@pgavlin pgavlin commented Apr 29, 2025

These changes migrate this repo's GitHub Actions Workflows to use ESC secrets instead of GitHub Secrets.

The changes are largely mechanical:

  • Common configuration for all ESC actions within a workflow is added to the workflow's environment variables
  • Permissions are expanded as necessary for workflows that do not grant id-token: write permissions
    • read-all permissions are replaced with the union of all explicit read permissions and id-token: write
    • Default permissions are replaced with write-all, which is the equivalent of all explicit write permissions and
      id-token: write
    • Explicit permissions are modified to grant id-token: write
  • A step that fetches ESC secrets and populates environment variables is added to each step that reads secrets
  • Direct references to secrets within the job are replaced with references to the step's outputs

All ESC actions are configured to fetch secrets from a shared ESC environment that contains secrets migrated from GitHub Actions. The ESC action performs its own OIDC exchange to obtain a Pulumi Access Token.
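The migration steps listed above, shown on a minimal workflow as an added illustration (not a workflow from this repository): the `read-all` preset, a direct `secrets.*` reference, and the migrated form with explicit read permissions plus `id-token: write`, a secret-fetching step, and step-output references. The action name, the `ESC_ACTION_*` variable names, the organization, the environment path and the secret name are assumptions; check the ESC action's own documentation for the exact inputs.

```yaml
# Before: the job reads a GitHub Secret directly and relies on the read-all preset.
# (Illustrative fragment; not this repository's actual workflow.)
name: ci
on: [push]
permissions: read-all
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: make test
        env:
          SOME_API_TOKEN: ${{ secrets.SOME_API_TOKEN }}   # hypothetical secret name
---
# After: the same job migrated to ESC secrets, following the steps in the PR description.
name: ci
on: [push]
# Common ESC action configuration hoisted to workflow-level env.
# Variable names, organization and environment path are assumed placeholders.
env:
  ESC_ACTION_OIDC_AUTH: true
  ESC_ACTION_OIDC_ORGANIZATION: example-org
  ESC_ACTION_ENVIRONMENT: example-org/github-secrets/ci
# A preset such as read-all cannot be extended with a single extra scope:
# listing any permission explicitly drops the rest, so the preset is replaced
# with the union of the read scopes the job actually uses plus id-token: write,
# which the ESC action needs for its OIDC exchange.
permissions:
  contents: read
  id-token: write
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Fetch secrets from the shared ESC environment. The action performs its
      # own OIDC exchange to obtain a Pulumi Access Token; no long-lived token
      # is stored as a GitHub Secret.
      - id: esc-secrets
        uses: pulumi/esc-action@v1   # assumed action reference
      # Direct secrets.* references become references to the fetch step's outputs.
      - run: make test
        env:
          SOME_API_TOKEN: ${{ steps.esc-secrets.outputs.SOME_API_TOKEN }}
```

Jobs that previously used the default permissions get `write-all` instead, since that preset already includes `id-token: write`.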

@pgavlin pgavlin force-pushed the pgavlin/esc-secrets branch from 4298a09 to f43e8f5 April 30, 2025 18:30
@pgavlin pgavlin requested a review from komalali April 30, 2025 18:30
@pgavlin pgavlin added the impact/no-changelog-required (This issue doesn't require a CHANGELOG update) label Apr 30, 2025
@pgavlin pgavlin force-pushed the pgavlin/esc-secrets branch 2 times, most recently from 1d7fe8b to fb917bf April 30, 2025 19:38
@pgavlin pgavlin force-pushed the pgavlin/esc-secrets branch from fb917bf to 6799854 July 24, 2025 17:30
@pgavlin pgavlin force-pushed the pgavlin/esc-secrets branch from 6799854 to 69cafb6 July 24, 2025 17:54