Is there a way to track down exactly where this kind of leak is occurring?

warning: rendered YAML will contain a secret value in plaintext

I'm guessing you're trying to render a Kubernetes Secret into YAML? If so that's probably where that warning is coming from. I did a bit of testing myself and any time I define a K8s secret and try to render as YAML I get the same warning. In the docs I see the following:

Any Secret values will appear in plaintext in the rendered manifests. This includes any values marked as secret in Pulumi. A warning will be printed for any secret values being rendered to YAML, but it is your responsibility to protect the rendered files.

Docs link for reference: https://www.pulumi.com/docs/iac/adopting-pulumi/migrating-to-pulumi/from-kubernetes/#rendering-kubernetes-yaml

Yeah, I understand that that's the semantic meaning of the error - I was hoping to trace down the exact attribute on the exact resource in the stack which is throwing the error. I've inspected the resulting yaml manifest myself and there are no secrets in it - my guess is it's an attribute being transitively marked as a secret due to being owned by some other secret value or something.

Amazing - thanks, @hallowed-photographer-31251!