Use ESC secrets

Author: pgavlin

.github/workflows/pr-test.yml

@@ -1,6 +1,7 @@
+permissions:
+  id-token: write
 on:
-  pull_request:
-
+  pull_request: null
 name: PR test
 
 jobs:
@@ -9,21 +10,24 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
+      - name: Fetch secrets from ESC
+        id: esc-secrets
+        uses: pulumi/esc-action@v1
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
 
       - name: Login to Docker Hub as pulumi-bot
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
         with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+          username: ${{ steps.esc-secrets.outputs.DOCKERHUB_USERNAME }}
+          password: ${{ steps.esc-secrets.outputs.DOCKERHUB_PASSWORD }}
 
       - uses: ./.github/actions/run-self-hosted
         timeout-minutes: 2
         env:
           # When regenerating the license, create a restricted license.
           # That is, create a license that has a max unit of just 1 unless
           # otherwise required.
-          PULUMI_LICENSE_KEY: ${{ secrets.PULUMI_LICENSE_KEY }}
+          PULUMI_LICENSE_KEY: ${{ steps.esc-secrets.outputs.PULUMI_LICENSE_KEY }}
         with:
           compose-args: '-f ./quickstart-docker-compose/all-in-one/docker-compose.yml'
 
@@ -34,4 +38,9 @@ jobs:
           name: service-log
           path: ${{ env.SERVICE_LOG }}
           overwrite: true
-
+env:
+  ESC_ACTION_OIDC_AUTH: true
+  ESC_ACTION_OIDC_ORGANIZATION: pulumi
+  ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+  ESC_ACTION_ENVIRONMENT: imports/github-secrets
+  ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: false

.github/workflows/test-with-minio.yml

@@ -1,11 +1,12 @@
+permissions:
+  id-token: write
 # workflow_dispatch allows for manual triggering from the GitHub Actions UI, as well
 # as the API. repository_dispatch allows us to trigger multiple workflows that
 # match on an event_type parameter when triggered via an API call.
 # https://docs.github.com/en/actions/reference/events-that-trigger-workflows
 on:
-  pull_request:
-  workflow_dispatch:
-
+  pull_request: null
+  workflow_dispatch: null
   repository_dispatch:
     types: [integration_tests]
 
@@ -24,12 +25,12 @@ jobs:
       MINIO_HOST: "minio:9000"
       MINIO_BUCKET_NAME: "pulumi-checkpoints"
       MINIO_PP_BUCKET_NAME: "pulumi-policy-packs"
-      # When regenerating the license, create a restricted license.
-      # That is, create a license that has a max unit of just 1 unless
-      # otherwise required.
-      PULUMI_LICENSE_KEY: ${{ secrets.PULUMI_LICENSE_KEY }}
+      ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: PULUMI_LICENSE_KEY=PULUMI_LICENSE_KEY
 
     steps:
+      - name: Fetch secrets from ESC
+        id: esc-secrets
+        uses: pulumi/esc-action@v1
       - name: Set env vars
         run: |
           # There doesn't seem to be a way to map environment variables into other enviroments
@@ -62,8 +63,8 @@ jobs:
       - name: Login to Docker Hub as pulumi-bot
         uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
         with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
-          password: ${{ secrets.DOCKERHUB_PASSWORD }}
+          username: ${{ steps.esc-secrets.outputs.DOCKERHUB_USERNAME }}
+          password: ${{ steps.esc-secrets.outputs.DOCKERHUB_PASSWORD }}
 
       - name: Run Minio
         run: |
@@ -124,8 +125,14 @@ jobs:
           # The Slack webhook URL must be specific to the pulumi-service Slack channel.
           # The name of the Slack app is "Pulumi Webhooks". You must have access to it
           # to be able to see it on https://api.slack.com.
-          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+          SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
         with:
           text: Minio integration test in pulumi-self-hosted-installers failed for service's latest edge build
           fields: job,workflow
           status: ${{ job.status }}
+env:
+  ESC_ACTION_OIDC_AUTH: true
+  ESC_ACTION_OIDC_ORGANIZATION: pulumi
+  ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+  ESC_ACTION_ENVIRONMENT: imports/github-secrets
+  ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: false