permissions: write-all # Equivalent to default permissions plus id-token: write
name: Export secrets to ESC
on: [workflow_dispatch]
jobs:
  export-to-esc:
    runs-on: ubuntu-latest
    name: export GitHub secrets to ESC
    steps:
      - name: Generate a GitHub token
        id: generate-token
        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
        with:
          app-id: 1256780 # Export Secrets GitHub App
          private-key: ${{ secrets.EXPORT_SECRETS_PRIVATE_KEY }}
      - name: Export secrets to ESC
        uses: pulumi/esc-export-secrets-action@9d6485759b6adff2538ae91f1b77cc96265c9dad # v1
        with:
          organization: pulumi
          org-environment: imports/github-secrets
          exclude-secrets: EXPORT_SECRETS_PRIVATE_KEY
          github-token: ${{ steps.generate-token.outputs.token }}
          oidc-auth: true
          oidc-requested-token-type: urn:pulumi:token-type:access_token:organization
        env:
          GITHUB_SECRETS: ${{ toJSON(secrets) }}