Update GitHub Actions workflows. (#851)

This PR was triggered by @t0yv0 generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit
[daf8aba035d6ed8919db6089c780f56cb7fefc69](daf8aba035).

Co-authored-by: Pulumi Bot <bot@pulumi.com>

.gitattributes

@@ -1,4 +1,2 @@
 sdk/**/* linguist-generated=true
-provider/internal/mock*.go linguist-generated=true
-
 .github/workflows/*.lock.yml linguist-generated=true merge=ours

.github/actions/setup-tools/action.yml

@@ -14,7 +14,7 @@ runs:
   using: "composite"
   steps:
     - name: Setup mise
-      uses: jdx/mise-action@590bfd78fa3e93efd2e7ea21d65d397118ac1430
+      uses: jdx/mise-action@8d3b0ba20a9cea7b883d922ea958553c941ab082
       env:
         MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
       with:

.github/aw/actions-lock.json

@@ -0,0 +1,19 @@
+{
+  "entries": {
+    "actions/github-script@v9.0.0": {
+      "repo": "actions/github-script",
+      "version": "v9.0.0",
+      "sha": "3a2844b7e9c422d3c10d287c895573f7108da1b3"
+    },
+    "github/gh-aw-actions/setup@v0.71.5": {
+      "repo": "github/gh-aw-actions/setup",
+      "version": "v0.71.5",
+      "sha": "b8068426813005612b960b5ab0b8bd2c27142323"
+    },
+    "github/gh-aw/actions/setup@v0.71.5": {
+      "repo": "github/gh-aw/actions/setup",
+      "version": "v0.71.5",
+      "sha": "19ac811a4a85389c33b15128e1d7b7d4507f814a"
+    }
+  }
+}

.github/workflows/claude.yml

@@ -56,7 +56,7 @@ jobs:
           PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
         run: gh pr checkout "$PR_NUMBER"
       - name: Setup mise
-        uses: jdx/mise-action@590bfd78fa3e93efd2e7ea21d65d397118ac1430
+        uses: jdx/mise-action@8d3b0ba20a9cea7b883d922ea958553c941ab082
         env:
           MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
         with:
@@ -79,7 +79,7 @@ jobs:
           (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude review')) ||
           (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude review'))
         id: claude-review
-        uses: anthropics/claude-code-action@476e359e6203e73dad705c8b322e333fabbd7416 # v1
+        uses: anthropics/claude-code-action@dde2242db6af13460b916652159b6ba19a598f30 # v1
         with:
           anthropic_api_key: ${{ steps.esc-secrets.outputs.ANTHROPIC_API_KEY }}
           prompt: |
@@ -101,7 +101,7 @@ jobs:
           !contains(github.event.comment.body, '@claude review') &&
           !contains(github.event.review.body, '@claude review')
         id: claude-action
-        uses: anthropics/claude-code-action@476e359e6203e73dad705c8b322e333fabbd7416 # v1
+        uses: anthropics/claude-code-action@dde2242db6af13460b916652159b6ba19a598f30 # v1
         with:
           anthropic_api_key: ${{ steps.esc-secrets.outputs.ANTHROPIC_API_KEY }}
           # This allows claude to read github action logs

.github/workflows/gh-aw-pr-rereview.md

@@ -1,19 +1,20 @@
 ---
-description: Run PR re-review on explicit maintainer slash command.
-timeout-minutes: 15
-strict: true
 on:
   slash_command:
+    events:
+    - pull_request_comment
+    - pull_request_review_comment
     name: review-again
-    events: [pull_request_comment, pull_request_review_comment]
-imports:
-  - shared/review.md
-  - shared/plugins/code-review/code-review.md
 permissions:
   contents: read
-  pull-requests: read
   id-token: write
-source: pulumi-labs/gh-aw-internal/.github/workflows/gh-aw-pr-rereview.md@734ef41746387a6818fd8ac3e619c9fd81ac6957
+  pull-requests: read
+imports:
+- shared/review.md
+- shared/plugins/code-review/code-review.md
+description: Run PR re-review on explicit maintainer slash command.
+source: pulumi-labs/gh-aw-internal/.github/workflows/gh-aw-pr-rereview.md@8a92f53fac170563f7727cacab2dbedb5d5b9e29
+strict: true
+timeout-minutes: 15
 ---
-
 # Internal PR Re-Review (Slash Command)

.github/workflows/gh-aw-pr-review.md

@@ -1,24 +1,25 @@
 ---
-description: Automated PR review for trusted internal contributors.
-timeout-minutes: 15
-strict: true
-permissions:
-  contents: read
-  pull-requests: read
-  id-token: write
 on:
   pull_request:
-    types: [opened]
+    types:
+    - opened
+    - ready_for_review
   workflow_dispatch:
     inputs:
       pr_number:
-        description: "Pull request number to review"
+        description: Pull request number to review
         required: true
         type: string
+permissions:
+  contents: read
+  id-token: write
+  pull-requests: read
 imports:
-  - shared/review.md
+- shared/review.md
-  - shared/plugins/code-review/code-review.md
+- shared/plugins/code-review/code-review.md
-source: pulumi-labs/gh-aw-internal/.github/workflows/gh-aw-pr-review.md@734ef41746387a6818fd8ac3e619c9fd81ac6957
+description: Automated PR review for trusted internal contributors.
+source: pulumi-labs/gh-aw-internal/.github/workflows/gh-aw-pr-review.md@8a92f53fac170563f7727cacab2dbedb5d5b9e29
+strict: true
+timeout-minutes: 15
 ---
-
 # Internal Trusted PR Reviewer

.github/workflows/lint.yml

@@ -49,7 +49,7 @@ jobs:
         private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
         owner: ${{ github.repository_owner }}
     - name: Setup mise
-      uses: jdx/mise-action@590bfd78fa3e93efd2e7ea21d65d397118ac1430
+      uses: jdx/mise-action@8d3b0ba20a9cea7b883d922ea958553c941ab082
       env:
         MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
       with:

.github/workflows/shared/plugins/code-review/code-review.md

@@ -9,8 +9,10 @@ Provide a code review for the given pull request.
 - Only call a tool if it is required to complete the task. Every tool call should have a clear purpose.
 - Use GitHub MCP tools for repository reads. Do not use `gh` CLI commands for repository inspection or for posting review output.
 - Use the workflow PR number as the authoritative target.
+- Review output must be terse and issue-focused. Do not praise the PR, narrate checks that passed, explain why code is correct, or offer "good change" commentary.
 - Use only gh-aw safe outputs for review side effects:
   - `create-pull-request-review-comment` for actionable inline findings on changed lines
+  - `resolve-pull-request-review-thread` for unresolved bot-authored review threads that are now fixed or clearly acknowledged
   - `submit-pull-request-review` for the final review decision
   - `noop` when no action should be taken
 - Use cache-memory only for short-lived continuity and deduplication hints. Treat live PR state and current review threads as the source of truth.
@@ -55,10 +57,11 @@ Note: Do not skip solely because prior automated review comments exist. Use prio
    - The main behavioral changes in the diff
    - Any obvious risk areas worth checking carefully
 
-6. Fetch existing review comments on the PR before preparing any new findings. Use them to identify:
+6. Fetch existing review comments and review threads on the PR before preparing any new findings. Use them to identify:
    - Similar issues already flagged
    - Threads where a human already acknowledged the feedback
    - Comments on code that has changed since the earlier review and may now be stale
+   - Unresolved bot-authored review threads that may now be fixed or obsolete
 
 7. Launch 4 review subagents in parallel. Each agent should return a list of candidate issues, where each issue includes:
    - A concise description
@@ -109,9 +112,24 @@ Note: Do not skip solely because prior automated review comments exist. Use prio
    - Findings that are not on changed lines or cannot be tied to a changed hunk
    - Findings that only came from cache-memory and are not confirmed by the current PR state
 
+   Also create a separate internal list of review threads to resolve. A thread is eligible for resolution only when all of the following are true:
+   - The thread is currently unresolved
+   - The thread was started by this automation or another bot, not by a human reviewer
+   - The underlying issue is fixed in the latest diff, outdated, or explicitly acknowledged by a human as intentionally left as-is
+   - You have high confidence that resolving it will not hide an outstanding real issue
+
+   Never resolve human-authored review threads. When uncertain, leave the thread unresolved.
+
 11. Classify the remaining issues:
    - `Blocking`: correctness, security, regression, data loss, or clear required-rule violations
-   - `Non-blocking`: actionable but not merge-blocking concerns
+   - `Non-blocking`: actionable but not merge-blocking concerns that are still worth interrupting the author for now
+
+   Drop any candidate that is merely:
+   - praise
+   - reassurance
+   - a follow-up idea
+   - a readability suggestion with no concrete risk
+   - an observation that does not require author action
 
 12. Produce a short internal summary of findings for yourself:
    - If issues remain, list the highest-signal ones first
@@ -119,8 +137,9 @@ Note: Do not skip solely because prior automated review comments exist. Use prio
 
 13. If no actionable issues remain, submit exactly one final review with `submit-pull-request-review`:
    - Use `APPROVE`
-   - Briefly state that no issues were found after checking for bugs and `CLAUDE.md` compliance
+   - Use one short sentence only, such as `No actionable issues found.`
    - Do not create inline comments
+   - Do not include praise, summaries of what was checked, or correctness narration
    - Before stopping, write a compact review memory file for this PR containing:
      - review timestamp
      - PR number
@@ -131,21 +150,33 @@ Note: Do not skip solely because prior automated review comments exist. Use prio
 
 14. If actionable issues remain, choose the highest-signal unique issues up to the safe-output comment limit. Create a list of planned inline comments for yourself before posting anything.
 
+   Prefer zero comments over low-signal comments. Non-blocking comments should be rare.
+
 15. Post one inline comment per chosen issue using `create-pull-request-review-comment`. For each comment:
    - Provide a brief description of the issue
    - Explain why it matters
    - Reference the exact changed line
    - Cite the relevant `CLAUDE.md` rule when applicable
    - Keep the comment concise and actionable
+   - Do not post comments that merely suggest optional follow-up cleanup or extra documentation
+   - Do not post comments whose conclusion is that the code is acceptable as-is
    - Do not post duplicate comments for the same issue
 
-16. Submit exactly one final review using `submit-pull-request-review`:
+16. Resolve eligible stale review threads using `resolve-pull-request-review-thread` before submitting the final review.
+   - Resolve only threads from your internal resolution list
+   - Resolve only bot-authored threads
+   - Do not add explanatory comments when resolving
+   - If no threads qualify, do nothing
+
+17. Submit exactly one final review using `submit-pull-request-review`:
    - Use `REQUEST_CHANGES` when at least one blocking issue remains
    - Use `APPROVE` otherwise, including when only non-blocking inline comments were left
    - Do not use `COMMENT` as the final review state
-   - Keep the summary short and aligned with the issues you posted
+   - Keep the summary to one or two short sentences
+   - Do not restate inline comments in the final review; point readers to the inline comments instead
+   - Do not include praise, correctness checklists, or "overall LGTM" framing unless there are zero inline comments and you are using the exact terse approval style above
 
-17. After the final review is submitted, update the PR-specific cache-memory file with a compact record of this review. Store only short-lived operational state such as:
+18. After the final review is submitted, update the PR-specific cache-memory file with a compact record of this review. Store only short-lived operational state such as:
    - review timestamp
    - PR number
    - files reviewed
@@ -163,12 +194,16 @@ Use this list when evaluating issues in Steps 4 and 5 (these are false positives
 - General code quality concerns (e.g., lack of test coverage, general security issues) unless explicitly required in CLAUDE.md
 - Issues mentioned in CLAUDE.md but explicitly silenced in the code (e.g., via a lint ignore comment)
 - Differences that exist only in files classified as generated by `.gitattributes`, unless they expose a real issue in the source workflow, prompt, or other source-of-truth file
+- Explanations that a change is good, correct, well-structured, or acceptable as-is
+- Non-blocking observations that do not require the author to change anything now
+- Requests for extra comments or documentation unless their absence creates a concrete correctness risk
 
 Notes:
 
 - Use GitHub tools for all repository reads. Do not use web fetch.
 - Always operate on the workflow PR target rather than guessing from local git state.
 - Inline comments should only be created for actionable issues on changed lines.
+- If you leave inline comments, the final review should not repeat them.
 - Cache-memory is best-effort and may be missing or stale. Use it to improve continuity, never to override current repository state.
 - When linking to code in an inline comment, use a full GitHub blob URL with a full SHA and a line range, for example: https://github.com/anthropics/claude-code/blob/c21d3c10bc8e898b7ac1a2d745bdc9bc4e423afe/package.json#L10-L15
   - Requires full git sha

.github/workflows/shared/review.md

@@ -16,7 +16,7 @@ steps:
       ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
     id: esc-secrets
     name: Fetch secrets from ESC
-    uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    uses: pulumi/esc-action@6cf9520e68354d86f81c455e8d43eabd58f5c9f5  # v1.5.0
   - name: Validate ESC secret output
     env:
       ANTHROPIC_API_KEY_FROM_ESC: ${{ steps.esc-secrets.outputs.ANTHROPIC_API_KEY }}
@@ -28,16 +28,21 @@ steps:
 tools:
   cache-memory: true
   github:
-    lockdown: false
     toolsets: [pull_requests, repos]
 safe-outputs:
+  threat-detection: false
   create-pull-request-review-comment:
     max: 12
     side: "RIGHT"
     target: "${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}"
     target-repo: "${{ github.repository }}"
+  resolve-pull-request-review-thread:
+    max: 12
+    target: "${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}"
+    target-repo: "${{ github.repository }}"
   submit-pull-request-review:
     max: 1
+    allowed-events: [APPROVE, REQUEST_CHANGES, COMMENT]
     target: "${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}"
   noop:
     max: 1
@@ -56,6 +61,7 @@ Workflow-specific rules:
 - Treat the imported review prompt as the source of the review procedure.
 - Use only gh-aw safe outputs for side effects:
   - `create-pull-request-review-comment` for actionable inline findings on changed lines
+  - `resolve-pull-request-review-thread` for previously reported bot-authored threads that are now fixed or clearly acknowledged
   - `submit-pull-request-review` for the final review
   - `noop` when the PR is not reviewable or required context is missing
 - Submit exactly one final review: