Add blog post for esc secret rotation webhooks

[seanyeh]

resolves #19651
depends on pulumi/pulumi-pulumiservice#897

Proposed changes

add blog post for ESC secret rotation webhooks

Unreleased product version (optional)

Related issues (optional)

[github-actions]

Social Media Review

content/blog/introducing-esc-secret-rotation-webhooks/index.md

X — missing

No copy provided. Suggested copy drafted below.

LinkedIn — missing

No copy provided. Suggested copy drafted below.

Bluesky — missing

No copy provided. Suggested copy drafted below.

---

Suggested copy

X (215/255 chars) — drafted from the article:

Rotating secrets is only half the job. Knowing the rotation happened — or failed — is the other half.

ESC rotation webhooks let you trigger Slack alerts, refresh services, or catch failures the moment it completes.

LinkedIn (519/2950 chars) — drafted from the article:

Rotating secrets on a schedule keeps credentials fresh. But a rotation is only useful if the services that depend on it — and the team behind them — actually know it happened.

We just shipped ESC secret rotation webhooks. When ESC rotates a secret in an environment, a webhook fires on success or failure. Use it to alert your team in Slack, trigger a service refresh, or catch a failed rotation before it causes an incident.

Configure it in a few clicks from the ESC Environment Settings page, or wire it up with the Pulumi Service Provider. See the webhooks documentation to get started.

Bluesky (233/300 chars) — drafted from the article:

Rotating secrets automatically is good. Knowing when a rotation fails is better.

ESC rotation webhooks fire on success or failure — trigger a Slack alert, refresh a service, or catch a broken rotation before it takes something down.

Updated for commit 6449be5a19c87a0763d2af1969df14c95995936d (short: 6449be5) at 2026-06-15 13:34 UTC.

[pulumi-bot]

Your site preview for commit 6449be5 is ready! 🎉

http://www-testing-pulumi-docs-origin-pr-19652-6449be5a.s3-website.us-west-2.amazonaws.com

[github-actions]

Pre-merge Review — Last updated 2026-06-15T13:32:20Z

Tip

Summary: This PR adds a new blog post announcing ESC secret rotation webhooks, a feature-announcement post under content/blog/ in the same shape as other ESC launch posts (links out to /docs/esc/, the rotators concept, and the webhooks concept). The kind of wrongness that would hurt a reader here is a wrong configuration path (the Pulumi Cloud console steps under Settings → Notifications) or a Pulumi Service Provider code example that doesn't compile. Verification passes that ran: external claim checks across 8 extracted claims, a spot-check of the one cited link, a frontmatter/social sweep, the three code-examples specialists, and the editorial-balance pass. All internal /docs/esc/... links resolve and the cited webhooks doc page exists; the one open item is confirming the exact property names on the service.Webhook snippet.

Review confidence:

Dimension	Level	Notes
mechanics	HIGH	Content-only change; frontmatter parses, no alias/URL collisions, internal links resolve.
facts	MEDIUM	Capability + configuration claims verified; one code-example property set unverifiable.
code correctness	MEDIUM	TypeScript snippet not executed; service.Webhook property names unconfirmed (resource + filters verified).

Investigation log

• Cross-sibling reads: not run (not in a templated section)
• External claim verification: 4 of 8 claims verified (1 unverifiable, 0 contradicted) · 4 specialists (numerical, cross-reference, capability, framing); 0 cross-specialist corroborations · routed: 0 inline, 6 Pass 1, 1 Pass 2 (verified 0, contradicted 0, unverifiable 1), 1 Pass 3 (verified 0, contradicted 0, unverifiable 1).
• Cited-claim spot-checks: 1 of 1 cited claims fetched and compared
• Frontmatter sweep: ran on body + meta_desc + social.{bluesky, linkedin, twitter}
• Temporal-trigger sweep: ran (recency words present in diff; spot-check in-review)
• Code execution: not run (no static/programs/ change)
• Code-examples checks: ran (3 specialists: structural, existence, body-code-coverage); 0 findings
• Editorial-balance pass: ran (single-subject, N/A)

🚨 Outstanding	⚠️ Low-confidence	💡 Pre-existing	✅ Resolved
0	2	0	0

🔍 Verification trail

8 claims extracted · 4 verified · 1 unverifiable · 0 contradicted

• L3 in content/blog/introducing-esc-secret-rotation-webhooks/index.md "date: 2026-06-17" → ➖ not-a-claim (evidence: The "date" front-matter field in a blog post is metadata authored by the PR author to set the publication date of their own post. It is not a falsifiable assertion about a third-party fact — it is the author's own design choice for when th…; source: repo:content/blog/introducing-esc-secret-rotation-webhooks/index.md L3)
• L24 in content/blog/introducing-esc-secret-rotation-webhooks/index.md "Pulumi ESC can automatically rotate secrets on a schedule so credentials never go stale." → ✅ verified (evidence: The blog post at L24 itself states: "it can automatically rotate secrets on a schedule so credentials never go stale." The /docs/esc/ home page confirms rotation and webhooks are real ESC capabilities, and…; source: repo:content/blog/introducing-esc-secret-rotation-webhooks/index.md)
• L30 in content/blog/introducing-esc-secret-rotation-webhooks/index.md "ESC webhooks can be configured to trigger on either success or failure when ESC rotates an environment's secrets." → ➖ not-a-claim (evidence: The claim at L30 is a description of the feature being introduced in this very blog post ("a webhook can be configured to trigger on either success or failure"). This is the PR author's own design description of the new ESC secret rotation…; source: content/blog/introducing-esc-secret-rotation-webhooks/index.md)
• L34 in content/blog/introducing-esc-secret-rotation-webhooks/index.md "ESC rotation webhooks can be configured via the Pulumi Cloud Console in the ESC Environment's Settings page under Settings -> Notifications, with trigger optio…" → ✅ verified (evidence: The blog post at L34 states: "Using the Pulumi Cloud Console, you can now configure webhooks for 'Environment rotation succeeded' and 'Environment rotation failed' in your ESC Environment's Settings page (under Settings -> **Notificati…; source: content/blog/introducing-esc-secret-rotation-webhooks/index.md)
• L38 in content/blog/introducing-esc-secret-rotation-webhooks/index.md "ESC rotation webhooks can be configured using the Pulumi Service Provider." → ✅ verified (evidence: The blog post at L38 explicitly states "You can also use the Pulumi Service Provider to configure webhooks" and provides a TypeScript code example using service.Webhook with WebhookFilters.EnvironmentRotationSucceeded and `WebhookFilte…; source: repo:content/blog/introducing-esc-secret-rotation-webhooks/index.md; gh api repos/pulumi/pulumi-pulumiservice/contents/sdk/nodejs/webhook.ts)
• L40-49 in content/blog/introducing-esc-secret-rotation-webhooks/index.md "The Pulumi Service Provider service.Webhook resource accepts properties including active, displayName, organizationName, projectName, `environmentNam…" → 🤷 unverifiable (evidence: verification did not converge within 8 turns)
• L47 in content/blog/introducing-esc-secret-rotation-webhooks/index.md "payloadUrl: 'https://example.com'," → ➖ not-a-claim (evidence: The URL https://example.com appears as a placeholder value in a code/configuration example (payloadUrl field), not as a citation to an external source making a factual assertion. It is a standard documentation placeholder domain, as conf…; source: https://example.com)
• L54 in content/blog/introducing-esc-secret-rotation-webhooks/index.md "The Pulumi ESC webhooks documentation is located at /docs/esc/concepts/webhooks/." → ✅ verified (evidence: The file content/docs/esc/concepts/webhooks.md exists in the pulumi/docs repository (confirmed via GitHub API), which maps directly to the URL path /docs/esc/concepts/webhooks/. The blog post links to this path twice: "With [ESC webh…; source: gh api repos/pulumi/docs/contents/content/docs/esc/concepts — entry: {"name":"webhooks.md","path":"content/docs/esc/concepts/webhooks.md"})

📊 Editorial balance

Single-subject post; balance check N/A.

🚨 Outstanding in this PR

No outstanding findings in this PR.

⚠️ Low-confidence

Review each and resolve as appropriate — these don't block the PR.

• [L40-49] content/blog/introducing-esc-secret-rotation-webhooks/index.md — "The Pulumi Service Provider service.Webhook resource accepts properties including active, displayName, organizationName, projectName, environmentName, payloadUrl, and filters" — verdict: 🤷 unverifiable; the exact property set couldn't be confirmed against the provider SDK. The service.Webhook resource itself and the WebhookFilters.EnvironmentRotationSucceeded / EnvironmentRotationFailed filter values are confirmed (✅ verified at L38 against the pulumi-pulumiservice Node.js SDK), so this is narrowly about the property names in the snippet. Author check: please confirm the TypeScript example compiles as written against the current @pulumi/pulumiservice SDK — in particular that displayName, organizationName, projectName, and environmentName are the correct input names (vs. e.g. name). Not a merge blocker.

Style findings

Found by pattern-based linting; Findings may be false positives.

• line 34: [style] nomenclature — Use Pulumi's canonical spelling: 'Pulumi Cloud console' instead of 'Pulumi Cloud Console' (STYLE-GUIDE.md §Product Names).

💡 Pre-existing issues in touched files (optional)

No pre-existing issues in touched files.

✅ Resolved since last review

No items resolved since the last review.

📜 Review history

• 2026-06-15T13:32:20Z — New ESC secret-rotation-webhooks blog post; claims and links verified, no blockers; one ⚠️ asking the author to confirm the service.Webhook snippet property names, plus one style nag (Pulumi Cloud console casing). (6449be5)

---

Need a re-review? Want to dispute a finding? Mention @claude and include #update-review.
(For ad-hoc questions or fixes, just @claude — no hashtag.)

[rgharris]

Never let a rotation fail unnoticed!

Seems like it would be better to call out a positive case here? Maybe:

Refresh dependent services immediately!