From 2377408ede38fa22a71e992203da2000797acd4c Mon Sep 17 00:00:00 2001
From: Pat Gavlin
Date: Mon, 12 May 2025 11:18:13 -0700
Subject: [PATCH] Add an 'export secrets' workflow

This repository has repository-specific secrets that need to be migrated to ESC. These changes add a GitHub Actions workflow to perform this migration.

---
.github/workflows/export-secrets.yml | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
create mode 100644 .github/workflows/export-secrets.yml

diff --git a/.github/workflows/export-secrets.yml b/.github/workflows/export-secrets.yml
new file mode 100644
index 000000000000..a08117c316d6
--- /dev/null
+++ b/.github/workflows/export-secrets.yml
@@ -0,0 +1,25 @@
+permissions: write-all # Equivalent to default permissions plus id-token: write
+name: Export secrets to ESC
+on: [ workflow_dispatch ]
+jobs:
+ export-to-esc:
+ runs-on: ubuntu-latest
+ name: export GitHub secrets to ESC
+ steps:
+ - name: Generate a GitHub token
+ id: generate-token
+ uses: actions/create-github-app-token@v1
+ with:
+ app-id: 1256780 # Export Secrets GitHub App
+ private-key: ${{ secrets.EXPORT_SECRETS_PRIVATE_KEY }}
+ - name: Export secrets to ESC
+ uses: pulumi/esc-export-secrets-action@v1
+ with:
+ organization: pulumi
+ org-environment: imports/github-secrets
+ exclude-secrets: EXPORT_SECRETS_PRIVATE_KEY
+ github-token: ${{ steps.generate-token.outputs.token }}
+ oidc-auth: true
+ oidc-requested-token-type: urn:pulumi:token-type:access_token:organization
+ env:
+ GITHUB_SECRETS: ${{ toJSON(secrets) }}
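Review bot: `permissions: write-all` on the first line of the new workflow grants every write scope to the job's GITHUB_TOKEN, while the comment on that same line says the only scope needed beyond the defaults is `id-token: write`; since the two steps authenticate with the app token and the OIDC token rather than GITHUB_TOKEN, the block appears to need only `permissions:` followed by `  id-token: write`, which also documents the intent better than the comment does. The same hunk hands every repository secret to a third-party action through `GITHUB_SECRETS: ${{ toJSON(secrets) }}` (the workflow's stated purpose), yet both `actions/create-github-app-token@v1` and `pulumi/esc-export-secrets-action@v1` are referenced by mutable tags; a step that receives the full secret set should pin each `uses:` to a full-length commit SHA with the tag kept in a trailing comment, so that a moved tag cannot change what runs with those secrets. The trigger is `workflow_dispatch` only, so anyone with write access to the repository can run the export; if the repository uses deployment environments, attaching the job to one with required reviewers (`environment:` under `export-to-esc`) would add an approval step, though whether such an environment exists is not visible from this patch.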