I have a question for secrets: The default way adds an encrypted version of the secret to the config file which is safe to be checked in for version control. How can I control access to the secret that only certain users are able to decrypt it? Is this part of pulumi? Or do I need to control access to the github repository?

How can I control access to the secret that only certain users are able to decrypt it?

Depends which secrets system your using. If your using Pulumi Cloud I think secrets decrpytion is tied to being able to read the stack. Although there's an issue about possibly making that finer-grained https://github.com/pulumi/pulumi-cloud-requests/issues/122.

thx - understood