Use ESC secrets

[pgavlin]

These changes migrate this repo's GitHub Actions Workflows to use ESC secrets instead of GitHub Secrets.

The changes are largely mechanical:

• Common configuration for all ESC actions within a workflow is added to the workflow's environment variables
• Permissions are expanded as necessary for workflows that do not grant id-token: write permissions
  • read-all permissions are replaced with the union of all explicit read permissions and id-token: write
  • Default permissions are replaced with write-all, which is the equivalent of all explicit write permissions and
    id-token: write
  • Explicit permissions are modified to grant id-token: write
• A step that fetches ESC secrets and populates environment variables is added to each step that reads secrets
• Direct references to secrets within the job are replaced with references to the step's outputs

All ESC actions are configured to fetch secrets from a shared ESC environment that contains secrets migrated from GitHub Actions. The ESC action performs its own OIDC exchange to obtain a Pulumi Access Token.

[pulumi-bot]

Your site preview for commit 6e3cf21 is ready! 🎉

http://www-testing-pulumi-docs-origin-pr-15584-6e3cf218.s3-website.us-west-2.amazonaws.com.

[pgavlin]

This change is not necessary--mistake when running the rewriter.