From 1f84ed28a9281f5608e9b25f61fa4afe3f9fd0e5 Mon Sep 17 00:00:00 2001
From: Pat Gavlin
Date: Thu, 24 Jul 2025 11:30:16 -0600
Subject: [PATCH] Use ESC secrets
---
 .github/workflows/export-repo-secrets.yml | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/export-repo-secrets.yml b/.github/workflows/export-repo-secrets.yml
index e031283..ece9c45 100644
--- a/.github/workflows/export-repo-secrets.yml
+++ b/.github/workflows/export-repo-secrets.yml
@@ -1,17 +1,26 @@
+env:
+ ESC_ACTION_OIDC_AUTH: true
+ ESC_ACTION_OIDC_ORGANIZATION: pulumi
+ ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+ ESC_ACTION_ENVIRONMENT: imports/github-secrets
+ ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: false
 permissions: write-all # Equivalent to default permissions plus id-token: write
 name: Export secrets to ESC
-on: [ workflow_dispatch ]
+on: [workflow_dispatch]
 jobs:
 export-to-esc:
 runs-on: ubuntu-latest
 name: export GitHub secrets to ESC
 steps:
+ - name: Fetch secrets from ESC
+ id: esc-secrets
+ uses: pulumi/esc-action@v1
 - name: Generate a GitHub token
 id: generate-token
 uses: actions/create-github-app-token@v1
 with:
 app-id: 1256780 # Export Secrets GitHub App
- private-key: ${{ secrets.EXPORT_SECRETS_PRIVATE_KEY }}
+ private-key: ${{ steps.esc-secrets.outputs.EXPORT_SECRETS_PRIVATE_KEY }}
 - name: Export secrets to ESC
 uses: pulumi/esc-export-secrets-action@v1
 with:
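Review bot: The new `Fetch secrets from ESC` step is referenced by the mutable tag `pulumi/esc-action@v1`, yet it now sits on the path that hands the Export Secrets app's private key to the next step. Because the workflow keeps `permissions: write-all`, every step in the job can request an OIDC token, which the new `env:` block says is exchanged for an organization-scoped Pulumi token; pinning by commit, `uses: pulumi/esc-action@<full-commit-sha> # v1` (placeholder, take the SHA from the release), would fix what code runs there. It would also be worth narrowing the permissions to what the job actually uses, presumably `id-token: write` plus whatever the export action needs. Separately, the key now arrives as a step output rather than from the `secrets` context, so log masking depends on esc-action registering the value as a secret; that is not visible in this hunk and is worth confirming. The final `with:` block continues outside the hunk.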