Conversation

@pgavlin
Member

@pgavlin pgavlin commented Apr 29, 2025

These changes migrate this repo's GitHub Actions Workflows to use ESC secrets instead of GitHub Secrets.

The changes are largely mechanical:

  • Common configuration for all ESC actions within a workflow is added to the workflow's environment variables
  • Permissions are expanded as necessary for workflows that do not grant id-token: write permissions
    • read-all permissions are replaced with the union of all explicit read permissions and id-token: write
    • Default permissions are replaced with write-all, which is the equivalent of all explicit write permissions and
      id-token: write
    • Explicit permissions are modified to grant id-token: write
  • A step that fetches ESC secrets and populates environment variables is added to each step that reads secrets
  • Direct references to secrets within the job are replaced with references to the step's outputs

All ESC actions are configured to fetch secrets from a shared ESC environment that contains secrets migrated from GitHub Actions. The ESC action performs its own OIDC exchange to obtain a Pulumi Access Token.
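The mechanical steps listed above, shown on one small workflow job before and after the migration. This is an added illustration, not a hunk from this PR: the workflow name, the `ESC_ENV` variable, the `pulumi/esc-action` reference and its `environment` input, the `NPM_TOKEN` secret name and the `steps.esc-secrets.outputs.*` output are all assumed for the example and not taken from the PR.

```yaml
# BEFORE (constructed example): the job reads a GitHub Secret directly and
# relies on the blanket read-all permission set.
name: ci
on: [push]
permissions: read-all
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: ./run-tests.sh
        env:
          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}

---
# AFTER (constructed example): the same job after applying the PR's rules.
name: ci
on: [push]
# Rule: read-all is replaced by the union of the explicit read permissions the
# job actually uses plus id-token: write, which is what lets the ESC action
# request an OIDC token for its own exchange. (For a workflow that relied on
# the default permissions the PR uses write-all instead; explicit permission
# blocks just gain the id-token: write entry.)
permissions:
  contents: read
  id-token: write
env:
  # Rule: configuration common to every ESC step in the workflow lives in the
  # workflow-level environment. The variable name and value are assumed.
  ESC_ENV: my-org/github-secrets/ci   # assumed: shared environment holding migrated secrets
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # Rule: a step that fetches ESC secrets is added to each job that reads
      # secrets. The action performs its own OIDC exchange using the job's
      # id-token: write permission, so no long-lived Pulumi token is stored in
      # GitHub. The input name is assumed.
      - id: esc-secrets
        uses: pulumi/esc-action@v1
        with:
          environment: ${{ env.ESC_ENV }}
      - run: ./run-tests.sh
        env:
          # Rule: the direct secrets.* reference is replaced with a reference to
          # the fetch step's output (output name assumed).
          NPM_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }}
```

Two things to check when reviewing a change of this shape: first, that every job which gained `id-token: write` really needs it, since that permission is what allows the job's GitHub identity to be exchanged for a Pulumi Access Token; second, that the OIDC trust configured on the Pulumi side restricts the exchange to the intended repositories and branches, because once secrets are served from one shared environment, that trust policy (rather than per-repository GitHub Secrets scoping) is what bounds who can read them.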

@pgavlin pgavlin requested a review from a team as a code owner April 29, 2025 22:42
@pgavlin pgavlin force-pushed the pgavlin/esc-secrets branch from e99b4f9 to 4e86e25 Compare April 30, 2025 18:35
@pgavlin pgavlin added the impact/no-changelog-required This issue doesn't require a CHANGELOG update label Apr 30, 2025
@pgavlin pgavlin requested a review from komalali April 30, 2025 18:35
@pgavlin pgavlin force-pushed the pgavlin/esc-secrets branch 2 times, most recently from 58cc14f to 6ff59c5 Compare April 30, 2025 19:40
@pgavlin pgavlin force-pushed the pgavlin/esc-secrets branch from 6ff59c5 to 174f475 Compare July 24, 2025 17:32
@pgavlin pgavlin force-pushed the pgavlin/esc-secrets branch from 174f475 to c8705c3 Compare July 24, 2025 18:02