Learn how Pulumi eliminated static CI secrets across 70+ repos using Pulumi ESC and OIDC, reducing supply chain attack risk with short-lived credentials.

The Pulumi blog provides developers with resources, tutorials, and best practices for infrastructure as code (IaC) and cloud-native development using Pulumi's open-source tools. Developers can learn about deploying and managing infrastructure using familiar programming languages such as JavaScript, TypeScript, Python, and Go. Additionally, the blog covers topics such as cloud architecture patterns, multi-cloud deployments, and serverless computing, enabling developers to build and deploy modern cloud applications with ease.

Pulumi

Pulumi eliminated all long-lived static CI secrets across 70+ provider repositories by replacing GitHub Secrets with short-lived, dynamically fetched credentials using Pulumi ESC and OIDC. The approach chains GitHub-issued OIDC tokens through Pulumi Cloud to fetch ephemeral cloud credentials (AWS, Azure, GCP) at runtime, leaving nothing persistent to steal. The migration was managed centrally via ci-mgmt tooling, giving uniform patterns, centralized audit logging, and single-point credential rotation. In a supply chain attack scenario, a compromised GitHub Action finds no stored secrets and only short-lived tokens scoped to the current run.

How We Eliminated Long-Lived CI Secrets Across 70+ Repos

What happens if a GitHub Action is compromised