chore: replace GitHub secrets with ESC

Author: pgavlin

.github/workflows/pr-tests.yaml

@@ -1,3 +1,5 @@
+permissions:
+  id-token: write
 name: Run Acceptance Tests from PR
 
 on:

.github/workflows/publish-prerelease.yaml

@@ -5,12 +5,9 @@ on:
     tags:
       - v*.*.*-**
 
-env:
-  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
-
 permissions:
-  contents: write  # Needed to publish releases
-  packages: write  # If publishing packages
+  contents: write # Needed to publish releases
+  packages: write # If publishing packages
   id-token: write
   actions: read
   attestations: read

.github/workflows/publish-release.yaml

@@ -6,12 +6,9 @@ on:
       - v*.*.*
       - '!v*.*.*-**'
 
-env:
-  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
-
 permissions:
-  contents: write  # Needed to publish releases
-  packages: write  # Needed for publishing packages
+  contents: write # Needed to publish releases
+  packages: write # Needed for publishing packages
   id-token: write
   actions: read
   attestations: read
@@ -47,6 +44,21 @@ jobs:
     name: s3 blobs
     runs-on: ubuntu-latest
     steps:
+      - name: Generate Pulumi Access Token
+        id: generate_pulumi_token
+        uses: pulumi/auth-actions@1c89817aab0c66407723cdef72b05266e7376640 # v1.0.1
+        with:
+          organization: pulumi
+          requested-token-type: urn:pulumi:token-type:access_token:organization
+          export-environment-variables: false
+      - name: Fetch secrets from ESC
+        id: esc-secrets
+        uses: pulumi/esc-action@41fd832f44f4820124b5350b5f84a00f741f234e # v1.3.0
+        env:
+          PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
+        with:
+          environment: imports/github-secrets
+          export-environment-variables: false
       - name: Checkout Repo
         uses: actions/checkout@v3
         with:
@@ -60,7 +72,7 @@ jobs:
           role-duration-seconds: 3600
           role-external-id: upload-pulumi-release
           role-session-name: pulumi@githubActions
-          role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
+          role-to-assume: ${{ steps.esc-secrets.outputs.AWS_UPLOAD_ROLE_ARN }}
       - name: Download release artifacts
         run: |
           mkdir -p artifacts
@@ -82,14 +94,29 @@ jobs:
           - name: Dispatch docs workflow
             run-command: pulumictl create cli-docs-build "${{ github.ref_name }}" --event-type "esc-cli"
     steps:
+      - name: Generate Pulumi Access Token
+        id: generate_pulumi_token
+        uses: pulumi/auth-actions@1c89817aab0c66407723cdef72b05266e7376640 # v1.0.1
+        with:
+          organization: pulumi
+          requested-token-type: urn:pulumi:token-type:access_token:organization
+          export-environment-variables: false
+      - name: Fetch secrets from ESC
+        id: esc-secrets
+        uses: pulumi/esc-action@41fd832f44f4820124b5350b5f84a00f741f234e # v1.3.0
+        env:
+          PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
+        with:
+          environment: imports/github-secrets
+          export-environment-variables: false
       - name: Checkout Repo
         uses: actions/checkout@v3
         with:
           ref: ${{ github.ref_name }}
       - name: Install Pulumictl
         uses: jaxxstorm/action-install-gh-release@v1.7.1
         env:
-          GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+          GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
         with:
           repo: pulumi/pulumictl
           tag: v0.0.45

.github/workflows/publish-snapshot.yaml

@@ -8,12 +8,9 @@ on:
       - 'CHANGELOG_PENDING.md'
       - 'README.md'
 
-env:
-  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
-
 permissions:
-  contents: write  # Needed to publish releases
-  packages: write  # If publishing packages
+  contents: write # Needed to publish releases
+  packages: write # If publishing packages
   id-token: write
   actions: read
   attestations: read

.github/workflows/stage-lint.yml

@@ -1,17 +1,30 @@
+permissions:
+  id-token: write
 name: Lint
 
 on:
-  workflow_call:
-
+  workflow_call: null
 permissions: read-all
 
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
 jobs:
   lint:
     runs-on: ubuntu-latest
     steps:
+      - name: Generate Pulumi Access Token
+        id: generate_pulumi_token
+        uses: pulumi/auth-actions@1c89817aab0c66407723cdef72b05266e7376640 # v1.0.1
+        with:
+          organization: pulumi
+          requested-token-type: urn:pulumi:token-type:access_token:organization
+          export-environment-variables: false
+      - name: Fetch secrets from ESC
+        id: esc-secrets
+        uses: pulumi/esc-action@41fd832f44f4820124b5350b5f84a00f741f234e # v1.3.0
+        env:
+          PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
+        with:
+          environment: imports/github-secrets
+          export-environment-variables: false
       - name: Checkout Repo
         uses: actions/checkout@v2
       - name: Set up Go 1.23
@@ -25,12 +38,6 @@ jobs:
             echo "::error go.mod not tidy"
             exit 1
           fi
-
-      # We leverage the golangci-lint action to install
-      # and maintain the cache,
-      # but we want to run the command ourselves.
-      # The action doesn't have an install-only mode,
-      # so we'll ask it to print its version only.
       - name: Install golangci-lint
         uses: golangci/golangci-lint-action@v3
         with:
@@ -42,6 +49,21 @@ jobs:
   check-copyright:
     runs-on: ubuntu-latest
     steps:
+      - name: Generate Pulumi Access Token
+        id: generate_pulumi_token
+        uses: pulumi/auth-actions@1c89817aab0c66407723cdef72b05266e7376640 # v1.0.1
+        with:
+          organization: pulumi
+          requested-token-type: urn:pulumi:token-type:access_token:organization
+          export-environment-variables: false
+      - name: Fetch secrets from ESC
+        id: esc-secrets
+        uses: pulumi/esc-action@41fd832f44f4820124b5350b5f84a00f741f234e # v1.3.0
+        env:
+          PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
+        with:
+          environment: imports/github-secrets
+          export-environment-variables: false
       - name: Checkout Repo
         uses: actions/checkout@v2
       - name: Install pulumictl

.github/workflows/stage-publish.yml

@@ -8,17 +8,30 @@ on:
         type: string
 
 permissions:
-  contents: write  # Needed for publishing releases
-  packages: write  # Needed for publishing packages
-
-env:
-  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+  contents: write # Needed for publishing releases
+  packages: write # Needed for publishing packages
+  id-token: write
 
 jobs:
   publish:
     name: Publish
     runs-on: macos-latest
     steps:
+      - name: Generate Pulumi Access Token
+        id: generate_pulumi_token
+        uses: pulumi/auth-actions@1c89817aab0c66407723cdef72b05266e7376640 # v1.0.1
+        with:
+          organization: pulumi
+          requested-token-type: urn:pulumi:token-type:access_token:organization
+          export-environment-variables: false
+      - name: Fetch secrets from ESC
+        id: esc-secrets
+        uses: pulumi/esc-action@41fd832f44f4820124b5350b5f84a00f741f234e # v1.3.0
+        env:
+          PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
+        with:
+          environment: imports/github-secrets
+          export-environment-variables: false
       - name: Checkout Repo
         uses: actions/checkout@v2
       - name: Unshallow clone for tags

.github/workflows/stage-test.yml

@@ -1,3 +1,5 @@
+permissions:
+  id-token: write
 name: Test
 
 on:
@@ -22,6 +24,21 @@ jobs:
     name: Test
     runs-on: ubuntu-latest
     steps:
+      - name: Generate Pulumi Access Token
+        id: generate_pulumi_token
+        uses: pulumi/auth-actions@1c89817aab0c66407723cdef72b05266e7376640 # v1.0.1
+        with:
+          organization: pulumi
+          requested-token-type: urn:pulumi:token-type:access_token:organization
+          export-environment-variables: false
+      - name: Fetch secrets from ESC
+        id: esc-secrets
+        uses: pulumi/esc-action@41fd832f44f4820124b5350b5f84a00f741f234e # v1.3.0
+        env:
+          PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
+        with:
+          environment: imports/github-secrets
+          export-environment-variables: false
       - name: Checkout Repo
         uses: actions/checkout@v2
         with:
@@ -45,7 +62,7 @@ jobs:
         with:
           fail_ci_if_error: false
           verbose: true
-          token: ${{ secrets.CODECOV_TOKEN }}
+          token: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
     strategy:
       fail-fast: false
       matrix: