diff --git a/.github/workflows/export-repo-secrets.yml b/.github/workflows/export-repo-secrets.yml
index e031283..ece9c45 100644
--- a/.github/workflows/export-repo-secrets.yml
+++ b/.github/workflows/export-repo-secrets.yml
@@ -1,17 +1,26 @@
+env:
+ ESC_ACTION_OIDC_AUTH: true
+ ESC_ACTION_OIDC_ORGANIZATION: pulumi
+ ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+ ESC_ACTION_ENVIRONMENT: imports/github-secrets
+ ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: false
 permissions: write-all # Equivalent to default permissions plus id-token: write
 name: Export secrets to ESC
-on: [ workflow_dispatch ]
+on: [workflow_dispatch]
 jobs:
 export-to-esc:
 runs-on: ubuntu-latest
 name: export GitHub secrets to ESC
 steps:
+ - name: Fetch secrets from ESC
+ id: esc-secrets
+ uses: pulumi/esc-action@v1
 - name: Generate a GitHub token
 id: generate-token
 uses: actions/create-github-app-token@v1
 with:
 app-id: 1256780 # Export Secrets GitHub App
- private-key: ${{ secrets.EXPORT_SECRETS_PRIVATE_KEY }}
+ private-key: ${{ steps.esc-secrets.outputs.EXPORT_SECRETS_PRIVATE_KEY }}
 - name: Export secrets to ESC
 uses: pulumi/esc-export-secrets-action@v1
 with:
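Review bot: The added `Fetch secrets from ESC` step references `pulumi/esc-action@v1` by a movable tag, yet it is now the step that obtains an organization-scoped Pulumi token over OIDC and returns `EXPORT_SECRETS_PRIVATE_KEY`, so whatever the tag points to at run time sees both. Pin it to a full commit SHA, e.g. `uses: pulumi/esc-action@<full-commit-sha> # v1` (placeholder; take the SHA from the release you reviewed); the same applies to the two actions on the context lines. Since OIDC itself only needs `id-token: write`, the workflow-level `permissions: write-all` could be narrowed to that plus whatever read scope the job really uses; I can't tell from the hunk whether any step relies on the broader GITHUB_TOKEN. It is also worth confirming that the action masks the output value in logs, because the key now travels as a step output rather than a `secrets.*` reference. The last step's `with:` block continues outside the hunk.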