On the project I'm currently working on, we do plan to use Github actions, and plan to use Pulumi ESC with OIDC to provision access into the account. Have got ESC with OIDC working with local deployment.
If you're on the Pulumi Teams plan though, like us, it creates a restriction around who can have access to the Pulumi org. I.e. only those who are authorised for admin access in the AWS account are given access to the Pulumi account/org. We're hoping they extend RBAC down to the Teams account soon to address this as the Enterprise account pricing is out of reach for most.
May look at Pulumi Deployments at some point in the future too.