Use ESC secrets

Author: pgavlin

.github/workflows/bucket-cleanup.yml

@@ -3,6 +3,10 @@ env:
   ESC_ACTION_OIDC_ORGANIZATION: pulumi
   ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
   ESC_ACTION_ENVIRONMENT: github-secrets/pulumi-registry
+  ESC_ACTION_OIDC_AUTH: true
+  ESC_ACTION_OIDC_ORGANIZATION: pulumi
+  ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+  ESC_ACTION_ENVIRONMENT: imports/github-secrets
   ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: false
 name: "Scheduled jobs: Bucket cleanup"
 on:
@@ -22,6 +26,9 @@ jobs:
     environment: production
     runs-on: ubuntu-latest
     steps:
+      - name: Fetch secrets from ESC
+        id: esc-secrets
+        uses: pulumi/esc-action@v1
       - name: Fetch secrets from ESC
         id: esc-secrets
         uses: pulumi/esc-action@cf5b30703ffd5ad60cc3a880c09b3a9592b9372d # v1

.github/workflows/export-repo-secrets.yml

@@ -1,17 +1,26 @@
+env:
+  ESC_ACTION_OIDC_AUTH: true
+  ESC_ACTION_OIDC_ORGANIZATION: pulumi
+  ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+  ESC_ACTION_ENVIRONMENT: imports/github-secrets
+  ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: false
 permissions: write-all # Equivalent to default permissions plus id-token: write
 name: Export secrets to ESC
-on: [ workflow_dispatch ]
+on: [workflow_dispatch]
 jobs:
   export-to-esc:
     runs-on: ubuntu-latest
     name: export GitHub secrets to ESC
     steps:
+      - name: Fetch secrets from ESC
+        id: esc-secrets
+        uses: pulumi/esc-action@v1
       - name: Generate a GitHub token
         id: generate-token
         uses: actions/create-github-app-token@v1
         with:
           app-id: 1256780 # Export Secrets GitHub App
-          private-key: ${{ secrets.EXPORT_SECRETS_PRIVATE_KEY }}
+          private-key: ${{ steps.esc-secrets.outputs.EXPORT_SECRETS_PRIVATE_KEY }}
       - name: Export secrets to ESC
         uses: pulumi/esc-export-secrets-action@v1
         with: