Author: Boris Schlosser
Word count: 733
Language: English
Hacker News points: None

Summary

Pulumi has added native OIDC token exchange support to its CLI, addressing the security and management burden of long-lived credentials in CI/CD pipelines. CI/CD environments such as GitHub Actions, GitLab CI, or Kubernetes can now authenticate to Pulumi Cloud with short-lived tokens issued by their identity provider, so no long-lived Pulumi credential has to be stored as a pipeline secret. The token exchange mitigates credential exposure, rotation complexity, over-privileged access, and audit-trail gaps by issuing short-lived tokens whose scope is configurable. The workflow uses the `pulumi login` command with an OIDC token; the resulting access can be scoped to specific teams or users, and the CLI supports integration with various token delivery systems. The feature also works with Kubernetes clusters such as EKS, GKE, and AKS, and requires setting up an OIDC provider and configuring authorization policies in Pulumi Cloud. Pulumi encourages users to update to the latest CLI version and adapt their CI/CD workflows to take advantage of this functionality for more secure infrastructure automation.