Use ESC secrets

pgavlin · pgavlin · commit 615fe389aa9d · 2025-04-30T11:51:16.000-07:00
diff --git a/.github/workflows/command-dispatch.yml b/.github/workflows/command-dispatch.yml
@@ -8,13 +8,23 @@ jobs:
   command-dispatch-for-testing:
     runs-on: ubuntu-latest
     steps:
+      - name: Fetch secrets from ESC
+        id: esc-secrets
+        uses: pulumi/esc-action@v1
       - uses: actions/checkout@v2
       - name: Run Build
         uses: peter-evans/slash-command-dispatch@v2
         with:
-          token: ${{ secrets.PULUMI_BOT_TOKEN }}
+          token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
           reaction-token: ${{ secrets.GITHUB_TOKEN }}
           commands: run-acceptance-tests
           permission: write
           issue-type: pull-request
           repository: pulumi/pulumi-kubernetes-operator
+env:
+  ESC_ACTION_OIDC_AUTH: true
+  ESC_ACTION_OIDC_ORGANIZATION: pulumi
+  ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+  ESC_ACTION_ENVIRONMENT: imports/github-secrets
+  ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: false
+permissions: write-all # Equivalent to default permissions plus id-token: write
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -3,25 +3,33 @@ name: Pulumi Kubernetes Operator Release
 on:
   push:
     tags:
-      - v*.*.*     # e.g. v2.0.0
-      - v*.*-*.*   # e.g. v2.0-beta.0
-      - v*.*.*-*.*   # e.g. v2.0.0-beta.1
+      - v*.*.* # e.g. v2.0.0
+      - v*.*-*.* # e.g. v2.0-beta.0
+      - v*.*.*-*.* # e.g. v2.0.0-beta.1
 env:
-  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
   VERSION: ${{ github.ref_name }}
+  ESC_ACTION_OIDC_AUTH: true
+  ESC_ACTION_OIDC_ORGANIZATION: pulumi
+  ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+  ESC_ACTION_ENVIRONMENT: imports/github-secrets
+  ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: PULUMI_ACCESS_TOKEN=PULUMI_ACCESS_TOKEN
 permissions:
   contents: write
+  id-token: write
 jobs:
   docker:
     name: Build & Push Docker Images
     runs-on: ubuntu-latest
     steps:
+      - name: Fetch secrets from ESC
+        id: esc-secrets
+        uses: pulumi/esc-action@v1
       - name: Login to Docker Hub
         uses: docker/login-action@v3
         with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
+          username: ${{ steps.esc-secrets.outputs.DOCKER_USERNAME }}
+          password: ${{ steps.esc-secrets.outputs.DOCKER_PASSWORD }}
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx
@@ -46,6 +54,9 @@ jobs:
     needs: [docker]
     runs-on: ubuntu-latest
     steps:
+      - name: Fetch secrets from ESC
+        id: esc-secrets
+        uses: pulumi/esc-action@v1
       - name: Checkout
         uses: actions/checkout@v4
       - name: Create a GH release
diff --git a/.github/workflows/run-acceptance-tests.yaml b/.github/workflows/run-acceptance-tests.yaml
@@ -8,15 +8,21 @@ on:
     branches:
       - master
 env:
-  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-  PULUMI_BOT_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
   VERSION: v0.0-${{ github.sha }}
+  ESC_ACTION_OIDC_AUTH: true
+  ESC_ACTION_OIDC_ORGANIZATION: pulumi
+  ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+  ESC_ACTION_ENVIRONMENT: imports/github-secrets
+  ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: PULUMI_BOT_TOKEN=PULUMI_BOT_TOKEN,PULUMI_ACCESS_TOKEN=PULUMI_ACCESS_TOKEN
 jobs:
   build:
     runs-on: ubuntu-latest
     name: Build
     steps:
+      - name: Fetch secrets from ESC
+        id: esc-secrets
+        uses: pulumi/esc-action@v1
       - name: Check out code
         uses: actions/checkout@v4
         with:
@@ -28,8 +34,8 @@ jobs:
       - name: Login to Docker Hub
         uses: docker/login-action@v3
         with:
-          username: ${{ secrets.DOCKER_USERNAME }}
-          password: ${{ secrets.DOCKER_PASSWORD }}
+          username: ${{ steps.esc-secrets.outputs.DOCKER_USERNAME }}
+          password: ${{ steps.esc-secrets.outputs.DOCKER_PASSWORD }}
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
       - name: Build
@@ -42,11 +48,15 @@ jobs:
             pulumi/pulumi-kubernetes-operator:${{ env.VERSION }}
           build-args: |
             VERSION=${{ env.VERSION }}
-  
+
+
   lint:
     runs-on: ubuntu-latest
     name: Lint
     steps:
+      - name: Fetch secrets from ESC
+        id: esc-secrets
+        uses: pulumi/esc-action@v1
       - name: Check out code
         uses: actions/checkout@v4
         with:
@@ -62,6 +72,9 @@ jobs:
     runs-on: ubuntu-latest
     name: Unit tests
     steps:
+      - name: Fetch secrets from ESC
+        id: esc-secrets
+        uses: pulumi/esc-action@v1
       - name: Check out code
         uses: actions/checkout@v4
         with:
@@ -83,12 +96,15 @@ jobs:
         with:
           files: agent/coverage.out,operator/coverage.out
         env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+          CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
 
   e2e-tests:
     runs-on: ubuntu-latest
     name: E2E tests
     steps:
+      - name: Fetch secrets from ESC
+        id: esc-secrets
+        uses: pulumi/esc-action@v1
       - name: Setup cluster
         uses: helm/kind-action@v1
         with:
@@ -108,4 +124,5 @@ jobs:
         uses: stateful/vscode-server-action@v1
         if: failure()
         with:
-          timeout: '360000'       # milliseconds
+          timeout: '360000' # milliseconds
+permissions: write-all # Equivalent to default permissions plus id-token: write
diff --git a/.github/workflows/sync-images.yaml b/.github/workflows/sync-images.yaml
@@ -22,12 +22,20 @@ env:
   DOCKER_USERNAME: pulumi
   OPERATOR_VERSION: ${{ inputs.operator_version || github.event.client_payload.ref }}
   OPERATOR_IMAGE_NAME: pulumi-kubernetes-operator
+  ESC_ACTION_OIDC_AUTH: true
+  ESC_ACTION_OIDC_ORGANIZATION: pulumi
+  ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+  ESC_ACTION_ENVIRONMENT: imports/github-secrets
+  ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: false
 
 jobs:
   sync-to-ecr:
     name: Pulumi Kubernetes Operator image
     runs-on: ubuntu-latest
     steps:
+      - name: Fetch secrets from ESC
+        id: esc-secrets
+        uses: pulumi/esc-action@v1
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4
         with:
@@ -37,7 +45,7 @@ jobs:
           role-duration-seconds: 3600
           role-external-id: upload-pulumi-release
           role-session-name: pulumi@githubActions
-          role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
+          role-to-assume: ${{ steps.esc-secrets.outputs.AWS_UPLOAD_ROLE_ARN }}
       - name: Login to GitHub Container Registry
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
         with:
@@ -59,4 +67,5 @@ jobs:
       - name: Output build summary
         run: |
           SUMMARY=$'# Image Syncing Summary\nSource Image: `pulumi/${{ env.OPERATOR_IMAGE_NAME }}:${{ env.OPERATOR_VERSION }}`\n\nDestination Images:\n- `public.ecr.aws/${{ env.DOCKER_USERNAME }}/${{ env.OPERATOR_IMAGE_NAME }}:${{ env.OPERATOR_VERSION }}`\n- `ghcr.io/${{ env.DOCKER_USERNAME }}/${{ env.OPERATOR_IMAGE_NAME }}:${{ env.OPERATOR_VERSION }}`'
-          echo "$SUMMARY" >> $GITHUB_STEP_SUMMARY
+          echo "$SUMMARY" >> $GITHUB_STEP_SUMMARY
+permissions: write-all # Equivalent to default permissions plus id-token: write
diff --git a/.github/workflows/weekly-pulumi-update.yml b/.github/workflows/weekly-pulumi-update.yml
@@ -5,7 +5,11 @@ name: weekly-pulumi-update
   workflow_dispatch: {}
 
 env:
-  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+  ESC_ACTION_OIDC_AUTH: true
+  ESC_ACTION_OIDC_ORGANIZATION: pulumi
+  ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+  ESC_ACTION_ENVIRONMENT: imports/github-secrets
+  ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: GITHUB_TOKEN=PULUMI_BOT_TOKEN
 
 jobs:
   update-go-mod:
@@ -15,6 +19,9 @@ jobs:
       matrix:
         goversion: [1.23.x]
     steps:
+      - name: Fetch secrets from ESC
+        id: esc-secrets
+        uses: pulumi/esc-action@v1
       - name: Checkout Repo
         uses: actions/checkout@v2
       - name: Unshallow clone for tags
@@ -63,4 +70,5 @@ jobs:
           pr_title: "Automated pulumi/pulumi upgrade"
           pr_label: "automation/merge"
           pr_allow_empty: true
-          github_token: ${{ secrets.PULUMI_BOT_TOKEN }}
+          github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
+permissions: write-all # Equivalent to default permissions plus id-token: write
