Commit a918964

meagancojocar, github-actions[bot], CamSoper authored
Add Pulumi OIDC token type availability by Pulumi edition (#16149)
* Add OIDC token type availability by Pulumi edition

This commit clarifies which OIDC token types (personal, organization, team) are available for each Pulumi edition (Individual, Team, Enterprise/Business Critical).

Changes:
- Added "Token types by edition" section to main OIDC client page
- Updated GitHub, GKE, and EKS OIDC guides with info notes linking to token types
- Clarified that examples show specific token types but others may be available

Fixes #16019

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Meagan <[email protected]>

* Fix OIDC documentation issues

- Fix parameter name: requested_token_type → requested-token-type
- Add missing comma in TypeScript syntax (kubernetes-eks.md:189)
- Fix capitalization: Github → GitHub
- Add missing newline at end of github.md

Co-authored-by: Meagan <[email protected]>

* Remove unnecessary newline at the end of the GitHub OIDC configuration document

---------

Co-authored-by: claude[bot] <41898282+claude[bot]@users.noreply.github.com>
Co-authored-by: Meagan <[email protected]>
Co-authored-by: Cam <[email protected]>
1 parent 830bc04 commit a918964

4 files changed

+23
-1
lines changed

content/docs/administration/access-identity/oidc-client/_index.md

Lines changed: 10 additions & 0 deletions
@@ -24,6 +24,16 @@ Pulumi supports establishing trust relationships with third party OIDC providers
2424

2525
For third party services that have capabilities to issue OIDC id_tokens, it is possible to register them as a trusted OIDC Issuer to leverage these tokens to be exchanged by a short-lived Pulumi access token automatically to avoid having to store hardcoded credentials.
2626

27+
## Token types by edition
28+
29+
The available OIDC token types vary depending on your Pulumi edition:
30+
31+
- **Individual**: `personal` tokens only
32+
- **Team**: `personal` and `organization` tokens
33+
- **Enterprise and Business Critical**: `personal`, `organization`, and `team` tokens
34+
35+
When configuring authorization policies and requesting tokens, ensure you select a token type that is available for your edition.
36+
2737
## Configuring trust relationships
2838

2939
### Register the OIDC issuer
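
Review bot: the closing sentence at added line 35 tells readers to select a token type available for their edition, but the new section never says what happens when an authorization policy or token request names a type the edition lacks. Add one sentence on the resulting behaviour, or link to where it is documented, so that a failed exchange can be traced back to this restriction. A short description of what each of `personal`, `organization` and `team` is scoped to would also let readers pick the narrowest type that works for them.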

content/docs/administration/access-identity/oidc-client/github.md

Lines changed: 4 additions & 0 deletions
@@ -17,6 +17,10 @@ aliases:
1717

1818
This document outlines the steps required to configure Pulumi to accept Github id_tokens to be exchanged by Organization access tokens.
1919

20+
{{< notes type="info" >}}
21+
This guide demonstrates using `organization` tokens. Depending on your [Pulumi edition](/docs/pulumi-cloud/access-management/oidc-client/#token-types-by-edition), you may also use `personal` or `team` tokens by adjusting the token type in the authorization policies and the `requested-token-type` parameter.
22+
{{< /notes >}}
23+
2024
## Prerequisites
2125

2226
* You must be an admin of your Pulumi organization.
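
Review bot: the note at added line 21 says readers "may also use `personal` or `team` tokens", which reads as if the guide's own `organization` type is always available. By the edition list this commit adds to `_index.md`, Individual has `personal` only and `team` requires Enterprise or Business Critical, so an Individual-edition reader cannot follow this guide as written. Suggest stating which editions offer `organization` tokens and that `team` is limited to Enterprise and Business Critical. Separately, unchanged line 18 still reads "Github id_tokens" even though the commit message lists a Github → GitHub capitalization fix.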

content/docs/administration/access-identity/oidc-client/kubernetes-eks.md

Lines changed: 5 additions & 1 deletion
@@ -21,6 +21,10 @@ aliases:
2121

2222
This document outlines the steps required to configure Pulumi to accept Elastic Kubernetes Service (EKS) id_tokens to be exchanged for a personal access token. With this configuration, Kubernetes pods authenticate to Pulumi Cloud using OIDC tokens issued by EKS.
2323

24+
{{< notes type="info" >}}
25+
This guide demonstrates using `personal` tokens. Depending on your [Pulumi edition](/docs/pulumi-cloud/access-management/oidc-client/#token-types-by-edition), you may also use `organization` or `team` tokens by adjusting the token type in the authorization policies and the `requested-token-type` parameter.
26+
{{< /notes >}}
27+
2428
## Prerequisites
2529

2630
* You must be an admin of your Pulumi organization.
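
Review bot: the link target at added line 25 is `/docs/pulumi-cloud/access-management/oidc-client/#token-types-by-edition`, but the section it points to is added in `content/docs/administration/access-identity/oidc-client/_index.md`. If that URL only resolves through an alias, please confirm the `#token-types-by-edition` fragment survives the redirect, or link to the page's current path instead. The same applies to the identical links in `github.md` and `kubernetes-gke.md`.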
@@ -184,7 +188,7 @@ const job = new kubernetes.batch.v1.Job("runner", {
184188
spec: {
185189
template: {
186190
spec: {
187-
serviceAccountName: "pulumi-service-account"
191+
serviceAccountName: "pulumi-service-account",
188192
containers: [{
189193
name: "runner",
190194
image: "pulumi/pulumi:latest",
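
Review bot: the runner container at new line 194 uses `image: "pulumi/pulumi:latest"`, an unpinned tag, in a Job whose pod runs as `pulumi-service-account` and authenticates to Pulumi Cloud with its OIDC token. Since this hunk already touches the example, pin the image to a specific version tag or digest so the code that receives that credential does not change from one run to the next. The comma added at new line 191 looks correct.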

content/docs/administration/access-identity/oidc-client/kubernetes-gke.md

Lines changed: 4 additions & 0 deletions
@@ -19,6 +19,10 @@ This document outlines the steps required to configure Pulumi to accept Google K
1919

2020
See ["Bound Tokens"](https://cloud.google.com/blog/products/containers-kubernetes/kubernetes-bound-service-account-tokens) for more background.
2121

22+
{{< notes type="info" >}}
23+
This guide demonstrates using `organization` tokens. Depending on your [Pulumi edition](/docs/pulumi-cloud/access-management/oidc-client/#token-types-by-edition), you may also use `personal` or `team` tokens by adjusting the token type in the authorization policies and the `requested-token-type` parameter.
24+
{{< /notes >}}
25+
2226
## Prerequisites
2327

2428
* You must be an admin of your Pulumi organization.
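
Review bot: the info note at added lines 22 to 24 is the third near-verbatim copy of the same block (also added to `github.md` and `kubernetes-eks.md`), differing only in which token type is named. Consider a shared shortcode or partial that takes the demonstrated token type as a parameter, so that a later change to edition availability or to the link target is made once rather than in three guides.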
