use the new-style ESC action

pgavlin · pgavlin · commit a719b3031669 · 2025-04-27T13:06:41.000-07:00
diff --git a/.github/workflows/pr-tests.yaml b/.github/workflows/pr-tests.yaml
@@ -8,6 +8,7 @@ on:
 
 permissions:
   contents: read
+  id-token: write
 
 jobs:
   lint:
diff --git a/.github/workflows/publish-prerelease.yaml b/.github/workflows/publish-prerelease.yaml
@@ -6,11 +6,15 @@ on:
       - v*.*.*-**
 
 env:
-  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+  ESC_ACTION_OIDC_AUTH: true
+  ESC_ACTION_OIDC_ORGANIZATION: pulumi
+  ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+  ESC_ACTION_ENVIRONMENT: imports/github-secrets
+  ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: GITHUB_TOKEN=PULUMI_BOT_TOKEN
 
 permissions:
-  contents: write  # Needed to publish releases
-  packages: write  # If publishing packages
+  contents: write # Needed to publish releases
+  packages: write # If publishing packages
   id-token: write
   actions: read
   attestations: read
diff --git a/.github/workflows/publish-release.yaml b/.github/workflows/publish-release.yaml
@@ -7,11 +7,15 @@ on:
       - '!v*.*.*-**'
 
 env:
-  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+  ESC_ACTION_OIDC_AUTH: true
+  ESC_ACTION_OIDC_ORGANIZATION: pulumi
+  ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+  ESC_ACTION_ENVIRONMENT: imports/github-secrets
+  ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: GITHUB_TOKEN=PULUMI_BOT_TOKEN
 
 permissions:
-  contents: write  # Needed to publish releases
-  packages: write  # Needed for publishing packages
+  contents: write # Needed to publish releases
+  packages: write # Needed for publishing packages
   id-token: write
   actions: read
   attestations: read
@@ -47,6 +51,9 @@ jobs:
     name: s3 blobs
     runs-on: ubuntu-latest
     steps:
+      - name: Fetch secrets from ESC
+        id: esc-secrets
+        uses: pulumi/esc-action@v1
       - name: Checkout Repo
         uses: actions/checkout@v3
         with:
@@ -60,7 +67,7 @@ jobs:
           role-duration-seconds: 3600
           role-external-id: upload-pulumi-release
           role-session-name: pulumi@githubActions
-          role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
+          role-to-assume: ${{ steps.esc-secrets.outputs.AWS_UPLOAD_ROLE_ARN }}
       - name: Download release artifacts
         run: |
           mkdir -p artifacts
@@ -82,14 +89,17 @@ jobs:
           - name: Dispatch docs workflow
             run-command: pulumictl create cli-docs-build "${{ github.ref_name }}" --event-type "esc-cli"
     steps:
+      - name: Fetch secrets from ESC
+        id: esc-secrets
+        uses: pulumi/esc-action@v1
       - name: Checkout Repo
         uses: actions/checkout@v3
         with:
           ref: ${{ github.ref_name }}
       - name: Install Pulumictl
         uses: jaxxstorm/action-install-gh-release@v2.0.0
         env:
-          GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
         with:
           repo: pulumi/pulumictl
           tag: v0.0.45
diff --git a/.github/workflows/publish-snapshot.yaml b/.github/workflows/publish-snapshot.yaml
@@ -9,11 +9,15 @@ on:
       - 'README.md'
 
 env:
-  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+  ESC_ACTION_OIDC_AUTH: true
+  ESC_ACTION_OIDC_ORGANIZATION: pulumi
+  ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+  ESC_ACTION_ENVIRONMENT: imports/github-secrets
+  ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: GITHUB_TOKEN=PULUMI_BOT_TOKEN
 
 permissions:
-  contents: write  # Needed to publish releases
-  packages: write  # If publishing packages
+  contents: write # Needed to publish releases
+  packages: write # If publishing packages
   id-token: write
   actions: read
   attestations: read
diff --git a/.github/workflows/stage-publish.yml b/.github/workflows/stage-publish.yml
@@ -8,17 +8,25 @@ on:
         type: string
 
 permissions:
-  contents: write  # Needed for publishing releases
-  packages: write  # Needed for publishing packages
+  contents: write # Needed for publishing releases
+  packages: write # Needed for publishing packages
+  id-token: write
 
 env:
-  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+  ESC_ACTION_OIDC_AUTH: true
+  ESC_ACTION_OIDC_ORGANIZATION: pulumi
+  ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+  ESC_ACTION_ENVIRONMENT: imports/github-secrets
+  ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: GITHUB_TOKEN=PULUMI_BOT_TOKEN
 
 jobs:
   publish:
     name: Publish
     runs-on: macos-latest
     steps:
+      - name: Fetch secrets from ESC
+        id: esc-secrets
+        uses: pulumi/esc-action@v1
       - name: Checkout Repo
         uses: actions/checkout@v2
       - name: Unshallow clone for tags
diff --git a/.github/workflows/stage-test.yml b/.github/workflows/stage-test.yml
@@ -17,12 +17,16 @@ on:
 
 permissions:
   contents: read
+  id-token: write
 
 jobs:
   test:
     name: Test
     runs-on: ubuntu-latest
     steps:
+      - name: Fetch secrets from ESC
+        id: esc-secrets
+        uses: pulumi/esc-action@v1
       - name: Checkout Repo
         uses: actions/checkout@v2
         with:
@@ -46,9 +50,14 @@ jobs:
         with:
           fail_ci_if_error: false
           verbose: true
-          token: ${{ secrets.CODECOV_TOKEN }}
+          token: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
     strategy:
       fail-fast: false
       matrix:
         go-version: [1.21.x, 1.23.x]
         go-stable: [true]
+env:
+  ESC_ACTION_OIDC_AUTH: true
+  ESC_ACTION_OIDC_ORGANIZATION: pulumi
+  ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+  ESC_ACTION_ENVIRONMENT: imports/github-secrets
