is it possible to delete the logs for an "activity...
# general
w
is it possible to delete the logs for an "activity"? I want a way to clean up potential secrets that might have been printed.
m
If possible, it's probably better to rotate the secrets
👍 1
w
That can address it in this case, but in general I think it would be good to be able to delete the logs from a run.
m
That gets complicated quickly, right? Because these "logs" are also state differences. Deleting the last state is simple enough, but what about deleting "activity" that wasn't the last state change? What would the implications be? The Pulumi web service is an application built on top of Pulumi's stack/state management. What does expunging it from activity involve? Ideally any trace of the secret, right? Again, what are the implications? I don't know enough to answer these questions, but maybe a Pulumi staff member can.
The workaround would be to destroy and remove the stack, then recreate it, but obviously that's often not a possibility.
w
Yeah, probably not straightforward... but it should be possible to delete all the logs except the latest, right?
m
Yeah, that's a more likely implementable feature request, to be able to prune older state versions.
This is essentially the endpoint that the Pulumi service is using https://www.pulumi.com/docs/reference/service-rest-api/#list-stack-updates
s
Echoing @millions-furniture-75402: Basically, once a secret is written to disk unencrypted, it should be considered compromised and therefore be rotated.
👍 1
l
Agree. Removing the logs is only Security Through Obscurity. Can't rely on that!