From 2377408ede38fa22a71e992203da2000797acd4c Mon Sep 17 00:00:00 2001
From: Pat Gavlin <pat@pulumi.com>
Date: Mon, 12 May 2025 11:18:13 -0700
Subject: [PATCH] Add an 'export secrets' workflow

This repository has repository-specific secrets that need to be migrated
to ESC. These changes add a GitHub Actions workflow to perform this
migration.
---
 .github/workflows/export-secrets.yml | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 .github/workflows/export-secrets.yml

diff --git a/.github/workflows/export-secrets.yml b/.github/workflows/export-secrets.yml
new file mode 100644
index 000000000000..a08117c316d6
--- /dev/null
+++ b/.github/workflows/export-secrets.yml
@@ -0,0 +1,25 @@
+permissions: write-all # Equivalent to default permissions plus id-token: write
+name: Export secrets to ESC
+on: [ workflow_dispatch ]
+jobs:
+  export-to-esc:
+    runs-on: ubuntu-latest
+    name: export GitHub secrets to ESC
+    steps:
+      - name: Generate a GitHub token
+        id: generate-token
+        uses: actions/create-github-app-token@v1
+        with:
+          app-id: 1256780 # Export Secrets GitHub App
+          private-key: ${{ secrets.EXPORT_SECRETS_PRIVATE_KEY }}
+      - name: Export secrets to ESC
+        uses: pulumi/esc-export-secrets-action@v1
+        with:
+          organization: pulumi
+          org-environment: imports/github-secrets
+          exclude-secrets: EXPORT_SECRETS_PRIVATE_KEY
+          github-token: ${{ steps.generate-token.outputs.token }}
+          oidc-auth: true
+          oidc-requested-token-type: urn:pulumi:token-type:access_token:organization
+        env:
+          GITHUB_SECRETS: ${{ toJSON(secrets) }}