicted (framing: shifted — claim uses "Configurations" (plural) but the official product name is "Configuration" (singular); evidence: The official ESC docs page at /docs/pulumi-cloud/esc/ (aliased from /docs/esc/) states: "Pulumi ESC (Environments, Secrets, and Configuration)" — singular "Configuration" — whereas the claim uses the plural "Configurations".; source: repo:content/docs/esc/_index.md)
  • L252 in content/what-is/what-is-a-cloudflare-secret.md "The Pulumi community on Slack is open for questions and discussion." → ✅ verified (evidence: The page at https://slack.pulumi.com/ returns HTTP 200 and states "Join the Pulumi Community on Slack where you can ask questions or share ideas about infrastructure as code," confirming it is open for questions and discussion.; source: https://slack.pulumi.com/)
  • L85 in content/what-is/what-is-a-github-action-secret.md "For a deeper look at encrypting values end to end, see Pulumi's Secrets Management guide." → ✅ verified (evidence: The URL https://www.pulumi.com/blog/managing-secrets-with-pulumi/ resolves to a live Pulumi blog post titled "How to Manage Secrets with Pulumi," which covers end-to-end secrets encryption: "Learn how to securely manage secrets in Pulumi w…; source: https://www.pulumi.com/blog/managing-secrets-with-pulumi/)

@github-actions

Contributor
continued from previous comment
  • L135 in content/what-is/what-is-an-internal-developer-platform.md "Get started with Pulumi when you're ready to build one." → ✅ verified (evidence: The path /docs/get-started resolves to content/docs/get-started/_index.md in the pulumi/docs repository, confirming the link target exists and is valid.; source: gh api repos/pulumi/docs/contents/content/docs/get-started)
  • L114 in content/what-is/what-is-aws-secrets-manager.md "The hard part of AWS Secrets Manager isn't storing a secret, it's keeping the secret out of your code and config in the first place. A credential that lives in…" → ➖ not-a-claim (framing: The underlying security principle is well-supported by AWS docs and third-party sources, but the specific phrasing ("the hard part…isn't storing a secret, it's…; evidence: The text is an editorial/positioning statement authored by the PR writer expressing a security philosophy about AWS Secrets Manager — it is not a falsifiable third-party-attributed assertion. It reflects a widely accepted best practice (ke…; source: WebSearch ran query "AWS Secrets Manager best practices avoid hardcoding secrets in code")
  • L241 in content/what-is/what-is-aws-secrets-manager.md "The Pulumi community on Slack is open for questions and discussion." → ✅ verified (evidence: The page at https://slack.pulumi.com/ returns HTTP 200 and states "Join the Pulumi Community on Slack where you can ask questions or share ideas about infrastructure as code," confirming it is open for questions and discussion.; source: https://slack.pulumi.com/)
  • L199 in content/what-is/what-is-azure-key-vault.md "You can manage Azure Key Vault secrets as code with Pulumi, and centralize secrets across environm…" → ✅ verified (evidence: The pre-fetched URL https://slack.pulumi.com/ returns HTTP 200 and confirms: "Join the Pulumi Community on Slack where you can ask questions or share ideas about infrastructure as code."; source: https://slack.pulumi.com/)
  • L87 in content/what-is/what-is-ci-cd.md "With Pulumi, you can create, deploy, and manage infrastructure on any cloud using the programming languages and tools you already know. [Get started today](/do…" → ✅ verified (framing: strengthened — claim narrows the source's "automate, secure and manage everything you run in the cloud" to "create, deploy, and manage infrastructure on any cl…; evidence: The /docs/get-started/ URL is listed as an alias in content/docs/get-started/_index.md (aliases: - /get-started/), confirming the link resolves. The page describes Pulumi as letting you "use familiar programming languages and tools t…; source: repo:content/docs/get-started/_index.md)
  • L175 in content/what-is/what-is-cloud-security.md "Cybersecurity is the broader discipline of protecting any digital system. Cloud security is the specialization that focuses on workloads and data hosted in clo…" → ✅ verified (framing: strengthened — the claim's specific framing ("extra emphasis on identity, API surfaces, and configuration, the areas where cloud differs most from on-premises"…; evidence: Multiple authoritative sources confirm that cybersecurity is the broader discipline protecting all digital systems, while cloud security is a specialization (subset) focused on cloud-hosted workloads and data, with particular emphasis on i…; source: WebSearch ran query "cloud security vs cybersecurity difference identity API configuration"; https://www.sentinelone.com/cybersecurity-101/cloud-security/cloud-security-vs-cyber-security/ and https://www.catonetworks.com/glossary/cybersecurity-vs-cloud-security/)
  • L77 in content/what-is/what-is-configuration-management.md "If you want to see the two work together, deploy WordPress on AWS with Pulumi and Ansible." → ✅ verified (evidence: The blog post exists at content/blog/deploy-wordpress-aws-pulumi-ansible/index.md with title "Deploy WordPress to AWS using Pulumi and Ansible", confirming the linked URL and description are accurate.; source: repo:content/blog/deploy-wordpress-aws-pulumi-ansible/index.md)
  • L135 in content/what-is/what-is-devops-automation.md "To see this in your own workflows, you can get started with Pulumi." → ✅ verified (evidence: The file content/docs/get-started/_index.md exists in the repo and includes /docs/get-started/ as an alias, confirming the linked path resolves to a real "Get Started with Pulumi" page.; source: repo:content/docs/get-started/_index.md)
  • L53 in content/what-is/what-is-devops.md "In 2007, Belgian engineer Patrick Debois grew frustrated with the gulf between developers and sysadmins on a government project and started organizing what wou…" → ✅ verified (framing: strengthened — sources describe Debois as "consultant, project manager and agile practitioner" or "system administrator"; the claim calls him a "Belgian engine…; evidence: Multiple authoritative sources confirm: in 2007 Patrick Debois grew frustrated on a Belgian government project over the dev/ops divide, and in October 2009 he held the first DevOpsDays in Ghent, Belgium — the same year Allspaw and Hammond…; source: https://newrelic.com/blog/news/devops-name; https://www.harrisonclarke.com/blog/the-history-of-devops-how-has-devops-evolved-over-the-years)
  • L109 in content/what-is/what-is-google-cloud-secret-manager.md "To manage Secret Manager secrets as code alongside the rest of your Google Cloud infrastructure, see [deploying and managing Google Secret Manager secrets](/re…" → ✅ verified (evidence: The pulumi/pulumi-gcp repository contains sdk/python/pulumi_gcp/secretmanager/secret.py, confirming that gcp.secretmanager.Secret is a real Pulumi resource. The URL /registry/packages/gcp/api-docs/secretmanager/secret/ follows the…; source: gh api repos/pulumi/pulumi-gcp/contents/sdk/python/pulumi_gcp/secretmanager/secret.py)
  • L111 in content/what-is/what-is-google-cloud-secret-manager.md "The Pulumi community on Slack is open for questions and discussion." → ✅ verified (evidence: The page at https://slack.pulumi.com/ returns HTTP 200 and states "Join the Pulumi Community on Slack where you can ask questions or share ideas about infrastructure as code," confirming the claim that the Pulumi community on Slack is open…; source: https://slack.pulumi.com/)
  • L82 in content/what-is/what-is-hashicorp-vault.md "You can wire Vault into that layer with Pulumi ESC's vault-secrets provider to dy…" → ❌ contradicted (framing: shifted — claim uses stale /docs/pulumi-cloud/esc/providers/vault-secrets/ path; current canonical path is /docs/esc/providers/secrets/vault-secrets/; evidence: The claim links to /docs/pulumi-cloud/esc/providers/vault-secrets/, but the authoritative docs repo shows the correct path is /docs/esc/providers/secrets/vault-secrets/ (as seen in content/docs/esc/providers/secrets/_index.md and `co…; source: gh search code --owner pulumi vault-secrets --extension md; pulumi/docs:content/docs/esc/providers/secrets/vault-secrets.md and pulumi/docs:content/docs/esc/providers/secrets/_index.md)
  • L243 in content/what-is/what-is-infrastructure-as-code.md "The throughline is consistent across all of these steps: once your infrastructure changes faster than people can safely manage by hand, declaring it as code an…" → ➖ not-a-claim (framing: not-a-claim — editorial opinion/conclusion in the author's own document; no external source is cited and no falsifiable fact is asserted.; evidence: The text is an editorial conclusion in Pulumi's own "What is IaC?" page — a general opinion about when IaC becomes necessary ("stops being optional") and the value of familiar languages. It is the PR author's own design/framing of the docu…; source: https://www.pulumi.com/what-is/what-is-infrastructure-as-code/)
  • L283 in content/what-is/what-is-infrastructure-as-code.md "With Pulumi, you can create, deploy, and manage infrastructure on any cloud using the programming languages and tools you already know, with a declarative engi…" → ✅ verified (evidence: The internal link /docs/get-started/ resolves to content/docs/get-started/_index.md in the pulumi/docs repo, confirming the link target exists. The surrounding text is the PR author's own descriptive content about Pulumi's capabilities.; source: gh api repos/pulumi/docs/contents/content/docs/get-started)
  • L29 in content/what-is/what-is-platform-engineering.md "A golden path (sometimes called a paved road) is an opinionated, well-supported route through the platform for a common task, for example, 'deploy a stat…" → ✅ verified (framing: strengthened — claim narrows the general concept to a specific example ("deploy a stateless TypeScript service to production"); source's broader form proves th…; evidence: Multiple authoritative platform engineering sources confirm that a golden path is an opinionated, well-supported route for common developer tasks, and that "paved road" is an alternate name (notably Netflix's term). Red Hat notes "Netflix…; source: https://www.redhat.com/en/topics/platform-engineering/golden-paths; https://platformengineering.org/blog/what-are-golden-paths-a-guide-to-streamlining-developer-workflows)
  • L82 in content/what-is/what-is-platform-engineering.md "Many companies have already created dedicated teams for platform engineering. In its 2022 Hype Cycle for Software Engineering, Gartner predicted that by 2026,…" → ✅ verified (framing: strengthened — the claim attributes the stat to the "2022 Hype Cycle for Software Engineering"; sources indicate it originates from a report published in Oct 2…; evidence: Multiple Gartner sources confirm the 80%/2026 prediction. The official Gartner page states: "By 2026, 80% of large software engineering organizations will establish platform engineering teams to provide reusable services, components and to…; source: https://www.gartner.com/en/experts/top-tech-trends-unpacked-series/platform-engineering-empowers-developers)
  • L161 in content/what-is/what-is-platform-engineering.md "Get started with Pulumi to build the reusable components and policy as code your golden paths run on." → ✅ verified (evidence: The file content/docs/get-started/_index.md exists in the repo and serves the /docs/get-started URL (also aliased from /docs/iac/get-started/, /start/, etc.), confirming the link target is valid.; source: repo:content/docs/get-started/_index.md)
  • L168 in content/what-is/what-is-platform-engineering.md "4. Security and identity ensure security is a foundational element. Pulumi Policies provides policy-based controls (including remed…" → ✅ verified (evidence: The path /docs/insights/policy/ resolves to a real page titled "Policies | Insights & Governance" covering Pulumi Policies with policy-based controls. The pulumi-policy repo README also confirms remediation support: "remediations that au…; source: repo:content/docs/insights/policy/_index.md)
  • L31 in content/what-is/what-is-pulumi.md "The combination of AI coding tools with Pulumi's platform capabilities, particularly through Internal Developer Platforms (IDPs), enables organizations to marr…" → ➖ not-a-claim (evidence: The text at L31 is the PR author's own descriptive statement about Pulumi's platform capabilities and IDPs — it is a first-party characterization of Pulumi's own product design, not a falsifiable third-party-attributed assertion. It makes…; source: repo:content/what-is/what-is-pulumi.md)
  • L183 in content/what-is/what-is-pulumi.md "That distinction matters most now, when AI can generate infrastructure faster than any team can manually review it. The bottleneck shifts from writing infrastr…" → ➖ not-a-claim (framing: The claim is an opinionated editorial statement ("That distinction matters most now…") with no attributed source — it is the PR author's own analytical framing…; evidence: The text is an editorial/opinion assertion made by the PR author in a Pulumi "what-is" explainer page. It expresses a general viewpoint about AI and infrastructure governance trends rather than citing a specific, falsifiable third-party fa…; source: WebSearch ran query "AI generated infrastructure governance bottleneck policy testing"; no third-party source is cited in the claim itself)
  • L185 in content/what-is/what-is-pulumi.md "As cloud infrastructure continues to evolve in complexity and importance, particularly in an era where AI is accelerating code generation, Pulumi's approach to…" → ➖ not-a-claim (evidence: This is a concluding editorial/marketing statement authored by the PR author themselves in a Pulumi-owned content file. It expresses a forward-looking opinion about Pulumi's positioning and does not attribute a specific factual assertion t…; source: content/what-is/what-is-pulumi.md L185 (PR author's own prose))
  • L185 in content/what-is/what-is-pulumi.md "Get started with Pulumi to see this in your own stack." → ✅ verified (evidence: The file content/docs/get-started/_index.md exists in the repo and is a valid "Get Started with Pulumi" page, confirming that /docs/get-started/ is a live, resolvable URL path within the site.; source: repo:content/docs/get-started/_index.md)
  • L112 in content/what-is/what-is-serverless.md "Pulumi's code-driven approach to infrastructure as code aligns well with serverless architectures, allowing develop…" → ✅ verified (evidence: The file content/what-is/what-is-infrastructure-as-code.md exists in the repo and is a valid page covering infrastructure as code, confirming the internal link /what-is/what-is-infrastructure-as-code/ resolves to real content.; source: repo:content/what-is/what-is-infrastructure-as-code.md)
  • L90 in content/what-is/what-is-soc-2.md "A typical first SOC 2 Type II runs 6–12 months from kickoff to issued report: usually 3–6 months of readiness and remediation, followed by the observation peri…" → ❌ contradicted (framing: narrowed — claim broadens the readiness phase to "3–6 months" while sources typically cite 1–3 months prep; claim also caps total timeline at 12 months while s…; evidence: Multiple authoritative sources confirm the overall 6–12 month range for a first SOC 2 Type II, but the claim's "3–6 months of readiness and remediation" overstates the typical prep phase. Drata states "Type 2 timeline: 6-15 months total (1…; source: https://drata.com/learn/soc-2/type-1-vs-type-2; https://www.sherlockforensics.com/blog/soc2-audit-timeline-guide.html)
  • L216 in content/what-is/what-is-yaml.md "The reason to reach for YAML isn't that it's simpler than a programming language. It's that infrastructure work often doesn't need a programming language at al…" → ➖ not-a-claim (evidence: The text is the PR author's own editorial argument within the document being written (content/what-is/what-is-yaml.md), expressing an opinion about when YAML is appropriate vs. a programming language. It is not a third-party-attributed fac…; source: WebSearch ran query "Pulumi YAML infrastructure doesn't need a programming language declared resources"; claim is editorial opinion in the author's own document, not a falsifiable third-party assertion.)
  • L218 in content/what-is/what-is-yaml.md "Try it yourself and get started with any major cloud provider." → ✅ verified (evidence: The file content/what-is/what-is-yaml.md contains the exact line: "Try it yourself and get started with any major cloud provider in a snap." The path /docs/languages-sdks/yaml/ is a confirmed alias in `con…; source: gh search code --owner pulumi "languages-sdks/yaml" --repo pulumi/docs)

🚨 Outstanding in this PR

These must be resolved or refuted before merging.

  • [L84] content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "Bigtable assumes you are on Google Cloud and provides a SQL-like query surface through BigQuery." — verdict: contradicted; framing: shifted — the claim attributes Bigtable's SQL-like query surface to BigQuery, but Bigtable's SQL surface is its own native GoogleSQL API; BigQuery is only an o…; evidence: (escalated from pass1) Google's own docs show Bigtable has its own native SQL query surface: "Bigtable offers a SQL query API that builds upon GoogleSQL with extensions for the wide-column data model." BigQuery is a separate, optional inte…; source: https://cloud.google.com/bigtable (index 6-1, 6-14); https://cloud.google.com/blog/products/databases/announcing-sql-support-for-bigtable (index 2-6) — Fix: The page attributes Bigtable's SQL-like query surface to BigQuery, but Bigtable has its own native SQL API (built on GoogleSQL); BigQuery is a separate, optional integration. Reword to drop the BigQuery attribution — e.g. "…and provides a SQL-like query surface through its native GoogleSQL query API" — or mention BigQuery only as an optional analytics path.

  • [L53] content/what-is/cosmos-db-vs-mongodb-know-the-differences.md "Cosmos DB is best suited for users already on Azure." — verdict: contradicted; framing: narrowed — claim broadens the Azure-only framing by omitting the source's second condition ("or you need the flexibility of a database that supports multiple d…; evidence: The Pulumi page states: "If your infrastructure is already on Azure, or you need the flexibility of a database that supports multiple data models, Cosmos DB is the stronger offering." The claim drops the second condition, making it narrowe…; source: https://www.pulumi.com/what-is/cosmos-db-vs-mongodb-know-the-differences/ Fix: The claim keeps only the Azure half of the page's own two-part guidance. Restore the second condition so readers don't read Azure affiliation as the only reason to choose Cosmos DB — e.g. "Cosmos DB is the stronger choice if you're already on Azure, or if you need a database that supports multiple data models."

  • [L98] content/what-is/guide-to-automating-file-expiration-in-aws-s3.md "A drifted or deleted S3 lifecycle policy shows up in the next Pulumi preview." — verdict: contradicted; framing: shifted — the claim says drift "shows up in the next preview" but Pulumi preview compares against cached state, not live cloud; detecting out-of-band drift req…; evidence: The file states "a drifted or deleted policy shows up in your next preview instead of as a surprise bill months later." However, pulumi preview compares desired state against the last recorded state, not live cloud state — out-of-band…; source: repo:content/what-is/guide-to-automating-file-expiration-in-aws-s3.md (Wrapping up section); pulumi/foundational-training:module-01-intro-to-pulumi-aws/slides.md — Fix: pulumi preview diffs your program against the last recorded state, not the live cloud, so an out-of-band (drifted or deleted) policy isn't surfaced by preview alone — you need pulumi refresh (or pulumi preview --refresh) first. Reword to, e.g., "…shows up the next time you refresh and preview, instead of as a surprise bill months later."

  • [L141] content/what-is/infrastructure-as-code-for-kubernetes.md "Every field in a Pulumi Kubernetes program is typed, and misspelling a field name or passing a string where a number belongs causes the program to fail at comp…" — verdict: contradicted; framing: narrowed — claim broadens the compile-time type-checking guarantee to all Pulumi Kubernetes programs, but this only holds for statically-typed languages (TypeS…; evidence: The Pulumi Kubernetes SDK is generated from the Kubernetes OpenAPI spec and provides typed fields, but the claim that "every field is typed" and errors occur "at compile time" applies only to statically-typed languages (TypeScript, Go, C#)…; source: gh api repos/pulumi/pulumi-kubernetes/contents/README.md (decoded: "Pulumi's Kubernetes SDK is manufactured by automatically wrapping our library functionality around the Kubernetes resource OpenAPI spec") — Fix: The blanket "every field is typed… fails at compile time" holds only for the statically-typed SDKs (TypeScript, Go, C#, Java); Python and YAML programs don't get compile-time field checking. This same file already scopes the claim correctly at L199 ("In TypeScript, Go, C#, and Java, misspelled field names fail at compile time") — mirror that qualification here.

  • [L198] content/what-is/infrastructure-as-code-for-kubernetes.md "The Pulumi Kubernetes docs at /docs/iac/clouds/kubernetes/ include reference programs covering Workload Identity, managed addons, and other cluster patterns fo…" — verdict: contradicted; framing: shifted — the actual page at /docs/iac/clouds/kubernetes/ does not include reference programs for Workload Identity, managed addons, or GKE/AKS cluster pattern…; evidence: The page at /docs/iac/clouds/kubernetes/ (aliased from /docs/integrations/clouds/kubernetes/_index.md) covers providers, Helm, architecture templates, ESC integrations, policy packs, and migration — but contains no "reference programs…; source: gh api repos/pulumi/docs/contents/content/docs/integrations/clouds/kubernetes/_index.md — Fix: The linked page /docs/iac/clouds/kubernetes/ covers providers, Helm, architecture templates, ESC integrations, policy packs, and migration — it does not host reference programs for Workload Identity, managed addons, or GKE/AKS cluster patterns. Either point to a page that actually contains those programs or reword the description to match what /docs/iac/clouds/kubernetes/ covers.

  • [L153] content/what-is/what-is-a-circleci-secret.md "To go further, learn how to use OIDC with Pulumi ESC to connect…" — verdict: contradicted; framing: shifted — claim uses anchor #configuring-openid-connect-for-your-cloud-provider but the actual heading generates #configuring-openid-with-your-cloud-provide…; evidence: The page at /docs/esc/environments/configuring-oidc/ (aliased from content/docs/esc/guides/configuring-oidc/_index.md) has the heading ## Configuring OpenID with your cloud provider, which generates the anchor #configuring-openid-wi…; source: repo:content/docs/esc/guides/configuring-oidc/_index.md — Fix: The anchor #configuring-openid-connect-for-your-cloud-provider doesn't exist on that page. The heading is "Configuring OpenID with your cloud provider," which Hugo renders as #configuring-openid-with-your-cloud-provider. Update the link fragment to match.

  • [L250] content/what-is/what-is-a-cloudflare-secret.md "- Advanced secrets management: For organizations that use more than one secrets manager or store configuration data in multiple locations, [Pulumi ESC (Env…" — verdict: contradicted; framing: shifted — claim uses "Configurations" (plural) but the official product name is "Configuration" (singular); evidence: The official ESC docs page at /docs/pulumi-cloud/esc/ (aliased from /docs/esc/) states: "Pulumi ESC (Environments, Secrets, and Configuration)" — singular "Configuration" — whereas the claim uses the plural "Configurations".; source: repo:content/docs/esc/_index.md — Fix: The official ESC expansion is singular — "Pulumi ESC (Environments, Secrets, and Configuration)." Change "Configurations" to "Configuration."

  • [L82] content/what-is/what-is-hashicorp-vault.md "You can wire Vault into that layer with Pulumi ESC's vault-secrets provider to dy…" — verdict: contradicted; framing: shifted — claim uses stale /docs/pulumi-cloud/esc/providers/vault-secrets/ path; current canonical path is /docs/esc/providers/secrets/vault-secrets/; evidence: The claim links to /docs/pulumi-cloud/esc/providers/vault-secrets/, but the authoritative docs repo shows the correct path is /docs/esc/providers/secrets/vault-secrets/ (as seen in content/docs/esc/providers/secrets/_index.md and co…; source: gh search code --owner pulumi vault-secrets --extension md; pulumi/docs:content/docs/esc/providers/secrets/vault-secrets.md and pulumi/docs:content/docs/esc/providers/secrets/_index.md — Fix: /docs/pulumi-cloud/esc/providers/vault-secrets/ is a stale path. The current canonical location is /docs/esc/providers/secrets/vault-secrets/. Update the link.

  • [L90] content/what-is/what-is-soc-2.md "A typical first SOC 2 Type II runs 6–12 months from kickoff to issued report: usually 3–6 months of readiness and remediation, followed by the observation peri…" — verdict: contradicted; framing: narrowed — claim broadens the readiness phase to "3–6 months" while sources typically cite 1–3 months prep; claim also caps total timeline at 12 months while s…; evidence: Multiple authoritative sources confirm the overall 6–12 month range for a first SOC 2 Type II, but the claim's "3–6 months of readiness and remediation" overstates the typical prep phase. Drata states "Type 2 timeline: 6-15 months total (1…; source: https://drata.com/learn/soc-2/type-1-vs-type-2; https://www.sherlockforensics.com/blog/soc2-audit-timeline-guide.html Fix: "3–6 months of readiness and remediation" overstates the typical prep phase (sources generally cite ~1–3 months), and capping the total at "6–12 months" is optimistic — some sources cite 6–15 months end to end. Widen/soften the figures, e.g. "…usually 1–3 months of readiness and remediation, followed by the observation period — typically 6–12 months overall, sometimes longer."

⚠️ Low-confidence

Review each and resolve as appropriate — these don't block the PR.

  • [L84] content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md "DynamoDB and Bigtable are close enough on availability, scale, and latency that the deciding factor is usually where the rest of your infrastructure already li…" — verdict: unverifiable; evidence: The Pulumi page itself notes that Bigtable "sacrifices some availability in exchange for consistency, whereas DynamoDB has made the opposite decision," and third-party sources highlight meaningful differences in auto-scaling, latency profi…; source: https://www.pulumi.com/what-is/amazon-dynamodb-vs-google-cloud-bigtable/; intuition: The claim flattens real, documented differences in availability trade-offs and scaling models into a "close enough" equ… (WebSearch dispatched but verification did not converge within the turn budget) — Author check: This is an editorial generalization; the page itself notes Bigtable and DynamoDB make opposite availability/consistency trade-offs. Consider softening "close enough… usually" (also flagged as a usually weasel-word nag below), or confirm you intend to flatten those documented differences.

  • [L65] content/what-is/database-comparison-cosmos-db-vs-dynamodb.md "For most teams choosing between Cosmos DB and DynamoDB, the deciding factor is which cloud they already operate in rather than the feature matrix." — verdict: unverifiable; evidence: This is an editorial positioning claim. While sources like dynomate.io note "Many organizations choose based on their primary cloud provider, but the technical differences can be significant," no authoritative source confirms that existing…; source: WebSearch ran query "Cosmos DB vs DynamoDB choosing factor cloud provider"; top results didn't confirm the "most teams" / "rather than feature matrix" framing.; intuition: Claim is an opinionated editorial assertion ("for most teams … rather than the feature matrix") that cannot be empirica… — Author check: No source establishes the "for most teams… rather than the feature matrix" framing as fact. Consider softening or attributing it (e.g. "often the deciding factor is…").

  • [L67] content/what-is/database-comparison-cosmos-db-vs-dynamodb.md "Both Cosmos DB and DynamoDB are quick to stand up when using Pulumi." — verdict: unverifiable; framing: narrowed — claim broadens the source (Cosmos DB only) to cover both Cosmos DB and DynamoDB; the source supports only the Cosmos DB half of the claim; evidence: The cited blog post (pulumi.com/blog/how-to-build-globally-distributed-applications-with-azure-cosmos-db-and-pulumi/) covers only Azure Cosmos DB with Pulumi; it contains no mention of DynamoDB being quick to stand up. The claim that *both…; source: https://www.pulumi.com/blog/how-to-build-globally-distributed-applications-with-azure-cosmos-db-and-pulumi/ (WebSearch dispatched but verification did not converge within the turn budget) — Author check: The cited blog covers Cosmos DB with Pulumi only — it doesn't establish that DynamoDB is comparably quick to stand up. Either scope the claim to Cosmos DB or add a source covering DynamoDB-with-Pulumi.

  • [L205] content/what-is/how-to-step-up-cloud-infrastructure-testing.md "SOC 2, HIPAA, and PCI DSS audits routinely accept IaC test output and policy-as-code run logs as evidence that a control is enforced." — verdict: unverifiable; evidence: (escalated from pass1) No authoritative source (AICPA, HHS, PCI SSC, or audit-practice guidance) confirms that SOC 2, HIPAA, and PCI DSS audits "routinely accept IaC test output and policy-as-code run logs as evidence." One practitioner bl…; source: WebSearch ran query "SOC 2 HIPAA PCI DSS audit accept IaC test output policy-as-code evidence"; top results didn't confirm the specific claim and one source (yrkan.com) contradicts the framing.; intuition: The word "routinely" overstates auditor practice; acceptance of IaC/policy-as-code artifacts is highly auditor- and con… — Author check: "routinely accept" overstates auditor practice — acceptance of IaC/policy-as-code artifacts varies by auditor and engagement. Consider softening to "can accept" / "increasingly accept."

  • [L205] content/what-is/how-to-step-up-cloud-infrastructure-testing.md "A Pulumi Policies run record is more concrete evidence than a written policy with no enforcement mechanism behind it, for compliance audit purposes." — verdict: unverifiable; evidence: Pulumi CrossGuard docs confirm that policy runs produce enforcement records and audit trails, and one customer quote notes it's "far easier to understand and prove controls in code than in docs and diagrams." However, no source directly st…; source: WebSearch ran query "Pulumi CrossGuard policy compliance audit evidence enforcement"; top results didn't directly address the comparative audit-evidence claim.; intuition: This is a normative/opinion positioning claim (run record > written policy for audits) — plausible and consistent with… — Author check: This is a normative comparison (run record > written policy for audits). Fine as positioning, but frame it as Pulumi's view rather than an established fact.

  • [L56] content/what-is/infrastructure-as-code-for-devops.md "DORA's 2024 Accelerate State of DevOps report calls out infrastructure flexibility (the ability to provision and change environments on demand) as a key differ…" — verdict: unverifiable; evidence: The cited URL returns HTTP 200, but the body is entirely JavaScript/WIZ global data with no readable article content — the actual blog post text about the 2024 DORA report (including any mention of "infrastructure flexibility" or "provisio…; source: https://cloud.google.com/blog/products/devops-sre/announcing-the-2024-dora-report Author check: The cited DORA report page returns only client-side JavaScript, so the verification step couldn't confirm the wording. Double-check that the 2024 Accelerate State of DevOps report actually calls out "infrastructure flexibility" as described.

  • [L170] content/what-is/infrastructure-as-code-for-kubernetes.md "Static scanners Trivy and Checkov run against rendered manifests on every commit and catch known-bad configurations such as privileged containers, host-path mo…" — verdict: unverifiable; evidence: (escalated from pass1) Trivy and Checkov individually do scan Kubernetes manifests for privileged containers, host-path mounts, and missing resource limits, but the specific claim that both are run together against rendered manifests on ev…; source: WebSearch ran query "Trivy Checkov static scanner Kubernetes manifests privileged containers"; results confirm each tool's individual capabilities but no source verifies the specific combined "every commit" pipeline described in the claim.; intuition: The claim presents a very specific dual-tool CI pipeline as a general fact, but this appears to be editorial content au… — Author check: This presents one specific dual-tool, every-commit pipeline as general practice. Consider hedging to "tools like Trivy and Checkov" so it doesn't read as a single universal setup.

  • [L233] content/what-is/javascript-and-infrastructure-as-code.md "Pulumi regenerates provider SDKs from each provider's source schema — either the upstream cloud API for native providers, or the Terraform provider schema for…" — verdict: unverifiable; evidence: verification did not converge within 8 turns — Author check: This describes real Pulumi provider behavior, but automated verification timed out. The bridged/native provider docs back it up — worth a citation if you want it nailed down.

  • [L233] content/what-is/javascript-and-infrastructure-as-code.md "Pulumi provider versions are pinned in package.json, giving users control over when to adopt new releases." — verdict: unverifiable; evidence: verification did not converge within 8 turns — Author check: True for the TypeScript/JavaScript SDKs (providers are npm dependencies pinned in package.json), but automated verification timed out. Confirm and optionally cite.

Style findings

Found by pattern-based linting; findings may be false positives.

content/what-is/amazon-dynamodb-vs-google-cloud-bigtable.md (1 issues: 1 weasel word)
  • line 84: [style] weasel word — 'usually' is a weasel word!
content/what-is/cosmos-db-vs-mongodb-know-the-differences.md (2 issues: 1 difficulty qualifier, 1 units)
  • line 53: [style] units — Put a nonbreaking space between the number and the unit in '2MB'.
  • line 53: [style] difficulty qualifier — Avoid difficulty qualifier 'simply' -- it judges difficulty for the reader (STYLE-GUIDE.md §Inclusive Language).
content/what-is/database-comparison-cosmos-db-vs-dynamodb.md (1 issues: 1 weasel word)
  • line 65: [style] weasel word — 'usually' is a weasel word!
content/what-is/guide-to-automating-file-expiration-in-aws-s3.md (1 issues: 1 wordiness)
  • line 98: [style] wordiness — 'expiration' is too wordy.
content/what-is/top-iac-tools.md (1 issues: 1 weasel word)
  • line 135: [style] weasel word — 'usually' is a weasel word!
content/what-is/what-are-kubernetes-secrets.md (1 issues: 1 filler)
  • line 268: [style] filler — Don't start a sentence with 'So '.
content/what-is/what-is-a-cloudflare-secret.md (3 issues: 2 weasel word, 1 difficulty qualifier)
  • line 141: [style] difficulty qualifier — Avoid difficulty qualifier 'simple' -- it judges difficulty for the reader (STYLE-GUIDE.md §Inclusive Language).
  • line 141: [style] weasel word — 'several' is a weasel word!
  • line 143: [style] weasel word — 'several' is a weasel word!
content/what-is/what-is-a-github-action-secret.md (2 issues: 2 wordiness)
  • line 83: [style] wordiness — 'it is' is too wordy.
  • line 83: [style] wordiness — 'it was' is too wordy.
content/what-is/what-is-azure-key-vault.md (1 issues: 1 wordiness)
  • line 197: [style] wordiness — 'it is' is too wordy.
content/what-is/what-is-ci-cd.md (1 issues: 1 difficulty qualifier)
  • line 73: [style] difficulty qualifier — Avoid difficulty qualifier 'just' -- it judges difficulty for the reader (STYLE-GUIDE.md §Inclusive Language).
content/what-is/what-is-cloud-infrastructure-autoscaling.md (1 issues: 1 weasel word)
  • line 162: [style] weasel word — 'usually' is a weasel word!
content/what-is/what-is-configuration-management.md (1 issues: 1 weasel word)
  • line 16: [style] weasel word — 'various' is a weasel word!
content/what-is/what-is-devops-automation.md (1 issues: 1 wordiness)
  • line 80: [style] wordiness — 'facilitate' is too wordy.
content/what-is/what-is-google-cloud-secret-manager.md (1 issues: 1 wordiness)
  • line 107: [style] wordiness — 'therefore' is too wordy.
content/what-is/what-is-hitrust.md (1 issues: 1 wordiness)
  • line 151: [style] wordiness — 'satisfy' is too wordy.
content/what-is/what-is-infrastructure-as-code.md (1 issues: 1 difficulty qualifier)
  • line 62: [style] difficulty qualifier — Avoid difficulty qualifier 'simple' -- it judges difficulty for the reader (STYLE-GUIDE.md §Inclusive Language).
content/what-is/what-is-platform-engineering.md (2 issues: 1 difficulty qualifier, 1 punctuation)
  • line 19: [style] punctuation — Use the Oxford comma in 'In a platform engineering approach, one or'.
  • line 159: [style] difficulty qualifier — Avoid difficulty qualifier 'just' -- it judges difficulty for the reader (STYLE-GUIDE.md §Inclusive Language).
content/what-is/what-is-pulumi.md (3 issues: 2 wordiness, 1 difficulty qualifier)
  • line 29: [style] difficulty qualifier — Avoid difficulty qualifier 'Just' -- it judges difficulty for the reader (STYLE-GUIDE.md §Inclusive Language).
  • line 181: [style] wordiness — 'it is' is too wordy.
  • line 183: [style] wordiness — 'it is' is too wordy.
content/what-is/what-is-soc-2.md (1 issues: 1 weasel word)
  • line 90: [style] weasel word — 'usually' is a weasel word!
content/what-is/what-is-yaml.md (1 issues: 1 weasel word)
  • line 218: [style] weasel word — 'mostly' is a weasel word!

💡 Pre-existing issues in touched files (optional)

No pre-existing issues in touched files.

✅ Resolved since last review

No items resolved since the last review.

📜 Review history

  • 2026-06-18T20:01:50Z — Editorial style pass over 51 what-is pages; flagged 9 contradicted claims (stale/incorrect doc links and anchors, an ESC product-name typo, and technical overstatements) and 9 unverifiable editorial claims; frontmatter and build mechanics clean. (ddc819e)

Need a re-review? Want to dispute a finding? Mention @claude and include #update-review.
(For ad-hoc questions or fixes, just @claude — no hashtag.)

@github-actions

Contributor

🤖 Review regenerated on @CamSoper's request.

@github-actions github-actions Bot added review:outstanding-issues Claude review completed; outstanding has author-actionable findings and removed review:in-progress Claude review is currently running labels Jun 18, 2026

@CamSoper CamSoper left a comment

Contributor

You'll want to review the blocking low-confidence issues before I can approve.


Labels

domain:docs PR touches technical docs review:outstanding-issues Claude review completed; outstanding has author-actionable findings review:prose-flagged Trivial or frontmatter-only PR where triage's prose-check found possible spelling/grammar issues review:trivial Tiny prose-only change; skips Claude review
