@borisschlosser
Contributor

This PR updates docs and adds a blog post about the new native OIDC token exchange capability of the Pulumi CLI introduced here: pulumi/pulumi#20974

@claude
Contributor

claude bot commented Dec 11, 2025

Documentation Review

I've reviewed the changes in this PR. Overall, the content is well-written and follows most style guidelines, but there are several issues that need to be addressed:

Critical Issues

1. Missing meta image file

  • File: content/blog/native-oidc-token-exchange/index.md (line 5)
  • Issue: The frontmatter references meta.png, but this file doesn't exist in the content/blog/native-oidc-token-exchange/ directory.
  • Action: Either add the meta.png file or remove the meta_image field from the frontmatter.

2. Missing author profile

  • File: content/blog/native-oidc-token-exchange/index.md (line 8)
  • Issue: The author boris-schlosser must have a corresponding profile file. Verify that data/team/team/boris-schlosser.toml exists.
  • Action: If the author profile doesn't exist, create it following the pattern of other author files in that directory.

3. Incorrect link reference format

  • File: content/docs/administration/access-identity/oidc-client/kubernetes-eks.md (line 25)
  • Issue: The link /docs/pulumi-cloud/access-management/oidc-client/#token-types-by-edition appears to be incorrect. Based on the file structure, it should likely be /docs/administration/access-identity/oidc-client/#token-types-by-edition.
  • Action: Verify and correct the link path.

4. Duplicate incorrect link reference

  • File: content/docs/administration/access-identity/oidc-client/kubernetes-gke.md (line 23)
  • Issue: Same as above - /docs/pulumi-cloud/access-management/oidc-client/#token-types-by-edition should likely be /docs/administration/access-identity/oidc-client/#token-types-by-edition.
  • Action: Verify and correct the link path.

Style Issues

5. Missing trailing newline

  • File: content/docs/iac/cli/commands/pulumi_login.md
  • Issue: The file may not end with a newline (difficult to confirm from diff alone, but the diff suggests this).
  • Action: Ensure the file ends with a newline character as required by AGENTS.md.

6. Inconsistent capitalization in heading

  • File: content/docs/iac/cli/commands/pulumi_login.md (line 87)
  • Issue: The heading "## Command" should be in sentence case, but "Command" is a proper noun in this context, so this is acceptable. No action needed.

Content Suggestions

7. Blog post readability

  • File: content/blog/native-oidc-token-exchange/index.md (lines 22-31)
  • Suggestion: The "Why OIDC token exchange matters" section has a long bulleted list. Consider breaking this into shorter paragraphs or adding a brief introductory sentence before the list for better flow.

8. Example clarity

  • File: content/blog/native-oidc-token-exchange/index.md (lines 102-136)
  • Suggestion: The Kubernetes example uses TypeScript to define the Job resource. Consider adding a brief note that this is a Pulumi program creating the Job, not a raw Kubernetes manifest, for readers less familiar with Pulumi.

9. Prerequisites link verification

  • File: content/blog/native-oidc-token-exchange/index.md (lines 140-146)
  • Issue: The "Prerequisites" section mentions configuring OIDC providers in organization settings but doesn't link to specific documentation.
  • Suggestion: Add a link to the relevant setup documentation.

Documentation Gaps

As this blog post announces a significant new feature, I checked for corresponding documentation coverage:

Good coverage: The PR updates the following documentation:

  • CLI command reference (pulumi_login.md)
  • OIDC client integration guide (_index.md)
  • Platform-specific guides (GKE and EKS)

The documentation appears comprehensive and well-integrated.


Summary

The content is well-written and follows most Pulumi style guidelines. The main issues are:

  1. Missing meta image file (critical)
  2. Potentially incorrect link paths in Kubernetes docs (critical)
  3. Missing author profile verification (critical)

Please address the critical issues before merging. The style suggestions are optional improvements.

If you'd like me to help fix any of these issues, mention me (@claude) with your request.

@pulumi-bot
Collaborator

@borisschlosser
Contributor Author

borisschlosser commented Dec 12, 2025

Addressed Claude's comments.

@pulumi-bot
Collaborator


## How it works

The new `pulumi login` command accepts OIDC tokens directly:
Contributor

Suggested change
The new `pulumi login` command accepts OIDC tokens directly:
The `pulumi login` command now accepts OIDC tokens directly:

pulumi login is not a new command
