We use S3 for our Pulumi state store, which is eventually consistent and Pulumi does not support locking yet for S3.
We use TypeScript project references, which Pulumi does not build. Meaning it's really easy for us to run an old Pulumi program.
Introduce a Pulumi CLI wrapper which ensures our TypeScript projects are built, and also take a lock using DynamoDB
pulumi stack select my-project.my-stack
(we fully qualify our stacks with project names manually to prevent conflicts in our s3 state store).
node ./pulumi.js up