
How We Eliminated Long-Lived CI Secrets Across 70+ Repos

Blog post from Pulumi

Post Details

Company: Pulumi
Date Published:
Author: Boris Schlosser
Word Count: 1,172
Language: English
Hacker News Points: -
Summary

Supply chain attacks on CI/CD pipelines, particularly through GitHub Actions, are on the rise: attackers use tag poisoning of third-party actions to reach sensitive data such as environment variables and cloud credentials. To counter this, Pulumi moved from static GitHub Secrets to a dynamic approach built on Pulumi ESC and OpenID Connect (OIDC), in which each workflow run obtains a short-lived, cryptographically signed token. No static credentials are stored in the repository, and any credentials fetched with that token are ephemeral and scoped to specific roles, which reduces both the likelihood and the impact of a compromise. Rolling this out across more than 70 repositories strengthened Pulumi's security posture, made it verifiable and auditable, and gave the team centralized control and visibility that traditional GitHub Secrets cannot provide. Because a compromised action finds no long-lived secrets to steal, the blast radius of such an attack is limited.