No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

Hey all - we've been adopting Pulumi ESC at <https://dosu.dev/|Dosu> and are wondering if we can use `esc` to set env vars in GitHub Actions too. Has anyone explored this? There are two motivations
• Single source of truth. We don't have to update secrets in multiple places
• Run the same GitHub actions with different env vars. We have deployment action that we'd like to re-use between staging and production. The only difference is the env vars
Any ideas welcome!

the naive approach that comes to mind is running within the run step
```eval $(esc env open $DEPLOY_ENV --format shell)```

solution
```esc env get $DEPLOY_ENV --value dotenv &gt;&gt; "$GITHUB_ENV"```

On the second solution, this might be better:
```esc env open $DEPLOY_ENV --format dotenv &gt;&gt; $GITHUB_ENV```

Also you should check out setting up <https://www.pulumi.com/blog/oidc-trust-relationships/|OIDC trust relationships>.  We are releasing today a <https://github.com/marketplace/actions/pulumi-auth-action|auth GitHub Action> to make this easier to consume, blog is coming out soon.

Thanks <@U05UX43AXSL>! I'll checkout OIDC for GHA - that is much cleaner that what we have currently

For posterity, the final solution require stripping the surrounding value quotes from the `dotenv` format before appending to `$GITHUB_ENV`
```esc env open dosu/staging --format dotenv  | sed  's/="$[^"]*$"/=\1/' | $GITHUB_ENV```