How We Eliminated Long-Lived CI Secrets Across 70+ Repos

Pulumi Blog, Mar 31, 2026

Why It Matters

The approach shows enterprises how to dramatically shrink the blast radius of supply-chain attacks by removing persistent credentials from CI pipelines, while gaining real-time auditability and effortless rotation.

Key Takeaways

  • Replaced static GitHub secrets with OIDC-driven short-lived credentials.
  • Pulumi ESC provides centralized audit logs and policy enforcement.
  • Migration spanned 70+ repositories using automated ci-mgmt tooling.
  • Dynamic cloud credentials expire after minutes, limiting attacker persistence.
  • Single-point secret rotation updates all environments instantly.

Pulse Analysis

Supply-chain attacks on CI/CD systems have evolved from simple credential theft to sophisticated tag-poisoning of popular actions, where a trusted version tag is repointed at malicious code. Traditional pipelines store static API keys and service-account tokens as GitHub secrets, so every workflow run is exposed to the same long-lived credentials. When a malicious action gains access, attackers can exfiltrate these keys and retain privileged access for weeks, often unnoticed. This risk profile has forced organizations to rethink secret management and adopt zero-trust principles at the build stage.

Pulumi's solution uses OpenID Connect (OIDC) and the Pulumi ESC platform to replace static secrets with dynamically generated, short-lived credentials. A GitHub OIDC token, scoped to the specific repository, branch, and workflow, is exchanged for a Pulumi access token, which then opens an ESC environment. ESC uses OIDC login providers to fetch cloud credentials directly from AWS, Azure, or GCP, each limited by role-based policies and expiring after minutes. This layered approach enforces least-privilege access, eliminates secret sprawl, and provides cryptographic proof of each credential request, dramatically reducing the attack surface.
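The security of the exchange described above rests on the relying party checking the GitHub OIDC token's claims before issuing anything in return: the issuer, the intended audience, the `sub` claim that encodes repository and branch, the workflow path, and a short expiry. The following is an added example, not Pulumi's or GitHub's code, showing such a trust-policy check over a constructed token. The policy values (`example-org/example-repo`, the `deploy.yml` workflow path, the audience string) are assumptions; the claim names (`iss`, `aud`, `sub`, `repository`, `workflow_ref`, `iat`, `exp`) are the ones GitHub Actions tokens carry. Signature verification against the issuer's JWKS is deliberately out of scope here and must be performed before any claim is trusted.

```python
"""Evaluate GitHub Actions OIDC token claims against a CI trust policy.

Added example (not part of the original article). Only claim checks are
shown; a real relying party must first verify the RS256 signature against
https://token.actions.githubusercontent.com/.well-known/jwks.
"""
import base64
import json

# Constructed trust policy. All repository, workflow and audience values are
# assumptions chosen for the example.
TRUST_POLICY = {
    "issuer": "https://token.actions.githubusercontent.com",
    "audience": "example-audience",
    # Only the main branch of one repository may exchange its token.
    "allowed_subjects": {"repo:example-org/example-repo:ref:refs/heads/main"},
    # Only this workflow file (path within the repository) may do so.
    "allowed_workflows": {".github/workflows/deploy.yml"},
    # Reject tokens whose lifetime exceeds 15 minutes.
    "max_ttl_seconds": 15 * 60,
}


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Build a compact JWS with a placeholder signature (constructed test data)."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def parse_claims(token: str) -> dict:
    """Return the JWT payload as a dict. Does NOT verify the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[1]))


def evaluate(claims: dict, policy: dict, now: int) -> list:
    """Return a list of policy violations; an empty list means the exchange may proceed."""
    problems = []

    if claims.get("iss") != policy["issuer"]:
        problems.append(f"issuer mismatch: {claims.get('iss')!r}")

    # 'aud' may be a string or a list of strings.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if policy["audience"] not in audiences:
        problems.append(f"audience mismatch: {aud!r}")

    # 'sub' encodes repository and ref, e.g. repo:org/repo:ref:refs/heads/main.
    if claims.get("sub") not in policy["allowed_subjects"]:
        problems.append(f"subject not allowed: {claims.get('sub')!r}")

    # 'workflow_ref' looks like org/repo/.github/workflows/deploy.yml@refs/heads/main;
    # reduce it to the path within the repository before comparing.
    path = claims.get("workflow_ref", "").split("@", 1)[0]
    repo_prefix = claims.get("repository", "") + "/"
    if path.startswith(repo_prefix):
        path = path[len(repo_prefix):]
    if path not in policy["allowed_workflows"]:
        problems.append(f"workflow not allowed: {path!r}")

    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or exp <= now:
        problems.append("token expired or missing exp")
    elif isinstance(iat, int) and exp - iat > policy["max_ttl_seconds"]:
        problems.append("token lifetime exceeds policy maximum")

    return problems


# Constructed sample: a token as the main branch of the allowed repo would present.
NOW = 1_800_000_000
SAMPLE_CLAIMS = {
    "iss": "https://token.actions.githubusercontent.com",
    "aud": "example-audience",
    "sub": "repo:example-org/example-repo:ref:refs/heads/main",
    "repository": "example-org/example-repo",
    "ref": "refs/heads/main",
    "workflow_ref": "example-org/example-repo/.github/workflows/deploy.yml@refs/heads/main",
    "iat": NOW - 60,
    "exp": NOW + 240,
}


def check_sample() -> list:
    """Run the policy over the constructed sample token; returns the violation list."""
    return evaluate(parse_claims(make_unsigned_token(SAMPLE_CLAIMS)), TRUST_POLICY, NOW)


if __name__ == "__main__":
    print("violations:", check_sample() or "none")
```

The same token presented from a feature branch fails on the `sub` check even though repository and workflow match, which is the property that lets a trust policy bind a credential to one branch of one repository rather than to anyone who can run a workflow in it.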

Scaling this model to over 70 repositories required automation. Pulumi's ci-mgmt tooling generated uniform workflow files, inserted a single ESC action step, and removed all static secret references. Centralized ESC policies now deliver detailed audit logs, enabling security teams to trace exactly which workflow accessed which secret and when. The single-point rotation model means that updating a shared base environment instantly propagates to every repository that imports it, simplifying compliance. As more enterprises adopt OIDC-based secret delivery, the industry moves toward CI pipelines where secrets are never at rest, setting a new baseline for supply-chain resilience.
