For example usually you need to create iam roles and policies for services, and that requires IAM access, and if you have IAM access you can give yourself any other access, so there's no point for most use cases. Happy to be educated otherwise but that's been my experience at my last 3 jobs

I was using Gitlab at the time though. With self hosted runners.

On the project I'm currently working on, we do plan to use Github actions, and plan to use Pulumi ESC with OIDC to provision access into the account. Have got ESC with OIDC working with local deployment. If you're on the Pulumi Teams plan though, like us, it creates a restriction around who can have access to the Pulumi org. I.e. only those who are authorised for admin access in the AWS account are given access to the Pulumi account/org. We're hoping they extend RBAC down to the Teams account soon to address this as the Enterprise account pricing is out of reach for most. May look at Pulumi Deployments at some point in the future too.