
Add blog post for esc secret rotation webhooks #19652

Merged: seanyeh merged 3 commits into master from blog/esc-secret-rotation-webhooks on Jun 26, 2026


seanyeh commented Jun 15, 2026


resolves #19651
depends on pulumi/pulumi-pulumiservice#897

Proposed changes

add blog post for ESC secret rotation webhooks

Unreleased product version (optional)

Related issues (optional)


github-actions Bot commented Jun 15, 2026


Social Media Review

content/blog/introducing-esc-secret-rotation-webhooks/index.md

X — missing

LinkedIn — missing

Bluesky — missing

No social copy provided for any platform. Suggested copy drafted below.


Suggested copy

X (217/255 chars):

Pulumi ESC can rotate your secrets on a schedule. That's the easy part. The harder part: making sure every service using that credential finds out.

Sean Yeh walks through the new rotation webhooks that close the gap.

LinkedIn (719/2950 chars):

Rotating secrets on a schedule is step one. Step two is making sure every service holding the old credential actually gets the update.

Pulumi ESC can rotate your secrets automatically. What it couldn't do until now was tell your other systems when that happened — leaving a window where a service is still authenticating with a credential that's already been replaced.

Secret rotation webhooks close that window. When ESC rotates an environment's secrets, a webhook fires on success or failure. Notify your Slack channel, trigger a service reload, or catch a failed rotation before it causes an outage.

Sean Yeh walks through how to configure the new triggers in the Pulumi Cloud Console and the Pulumi Service Provider.

Bluesky (238/300 chars):

Pulumi ESC rotates your secrets automatically. What it couldn't do was tell your services when a rotation happened.

Secret rotation webhooks fix that — trigger on success or failure to refresh dependents or catch a failed rotation early.


To apply these suggestions, comment: @claude please update the social posts in the frontmatter with the suggested copy from the social media review above

To re-run the social media review after updates, comment: /social-review

Updated for commit fc1795b91a2b171bb9c46b0b5378c36ec5fd7c28 (short: fc1795b) at 2026-06-25 20:29 UTC.


pulumi-bot commented Jun 15, 2026


seanyeh force-pushed the blog/esc-secret-rotation-webhooks branch from d35fcf2 to 13f5883 (June 15, 2026 04:53)
seanyeh force-pushed the blog/esc-secret-rotation-webhooks branch from 13f5883 to 478f486 (June 15, 2026 12:41)
seanyeh force-pushed the blog/esc-secret-rotation-webhooks branch from 478f486 to 6449be5 (June 15, 2026 13:15)
seanyeh requested a review from a team (June 15, 2026 13:29)
seanyeh marked this pull request as ready for review (June 15, 2026 13:29)
github-actions Bot added the labels review:triaging (Claude Triage is currently classifying the PR), domain:blog (PR touches blog posts or customer stories) and review:in-progress (Claude review is currently running), and removed the label review:triaging (Claude Triage is currently classifying the PR) (Jun 15, 2026)
@github-actions


Pre-merge Review — Last updated 2026-06-15T13:32:20Z

Tip

Summary: This PR adds a new blog post announcing ESC secret rotation webhooks, a feature-announcement post under content/blog/ in the same shape as other ESC launch posts (links out to /docs/esc/, the rotators concept, and the webhooks concept). The kind of wrongness that would hurt a reader here is a wrong configuration path (the Pulumi Cloud console steps under Settings → Notifications) or a Pulumi Service Provider code example that doesn't compile. Verification passes that ran: external claim checks across 8 extracted claims, a spot-check of the one cited link, a frontmatter/social sweep, the three code-examples specialists, and the editorial-balance pass. All internal /docs/esc/... links resolve and the cited webhooks doc page exists; the one open item is confirming the exact property names on the service.Webhook snippet.

Review confidence:

| Dimension | Level | Notes |
|---|---|---|
| mechanics | HIGH | Content-only change; frontmatter parses, no alias/URL collisions, internal links resolve. |
| facts | MEDIUM | Capability + configuration claims verified; one code-example property set unverifiable. |
| code correctness | MEDIUM | TypeScript snippet not executed; service.Webhook property names unconfirmed (resource + filters verified). |

Investigation log
  • Cross-sibling reads: not run (not in a templated section)
  • External claim verification: 4 of 8 claims verified (1 unverifiable, 0 contradicted) · 4 specialists (numerical, cross-reference, capability, framing); 0 cross-specialist corroborations · routed: 0 inline, 6 Pass 1, 1 Pass 2 (verified 0, contradicted 0, unverifiable 1), 1 Pass 3 (verified 0, contradicted 0, unverifiable 1).
  • Cited-claim spot-checks: 1 of 1 cited claims fetched and compared
  • Frontmatter sweep: ran on body + meta_desc + social.{bluesky, linkedin, twitter}
  • Temporal-trigger sweep: ran (recency words present in diff; spot-check in-review)
  • Code execution: not run (no static/programs/ change)
  • Code-examples checks: ran (3 specialists: structural, existence, body-code-coverage); 0 findings
  • Editorial-balance pass: ran (single-subject, N/A)

| 🚨 Outstanding | ⚠️ Low-confidence | 💡 Pre-existing | ✅ Resolved |
|---|---|---|---|
| 0 | 2 | 0 | 0 |

🔍 Verification trail

8 claims extracted · 4 verified · 1 unverifiable · 0 contradicted
  • L3 in content/blog/introducing-esc-secret-rotation-webhooks/index.md "date: 2026-06-17" → ➖ not-a-claim (evidence: The "date" front-matter field in a blog post is metadata authored by the PR author to set the publication date of their own post. It is not a falsifiable assertion about a third-party fact — it is the author's own design choice for when th…; source: repo:content/blog/introducing-esc-secret-rotation-webhooks/index.md L3)
  • L24 in content/blog/introducing-esc-secret-rotation-webhooks/index.md "Pulumi ESC can automatically rotate secrets on a schedule so credentials never go stale." → ✅ verified (evidence: The blog post at L24 itself states: "it can automatically rotate secrets on a schedule so credentials never go stale." The /docs/esc/ home page confirms rotation and webhooks are real ESC capabilities, and…; source: repo:content/blog/introducing-esc-secret-rotation-webhooks/index.md)
  • L30 in content/blog/introducing-esc-secret-rotation-webhooks/index.md "ESC webhooks can be configured to trigger on either success or failure when ESC rotates an environment's secrets." → ➖ not-a-claim (evidence: The claim at L30 is a description of the feature being introduced in this very blog post ("a webhook can be configured to trigger on either success or failure"). This is the PR author's own design description of the new ESC secret rotation…; source: content/blog/introducing-esc-secret-rotation-webhooks/index.md)
  • L34 in content/blog/introducing-esc-secret-rotation-webhooks/index.md "ESC rotation webhooks can be configured via the Pulumi Cloud Console in the ESC Environment's Settings page under Settings -> Notifications, with trigger optio…" → ✅ verified (evidence: The blog post at L34 states: "Using the Pulumi Cloud Console, you can now configure webhooks for 'Environment rotation succeeded' and 'Environment rotation failed' in your ESC Environment's Settings page (under Settings -> **Notificati…; source: content/blog/introducing-esc-secret-rotation-webhooks/index.md)
  • L38 in content/blog/introducing-esc-secret-rotation-webhooks/index.md "ESC rotation webhooks can be configured using the Pulumi Service Provider." → ✅ verified (evidence: The blog post at L38 explicitly states "You can also use the Pulumi Service Provider to configure webhooks" and provides a TypeScript code example using service.Webhook with WebhookFilters.EnvironmentRotationSucceeded and `WebhookFilte…; source: repo:content/blog/introducing-esc-secret-rotation-webhooks/index.md; gh api repos/pulumi/pulumi-pulumiservice/contents/sdk/nodejs/webhook.ts)
  • L40-49 in content/blog/introducing-esc-secret-rotation-webhooks/index.md "The Pulumi Service Provider service.Webhook resource accepts properties including active, displayName, organizationName, projectName, `environmentNam…" → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
  • L47 in content/blog/introducing-esc-secret-rotation-webhooks/index.md "payloadUrl: 'https://example.com'," → ➖ not-a-claim (evidence: The URL https://example.com appears as a placeholder value in a code/configuration example (payloadUrl field), not as a citation to an external source making a factual assertion. It is a standard documentation placeholder domain, as conf…; source: https://example.com)
  • L54 in content/blog/introducing-esc-secret-rotation-webhooks/index.md "The Pulumi ESC webhooks documentation is located at /docs/esc/concepts/webhooks/." → ✅ verified (evidence: The file content/docs/esc/concepts/webhooks.md exists in the pulumi/docs repository (confirmed via GitHub API), which maps directly to the URL path /docs/esc/concepts/webhooks/. The blog post links to this path twice: "With [ESC webh…; source: gh api repos/pulumi/docs/contents/content/docs/esc/concepts — entry: {"name":"webhooks.md","path":"content/docs/esc/concepts/webhooks.md"})

📊 Editorial balance

Single-subject post; balance check N/A.

🚨 Outstanding in this PR

No outstanding findings in this PR.

⚠️ Low-confidence

Review each and resolve as appropriate — these don't block the PR.

  • [L40-49] content/blog/introducing-esc-secret-rotation-webhooks/index.md "The Pulumi Service Provider service.Webhook resource accepts properties including active, displayName, organizationName, projectName, environmentName, payloadUrl, and filters" — verdict: 🤷 unverifiable; the exact property set couldn't be confirmed against the provider SDK. The service.Webhook resource itself and the WebhookFilters.EnvironmentRotationSucceeded / EnvironmentRotationFailed filter values are confirmed (✅ verified at L38 against the pulumi-pulumiservice Node.js SDK), so this is narrowly about the property names in the snippet. Author check: please confirm the TypeScript example compiles as written against the current @pulumi/pulumiservice SDK — in particular that displayName, organizationName, projectName, and environmentName are the correct input names (vs. e.g. name). Not a merge blocker.

Style findings

Found by pattern-based linting; findings may be false positives.

  • line 34: [style] nomenclature — Use Pulumi's canonical spelling: 'Pulumi Cloud console' instead of 'Pulumi Cloud Console' (STYLE-GUIDE.md §Product Names).

💡 Pre-existing issues in touched files (optional)

No pre-existing issues in touched files.

✅ Resolved since last review

No items resolved since the last review.

📜 Review history

  • 2026-06-15T13:32:20Z — New ESC secret-rotation-webhooks blog post; claims and links verified, no blockers; one ⚠️ asking the author to confirm the service.Webhook snippet property names, plus one style nag (Pulumi Cloud console casing). (6449be5)

Need a re-review? Want to dispute a finding? Mention @claude and include #update-review.
(For ad-hoc questions or fixes, just @claude — no hashtag.)

github-actions Bot added the label review:no-blockers (Claude review completed cleanly; outstanding is empty) and removed the label review:in-progress (Claude review is currently running) (Jun 15, 2026)
title: "Introducing ESC Secret Rotation Webhooks"
date: 2026-06-17
draft: false
meta_desc: "Pulumi ESC secret rotation webhooks notify your team the moment a rotation happens. Never let a rotation fail unnoticed!"


Never let a rotation fail unnoticed!

Seems like it would be better to call out a positive case here? Maybe:

Refresh dependent services immediately!

seanyeh force-pushed the blog/esc-secret-rotation-webhooks branch from 6449be5 to e3ecc33 (June 25, 2026 20:23)
github-actions Bot added the label review:stale (New commits since last Claude review; refresh on next ready-transition or @claude mention) and removed the label review:no-blockers (Claude review completed cleanly; outstanding is empty) (Jun 25, 2026)
seanyeh force-pushed the blog/esc-secret-rotation-webhooks branch from 8ac1620 to d242482 (June 26, 2026 16:51)
seanyeh merged commit d332715 into master (Jun 26, 2026)
10 checks passed
seanyeh deleted the blog/esc-secret-rotation-webhooks branch (June 26, 2026 17:28)