pulumi · blampe · Sep 18, 2025 · Sep 15, 2025 · Sep 15, 2025 · Sep 16, 2025
diff --git a/.github/workflows/acceptance-test.yml b/.github/workflows/acceptance-test.yml
@@ -21,9 +21,6 @@ on:
         type: string
         description: Override the version when building
 
-env:
-  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
-
 jobs:
   comment-notification:
     runs-on: ubuntu-latest
@@ -34,7 +31,7 @@ jobs:
       - name: Update with Result
         uses: peter-evans/create-or-update-comment@v1
         with:
-          token: ${{ secrets.PULUMI_BOT_TOKEN }}
+          token: ${{ secrets.GITHUB_TOKEN }}
           repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
           issue-number: ${{ github.event.client_payload.github.payload.issue.number }}
           body: "Please view the PR build: ${{ steps.vars.outputs.run-url }}"

diff --git a/.github/workflows/autorest-scheduled.yml b/.github/workflows/autorest-scheduled.yml
@@ -11,11 +11,15 @@ jobs:
   version:
     uses: ./.github/workflows/version.yml
     secrets: inherit
+    permissions:
+      id-token: write # For ESC secrets.
 
   build_test:
     uses: ./.github/workflows/build-test.yml
     secrets: inherit
     needs: version
+    permissions:
+      id-token: write # For ESC secrets.
     with:
       ref: ${{ github.ref }}
       version: ${{ needs.version.outputs.version }}

diff --git a/.github/workflows/build-test.yml b/.github/workflows/build-test.yml
@@ -32,35 +32,29 @@ on:
         default: true
 
 env:
-  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
   PROVIDER: azure-native
   PROVIDER_VERSION: ${{ inputs.version }}
-  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
   PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
   # TRAVIS_OS_NAME required by https://github.com/pulumi/scripts/blob/master/ci/publish-tfgen-package
   TRAVIS_OS_NAME: linux
-  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
   PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
   ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e # application id of the "TravisCI" service principal
-  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
-  ARM_CLIENT_CERTIFICATE_PASSWORD_FOR_TEST: ${{ secrets.ARM_CLIENT_CERTIFICATE_PASSWORD }}
   ARM_LOCATION: westus2
   ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
   ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
   PULUMI_API: https://api.pulumi-staging.io
   # Feature toggle that's read in provider.go enableAzcoreBackend()
   PULUMI_ENABLE_AZCORE_BACKEND: ${{ inputs.use_azcore }}
-  # This is the content of a ~/.azure/ folder, zipped and base64-encoded, for CLI auth.
+  # AZURE_CLI_FOLDER is the content of a ~/.azure/ folder, zipped and base64-encoded, for CLI auth.
   # If/when the contained refresh token expires, someone with access to our subscription needs to
   # `az login` on their own computer and repeat the steps below.
-  # Generated by using @mikhail's .azure folder and running:
+  # Generated by using @EronWright's .azure folder and running:
   #     cp -R ~/.azure ~/azure
   #     cd ~/azure
   #     rm -rf .DS_Store logs/ commands/* cliextensions/ extensionCommandTree.json
   #     zip -v azure.zip *
   #     base64 --input azure.zip | clipcopy
   #     Paste into repo secret
-  AZURE_CLI_FOLDER: ${{ secrets.AZURE_CLI_FOLDER }}
 
 jobs:
   prerequisites:
@@ -207,6 +201,15 @@ jobs:
           ref: ${{ inputs.ref }}
           submodules: true
 
+      - env:
+          ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+          ESC_ACTION_OIDC_AUTH: "true"
+          ESC_ACTION_OIDC_ORGANIZATION: pulumi
+          ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+        id: esc-secrets
+        name: Fetch secrets from ESC
+        uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+
       - name: Setup
         uses: ./.github/actions/test-setup
         with:
@@ -216,7 +219,7 @@ jobs:
         # The provider wants the cert as a path to a cert file but GH secrets can only be strings.
         # We store the base64-encoded cert as a secret, decode it here, and write it out to a file.
         run: |
-          echo "${{ secrets.ARM_CLIENT_CERTIFICATE }}" | base64 -d > "${{ runner.temp }}/azure-client-certificate.pfx"
+          echo "${{ steps.esc-secrets.outputs.ARM_CLIENT_CERTIFICATE }}" | base64 -d > "${{ runner.temp }}/azure-client-certificate.pfx"
           echo "ARM_CLIENT_CERTIFICATE_PATH_FOR_TEST=${{ runner.temp }}/azure-client-certificate.pfx" >> "$GITHUB_ENV"
 
       - name: Write .azure.tmp folder
@@ -225,7 +228,7 @@ jobs:
         # tests using it unintentionally since CLI is the fallback auth method.
         run: |
           set -euxo pipefail
-          echo "${{ secrets.AZURE_CLI_FOLDER }}" | base64 -d > "${{ runner.temp }}/azure-cli-folder.zip"
+          echo "${{ steps.esc-secrets.outputs.AZURE_CLI_FOLDER }}" | base64 -d > "${{ runner.temp }}/azure-cli-folder.zip"
           # Unzip it to a temp folder to avoid other tests using it unintentionally (since CLI auth is the fallback method).
           # We only want one specific test to use it.
           unzip -d "$HOME/.azure.tmp" "${{ runner.temp }}/azure-cli-folder.zip"
@@ -313,6 +316,15 @@ jobs:
           ref: ${{ inputs.ref }}
           submodules: true
 
+      - env:
+          ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+          ESC_ACTION_OIDC_AUTH: "true"
+          ESC_ACTION_OIDC_ORGANIZATION: pulumi
+          ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+        id: esc-secrets
+        name: Fetch secrets from ESC
+        uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+
       - name: Install Languages & Frameworks
         uses: ./.github/actions/install
         with:
@@ -334,7 +346,7 @@ jobs:
         # The provider wants the cert as a path to a cert file but GH secrets can only be strings.
         # We store the base64-encoded cert as a secret, decode it here, and write it out to a file.
         run: |
-          echo "${{ secrets.ARM_CLIENT_CERTIFICATE }}" | base64 -d > "${{ runner.temp }}/azure-client-certificate.pfx"
+          echo "${{ steps.esc-secrets.outputs.ARM_CLIENT_CERTIFICATE }}" | base64 -d > "${{ runner.temp }}/azure-client-certificate.pfx"
           echo "ARM_CLIENT_CERTIFICATE_PATH_FOR_TEST=${{ runner.temp }}/azure-client-certificate.pfx" >> "$GITHUB_ENV"
 
       - name: Write .azure.tmp folder
@@ -343,7 +355,7 @@ jobs:
         # tests using it unintentionally since CLI is the fallback auth method.
         run: |
           set -euxo pipefail
-          echo "${{ secrets.AZURE_CLI_FOLDER }}" | base64 -d > "${{ runner.temp }}/azure-cli-folder.zip"
+          echo "${{ steps.esc-secrets.outputs.AZURE_CLI_FOLDER }}" | base64 -d > "${{ runner.temp }}/azure-cli-folder.zip"
           # Unzip it to a temp folder to avoid other tests using it unintentionally (since CLI auth is the fallback method).
           # We only want one specific test to use it.
           unzip -d "$HOME/.azure.tmp" "${{ runner.temp }}/azure-cli-folder.zip"
@@ -354,6 +366,8 @@ jobs:
         env:
           # specifying this id will cause the OIDC test(s) to run against this AD application
           OIDC_ARM_CLIENT_ID: ${{ inputs.oidc_arm_client_id }}
+          ARM_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.ARM_CLIENT_SECRET }}
+          ARM_CLIENT_CERTIFICATE_PASSWORD_FOR_TEST: ${{ steps.esc-secrets.outputs.ARM_CLIENT_CERTIFICATE_PASSWORD }}
         run: |
           set -euo pipefail
           cd provider && go test -coverprofile="coverage.txt" -coverpkg=./... -timeout 1h -parallel 16 ./... 2>&1 | tee /tmp/gotest.log
@@ -362,19 +376,30 @@ jobs:
         uses: codecov/codecov-action@v4
         if: inputs.upload_codecov
         env:
-          CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+          CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
 
   dist:
     runs-on: ubuntu-latest
     name: Provider Dist
     needs: prerequisites
+    permissions:
+      id-token: write # required for OIDC auth
     steps:
       - name: Checkout Repo
         uses: actions/checkout@v4
         with:
           submodules: true
           ref: ${{ inputs.ref }}
 
+      - env:
+          ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+          ESC_ACTION_OIDC_AUTH: "true"
+          ESC_ACTION_OIDC_ORGANIZATION: pulumi
+          ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+        id: esc-secrets
+        name: Fetch secrets from ESC
+        uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+
       - name: Install Languages & Frameworks
         uses: ./.github/actions/install
         with:
@@ -395,10 +420,10 @@ jobs:
       - name: Build dist packages
         run: make dist
         env:
-          AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
-          AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
-          AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
-          AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
+          AZURE_SIGNING_CLIENT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID }}
+          AZURE_SIGNING_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET }}
+          AZURE_SIGNING_TENANT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID }}
+          AZURE_SIGNING_KEY_VAULT_URI: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI }}
 
       - name: Upload artifacts
         uses: actions/upload-artifact@v4

diff --git a/.github/workflows/command-dispatch.yml b/.github/workflows/command-dispatch.yml
@@ -7,8 +7,6 @@ on:
       - edited
 
 env:
-  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
-  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
   PULUMI_API: https://api.pulumi-staging.io
 
 jobs:
@@ -20,9 +18,17 @@ jobs:
         uses: actions/checkout@v4
         with:
           submodules: true
+      - env:
+          ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+          ESC_ACTION_OIDC_AUTH: "true"
+          ESC_ACTION_OIDC_ORGANIZATION: pulumi
+          ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+        id: esc-secrets
+        name: Fetch secrets from ESC
+        uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
       - uses: peter-evans/slash-command-dispatch@v2
         with:
-          token: ${{ secrets.PULUMI_BOT_TOKEN }}
+          token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
           reaction-token: ${{ secrets.GITHUB_TOKEN }}
           commands: run-acceptance-tests
           permission: write

diff --git a/.github/workflows/master.yml b/.github/workflows/master.yml
@@ -21,10 +21,14 @@ on:
 
 jobs:
   version:
+    permissions:
+      id-token: write # For ESC secrets.
     uses: ./.github/workflows/version.yml
     secrets: inherit
 
   build_test:
+    permissions:
+      id-token: write # For ESC secrets.
     uses: ./.github/workflows/build-test.yml
     secrets: inherit
     needs: version
@@ -40,6 +44,8 @@ jobs:
       retention_days: 30
 
   publish:
+    permissions:
+      id-token: write # For ESC secrets.
     uses: ./.github/workflows/publish.yml
     secrets: inherit
     needs:

diff --git a/.github/workflows/nightly-sdk-generation.yml b/.github/workflows/nightly-sdk-generation.yml
@@ -4,21 +4,10 @@ on:
     - cron: 35 4 * * 1-5
   workflow_dispatch: {}
 env:
-  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
   PROVIDER: azure-native
-  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
   PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
-  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
-  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
-  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
   TRAVIS_OS_NAME: linux
-  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
   PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
-  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
-  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
-  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
-  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
-  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
   ARM_LOCATION: westus2
   PULUMI_API: https://api.pulumi-staging.io
   PROVIDER_VERSION: 3.0.0-alpha.0+dev
@@ -27,6 +16,9 @@ jobs:
     # Use a more powerful runner to fix pulumi/pulumi-azure-native#2767
     runs-on: pulumi-ubuntu-8core
     name: generate-sdk
+    permissions:
+      contents: write # For PR.
+      id-token: write # For ESC secrets.
     steps:
       # We do a deep checkout so we're able to push later
       - name: Checkout Repo
@@ -35,14 +27,23 @@ jobs:
           submodules: true
           fetch-depth: 0
 
+      - env:
+          ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+          ESC_ACTION_OIDC_AUTH: "true"
+          ESC_ACTION_OIDC_ORGANIZATION: pulumi
+          ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+        id: esc-secrets
+        name: Fetch secrets from ESC
+        uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+
       - name: Install Languages & Frameworks
         uses: ./.github/actions/install
         with:
           skip_dotnet_and_java: "true"
 
       - uses: azure/login@v2
         with:
-          creds: ${{ secrets.AZURE_RBAC_SERVICE_PRINCIPAL }}
+          creds: ${{ steps.esc-secrets.outputs.AZURE_RBAC_SERVICE_PRINCIPAL }}
 
       - name: Cleanup SDK Folder
         # Remove the per-language folders but preserve the checked-in go.mod
@@ -86,7 +87,7 @@ jobs:
         uses: repo-sync/pull-request@v2.12.1
         with:
           destination_branch: master
-          github_token: ${{ secrets.PULUMI_BOT_TOKEN }}
+          github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
           pr_body: "*Automated PR*"
           pr_title: Automated SDK generation @ azure-rest-api-specs ${{
             steps.vars.outputs.commit-hash }}
@@ -111,7 +112,7 @@ jobs:
         if: steps.create-pr.outputs.has_changed_files && contains(steps.schema-tools.outputs.summary, 'Looking good! No breaking changes found.')
         run: gh pr merge ${{ steps.create-pr.outputs.pr_number }} --squash --auto --repo ${{ github.repository }}
         env:
-          GH_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+          GH_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
 
       - if: failure() && github.event_name == 'push'
         name: Notify Slack