As I read that page, the mandate is about how to use self-assuming roles, if you have to use them. There is no mandate to use self-assuming roles. I use GH actions, OIDC, etc, and I don't use self-assuming roles.
Also, I use one project to set up the roles used with OIDC. That project does nothing else - there's no reason to, because nothing else is deployed with those roles, they're completely independent of all "functional" projects.
There is no way to have Pulumi use a role for auth purposes that you have created in the same project. You need to split the projects. I think it is likely that you don't need to do any of this, since there have been no other similar queries here.
And the idea of authenticating using one method, then creating a role that allows you to do your work and is allowed assume itself, then unauthenticating from your original method, authenticating with the new role, redundantly assuming that same role before continuing on with your intended work, is more than a little confusing. It seems to make life unnecessarily hard. I would work very hard to eliminate that sort of rigmarole, if I worked at AWS.