lint

.ci-mgmt.yaml

@@ -4,26 +4,23 @@ major-version: 0
 providerDefaultBranch: main
 providerVersion: github.com/pulumi/pulumi-docker-build/provider.Version
 aws: true
-modulePath: .
 gcp: true
 sdkModuleDir: sdk/go/dockerbuild
 parallel: 3
-esc:
-    enabled: true
 envOverride:
-    AWS_REGION: us-west-2
-    PULUMI_API: "https://api.pulumi-staging.io"
-    ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
-    ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
-    ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
-    ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
-    AZURE_LOCATION: westus
-    DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
-    GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
-    GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
-    GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
-    GOOGLE_PROJECT: pulumi-ci-gcp-provider
-    GOOGLE_PROJECT_NUMBER: 895284651812
-    GOOGLE_REGION: us-central1
-    GOOGLE_ZONE: us-central1-a
-    DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
+  AWS_REGION: us-west-2
+  PULUMI_API: "https://api.pulumi-staging.io"
+  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
+  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
+  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
+  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+  AZURE_LOCATION: westus
+  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
+  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
+  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
+  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
+  GOOGLE_PROJECT: pulumi-ci-gcp-provider
+  GOOGLE_PROJECT_NUMBER: 895284651812
+  GOOGLE_REGION: us-central1
+  GOOGLE_ZONE: us-central1-a
+  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}

.config/mise.test.toml

@@ -1,3 +0,0 @@
-# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
-
-# Overrides for test workflows -- currently empty.

.config/mise.toml

@@ -1,35 +0,0 @@
-# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
-# You can create your own root-level mise.toml file to override/augment this. See https://mise.jdx.dev/configuration.html
-
-[env]
-_.vfox-pulumi = { module_path = "." } # Sets GO_VERSION_MISE and PULUMI_VERSION_MISE
-PULUMI_HOME = "{{config_root}}/.pulumi"
-
-[tools]
-
-# Runtimes
-# TODO: we may not need 'get_env' once https://github.com/jdx/mise/discussions/6339 is fixed
-go = "{{ get_env(name='GO_VERSION_MISE', default='latest') }}"
-node = '20.19.5'
-python = '3.11.8'
-"vfox:version-fox/vfox-dotnet" = "8.0.20" # vfox backend doesn't work on Windows, gives "error converting Lua table to PreInstall (no version returned from vfox plugin)" https://github.com/jdx/mise/discussions/5876 https://github.com/jdx/mise/discussions/5550
-# Corretto version used as Java SE/OpenJDK version no longer offered
-java = 'corretto-11'
-
-# Executable tools
-"github:pulumi/pulumi" = "{{ get_env(name='PULUMI_VERSION_MISE', default='latest') }}"
-"github:pulumi/pulumictl" = '0.0.50'
-"github:pulumi/schema-tools" = "0.6.0"
-"aqua:gradle/gradle-distributions" = '7.6.6'
-golangci-lint = "1.64.8" # See note about about overrides if you need to customize this.
-"npm:yarn" = "1.22.22"
-
-[settings]
-experimental = true # Required for Go binaries (e.g. pulumictl).
-lockfile = false
-http_retries = 3
-pin = true # `mise use` should pin versions instead of defaulting to latest.
-fetch_remote_versions_cache = "24h" # Mise queries versions even if they're pinned to confirm they exist. Reduce GitHub API calls by doing that less often.
-
-[plugins]
-vfox-pulumi = "https://github.com/pulumi/vfox-pulumi"

.github/ISSUE_TEMPLATE/bug.yaml

@@ -1,69 +0,0 @@
-name: Bug Report
-description: Report something that's not working correctly
-labels: ["kind/bug", "needs-triage"]
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Thanks for taking the time to fill out this bug report! 
-        You can also ask questions on our [Community Slack](https://slack.pulumi.com/).
-  - type: textarea
-    id: what-happened
-    attributes:
-      label: Describe what happened
-      description: Please summarize what happened, including what Pulumi commands you ran, as well as
-        an inline snippet of any relevant error or console output.
-    validations:
-      required: true
-  - type: textarea
-    id: sample-program
-    attributes:
-      label: Sample program
-      description: |
-        <details><summary>Provide a reproducible sample program</summary>
-        If this is a bug you encountered while running a Pulumi command, please provide us with a minimal, 
-        self-contained Pulumi program that reproduces this behavior so that we can investigate on our end. 
-        Without a functional reproduction, we will not be able to prioritize this bug.
-        **Note:** If the program output is more than a few lines, please send us a Gist or a link to a file.
-        </details>
-    validations:
-      required: true
-  - type: textarea
-    id: log-output
-    attributes:
-      label: Log output
-      description: |
-        <details><summary>How to Submit Logs</summary>
-        If this is something that is dependent on your environment, please also provide us with the output of
-        `pulumi up --logtostderr --logflow -v=10` from the root of your project.
-        We may also ask you to supply us with debug output following [these steps](https://www.pulumi.com/docs/using-pulumi/pulumi-packages/debugging-provider-packages/).
-        **Note:** If the log output is more than a few lines, please send us a Gist or a link to a file.
-        </details>
-  - type: textarea
-    id: resources
-    attributes:
-      label: Affected Resource(s)
-      description: Please list the affected Pulumi Resource(s) or Function(s).
-    validations:
-      required: false
-  - type: textarea
-    id: versions
-    attributes:
-      label: Output of `pulumi about`
-      description: Provide the output of `pulumi about` from the root of your project.
-    validations:
-      required: true
-  - type: textarea
-    id: ctx
-    attributes:
-      label: Additional context
-      description: Anything else you would like to add?
-    validations:
-      required: false
-  - type: textarea
-    id: voting
-    attributes:
-      label: Contributing
-      value: |
-        Vote on this issue by adding a 👍 reaction. 
-        To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

.github/ISSUE_TEMPLATE/epic.md

@@ -1,35 +0,0 @@
----
-name: Epic
-about: Tracks a shippable unit of work
-title: '[Epic] {your-title-here}'
-labels: kind/epic
-projects: ['pulumi/32']
-assignees: ''
-type: Epic
----
-
-## Overview
-<!-- Start with a one- to three-sentence summary that should be understandable by any Pulumian or community member, even those without any context on the work. -->
-
-## Key KPIs
-<!-- What KPIs should this Epic will move; what could we measure to observe that this project was successful? -->
-
-## Key Stakeholders
-- Product and Engineering: <!-- Teams and individuals involved in the design and implementation -->
-- Documentation: <!-- Representative from the docs team -->
-- Marketing/Partnerships: <!-- Representative from the Marketing team -->
-- Customers: <!-- [Tracking Issue](add-link-and-uncomment) -->
-
-## Key Deliverables
-<!-- List any discrete chunks of work or milestones that are planned in the epic (eg. subcomponent A, dogfood release, beta, etc.) -->
-
-### References 📔
-
-<!-- Any project that is more than one iteration should have a Project Board using this [template](https://github.com/orgs/pulumi/projects/131).  -->
-- [ ] Project View <!-- [Link](add-link-and-uncomment) -->
-- [ ] PR/FAQ <!-- [Link](add-link-and-uncomment) -->
-- [ ] Design Doc <!-- [Link](add-link-and-uncomment) -->
-- [ ] UX Designs <!-- [Link](add-link-and-uncomment) -->
-- [ ] Decision Log <!-- [Link](add-link-and-uncomment) -->
-
-<!-- Work items should be added to the project board linked above  -->

.github/actions/download-provider/action.yml

@@ -1,19 +0,0 @@
-name: Download Provider Binary
-description: Downloads the provider binary artifact and restores executable permissions
-
-runs:
-  using: "composite"
-  steps:
-    - name: Download provider
-      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
-      with:
-        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
-        path: ${{ github.workspace }}/bin
-
-    - name: UnTar provider binaries
-      shell: bash
-      run: tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{ github.workspace}}/bin
-
-    - name: Restore Binary Permissions
-      shell: bash
-      run: find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print -exec chmod +x {} \;

.github/actions/download-sdk/action.yml

@@ -1,20 +0,0 @@
-name: Download SDK
-description: Downloads and extracts SDK artifacts for a specific language
-
-inputs:
-  language:
-    description: 'The SDK language to download (nodejs, python, dotnet, java)'
-    required: true
-
-runs:
-  using: "composite"
-  steps:
-    - name: Download SDK
-      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
-      with:
-        name: ${{ inputs.language }}-sdk.tar.gz
-        path: ${{ github.workspace }}/sdk/
-
-    - name: UnTar SDK folder
-      shell: bash
-      run: tar -zxf ${{ github.workspace }}/sdk/${{ inputs.language }}.tar.gz -C ${{ github.workspace }}/sdk/${{ inputs.language }}

.github/actions/esc-action/action.yaml

@@ -1,12 +0,0 @@
-name: "Load secrets"
-description: |
-  This is a temporary action which assists with our migration to ESC. Instead
-  of surrounding every step that references secrets with an "if ESC" block, we
-  instead modify those steps to consume their secrets from this step's outputs.
-  Then, later, we can replace this action with esc-action to actually load
-  secrets from ESC.
-inputs: {}
-outputs: {}
-runs:
-  using: "node20"
-  main: "index.js"

.github/actions/esc-action/index.js

@@ -1,14 +0,0 @@
-const fs = require("fs");
-
-const file = process.env["GITHUB_OUTPUT"];
-var stream = fs.createWriteStream(file, { flags: "a" });
-
-for (const [name, value] of Object.entries(process.env)) {
-  try {
-    stream.write(`${name}<<EEEOOOFFF\n${value}\nEEEOOOFFF\n`); // << syntax accommodates multiline strings.
-  } catch (err) {
-    console.log(`error: failed to set output for ${name}: ${err.message}`);
-  }
-}
-
-stream.end();

.github/actions/setup-tools/action.yml

@@ -1,42 +0,0 @@
-name: Setup Tools
-description: Installs all tools (Go, Node, Python, .NET, Java, Pulumi, etc.) using mise
-
-inputs:
-  cache:
-    description: Enable caching
-    required: false
-    default: "false"
-  github_token:
-    description: GitHub token
-    required: true
-
-runs:
-  using: "composite"
-  steps:
-    - name: Setup mise
-      uses: blampe/mise-action@blampe/plugins
-      env:
-        MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
-      with:
-        version: 2026.1.1
-        cache_save: ${{ inputs.cache }}
-        github_token: ${{ inputs.github_token }}
-        plugin_install: https://github.com/pulumi/vfox-pulumi
-
-    - name: Setup Go Cache
-      uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
-      with:
-        cache: ${{ inputs.cache }}
-        cache-dependency-path: |
-          provider/*.sum
-          upstream/*.sum
-          sdk/go/*.sum
-          sdk/*.sum
-          *.sum
-
-    - name: Setup Node
-      uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
-      with:
-        # we don't set node-version because we install with mise.
-        # this step is needed to setup npm auth
-        registry-url: https://registry.npmjs.org

.github/workflows/build.yml

@@ -1,6 +1,6 @@
 # WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
 
-name: main # For consistency with bridged providers.
+name: build
 on:
   push:
     branches:
@@ -15,20 +15,43 @@ on:
     - "**"
   workflow_dispatch: {}
 env:
+  AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
+  AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
+  AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
+  AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
+  SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' &&
+    secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID
+    == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
+  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
   PROVIDER: docker-build
+  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
   PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
+  PYPI_USERNAME: __token__
+  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
   TRAVIS_OS_NAME: linux
+  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
   PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
+  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
+  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
+  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
   GOVERSION: "1.21.x"
   NODEVERSION: "20.x"
   PYTHONVERSION: "3.11.8"
   DOTNETVERSION: "8.0.x"
   JAVAVERSION: "11"
   ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
+  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
   ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
   ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
   AWS_REGION: us-west-2
   AZURE_LOCATION: westus
+  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
+  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
   GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
   GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
   GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -37,49 +60,34 @@ env:
   GOOGLE_REGION: us-central1
   GOOGLE_ZONE: us-central1-a
   PULUMI_API: https://api.pulumi-staging.io
-
 jobs:
   prerequisites:
     runs-on: ubuntu-latest
     name: prerequisites
-    permissions:
-      id-token: write # For ESC secrets.
-      pull-requests: write # For schema check comment.
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        cache: 'true'
-        github_token: ${{ secrets.GITHUB_TOKEN }}
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
     - if: github.event_name == 'pull_request'
       name: Install Schema Tools
-      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
       with:
         repo: pulumi/schema-tools
     - name: Build codegen binaries
@@ -89,15 +97,13 @@ jobs:
     - if: github.event_name == 'pull_request'
       name: Check Schema is Valid
       run: >-
-        {
-          echo 'SCHEMA_CHANGES<<EOF';
+        echo 'SCHEMA_CHANGES<<EOF' >> $GITHUB_ENV
 
-          schema-tools compare -p ${{ env.PROVIDER }} -o ${{ github.event.repository.default_branch }} -n --local-path=provider/cmd/pulumi-resource-${{ env.PROVIDER }}/schema.json;
+        schema-tools compare -p ${{ env.PROVIDER }} -o ${{ github.event.repository.default_branch }} -n --local-path=provider/cmd/pulumi-resource-${{ env.PROVIDER }}/schema.json >> $GITHUB_ENV
 
-          echo 'EOF';
-        } >> "$GITHUB_ENV"
+        echo 'EOF' >> $GITHUB_ENV
       env:
-        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
+        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
     - if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
       name: Comment on PR with Details of Schema Check
       uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
@@ -122,42 +128,74 @@ jobs:
       with:
         allowed-changes: |-
           sdk/**/pulumi-plugin.json
-          sdk/dotnet/*.*.csproj
-          sdk/dotnet/version.txt
+          sdk/dotnet/Pulumi.*.csproj
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
-          sdk/java/build.gradle
+    - name: Commit ${{ matrix.language }} SDK changes for Renovate
+      if: failure() && steps.worktreeClean.outcome == 'failure' &&
+        contains(github.actor, 'renovate') && github.event_name ==
+        'pull_request'
+      shell: bash
+      run: >
+        git diff --quiet -- sdk && echo "no changes to sdk" && exit
+
+        git config --global user.email "bot@pulumi.com"
+
+        git config --global user.name "pulumi-bot"
+
+        # Stash local changes and check out the PR's branch directly.
+
+        git stash
+
+        git fetch
+
+        git checkout "origin/$HEAD_REF"
+
+
+        # Apply and add our changes, but don't commit any files we expect to
+
+        # always change due to versioning.
+
+        git stash pop
+
+        git add sdk
+
+        git reset     sdk/python/*/pulumi-plugin.json     sdk/python/pyproject.toml     sdk/dotnet/pulumi-plugin.json     sdk/dotnet/Pulumi.*.csproj     sdk/go/*/pulumi-plugin.json     sdk/go/*/internal/pulumiUtilities.go     sdk/nodejs/package.json
+
+        git commit -m 'Commit ${{ matrix.language }} SDK for Renovate'
+
+
+        # Push with pulumi-bot credentials to trigger a re-run of the
+
+        # workflow. https://github.com/orgs/community/discussions/25702
+
+        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+      env:
+        HEAD_REF: ${{ github.head_ref }}
     - run: git status --porcelain
     - name: Tar provider binaries
       run: tar -zcf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
         github.workspace}}/bin/ pulumi-resource-${{ env.PROVIDER }}
         pulumi-gen-${{ env.PROVIDER}}
     - name: Upload artifacts
-      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
         path: ${{ github.workspace }}/bin/provider.tar.gz
     - name: Test Provider Library
       run: make test_provider
-      env:
-        ARM_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.ARM_CLIENT_SECRET }}
-        DIGITALOCEAN_TOKEN: ${{ steps.esc-secrets.outputs.DIGITALOCEAN_TOKEN }}
-        DOCKER_HUB_PASSWORD: ${{ steps.esc-secrets.outputs.DOCKER_HUB_PASSWORD }}
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: Upload coverage reports to Codecov
-      uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+      uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2
       env:
-        CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
+        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure in building provider prerequisites
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   build_sdks:
     needs: prerequisites
     runs-on: pulumi-ubuntu-8core
@@ -171,42 +209,61 @@ jobs:
         - go
         - java
     name: build_sdks
-    permissions:
-      pull-requests: write # For Renovate SDK updates.
-      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
-    - name: Download Provider Binary
-      uses: ./.github/actions/download-provider
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Setup Node
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      with:
+        node-version: ${{ env.NODEVERSION }}
+        registry-url: https://registry.npmjs.org
+    - name: Setup DotNet
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      with:
+        dotnet-version: ${{ env.DOTNETVERSION }}
+    - name: Setup Python
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      with:
+        python-version: ${{ env.PYTHONVERSION }}
+    - name: Setup Java
+      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+      with:
+        java-version: ${{ env.JAVAVERSION }}
+        distribution: temurin
+        cache: gradle
+    - name: Setup Gradle
+      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
+      with:
+        gradle-version: "7.6"
+    - name: Download provider
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      with:
+        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
+        path: ${{ github.workspace }}/bin
+    - name: UnTar provider binaries
+      run: tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
+        github.workspace}}/bin
+    - name: Restore Binary Permissions
+      run: find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print
+        -exec chmod +x {} \;
     - name: Generate SDK
       run: make generate_${{ matrix.language }}
     - name: Build SDK
@@ -217,65 +274,67 @@ jobs:
       with:
         allowed-changes: |-
           sdk/**/pulumi-plugin.json
-          sdk/dotnet/*.*.csproj
-          sdk/dotnet/version.txt
+          sdk/dotnet/Pulumi.*.csproj
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
-          sdk/java/build.gradle
+    - name: Commit ${{ matrix.language }} SDK changes for Renovate
+      if: failure() && steps.worktreeClean.outcome == 'failure' &&
+        contains(github.actor, 'renovate') && github.event_name ==
+        'pull_request'
+      shell: bash
+      run: >
+        git diff --quiet -- sdk && echo "no changes to sdk" && exit
+
+        git config --global user.email "bot@pulumi.com"
+
+        git config --global user.name "pulumi-bot"
+
+        # Stash local changes and check out the PR's branch directly.
+
+        git stash
+
+        git fetch
+
+        git checkout "origin/$HEAD_REF"
+
+
+        # Apply and add our changes, but don't commit any files we expect to
+
+        # always change due to versioning.
+
+        git stash pop
+
+        git add sdk
+
+        git reset     sdk/python/*/pulumi-plugin.json     sdk/python/pyproject.toml     sdk/dotnet/pulumi-plugin.json     sdk/dotnet/Pulumi.*.csproj     sdk/go/*/pulumi-plugin.json     sdk/go/*/internal/pulumiUtilities.go     sdk/nodejs/package.json
+
+        git commit -m 'Commit ${{ matrix.language }} SDK for Renovate'
+
+
+        # Push with pulumi-bot credentials to trigger a re-run of the
+
+        # workflow. https://github.com/orgs/community/discussions/25702
+
+        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+      env:
+        HEAD_REF: ${{ github.head_ref }}
     - run: git status --porcelain
     - name: Tar SDK folder
       run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} .
     - name: Upload artifacts
-      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: ${{ matrix.language  }}-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/${{ matrix.language }}.tar.gz
         retention-days: 30
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure while building SDKs
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
-
-  tag_release_if_labeled_needs_release:
-    name: Tag release if labeled as needs-release
-    needs: publish
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write # For ESC secrets.
-    steps:
-    - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - name: check if this commit needs release
-      if: ${{ env.RELEASE_BOT_ENDPOINT != '' }}
-      uses: pulumi/action-release-by-pr-label@main
-      with:
-        command: "release-if-needed"
-        repo: ${{ github.repository }}
-        commit: ${{ github.sha }}
-        slack_channel: C02MGR8JVST
-      env:
-        RELEASE_BOT_ENDPOINT: ${{ steps.esc-secrets.outputs.RELEASE_BOT_ENDPOINT }}
-        RELEASE_BOT_KEY: ${{ steps.esc-secrets.outputs.RELEASE_BOT_KEY }}
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
   test:
     runs-on: pulumi-ubuntu-8core
     needs:
@@ -293,47 +352,74 @@ jobs:
     name: test
     permissions:
       contents: read
-      id-token: write # For ESC secrets and Pulumi access token OIDC.
+      id-token: write
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
-    - name: Download Provider Binary
-      uses: ./.github/actions/download-provider
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Setup Node
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      with:
+        node-version: ${{ env.NODEVERSION }}
+        registry-url: https://registry.npmjs.org
+    - name: Setup DotNet
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      with:
+        dotnet-version: ${{ env.DOTNETVERSION }}
+    - name: Setup Python
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      with:
+        python-version: ${{ env.PYTHONVERSION }}
+    - name: Setup Java
+      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+      with:
+        java-version: ${{ env.JAVAVERSION }}
+        distribution: temurin
+        cache: gradle
+    - name: Setup Gradle
+      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
+      with:
+        gradle-version: "7.6"
+    - name: Download provider
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      with:
+        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
+        path: ${{ github.workspace }}/bin
+    - name: UnTar provider binaries
+      run: tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
+        github.workspace}}/bin
+    - name: Restore Binary Permissions
+      run: find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print
+        -exec chmod +x {} \;
     - name: Download SDK
       if: ${{ matrix.language != 'yaml' }}
-      uses: ./.github/actions/download-sdk
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
       with:
-        language: ${{ matrix.language }}
+        name: ${{ matrix.language }}-sdk.tar.gz
+        path: ${{ github.workspace}}/sdk/
+    - name: UnTar SDK folder
+      if: ${{ matrix.language != 'yaml' }}
+      run: tar -zxf ${{ github.workspace}}/sdk/${{ matrix.language}}.tar.gz -C ${{
+        github.workspace}}/sdk/${{ matrix.language}}
     - name: Update path
-      run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
+      run: echo "${{ github.workspace }}/bin" >> $GITHUB_PATH
     - name: Install Node dependencies
       run: yarn global add typescript
     - run: dotnet nuget add source ${{ github.workspace }}/nuget
@@ -352,13 +438,13 @@ jobs:
         requested-token-type: urn:pulumi:token-type:access_token:organization
         export-environment-variables: false
     - name: Export AWS Credentials
-      uses: pulumi/esc-action@9840934db12128a33f6afb60b17d9de8f7ec5519
+      uses: pulumi/esc-action@41fd832f44f4820124b5350b5f84a00f741f234e # v1.3.0
       env:
         PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
       with:
         environment: logins/pulumi-ci
     - name: Authenticate to Google Cloud
-      uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
+      uses: google-github-actions/auth@7b53cdc2a387814ed14eec026287aac689ae8c9b # v2.1.9
       with:
         workload_identity_provider: projects/${{ env.GOOGLE_PROJECT_NUMBER
           }}/locations/global/workloadIdentityPools/${{
@@ -366,7 +452,7 @@ jobs:
           env.GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER }}
         service_account: ${{ env.GOOGLE_CI_SERVICE_ACCOUNT_EMAIL }}
     - name: Setup gcloud auth
-      uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
+      uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
       with:
         install_components: gke-gcloud-auth-plugin
     - name: Install gotestfmt
@@ -379,55 +465,32 @@ jobs:
         set -euo pipefail
 
         cd examples && go test -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 .
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure in SDK tests
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   publish:
     runs-on: ubuntu-latest
     needs: test
     name: publish
-    permissions:
-      contents: read
-      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
     - name: Clear GitHub Actions Ubuntu runner disk space
       uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
       with:
@@ -437,84 +500,82 @@ jobs:
         haskell: true
         swap-storage: true
         large-packages: false
-    - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
       with:
-        aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }}
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Configure AWS Credentials
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      with:
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
         aws-region: us-east-2
-        aws-secret-access-key: ${{ steps.esc-secrets.outputs.AWS_SECRET_ACCESS_KEY }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
         role-duration-seconds: 7200
         role-session-name: ${{ env.PROVIDER }}@githubActions
         role-external-id: upload-pulumi-release
-        role-to-assume: ${{ steps.esc-secrets.outputs.AWS_UPLOAD_ROLE_ARN }}
+        role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
     - name: Run GoReleaser
       uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
       env:
         GORELEASER_CURRENT_TAG: v${{ steps.version.outputs.version }}
-        AZURE_SIGNING_CLIENT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID }}
-        AZURE_SIGNING_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET }}
-        AZURE_SIGNING_TENANT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID }}
-        AZURE_SIGNING_KEY_VAULT_URI: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI }}
-        SKIP_SIGNING: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET == '' && steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI == '' }}
-        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
       with:
         args: -p 3 -f .goreleaser.prerelease.yml --clean --skip=validate --timeout 60m0s
         version: latest
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure in publishing binaries
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   publish_sdk:
     runs-on: ubuntu-latest
     needs: publish
     name: publish_sdk
-    permissions:
-      contents: read
-      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: Checkout Scripts Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         path: ci-scripts
         repository: pulumi/scripts
     - run: echo "ci-scripts" >> .git/info/exclude
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Setup Node
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      with:
+        node-version: ${{ env.NODEVERSION }}
+        registry-url: https://registry.npmjs.org
+    - name: Setup DotNet
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      with:
+        dotnet-version: ${{ env.DOTNETVERSION }}
+    - name: Setup Python
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      with:
+        python-version: ${{ env.PYTHONVERSION }}
     - name: Download python SDK
-      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
       with:
         name: python-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -522,7 +583,7 @@ jobs:
       run: tar -zxf ${{github.workspace}}/sdk/python.tar.gz -C
         ${{github.workspace}}/sdk/python
     - name: Download dotnet SDK
-      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
       with:
         name: dotnet-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -530,7 +591,7 @@ jobs:
       run: tar -zxf ${{github.workspace}}/sdk/dotnet.tar.gz -C
         ${{github.workspace}}/sdk/dotnet
     - name: Download nodejs SDK
-      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
       with:
         name: nodejs-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -542,26 +603,38 @@ jobs:
     - name: Publish SDKs
       run: ./ci-scripts/ci/publish-tfgen-package ${{ github.workspace }}
       env:
-        NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }}
-        NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }}
+        NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         PYPI_PUBLISH_ARTIFACTS: all
-        PYPI_USERNAME: __token__
-        PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }}
-        SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }}
-        SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }}
-        SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }}
-        PUBLISH_REPO_USERNAME: ${{ steps.esc-secrets.outputs.OSSRH_USERNAME }}
-        PUBLISH_REPO_PASSWORD: ${{ steps.esc-secrets.outputs.OSSRH_PASSWORD }}
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure in publishing SDK
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   lint:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        lfs: true
+        persist-credentials: false
+        ref: ${{ env.PR_COMMIT_SHA }}
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+      with:
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Disarm go:embed directives to enable linters that compile source code
+      run: git grep -l 'go:embed' -- provider | xargs --no-run-if-empty sed -i
+        's/go:embed/ goembed/g'
+    - name: golangci-lint provider pkg
+      uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6.5.2
+      with:
+        version: ${{ env.GOLANGCI_LINT_VERSION }}
+        args: -c ../.golangci.yml
+        working-directory: provider
     name: lint
-    uses: ./.github/workflows/lint.yml
-    secrets: inherit
+    if: github.event_name == 'repository_dispatch' ||
+      github.event.pull_request.head.repo.full_name == github.repository

.github/workflows/claude.yml

@@ -1,135 +0,0 @@
-name: Claude Code
-
-on:
-  # Responds to @claude mentions in comments.
-  issue_comment:
-    types: [created]
-  pull_request_review_comment:
-    types: [created]
-  issues:
-    types: [opened]
-  pull_request_review:
-    types: [submitted]
-
-jobs:
-  claude:
-    # Only run when @claude is mentioned by a trusted user (OWNER, MEMBER, or COLLABORATOR)
-    # Note: the claude-code-action can only be triggered by users with write access to the repository so this is extra
-    # see https://github.com/anthropics/claude-code-action/blob/main/docs/security.md
-    if: |
-      (github.event_name == 'issue_comment' &&
-        contains(github.event.comment.body, '@claude') &&
-        contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)) ||
-      (github.event_name == 'pull_request_review_comment' &&
-        contains(github.event.comment.body, '@claude') &&
-        contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)) ||
-      (github.event_name == 'pull_request_review' &&
-        contains(github.event.review.body, '@claude') &&
-        contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.review.author_association)) ||
-      (github.event_name == 'issues' &&
-        (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) &&
-        contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.issue.author_association))
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: write
-      issues: write
-      id-token: write
-      actions: read
-    steps:
-      - env:
-          ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-          ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-          ESC_ACTION_OIDC_AUTH: "true"
-          ESC_ACTION_OIDC_ORGANIZATION: pulumi
-          ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-        id: esc-secrets
-        name: Fetch secrets from ESC
-        uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
-        with:
-          fetch-depth: 0
-      - name: Checkout PR head (if applicable)
-        if: ${{ github.event.pull_request.number || (github.event.issue.pull_request && github.event.issue.number) }}
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
-        run: gh pr checkout "$PR_NUMBER"
-      - name: Setup mise
-        uses: blampe/mise-action@blampe/plugins
-        env:
-          MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
-        with:
-          version: 2026.1.1
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          plugin_install: https://github.com/pulumi/vfox-pulumi
-          # only saving the cache in the prerequisites job
-          cache_save: false
-      - name: Prepare local workspace
-        # this runs install_plugins and upstream
-        run: make prepare_local_workspace
-      - name: Run Claude Code Review
-        # Comment must contain '@claude review'
-        if: |
-          (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude review')) ||
-          (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude review')) ||
-          (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude review'))
-        id: claude-review
-        uses: anthropics/claude-code-action@8341a564b0c1693e9fa29c681852ee3714980098 # v1
-        with:
-          anthropic_api_key: ${{ steps.esc-secrets.outputs.ANTHROPIC_API_KEY }}
-          prompt: |
-            REPO: ${{ github.repository }}
-            PR NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
-
-            Review this pull request using the provider-code-review skill for guidelines.
-            The PR branch is already checked out in the current working directory.
-
-            Use `gh pr comment` for top-level feedback.
-            Use `mcp__github_inline_comment__create_inline_comment` to highlight specific code issues.
-            Only post GitHub comments - don't submit review text as messages.
-          # Taken from https://github.com/anthropics/claude-code/blob/main/plugins/code-review/commands/code-review.md
-          claude_args: |
-            --allowedTools "Skill,Bash(gh issue view *),Bash(gh search *),Bash(gh issue list *),Bash(gh pr comment *),Bash(gh pr diff *),Bash(gh pr view *),Bash(gh pr list *),mcp__github_inline_comment__create_inline_comment"
-      - name: Run Claude Code
-        # Comment must contain '@claude', but not '@claude review'
-        if: |
-          !contains(github.event.comment.body, '@claude review') &&
-          !contains(github.event.review.body, '@claude review')
-        id: claude-action
-        uses: anthropics/claude-code-action@8341a564b0c1693e9fa29c681852ee3714980098 # v1
-        with:
-          anthropic_api_key: ${{ steps.esc-secrets.outputs.ANTHROPIC_API_KEY }}
-          # This allows claude to read github action logs
-          additional_permissions: |
-            actions: read
-          # Sandbox settings: --allowedTools controls which tools Claude can invoke,
-          # but the sandbox also enforces OS-level filesystem restrictions. Edit()
-          # rules in permissions.allow control all bash filesystem writes (mkdir,
-          # output redirection, etc.), not just the Edit tool. Without these, commands
-          # like `mkdir .pulumi` or `cmd > file.txt` would be blocked by the sandbox.
-          settings: |
-            {
-              "permissions": {
-                "allow": ["Edit(./**)", "Edit(/tmp/**)"]
-              }
-            }
-          claude_args: |
-            --max-turns 50
-            --allowedTools "Skill,Edit,MultiEdit,Write,Read,Glob,Grep,LS,Bash(upgrade-provider *),Bash(./scripts/upstream.sh *),Bash(git *),Bash(GIT_EDITOR=* git *),Bash(make *),Bash(gh *),Bash(mkdir *),Bash(go install *),Bash(ls *),Bash(test *),Bash(cat *),Bash(pwd),Bash(head *),Bash(tail *),Bash(tee *),Bash(rg *),Bash(grep *),Bash(sed *),Bash(awk *),Bash(find *)"
-        # If the claude action fails you don't get any logs on what claude was doing
-        # Uploading the artifact allows you to download the artifact from the UI
-      - name: Upload Claude review output on failure
-        if: failure() && steps.claude-review.outputs.execution_file
-        uses: actions/upload-artifact@v4
-        with:
-          name: claude-review-execution-log
-          path: ${{ steps.claude-review.outputs.execution_file }}
-          retention-days: 7
-      - name: Upload Claude output on failure
-        if: failure() && steps.claude-action.outputs.execution_file
-        uses: actions/upload-artifact@v4
-        with:
-          name: claude-execution-log
-          path: ${{ steps.claude-action.outputs.execution_file }}
-          retention-days: 7

.github/workflows/command-dispatch.yml

@@ -1,11 +1,42 @@
-# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
+# WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
 
+name: command-dispatch
+on:
+  issue_comment:
+    types:
+    - created
+    - edited
 env:
+  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+  PROVIDER: docker-build
+  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
+  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
+  PYPI_USERNAME: __token__
+  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+  TRAVIS_OS_NAME: linux
+  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
+  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
+  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
+  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
+  GOVERSION: "1.21.x"
+  NODEVERSION: "20.x"
+  PYTHONVERSION: "3.11.8"
+  DOTNETVERSION: "8.0.x"
+  JAVAVERSION: "11"
   ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
+  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
   ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
   ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
   AWS_REGION: us-west-2
   AZURE_LOCATION: westus
+  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
+  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
   GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
   GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
   GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -14,42 +45,21 @@ env:
   GOOGLE_REGION: us-central1
   GOOGLE_ZONE: us-central1-a
   PULUMI_API: https://api.pulumi-staging.io
-  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
-
 jobs:
   command-dispatch-for-testing:
-    name: command-dispatch-for-testing
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write # For ESC secrets.
+    name: command-dispatch-for-testing
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        persist-credentials: false    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: peter-evans/slash-command-dispatch@5c11dc7efead556e3bdabf664302212f79eb26fa # v5
+        lfs: true
+    - uses: peter-evans/slash-command-dispatch@13bc09769d122a64f75aa5037256f6f2d78be8c4 # v4.0.0
       with:
-        commands: |
-          run-acceptance-tests
-          release
-        issue-type: pull-request
-        permission: write
+        token: ${{ secrets.PULUMI_BOT_TOKEN }}
         reaction-token: ${{ secrets.GITHUB_TOKEN }}
+        commands: run-acceptance-tests
+        permission: write
+        issue-type: pull-request
         repository: pulumi/pulumi-docker-build
-        token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
-name: command-dispatch
-on:
-  issue_comment:
-    types:
-    - created
-    - edited
+    if: ${{ github.event.issue.pull_request }}

.github/workflows/comment-on-stale-issues.yml

@@ -1,44 +0,0 @@
-# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
-name: "Comment on stale issues"
-
-on:
-  workflow_dispatch: {}
-  schedule:
-  - cron: "46 4 * * *" # run once per day
-
-jobs:
-  cleanup:
-    runs-on: ubuntu-latest
-    name: Stale issue job
-    steps:
-    - uses: pose/stale-issue-cleanup@d2922f61fc5669f4154408689f9bb2a981996112
-      with:
-        issue-types: issues # only look at issues (ignore pull-requests)
-
-        # Setting messages to an empty string causes the automation to skip that category
-        ancient-issue-message: "Unfortunately, it looks like this issue hasn't seen any updates in a while. If you're still experiencing this issue, could you leave a quick comment to let us know so we can prioritize it?"
-        ancient-pr-message: ""
-        stale-issue-message: ""
-        stale-pr-message: ""
-
-        # These labels are required
-        stale-issue-label: awaiting-feedback # somewhat confusingly, this is also used for when labeling "ancient" issues
-        exempt-issue-labels: kind/enhancement,kind/task,kind/epic,kind/engineering, awaiting-upstream # only run on kind/bug for now, ignore awaiting-upstream too.
-        stale-pr-label: no-pr-activity # unused because we aren't processing PRs
-        exempt-pr-labels: awaiting-approval # unused because we aren't processing PRs
-        response-requested-label: response-requested # unused because we don't set a "stale-issue-message" above
-
-        # Issue timing
-        days-before-close: 10000 # this action lacks the option not to close, so just set this indefinitly far in the future
-        days-before-ancient: 180 # 6 months
-
-        # If you don't want to mark a issue as being ancient based on a
-        # threshold of "upvotes", you can set this here. An "upvote" is
-        # the total number of +1, heart, hooray, and rocket reactions
-        # on an issue.
-        minimum-upvotes-to-exempt: 2
-
-        repo-token: ${{ secrets.GITHUB_TOKEN }}
-        loglevel: DEBUG
-        # Set dry-run to true to not perform label or close actions.
-        dry-run: true

.github/workflows/community-moderation.yml

@@ -1,43 +0,0 @@
-# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
-
-jobs:
-  warn_codegen:
-    name: warn_codegen
-    runs-on: ubuntu-latest
-    steps:
-    - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      with:
-        persist-credentials: false
-    - id: schema_changed
-      name: Check for diff in schema
-      uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
-      with:
-        filters: "changed: 'provider/cmd/**/schema.json'"
-    - id: sdk_changed
-      if: steps.schema_changed.outputs.changed == 'false'
-      name: Check for diff in sdk/**
-      uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2
-      with:
-        filters: "changed: 'sdk/**'"
-    - if: steps.sdk_changed.outputs.changed == 'true' &&
-        github.event.pull_request.head.repo.full_name != github.repository
-      name: Send codegen warning as comment on PR
-      uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
-      with:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        message: >
-          Hello and thank you for your pull request! :heart: :sparkles:
-
-          It looks like you're directly modifying files in the language SDKs, many of which are autogenerated.
-
-          Be sure any files you're editing do not begin with a code generation warning.
-
-          For generated files, you will need to make changes in `resources.go` instead, and [generate the code](https://github.com/pulumi/${{ github.event.repository.name }}/blob/master/CONTRIBUTING.md#committing-generated-code).
-name: warn-codegen
-on:
-  pull_request_target:
-    branches:
-    - main
-    types:
-    - opened

.github/workflows/export-repo-secrets.yml

@@ -1,25 +0,0 @@
-permissions: write-all # Equivalent to default permissions plus id-token: write
-name: Export secrets to ESC
-on: [workflow_dispatch]
-jobs:
-  export-to-esc:
-    runs-on: ubuntu-latest
-    name: export GitHub secrets to ESC
-    steps:
-      - name: Generate a GitHub token
-        id: generate-token
-        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
-        with:
-          app-id: 1256780 # Export Secrets GitHub App
-          private-key: ${{ secrets.EXPORT_SECRETS_PRIVATE_KEY }}
-      - name: Export secrets to ESC
-        uses: pulumi/esc-export-secrets-action@9d6485759b6adff2538ae91f1b77cc96265c9dad # v1
-        with:
-          organization: pulumi
-          org-environment: imports/github-secrets
-          exclude-secrets: EXPORT_SECRETS_PRIVATE_KEY
-          github-token: ${{ steps.generate-token.outputs.token }}
-          oidc-auth: true
-          oidc-requested-token-type: urn:pulumi:token-type:access_token:organization
-        env:
-          GITHUB_SECRETS: ${{ toJSON(secrets) }}

.github/workflows/lint.yml

@@ -1,57 +0,0 @@
-# WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
-
-name: lint
-
-on:
-  workflow_call:
-    inputs: {}
-
-env:
-  PROVIDER: docker-build
-  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
-  TRAVIS_OS_NAME: linux
-  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
-  GOVERSION: "1.21.x"
-  NODEVERSION: "20.x"
-  PYTHONVERSION: "3.11.8"
-  DOTNETVERSION: "8.0.x"
-  JAVAVERSION: "11"
-  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
-  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
-  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
-  AWS_REGION: us-west-2
-  AZURE_LOCATION: westus
-  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
-  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
-  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
-  GOOGLE_PROJECT: pulumi-ci-gcp-provider
-  GOOGLE_PROJECT_NUMBER: "895284651812"
-  GOOGLE_REGION: us-central1
-  GOOGLE_ZONE: us-central1-a
-  PULUMI_API: https://api.pulumi-staging.io
-
-jobs:
-  lint:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      with:
-        lfs: true
-        persist-credentials: false
-        ref: ${{ env.PR_COMMIT_SHA }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
-      with:
-        github_token: ${{ steps.app-auth.outputs.token }}
-    - name: Disarm go:embed directives to enable linters that compile source code
-      run: git grep -l 'go:embed' -- provider | xargs --no-run-if-empty sed -i
-        's/go:embed/ goembed/g'
-    - name: golangci-lint provider pkg
-      uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6.5.2
-      with:
-        install-mode: none # Handled by mise.
-        working-directory: .
-    name: lint
-    if: github.event_name == 'repository_dispatch' ||
-      github.event.pull_request.head.repo.full_name == github.repository

.github/workflows/prerelease.yml

@@ -6,20 +6,43 @@ on:
     tags:
     - v*.*.*-**
 env:
+  AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
+  AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
+  AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
+  AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
+  SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' &&
+    secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID
+    == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
+  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
   PROVIDER: docker-build
+  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
   PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
+  PYPI_USERNAME: __token__
+  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
   TRAVIS_OS_NAME: linux
+  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
   PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
+  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
+  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
+  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
   GOVERSION: "1.21.x"
   NODEVERSION: "20.x"
   PYTHONVERSION: "3.11.8"
   DOTNETVERSION: "8.0.x"
   JAVAVERSION: "11"
   ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
+  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
   ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
   ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
   AWS_REGION: us-west-2
   AZURE_LOCATION: westus
+  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
+  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
   GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
   GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
   GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -29,49 +52,34 @@ env:
   GOOGLE_ZONE: us-central1-a
   PULUMI_API: https://api.pulumi-staging.io
   IS_PRERELEASE: true
-
 jobs:
   prerequisites:
     runs-on: ubuntu-latest
     name: prerequisites
-    permissions:
-      id-token: write # For ESC secrets.
-      pull-requests: write # For schema check comment.
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        cache: 'true'
-        github_token: ${{ secrets.GITHUB_TOKEN }}
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
     - if: github.event_name == 'pull_request'
       name: Install Schema Tools
-      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
       with:
         repo: pulumi/schema-tools
     - name: Build codegen binaries
@@ -81,15 +89,13 @@ jobs:
     - if: github.event_name == 'pull_request'
       name: Check Schema is Valid
       run: >-
-        {
-          echo 'SCHEMA_CHANGES<<EOF';
+        echo 'SCHEMA_CHANGES<<EOF' >> $GITHUB_ENV
 
-          schema-tools compare -p ${{ env.PROVIDER }} -o ${{ github.event.repository.default_branch }} -n --local-path=provider/cmd/pulumi-resource-${{ env.PROVIDER }}/schema.json;
+        schema-tools compare -p ${{ env.PROVIDER }} -o ${{ github.event.repository.default_branch }} -n --local-path=provider/cmd/pulumi-resource-${{ env.PROVIDER }}/schema.json >> $GITHUB_ENV
 
-          echo 'EOF';
-        } >> "$GITHUB_ENV"
+        echo 'EOF' >> $GITHUB_ENV
       env:
-        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
+        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
     - if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
       name: Comment on PR with Details of Schema Check
       uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
@@ -114,42 +120,74 @@ jobs:
       with:
         allowed-changes: |-
           sdk/**/pulumi-plugin.json
-          sdk/dotnet/*.*.csproj
-          sdk/dotnet/version.txt
+          sdk/dotnet/Pulumi.*.csproj
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
-          sdk/java/build.gradle
+    - name: Commit ${{ matrix.language }} SDK changes for Renovate
+      if: failure() && steps.worktreeClean.outcome == 'failure' &&
+        contains(github.actor, 'renovate') && github.event_name ==
+        'pull_request'
+      shell: bash
+      run: >
+        git diff --quiet -- sdk && echo "no changes to sdk" && exit
+
+        git config --global user.email "bot@pulumi.com"
+
+        git config --global user.name "pulumi-bot"
+
+        # Stash local changes and check out the PR's branch directly.
+
+        git stash
+
+        git fetch
+
+        git checkout "origin/$HEAD_REF"
+
+
+        # Apply and add our changes, but don't commit any files we expect to
+
+        # always change due to versioning.
+
+        git stash pop
+
+        git add sdk
+
+        git reset     sdk/python/*/pulumi-plugin.json     sdk/python/pyproject.toml     sdk/dotnet/pulumi-plugin.json     sdk/dotnet/Pulumi.*.csproj     sdk/go/*/pulumi-plugin.json     sdk/go/*/internal/pulumiUtilities.go     sdk/nodejs/package.json
+
+        git commit -m 'Commit ${{ matrix.language }} SDK for Renovate'
+
+
+        # Push with pulumi-bot credentials to trigger a re-run of the
+
+        # workflow. https://github.com/orgs/community/discussions/25702
+
+        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+      env:
+        HEAD_REF: ${{ github.head_ref }}
     - run: git status --porcelain
     - name: Tar provider binaries
       run: tar -zcf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
         github.workspace}}/bin/ pulumi-resource-${{ env.PROVIDER }}
         pulumi-gen-${{ env.PROVIDER}}
     - name: Upload artifacts
-      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
         path: ${{ github.workspace }}/bin/provider.tar.gz
     - name: Test Provider Library
       run: make test_provider
-      env:
-        ARM_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.ARM_CLIENT_SECRET }}
-        DIGITALOCEAN_TOKEN: ${{ steps.esc-secrets.outputs.DIGITALOCEAN_TOKEN }}
-        DOCKER_HUB_PASSWORD: ${{ steps.esc-secrets.outputs.DOCKER_HUB_PASSWORD }}
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: Upload coverage reports to Codecov
-      uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+      uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2
       env:
-        CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
+        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure in building provider prerequisites
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   build_sdks:
     needs: prerequisites
     runs-on: pulumi-ubuntu-8core
@@ -163,42 +201,61 @@ jobs:
         - go
         - java
     name: build_sdks
-    permissions:
-      pull-requests: write # For Renovate SDK updates.
-      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
-    - name: Download Provider Binary
-      uses: ./.github/actions/download-provider
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Setup Node
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      with:
+        node-version: ${{ env.NODEVERSION }}
+        registry-url: https://registry.npmjs.org
+    - name: Setup DotNet
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      with:
+        dotnet-version: ${{ env.DOTNETVERSION }}
+    - name: Setup Python
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      with:
+        python-version: ${{ env.PYTHONVERSION }}
+    - name: Setup Java
+      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+      with:
+        java-version: ${{ env.JAVAVERSION }}
+        distribution: temurin
+        cache: gradle
+    - name: Setup Gradle
+      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
+      with:
+        gradle-version: "7.6"
+    - name: Download provider
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      with:
+        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
+        path: ${{ github.workspace }}/bin
+    - name: UnTar provider binaries
+      run: tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
+        github.workspace}}/bin
+    - name: Restore Binary Permissions
+      run: find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print
+        -exec chmod +x {} \;
     - name: Generate SDK
       run: make generate_${{ matrix.language }}
     - name: Build SDK
@@ -209,29 +266,66 @@ jobs:
       with:
         allowed-changes: |-
           sdk/**/pulumi-plugin.json
-          sdk/dotnet/*.*.csproj
-          sdk/dotnet/version.txt
+          sdk/dotnet/Pulumi.*.csproj
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
-          sdk/java/build.gradle
+    - name: Commit ${{ matrix.language }} SDK changes for Renovate
+      if: failure() && steps.worktreeClean.outcome == 'failure' &&
+        contains(github.actor, 'renovate') && github.event_name ==
+        'pull_request'
+      shell: bash
+      run: >
+        git diff --quiet -- sdk && echo "no changes to sdk" && exit
+
+        git config --global user.email "bot@pulumi.com"
+
+        git config --global user.name "pulumi-bot"
+
+        # Stash local changes and check out the PR's branch directly.
+
+        git stash
+
+        git fetch
+
+        git checkout "origin/$HEAD_REF"
+
+
+        # Apply and add our changes, but don't commit any files we expect to
+
+        # always change due to versioning.
+
+        git stash pop
+
+        git add sdk
+
+        git reset     sdk/python/*/pulumi-plugin.json     sdk/python/pyproject.toml     sdk/dotnet/pulumi-plugin.json     sdk/dotnet/Pulumi.*.csproj     sdk/go/*/pulumi-plugin.json     sdk/go/*/internal/pulumiUtilities.go     sdk/nodejs/package.json
+
+        git commit -m 'Commit ${{ matrix.language }} SDK for Renovate'
+
+
+        # Push with pulumi-bot credentials to trigger a re-run of the
+
+        # workflow. https://github.com/orgs/community/discussions/25702
+
+        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+      env:
+        HEAD_REF: ${{ github.head_ref }}
     - run: git status --porcelain
     - name: Tar SDK folder
       run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} .
     - name: Upload artifacts
-      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: ${{ matrix.language  }}-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/${{ matrix.language }}.tar.gz
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure while building SDKs
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   test:
     runs-on: pulumi-ubuntu-8core
     needs:
@@ -249,47 +343,74 @@ jobs:
     name: test
     permissions:
       contents: read
-      id-token: write # For ESC secrets and Pulumi access token OIDC.
+      id-token: write
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
-    - name: Download Provider Binary
-      uses: ./.github/actions/download-provider
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Setup Node
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      with:
+        node-version: ${{ env.NODEVERSION }}
+        registry-url: https://registry.npmjs.org
+    - name: Setup DotNet
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      with:
+        dotnet-version: ${{ env.DOTNETVERSION }}
+    - name: Setup Python
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      with:
+        python-version: ${{ env.PYTHONVERSION }}
+    - name: Setup Java
+      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+      with:
+        java-version: ${{ env.JAVAVERSION }}
+        distribution: temurin
+        cache: gradle
+    - name: Setup Gradle
+      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
+      with:
+        gradle-version: "7.6"
+    - name: Download provider
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      with:
+        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
+        path: ${{ github.workspace }}/bin
+    - name: UnTar provider binaries
+      run: tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
+        github.workspace}}/bin
+    - name: Restore Binary Permissions
+      run: find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print
+        -exec chmod +x {} \;
     - name: Download SDK
       if: ${{ matrix.language != 'yaml' }}
-      uses: ./.github/actions/download-sdk
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
       with:
-        language: ${{ matrix.language }}
+        name: ${{ matrix.language }}-sdk.tar.gz
+        path: ${{ github.workspace}}/sdk/
+    - name: UnTar SDK folder
+      if: ${{ matrix.language != 'yaml' }}
+      run: tar -zxf ${{ github.workspace}}/sdk/${{ matrix.language}}.tar.gz -C ${{
+        github.workspace}}/sdk/${{ matrix.language}}
     - name: Update path
-      run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
+      run: echo "${{ github.workspace }}/bin" >> $GITHUB_PATH
     - name: Install Node dependencies
       run: yarn global add typescript
     - run: dotnet nuget add source ${{ github.workspace }}/nuget
@@ -308,13 +429,13 @@ jobs:
         requested-token-type: urn:pulumi:token-type:access_token:organization
         export-environment-variables: false
     - name: Export AWS Credentials
-      uses: pulumi/esc-action@9840934db12128a33f6afb60b17d9de8f7ec5519
+      uses: pulumi/esc-action@41fd832f44f4820124b5350b5f84a00f741f234e # v1.3.0
       env:
         PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
       with:
         environment: logins/pulumi-ci
     - name: Authenticate to Google Cloud
-      uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
+      uses: google-github-actions/auth@7b53cdc2a387814ed14eec026287aac689ae8c9b # v2.1.9
       with:
         workload_identity_provider: projects/${{ env.GOOGLE_PROJECT_NUMBER
           }}/locations/global/workloadIdentityPools/${{
@@ -322,7 +443,7 @@ jobs:
           env.GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER }}
         service_account: ${{ env.GOOGLE_CI_SERVICE_ACCOUNT_EMAIL }}
     - name: Setup gcloud auth
-      uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
+      uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
       with:
         install_components: gke-gcloud-auth-plugin
     - name: Install gotestfmt
@@ -335,55 +456,32 @@ jobs:
         set -euo pipefail
 
         cd examples && go test -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 .
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure in SDK tests
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   publish:
     runs-on: ubuntu-latest
     needs: test
     name: publish
-    permissions:
-      contents: read
-      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
     - name: Clear GitHub Actions Ubuntu runner disk space
       uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
       with:
@@ -393,84 +491,82 @@ jobs:
         haskell: true
         swap-storage: true
         large-packages: false
-    - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
       with:
-        aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }}
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Configure AWS Credentials
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      with:
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
         aws-region: us-east-2
-        aws-secret-access-key: ${{ steps.esc-secrets.outputs.AWS_SECRET_ACCESS_KEY }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
         role-duration-seconds: 7200
         role-session-name: ${{ env.PROVIDER }}@githubActions
         role-external-id: upload-pulumi-release
-        role-to-assume: ${{ steps.esc-secrets.outputs.AWS_UPLOAD_ROLE_ARN }}
+        role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
     - name: Run GoReleaser
       uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
       env:
         GORELEASER_CURRENT_TAG: v${{ steps.version.outputs.version }}
-        AZURE_SIGNING_CLIENT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID }}
-        AZURE_SIGNING_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET }}
-        AZURE_SIGNING_TENANT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID }}
-        AZURE_SIGNING_KEY_VAULT_URI: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI }}
-        SKIP_SIGNING: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET == '' && steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI == '' }}
-        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
       with:
         args: -p 3 -f .goreleaser.prerelease.yml --clean --skip=validate --timeout 60m0s
         version: latest
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure in publishing binaries
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   publish_sdk:
     runs-on: ubuntu-latest
     needs: publish
     name: publish_sdk
-    permissions:
-      contents: read
-      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: Checkout Scripts Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         path: ci-scripts
         repository: pulumi/scripts
     - run: echo "ci-scripts" >> .git/info/exclude
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Setup Node
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      with:
+        node-version: ${{ env.NODEVERSION }}
+        registry-url: https://registry.npmjs.org
+    - name: Setup DotNet
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      with:
+        dotnet-version: ${{ env.DOTNETVERSION }}
+    - name: Setup Python
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      with:
+        python-version: ${{ env.PYTHONVERSION }}
     - name: Download python SDK
-      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
       with:
         name: python-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -478,7 +574,7 @@ jobs:
       run: tar -zxf ${{github.workspace}}/sdk/python.tar.gz -C
         ${{github.workspace}}/sdk/python
     - name: Download dotnet SDK
-      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
       with:
         name: dotnet-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -486,7 +582,7 @@ jobs:
       run: tar -zxf ${{github.workspace}}/sdk/dotnet.tar.gz -C
         ${{github.workspace}}/sdk/dotnet
     - name: Download nodejs SDK
-      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
       with:
         name: nodejs-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -498,98 +594,83 @@ jobs:
     - name: Publish SDKs
       run: ./ci-scripts/ci/publish-tfgen-package ${{ github.workspace }}
       env:
-        NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }}
-        NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }}
+        NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         PYPI_PUBLISH_ARTIFACTS: all
-        PYPI_USERNAME: __token__
-        PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }}
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure in publishing SDK
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   publish_java_sdk:
     runs-on: ubuntu-latest
     continue-on-error: true
     needs: publish
     name: publish_java_sdk
-    permissions:
-      contents: read
-      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Setup Java
+      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+      with:
+        java-version: ${{ env.JAVAVERSION }}
+        distribution: temurin
+        cache: gradle
+    - name: Setup Gradle
+      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
+      with:
+        gradle-version: "7.6"
     - name: Download java SDK
-      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
       with:
         name: java-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
     - name: Uncompress java SDK
       run: tar -zxf ${{github.workspace}}/sdk/java.tar.gz -C
         ${{github.workspace}}/sdk/java
-    - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
-      with:
-        gradle-version: "7.6"
     - name: Publish Java SDK
-      run: gradle -p ./sdk/java publishToSonatype closeAndReleaseSonatypeStagingRepository
+      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
       env:
         PACKAGE_VERSION: ${{ env.PROVIDER_VERSION }}
-        SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }}
-        SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }}
-        SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }}
-        PUBLISH_REPO_PASSWORD: ${{ steps.esc-secrets.outputs.OSSRH_PASSWORD }}
-        PUBLISH_REPO_USERNAME: ${{ steps.esc-secrets.outputs.OSSRH_USERNAME }}
+      with:
+        arguments: publishToSonatype closeAndReleaseSonatypeStagingRepository
+        build-root-directory: ./sdk/java
+        gradle-version: 7.4.1
   publish_go_sdk:
     runs-on: ubuntu-latest
     name: publish-go-sdk
     needs: publish_sdk
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: Download go SDK
-      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
       with:
         name: go-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/

.github/workflows/pull-request.yml

@@ -3,14 +3,52 @@
 name: pull-request
 on:
   pull_request_target: {}
-
+env:
+  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+  PROVIDER: docker-build
+  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
+  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
+  PYPI_USERNAME: __token__
+  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+  TRAVIS_OS_NAME: linux
+  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
+  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
+  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
+  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
+  GOVERSION: "1.21.x"
+  NODEVERSION: "20.x"
+  PYTHONVERSION: "3.11.8"
+  DOTNETVERSION: "8.0.x"
+  JAVAVERSION: "11"
+  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
+  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
+  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
+  AWS_REGION: us-west-2
+  AZURE_LOCATION: westus
+  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
+  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
+  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
+  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
+  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
+  GOOGLE_PROJECT: pulumi-ci-gcp-provider
+  GOOGLE_PROJECT_NUMBER: "895284651812"
+  GOOGLE_REGION: us-central1
+  GOOGLE_ZONE: us-central1-a
+  PULUMI_API: https://api.pulumi-staging.io
 jobs:
   comment-on-pr:
     runs-on: ubuntu-latest
     name: comment-on-pr
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         lfs: true
     - name: Comment PR

.github/workflows/release.yml

@@ -7,20 +7,43 @@ on:
     - v*.*.*
     - "!v*.*.*-**"
 env:
+  AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
+  AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
+  AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
+  AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
+  SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' &&
+    secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID
+    == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
+  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
   PROVIDER: docker-build
+  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
   PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
+  PYPI_USERNAME: __token__
+  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
   TRAVIS_OS_NAME: linux
+  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
   PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
+  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
+  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
+  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
   GOVERSION: "1.21.x"
   NODEVERSION: "20.x"
   PYTHONVERSION: "3.11.8"
   DOTNETVERSION: "8.0.x"
   JAVAVERSION: "11"
   ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
+  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
   ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
   ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
   AWS_REGION: us-west-2
   AZURE_LOCATION: westus
+  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
+  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
   GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
   GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
   GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -29,49 +52,34 @@ env:
   GOOGLE_REGION: us-central1
   GOOGLE_ZONE: us-central1-a
   PULUMI_API: https://api.pulumi-staging.io
-
 jobs:
   prerequisites:
     runs-on: ubuntu-latest
     name: prerequisites
-    permissions:
-      id-token: write # For ESC secrets.
-      pull-requests: write # For schema check comment.
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        cache: 'true'
-        github_token: ${{ steps.app-auth.outputs.token }}
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
     - if: github.event_name == 'pull_request'
       name: Install Schema Tools
-      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
       with:
         repo: pulumi/schema-tools
     - name: Build codegen binaries
@@ -81,15 +89,13 @@ jobs:
     - if: github.event_name == 'pull_request'
       name: Check Schema is Valid
       run: >-
-        {
-          echo 'SCHEMA_CHANGES<<EOF';
+        echo 'SCHEMA_CHANGES<<EOF' >> $GITHUB_ENV
 
-          schema-tools compare -p ${{ env.PROVIDER }} -o ${{ github.event.repository.default_branch }} -n --local-path=provider/cmd/pulumi-resource-${{ env.PROVIDER }}/schema.json;
+        schema-tools compare -p ${{ env.PROVIDER }} -o ${{ github.event.repository.default_branch }} -n --local-path=provider/cmd/pulumi-resource-${{ env.PROVIDER }}/schema.json >> $GITHUB_ENV
 
-          echo 'EOF';
-        } >> "$GITHUB_ENV"
+        echo 'EOF' >> $GITHUB_ENV
       env:
-        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
+        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
     - if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
       name: Comment on PR with Details of Schema Check
       uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
@@ -114,42 +120,74 @@ jobs:
       with:
         allowed-changes: |-
           sdk/**/pulumi-plugin.json
-          sdk/dotnet/*.*.csproj
-          sdk/dotnet/version.txt
+          sdk/dotnet/Pulumi.*.csproj
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
-          sdk/java/build.gradle
+    - name: Commit ${{ matrix.language }} SDK changes for Renovate
+      if: failure() && steps.worktreeClean.outcome == 'failure' &&
+        contains(github.actor, 'renovate') && github.event_name ==
+        'pull_request'
+      shell: bash
+      run: >
+        git diff --quiet -- sdk && echo "no changes to sdk" && exit
+
+        git config --global user.email "bot@pulumi.com"
+
+        git config --global user.name "pulumi-bot"
+
+        # Stash local changes and check out the PR's branch directly.
+
+        git stash
+
+        git fetch
+
+        git checkout "origin/$HEAD_REF"
+
+
+        # Apply and add our changes, but don't commit any files we expect to
+
+        # always change due to versioning.
+
+        git stash pop
+
+        git add sdk
+
+        git reset     sdk/python/*/pulumi-plugin.json     sdk/python/pyproject.toml     sdk/dotnet/pulumi-plugin.json     sdk/dotnet/Pulumi.*.csproj     sdk/go/*/pulumi-plugin.json     sdk/go/*/internal/pulumiUtilities.go     sdk/nodejs/package.json
+
+        git commit -m 'Commit ${{ matrix.language }} SDK for Renovate'
+
+
+        # Push with pulumi-bot credentials to trigger a re-run of the
+
+        # workflow. https://github.com/orgs/community/discussions/25702
+
+        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+      env:
+        HEAD_REF: ${{ github.head_ref }}
     - run: git status --porcelain
     - name: Tar provider binaries
       run: tar -zcf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
         github.workspace}}/bin/ pulumi-resource-${{ env.PROVIDER }}
         pulumi-gen-${{ env.PROVIDER}}
     - name: Upload artifacts
-      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
         path: ${{ github.workspace }}/bin/provider.tar.gz
     - name: Test Provider Library
       run: make test_provider
-      env:
-        ARM_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.ARM_CLIENT_SECRET }}
-        DIGITALOCEAN_TOKEN: ${{ steps.esc-secrets.outputs.DIGITALOCEAN_TOKEN }}
-        DOCKER_HUB_PASSWORD: ${{ steps.esc-secrets.outputs.DOCKER_HUB_PASSWORD }}
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: Upload coverage reports to Codecov
-      uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+      uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2
       env:
-        CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
+        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure in building provider prerequisites
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   build_sdks:
     needs: prerequisites
     runs-on: pulumi-ubuntu-8core
@@ -163,42 +201,61 @@ jobs:
         - go
         - java
     name: build_sdks
-    permissions:
-      contents: read
-      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
-    - name: Download Provider Binary
-      uses: ./.github/actions/download-provider
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Setup Node
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      with:
+        node-version: ${{ env.NODEVERSION }}
+        registry-url: https://registry.npmjs.org
+    - name: Setup DotNet
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      with:
+        dotnet-version: ${{ env.DOTNETVERSION }}
+    - name: Setup Python
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      with:
+        python-version: ${{ env.PYTHONVERSION }}
+    - name: Setup Java
+      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+      with:
+        java-version: ${{ env.JAVAVERSION }}
+        distribution: temurin
+        cache: gradle
+    - name: Setup Gradle
+      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
+      with:
+        gradle-version: "7.6"
+    - name: Download provider
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      with:
+        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
+        path: ${{ github.workspace }}/bin
+    - name: UnTar provider binaries
+      run: tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
+        github.workspace}}/bin
+    - name: Restore Binary Permissions
+      run: find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print
+        -exec chmod +x {} \;
     - name: Generate SDK
       run: make generate_${{ matrix.language }}
     - name: Build SDK
@@ -209,29 +266,66 @@ jobs:
       with:
         allowed-changes: |-
           sdk/**/pulumi-plugin.json
-          sdk/dotnet/*.*.csproj
-          sdk/dotnet/version.txt
+          sdk/dotnet/Pulumi.*.csproj
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
-          sdk/java/build.gradle
+    - name: Commit ${{ matrix.language }} SDK changes for Renovate
+      if: failure() && steps.worktreeClean.outcome == 'failure' &&
+        contains(github.actor, 'renovate') && github.event_name ==
+        'pull_request'
+      shell: bash
+      run: >
+        git diff --quiet -- sdk && echo "no changes to sdk" && exit
+
+        git config --global user.email "bot@pulumi.com"
+
+        git config --global user.name "pulumi-bot"
+
+        # Stash local changes and check out the PR's branch directly.
+
+        git stash
+
+        git fetch
+
+        git checkout "origin/$HEAD_REF"
+
+
+        # Apply and add our changes, but don't commit any files we expect to
+
+        # always change due to versioning.
+
+        git stash pop
+
+        git add sdk
+
+        git reset     sdk/python/*/pulumi-plugin.json     sdk/python/pyproject.toml     sdk/dotnet/pulumi-plugin.json     sdk/dotnet/Pulumi.*.csproj     sdk/go/*/pulumi-plugin.json     sdk/go/*/internal/pulumiUtilities.go     sdk/nodejs/package.json
+
+        git commit -m 'Commit ${{ matrix.language }} SDK for Renovate'
+
+
+        # Push with pulumi-bot credentials to trigger a re-run of the
+
+        # workflow. https://github.com/orgs/community/discussions/25702
+
+        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+      env:
+        HEAD_REF: ${{ github.head_ref }}
     - run: git status --porcelain
     - name: Tar SDK folder
       run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} .
     - name: Upload artifacts
-      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: ${{ matrix.language  }}-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/${{ matrix.language }}.tar.gz
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure while building SDKs
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   test:
     runs-on: pulumi-ubuntu-8core
     needs:
@@ -249,47 +343,74 @@ jobs:
     name: test
     permissions:
       contents: read
-      id-token: write # For ESC secrets.
+      id-token: write
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
-    - name: Download Provider Binary
-      uses: ./.github/actions/download-provider
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Setup Node
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      with:
+        node-version: ${{ env.NODEVERSION }}
+        registry-url: https://registry.npmjs.org
+    - name: Setup DotNet
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      with:
+        dotnet-version: ${{ env.DOTNETVERSION }}
+    - name: Setup Python
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      with:
+        python-version: ${{ env.PYTHONVERSION }}
+    - name: Setup Java
+      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+      with:
+        java-version: ${{ env.JAVAVERSION }}
+        distribution: temurin
+        cache: gradle
+    - name: Setup Gradle
+      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
+      with:
+        gradle-version: "7.6"
+    - name: Download provider
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      with:
+        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
+        path: ${{ github.workspace }}/bin
+    - name: UnTar provider binaries
+      run: tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
+        github.workspace}}/bin
+    - name: Restore Binary Permissions
+      run: find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print
+        -exec chmod +x {} \;
     - name: Download SDK
       if: ${{ matrix.language != 'yaml' }}
-      uses: ./.github/actions/download-sdk
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
       with:
-        language: ${{ matrix.language }}
+        name: ${{ matrix.language }}-sdk.tar.gz
+        path: ${{ github.workspace}}/sdk/
+    - name: UnTar SDK folder
+      if: ${{ matrix.language != 'yaml' }}
+      run: tar -zxf ${{ github.workspace}}/sdk/${{ matrix.language}}.tar.gz -C ${{
+        github.workspace}}/sdk/${{ matrix.language}}
     - name: Update path
-      run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
+      run: echo "${{ github.workspace }}/bin" >> $GITHUB_PATH
     - name: Install Node dependencies
       run: yarn global add typescript
     - run: dotnet nuget add source ${{ github.workspace }}/nuget
@@ -308,13 +429,13 @@ jobs:
         requested-token-type: urn:pulumi:token-type:access_token:organization
         export-environment-variables: false
     - name: Export AWS Credentials
-      uses: pulumi/esc-action@9840934db12128a33f6afb60b17d9de8f7ec5519
+      uses: pulumi/esc-action@41fd832f44f4820124b5350b5f84a00f741f234e # v1.3.0
       env:
         PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
       with:
         environment: logins/pulumi-ci
     - name: Authenticate to Google Cloud
-      uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
+      uses: google-github-actions/auth@7b53cdc2a387814ed14eec026287aac689ae8c9b # v2.1.9
       with:
         workload_identity_provider: projects/${{ env.GOOGLE_PROJECT_NUMBER
           }}/locations/global/workloadIdentityPools/${{
@@ -322,7 +443,7 @@ jobs:
           env.GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER }}
         service_account: ${{ env.GOOGLE_CI_SERVICE_ACCOUNT_EMAIL }}
     - name: Setup gcloud auth
-      uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
+      uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
       with:
         install_components: gke-gcloud-auth-plugin
     - name: Install gotestfmt
@@ -335,55 +456,32 @@ jobs:
         set -euo pipefail
 
         cd examples && go test -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 .
-      env:
-        GTIHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure in SDK tests
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   publish:
     runs-on: ubuntu-latest
     needs: test
     name: publish
-    permissions:
-      contents: read
-      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
     - name: Clear GitHub Actions Ubuntu runner disk space
       uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
       with:
@@ -393,84 +491,82 @@ jobs:
         haskell: true
         swap-storage: true
         large-packages: false
-    - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
       with:
-        aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }}
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Configure AWS Credentials
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      with:
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
         aws-region: us-east-2
-        aws-secret-access-key: ${{ steps.esc-secrets.outputs.AWS_SECRET_ACCESS_KEY }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
         role-duration-seconds: 7200
         role-session-name: ${{ env.PROVIDER }}@githubActions
         role-external-id: upload-pulumi-release
-        role-to-assume: ${{ steps.esc-secrets.outputs.AWS_UPLOAD_ROLE_ARN }}
+        role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
     - name: Run GoReleaser
       uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
       env:
         GORELEASER_CURRENT_TAG: v${{ steps.version.outputs.version }}
-        AZURE_SIGNING_CLIENT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID }}
-        AZURE_SIGNING_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET }}
-        AZURE_SIGNING_TENANT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID }}
-        AZURE_SIGNING_KEY_VAULT_URI: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI }}
-        SKIP_SIGNING: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET == '' && steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI == '' }}
-        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
       with:
         args: -p 3 release --clean --timeout 60m0s
         version: latest
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure in publishing binaries
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   publish_sdk:
     runs-on: ubuntu-latest
     needs: publish
     name: publish_sdks
-    permissions:
-      contents: read
-      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: Checkout Scripts Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         path: ci-scripts
         repository: pulumi/scripts
     - run: echo "ci-scripts" >> .git/info/exclude
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Setup Node
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      with:
+        node-version: ${{ env.NODEVERSION }}
+        registry-url: https://registry.npmjs.org
+    - name: Setup DotNet
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      with:
+        dotnet-version: ${{ env.DOTNETVERSION }}
+    - name: Setup Python
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      with:
+        python-version: ${{ env.PYTHONVERSION }}
     - name: Download python SDK
-      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
       with:
         name: python-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -478,7 +574,7 @@ jobs:
       run: tar -zxf ${{github.workspace}}/sdk/python.tar.gz -C
         ${{github.workspace}}/sdk/python
     - name: Download dotnet SDK
-      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
       with:
         name: dotnet-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -486,7 +582,7 @@ jobs:
       run: tar -zxf ${{github.workspace}}/sdk/dotnet.tar.gz -C
         ${{github.workspace}}/sdk/dotnet
     - name: Download nodejs SDK
-      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
       with:
         name: nodejs-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -498,98 +594,83 @@ jobs:
     - name: Publish SDKs
       run: ./ci-scripts/ci/publish-tfgen-package ${{ github.workspace }}
       env:
-        NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }}
-        NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }}
+        NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         PYPI_PUBLISH_ARTIFACTS: all
-        PYPI_USERNAME: __token__
-        PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }}
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure in publishing SDK
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   publish_java_sdk:
     runs-on: ubuntu-latest
     continue-on-error: true
     needs: publish
     name: publish_java_sdk
-    permissions:
-      contents: read
-      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Setup Java
+      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+      with:
+        java-version: ${{ env.JAVAVERSION }}
+        distribution: temurin
+        cache: gradle
+    - name: Setup Gradle
+      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
+      with:
+        gradle-version: "7.6"
     - name: Download java SDK
-      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
       with:
         name: java-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
     - name: Uncompress java SDK
       run: tar -zxf ${{github.workspace}}/sdk/java.tar.gz -C
         ${{github.workspace}}/sdk/java
-    - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
-      with:
-        gradle-version: "7.6"
     - name: Publish Java SDK
-      run: gradle -p ./sdk/java publishToSonatype closeAndReleaseSonatypeStagingRepository
+      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
       env:
         PACKAGE_VERSION: ${{ env.PROVIDER_VERSION }}
-        SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }}
-        SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }}
-        SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }}
-        PUBLISH_REPO_PASSWORD: ${{ steps.esc-secrets.outputs.OSSRH_PASSWORD }}
-        PUBLISH_REPO_USERNAME: ${{ steps.esc-secrets.outputs.OSSRH_USERNAME }}
+      with:
+        arguments: publishToSonatype closeAndReleaseSonatypeStagingRepository
+        build-root-directory: ./sdk/java
+        gradle-version: 7.4.1
   publish_go_sdk:
     runs-on: ubuntu-latest
     name: publish-go-sdk
     needs: publish_sdk
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: Download go SDK
-      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
       with:
         name: go-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -609,36 +690,14 @@ jobs:
   dispatch_docs_build:
     runs-on: ubuntu-latest
     needs: publish_go_sdk
-    permissions:
-      contents: read
-      id-token: write # For ESC secrets.
     steps:
-    - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
     - name: Install pulumictl
-      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
       with:
         repo: pulumi/pulumictl
     - name: Dispatch Event
       run: pulumictl create docs-build pulumi-${{ env.PROVIDER }}
-        "${GITHUB_REF#refs/tags/}"
+        ${GITHUB_REF#refs/tags/}
       env:
-        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
+        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
     name: dispatch_docs_build

.github/workflows/release_command.yml

@@ -1,54 +0,0 @@
-# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
-
-name: release-command
-on:
-  repository_dispatch:
-    types:
-    - release-command
-jobs:
-  should_release:
-    name: Should release PR
-    runs-on: ubuntu-latest
-    steps:
-    - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      with:
-        persist-credentials: false    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - name: Should release PR
-      uses: pulumi/action-release-by-pr-label@main
-      with:
-        command: "should-release"
-        repo: ${{ github.repository }}
-        pr: ${{ github.event.client_payload.pull_request.number }}
-        version: ${{ github.event.client_payload.slash_command.args.all }}
-        slack_channel: ${{ steps.esc-secrets.outputs.RELEASE_OPS_STAGING_SLACK_CHANNEL }}
-      env:
-        RELEASE_BOT_ENDPOINT: ${{ steps.esc-secrets.outputs.RELEASE_BOT_ENDPOINT }}
-        RELEASE_BOT_KEY: ${{ steps.esc-secrets.outputs.RELEASE_BOT_KEY }}
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - if: failure()
-      name: Notify failure
-      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
-      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
-        repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
-        issue-number: ${{ github.event.client_payload.github.payload.issue.number }}
-        body: |
-          "release command failed: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-    - if: success()
-      name: Notify success
-      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
-      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
-        repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
-        comment-id: ${{ github.event.client_payload.github.payload.comment.id }}
-        reaction-type: hooray

.github/workflows/run-acceptance-tests.yml

@@ -10,20 +10,36 @@ on:
     - CHANGELOG.md
   workflow_dispatch: {}
 env:
+  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
   PROVIDER: docker-build
+  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
   PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
+  PYPI_USERNAME: __token__
+  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
   TRAVIS_OS_NAME: linux
+  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
   PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
+  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
+  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
+  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
   GOVERSION: "1.21.x"
   NODEVERSION: "20.x"
   PYTHONVERSION: "3.11.8"
   DOTNETVERSION: "8.0.x"
   JAVAVERSION: "11"
   ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
+  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
   ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
   ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
   AWS_REGION: us-west-2
   AZURE_LOCATION: westus
+  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
+  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
   GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
   GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
   GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -32,75 +48,54 @@ env:
   GOOGLE_REGION: us-central1
   GOOGLE_ZONE: us-central1-a
   PULUMI_API: https://api.pulumi-staging.io
-  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
   PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }}
 jobs:
   comment-notification:
-    if: github.event_name == 'repository_dispatch'
     runs-on: ubuntu-latest
     name: comment-notification
     steps:
+    - name: Create URL to the run output
+      id: vars
+      run: echo
+        run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID
+        >> "$GITHUB_OUTPUT"
+    - name: Update with Result
+      uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+      with:
+        token: ${{ secrets.PULUMI_BOT_TOKEN }}
+        repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
+        issue-number: ${{ github.event.client_payload.github.payload.issue.number }}
+        body: "Please view the PR build: ${{ steps.vars.outputs.run-url }}"
+    if: github.event_name == 'repository_dispatch'
+  prerequisites:
+    runs-on: ubuntu-latest
+    name: prerequisites
+    steps:
     - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         lfs: true
         persist-credentials: false
         ref: ${{ env.PR_COMMIT_SHA }}
-    - name: Create URL to the run output
-      id: vars
-      run: echo
-        "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
-        >> "$GITHUB_OUTPUT"
-    - name: Update with Result
-      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
-      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
-        repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
-        issue-number: ${{ github.event.client_payload.github.payload.issue.number }}
-        body: "Please view the PR build: ${{ steps.vars.outputs.run-url }}"
-  prerequisites:
-    runs-on: ubuntu-latest
-    name: prerequisites
-    permissions:
-      id-token: write # For ESC secrets.
-      pull-requests: write # For schema check comment.
-    steps:
-    - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      with:
-        lfs: true
-        persist-credentials: false
-        ref: ${{ env.PR_COMMIT_SHA }}    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        cache: 'true'
-        github_token: ${{ steps.app-auth.outputs.token }}
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
     - if: github.event_name == 'pull_request'
       name: Install Schema Tools
-      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
       with:
         repo: pulumi/schema-tools
     - name: Build codegen binaries
@@ -110,15 +105,13 @@ jobs:
     - if: github.event_name == 'pull_request'
       name: Check Schema is Valid
       run: >-
-        {
-          echo 'SCHEMA_CHANGES<<EOF';
+        echo 'SCHEMA_CHANGES<<EOF' >> $GITHUB_ENV
 
-          schema-tools compare -p ${{ env.PROVIDER }} -o ${{ github.event.repository.default_branch }} -n --local-path=provider/cmd/pulumi-resource-${{ env.PROVIDER }}/schema.json;
+        schema-tools compare -p ${{ env.PROVIDER }} -o ${{ github.event.repository.default_branch }} -n --local-path=provider/cmd/pulumi-resource-${{ env.PROVIDER }}/schema.json >> $GITHUB_ENV
 
-          echo 'EOF';
-        } >> "$GITHUB_ENV"
+        echo 'EOF' >> $GITHUB_ENV
       env:
-        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
+        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
     - if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
       name: Comment on PR with Details of Schema Check
       uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
@@ -143,22 +136,18 @@ jobs:
       with:
         allowed-changes: |-
           sdk/**/pulumi-plugin.json
-          sdk/dotnet/*.*.csproj
-          sdk/dotnet/version.txt
+          sdk/dotnet/Pulumi.*.csproj
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
-          sdk/java/build.gradle
-      # This worktree check is a safeguard against someone forgetting to
-      # re-build and commit locally, but we handle that commit automatically in
-      # the case of dependency bumps.
-      continue-on-error: ${{ contains(github.actor, 'renovate') }}
-    - name: Commit SDK changes for Renovate
-      if: steps.worktreeClean.outcome == 'failure' &&
+    - name: Commit ${{ matrix.language }} SDK changes for Renovate
+      if: failure() && steps.worktreeClean.outcome == 'failure' &&
         contains(github.actor, 'renovate') && github.event_name ==
         'pull_request'
       shell: bash
       run: >
+        git diff --quiet -- sdk && echo "no changes to sdk" && exit
+
         git config --global user.email "bot@pulumi.com"
 
         git config --global user.name "pulumi-bot"
@@ -173,27 +162,23 @@ jobs:
 
 
         # Apply and add our changes, but don't commit any files we expect to
+
         # always change due to versioning.
 
         git stash pop
 
-        git add sdk provider/cmd/pulumi-resource-docker-build/schema.json
+        git add sdk
 
-        git reset sdk/python/*/pulumi-plugin.json \
-            sdk/python/pyproject.toml \
-            sdk/dotnet/pulumi-plugin.json \
-            sdk/dotnet/*.*.csproj \
-            sdk/dotnet/version.txt \
-            sdk/go/*/pulumi-plugin.json \
-            sdk/go/*/internal/pulumiUtilities.go \
-            sdk/nodejs/package.json
+        git reset     sdk/python/*/pulumi-plugin.json     sdk/python/pyproject.toml     sdk/dotnet/pulumi-plugin.json     sdk/dotnet/Pulumi.*.csproj     sdk/go/*/pulumi-plugin.json     sdk/go/*/internal/pulumiUtilities.go     sdk/nodejs/package.json
+
+        git commit -m 'Commit ${{ matrix.language }} SDK for Renovate'
 
-        git commit -m 'Commit SDK for Renovate'
 
         # Push with pulumi-bot credentials to trigger a re-run of the
+
         # workflow. https://github.com/orgs/community/discussions/25702
 
-        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
       env:
         HEAD_REF: ${{ github.head_ref }}
     - run: git status --porcelain
@@ -202,30 +187,23 @@ jobs:
         github.workspace}}/bin/ pulumi-resource-${{ env.PROVIDER }}
         pulumi-gen-${{ env.PROVIDER}}
     - name: Upload artifacts
-      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
         path: ${{ github.workspace }}/bin/provider.tar.gz
     - name: Test Provider Library
       run: make test_provider
-      env:
-        ARM_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.ARM_CLIENT_SECRET }}
-        DIGITALOCEAN_TOKEN: ${{ steps.esc-secrets.outputs.DIGITALOCEAN_TOKEN }}
-        DOCKER_HUB_PASSWORD: ${{ steps.esc-secrets.outputs.DOCKER_HUB_PASSWORD }}
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: Upload coverage reports to Codecov
-      uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+      uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2
       env:
-        CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
+        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure in building provider prerequisites
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
     if: github.event_name == 'repository_dispatch' ||
       github.event.pull_request.head.repo.full_name == github.repository
   build_sdks:
@@ -241,44 +219,54 @@ jobs:
         - go
         - java
     name: build_sdks
-    permissions:
-      contents: read
-      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         lfs: true
         persist-credentials: false
-        ref: ${{ env.PR_COMMIT_SHA }}    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        ref: ${{ env.PR_COMMIT_SHA }}
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Setup Node
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      with:
+        node-version: ${{ env.NODEVERSION }}
+        registry-url: https://registry.npmjs.org
+    - name: Setup DotNet
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      with:
+        dotnet-version: ${{ env.DOTNETVERSION }}
+    - name: Setup Python
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      with:
+        python-version: ${{ env.PYTHONVERSION }}
+    - name: Setup Java
+      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+      with:
+        java-version: ${{ env.JAVAVERSION }}
+        distribution: temurin
+        cache: gradle
+    - name: Setup Gradle
+      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
+      with:
+        gradle-version: "7.6"
     - name: Download provider
-      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
       with:
         name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
         path: ${{ github.workspace }}/bin
@@ -298,19 +286,18 @@ jobs:
       with:
         allowed-changes: |-
           sdk/**/pulumi-plugin.json
-          sdk/dotnet/*.*.csproj
-          sdk/dotnet/version.txt
+          sdk/dotnet/Pulumi.*.csproj
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
-          sdk/java/build.gradle
-      continue-on-error: ${{ contains(github.actor, 'renovate') }}
-    - name: Commit SDK changes for Renovate
-      if: steps.worktreeClean.outcome == 'failure' &&
+    - name: Commit ${{ matrix.language }} SDK changes for Renovate
+      if: failure() && steps.worktreeClean.outcome == 'failure' &&
         contains(github.actor, 'renovate') && github.event_name ==
         'pull_request'
       shell: bash
       run: >
+        git diff --quiet -- sdk && echo "no changes to sdk" && exit
+
         git config --global user.email "bot@pulumi.com"
 
         git config --global user.name "pulumi-bot"
@@ -323,48 +310,43 @@ jobs:
 
         git checkout "origin/$HEAD_REF"
 
+
         # Apply and add our changes, but don't commit any files we expect to
+
         # always change due to versioning.
 
         git stash pop
 
-        git add sdk provider/cmd/pulumi-resource-docker-build/schema.json
+        git add sdk
 
-        git reset sdk/python/*/pulumi-plugin.json \
-            sdk/python/pyproject.toml \
-            sdk/dotnet/pulumi-plugin.json \
-            sdk/dotnet/*.*.csproj \
-            sdk/dotnet/version.txt \
-            sdk/go/*/pulumi-plugin.json \
-            sdk/go/*/internal/pulumiUtilities.go \
-            sdk/nodejs/package.json
+        git reset     sdk/python/*/pulumi-plugin.json     sdk/python/pyproject.toml     sdk/dotnet/pulumi-plugin.json     sdk/dotnet/Pulumi.*.csproj     sdk/go/*/pulumi-plugin.json     sdk/go/*/internal/pulumiUtilities.go     sdk/nodejs/package.json
+
+        git commit -m 'Commit ${{ matrix.language }} SDK for Renovate'
 
-        git commit -m 'Commit SDK for Renovate'
 
         # Push with pulumi-bot credentials to trigger a re-run of the
+
         # workflow. https://github.com/orgs/community/discussions/25702
 
-        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
       env:
         HEAD_REF: ${{ github.head_ref }}
     - run: git status --porcelain
     - name: Tar SDK folder
       run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} .
     - name: Upload artifacts
-      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: ${{ matrix.language  }}-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/${{ matrix.language }}.tar.gz
         retention-days: 30
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure while building SDKs
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
     if: github.event_name == 'repository_dispatch' ||
       github.event.pull_request.head.repo.full_name == github.repository
   test:
@@ -387,39 +369,52 @@ jobs:
       id-token: write
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         lfs: true
         persist-credentials: false
-        ref: ${{ env.PR_COMMIT_SHA }}    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        ref: ${{ env.PR_COMMIT_SHA }}
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Setup Node
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      with:
+        node-version: ${{ env.NODEVERSION }}
+        registry-url: https://registry.npmjs.org
+    - name: Setup DotNet
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      with:
+        dotnet-version: ${{ env.DOTNETVERSION }}
+    - name: Setup Python
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      with:
+        python-version: ${{ env.PYTHONVERSION }}
+    - name: Setup Java
+      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+      with:
+        java-version: ${{ env.JAVAVERSION }}
+        distribution: temurin
+        cache: gradle
+    - name: Setup Gradle
+      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
+      with:
+        gradle-version: "7.6"
     - name: Download provider
-      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
       with:
         name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
         path: ${{ github.workspace }}/bin
@@ -431,7 +426,7 @@ jobs:
         -exec chmod +x {} \;
     - name: Download SDK
       if: ${{ matrix.language != 'yaml' }}
-      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
+      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
       with:
         name: ${{ matrix.language }}-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -440,7 +435,7 @@ jobs:
       run: tar -zxf ${{ github.workspace}}/sdk/${{ matrix.language}}.tar.gz -C ${{
         github.workspace}}/sdk/${{ matrix.language}}
     - name: Update path
-      run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
+      run: echo "${{ github.workspace }}/bin" >> $GITHUB_PATH
     - name: Install Node dependencies
       run: yarn global add typescript
     - run: dotnet nuget add source ${{ github.workspace }}/nuget
@@ -459,13 +454,13 @@ jobs:
         requested-token-type: urn:pulumi:token-type:access_token:organization
         export-environment-variables: false
     - name: Export AWS Credentials
-      uses: pulumi/esc-action@9840934db12128a33f6afb60b17d9de8f7ec5519
+      uses: pulumi/esc-action@41fd832f44f4820124b5350b5f84a00f741f234e # v1.3.0
       env:
         PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
       with:
         environment: logins/pulumi-ci
     - name: Authenticate to Google Cloud
-      uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
+      uses: google-github-actions/auth@7b53cdc2a387814ed14eec026287aac689ae8c9b # v2.1.9
       with:
         workload_identity_provider: projects/${{ env.GOOGLE_PROJECT_NUMBER
           }}/locations/global/workloadIdentityPools/${{
@@ -473,7 +468,7 @@ jobs:
           env.GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER }}
         service_account: ${{ env.GOOGLE_CI_SERVICE_ACCOUNT_EMAIL }}
     - name: Setup gcloud auth
-      uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
+      uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
       with:
         install_components: gke-gcloud-auth-plugin
     - name: Install gotestfmt
@@ -486,40 +481,21 @@ jobs:
         set -euo pipefail
 
         cd examples && go test -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 .
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure in SDK tests
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
     if: github.event_name == 'repository_dispatch' ||
       github.event.pull_request.head.repo.full_name == github.repository
   sentinel:
     runs-on: ubuntu-latest
     name: sentinel
     steps:
-    - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      with:
-        lfs: true
-        persist-credentials: false
-        ref: ${{ env.PR_COMMIT_SHA }}    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - name: Mark workflow as successful
-      uses: guibranco/github-status-action-v2@631f55ea0251f0fb284525ad86c30e9f7a8dd284 # v1.1.14
+      uses: guibranco/github-status-action-v2@0849440ec82c5fa69b2377725b9b7852a3977e76 # v1.1.13
       with:
         authToken: ${{ secrets.GITHUB_TOKEN }}
         context: Sentinel
@@ -528,7 +504,6 @@ jobs:
         sha: ${{ github.event.pull_request.head.sha || github.sha }}
     permissions:
       statuses: write
-      id-token: write # For ESC secrets.
     if: github.event_name == 'repository_dispatch' ||
       github.event.pull_request.head.repo.full_name == github.repository
     needs:
@@ -539,23 +514,25 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         lfs: true
         persist-credentials: false
         ref: ${{ env.PR_COMMIT_SHA }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        github_token: ${{ secrets.GITHUB_TOKEN }}
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
     - name: Disarm go:embed directives to enable linters that compile source code
       run: git grep -l 'go:embed' -- provider | xargs --no-run-if-empty sed -i
         's/go:embed/ goembed/g'
     - name: golangci-lint provider pkg
       uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6.5.2
       with:
-        install-mode: none # Handled by mise.
-        working-directory: .
+        version: ${{ env.GOLANGCI_LINT_VERSION }}
+        args: -c ../.golangci.yml
+        working-directory: provider
     name: lint
     if: github.event_name == 'repository_dispatch' ||
       github.event.pull_request.head.repo.full_name == github.repository

.github/workflows/weekly-pulumi-update.yml

@@ -8,19 +8,34 @@ on:
 env:
   GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
   PROVIDER: docker-build
+  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
   PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
+  PYPI_USERNAME: __token__
+  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
   TRAVIS_OS_NAME: linux
+  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
   PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
+  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
+  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
+  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
   GOVERSION: "1.21.x"
   NODEVERSION: "20.x"
   PYTHONVERSION: "3.11.8"
   DOTNETVERSION: "8.0.x"
   JAVAVERSION: "11"
   ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
+  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
   ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
   ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
   AWS_REGION: us-west-2
   AZURE_LOCATION: westus
+  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
+  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
   GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
   GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
   GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -29,36 +44,38 @@ env:
   GOOGLE_REGION: us-central1
   GOOGLE_ZONE: us-central1-a
   PULUMI_API: https://api.pulumi-staging.io
-  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
-
 jobs:
   weekly-pulumi-update:
     runs-on: ubuntu-latest
-    permissions: write-all
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
-      id: app-auth
+        lfs: true
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Setup DotNet
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      with:
+        dotnet-version: ${{ env.DOTNETVERSION }}
+    - name: Setup Node
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      with:
+        node-version: ${{ env.NODEVERSION }}
+        registry-url: https://registry.npmjs.org
+    - name: Setup Python
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      with:
+        python-version: ${{ env.PYTHONVERSION }}
     - name: Update Pulumi/Pulumi
       id: gomod
       run: >-
@@ -68,9 +85,9 @@ jobs:
 
         git checkout -b update-pulumi/${{ github.run_id }}-${{ github.run_number }}
 
-        gh repo view pulumi/pulumi --json latestRelease --jq .latestRelease.tagName | sed 's/^v//' > .pulumi.version
+        for MODFILE in $(find . -name go.mod); do pushd $(dirname $MODFILE); go get github.com/pulumi/pulumi/pkg/v3 github.com/pulumi/pulumi/sdk/v3; go mod tidy; popd; done
 
-        VERSION=$(cat .pulumi.version) find . -name go.mod -execdir sh -c 'go get github.com/pulumi/pulumi/pkg/v3@v${VERSION} github.com/pulumi/pulumi/sdk/v3@v${VERSION}; go mod tidy' \;
+        gh repo view pulumi/pulumi --json latestRelease --jq .latestRelease.tagName | sed 's/^v//' > .pulumi.version
 
         git update-index -q --refresh
 
@@ -115,7 +132,7 @@ jobs:
 
         # See https://github.com/cli/cli/issues/6485#issuecomment-2560935183 for --head workaround
 
-        gh pr create -t "$msg" -b "$msg" --head "$(git branch --show-current)"
+        gh pr create -t "$msg" -b "$msg" --head $(git branch --show-current)
       env:
-        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
+        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
     name: weekly-pulumi-update

.gitignore

@@ -7,7 +7,6 @@
 **/.ionide
 **/.vscode
 *.swp
-.pulumi
 Pulumi.*.yaml
 yarn.lock
 ci-scripts

.golangci.yml

@@ -40,7 +40,7 @@ linters-settings:
       - blank # Blank section: contains all blank imports.
       - default # Default section: contains all imports that could not be matched to another section type.
       - prefix(github.com/pulumi/) # Custom section: groups all imports with the github.com/pulumi/ prefix.
-      - prefix(github.com/pulumi/pulumi-docker-build) # Custom section: local imports
+      - prefix(github.com/pulumi/pulumi-dockerbuild/) # Custom section: local imports
     custom-order: true
   gocritic:
     enable-all: true

.goreleaser.yml

@@ -1,4 +1,5 @@
 # WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
+
 project_name: pulumi-docker-build
 builds:
 - id: build-provider

.pulumi.version

@@ -1 +1 @@
-3.192.0
+3.165.0

CHANGELOG.md

@@ -1,34 +1,8 @@
 ## Unreleased
 
-## Changed
-
-- Arguments `CacheFromGitHubActions.URL` and `CacheFromGitHubActions.Token` have been removed. If the previous behaviour is desired, set the `ACTIONS_CACHE_URL` and `ACTIONS_RUNTIME_TOKEN` environment variables. (https://github.com/pulumi/pulumi-docker-build/issues/75)
-
-## 0.0.14 (2025-09-30)
-
-### Fixed
-
-- A warning is no longer emitted for the reserved `__internal` key. (https://github.com/pulumi/pulumi-docker-build/issues/579)
-
-## 0.0.13 (2025-08-27)
-
 ### Changed
 
-- Docker Build Cloud and `exec` errors are more helpful. (https://github.com/pulumi/pulumi-docker-build/issues/549)
-
-### Fixed
-
-- The provider is no longer replaced on version changes. (https://github.com/pulumi/pulumi-docker-build/issues/581)
-
-## 0.0.12 (2025-05-16)
-
-### Changed
-
-- Upgraded pulumi-go-provider to v1.0.0-rc2.
-
-### Fixed
-
-- Builds now respect cancellation. (https://github.com/pulumi/pulumi-docker-build/issues/533, https://github.com/pulumi/pulumi-docker-build/pull/522)
+- Respond to cancel for exec builds. (<https://github.com/pulumi/pulumi-docker-build/pull/522>)
 
 ## 0.0.11 (2025-04-11)
 

Makefile

@@ -17,9 +17,8 @@ WORKING_DIR      := $(shell pwd)
 EXAMPLES_DIR     := ${WORKING_DIR}/examples/yaml
 TESTPARALLELISM  := 4
 
-PULUMI           := pulumi
-GOGLANGCILINT    := golangci-lint
-GOTEST           := go test
+PULUMI           := bin/pulumi
+GOGLANGCILINT    := bin/golangci-lint
 
 # Override during CI using `make [TARGET] PROVIDER_VERSION=""` or by setting a PROVIDER_VERSION environment variable
 # Local & branch builds will just used this fixed default version unless specified
@@ -47,10 +46,10 @@ provider_debug::
 	(cd provider && go build -o $(WORKING_DIR)/bin/${PROVIDER} -gcflags="all=-N -l" -ldflags "-X ${PROJECT}/${VERSION_PATH}=${VERSION_GENERIC}" $(PROJECT)/${PROVIDER_PATH}/cmd/$(PROVIDER))
 
 test_provider:: # Required by CI
-	${GOTEST} -short -v -coverprofile="coverage.txt" -coverpkg=./provider/... -timeout 2h -parallel ${TESTPARALLELISM} ./provider/...
+	go test -short -v -coverprofile="coverage.txt" -coverpkg=./provider/... -timeout 2h -parallel ${TESTPARALLELISM} ./provider/...
 
 test_examples: install_nodejs_sdk install_dotnet_sdk
-	${GOTEST} -short -v -cover -tags=all -timeout 2h -parallel ${TESTPARALLELISM} ./examples/...
+	go test -short -v -cover -tags=all -timeout 2h -parallel ${TESTPARALLELISM} ./examples/...
 
 test_all:: test_provider test_examples
 
@@ -64,26 +63,38 @@ examples/yaml:
 	rm -rf ${WORKING_DIR}/examples/yaml/app
 	cp -r ${WORKING_DIR}/examples/app ${WORKING_DIR}/examples/yaml/app
 
-examples/go: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/go: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,go)
 	@git checkout examples/go/go.mod
 
-examples/nodejs: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/nodejs: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,nodejs)
 	@git checkout examples/nodejs/package.json
 
-examples/python: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/python: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,python)
 	@git checkout examples/python/requirements.txt
 
-examples/dotnet: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/dotnet: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,dotnet)
 	@git checkout examples/dotnet/provider-docker-build.csproj
 
-examples/java: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/java: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,java)
 	@git checkout examples/java/pom.xml
 
+${PULUMI}: go.sum
+	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi/pkg/v3/cmd/pulumi
+	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi/sdk/go/pulumi-language-go/v3
+	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi/sdk/nodejs/cmd/pulumi-language-nodejs/v3
+	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi/sdk/python/cmd/pulumi-language-python/v3
+	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi-java/pkg/cmd/pulumi-language-java
+	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3
+	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi-yaml/cmd/pulumi-converter-yaml
+
+${GOGLANGCILINT}: go.sum
+	GOBIN=${WORKING_DIR}/bin go install github.com/golangci/golangci-lint/cmd/golangci-lint@8b37f14
+
 define pulumi_login
     export PULUMI_CONFIG_PASSPHRASE=asdfqwerty1234; \
     pulumi login --local;
@@ -91,7 +102,7 @@ endef
 
 define example
 	rm -rf ${WORKING_DIR}/examples/$(1)
-	pulumi convert \
+	$(PULUMI) convert \
 		--cwd ${WORKING_DIR}/examples/yaml \
 		--logtostderr \
 		--generate-only \
@@ -129,7 +140,7 @@ build:: provider sdk/dotnet sdk/go sdk/nodejs sdk/python sdk/java ${SCHEMA_PATH}
 only_build:: build
 
 .PHONY: lint
-lint:
+lint: ${GOGLANGCILINT}
 	${GOGLANGCILINT} run --fix -c .golangci.yml
 
 install:: install_nodejs_sdk install_dotnet_sdk
@@ -176,7 +187,7 @@ generate_dotnet: sdk/dotnet # Required by CI
 build_dotnet: # Required by CI
 
 ${SCHEMA_PATH}: bin/${PROVIDER}
-	pulumi package get-schema ./bin/${PROVIDER} | jq 'del(.version)' > $(SCHEMA_PATH)
+	pulumi package get-schema bin/${PROVIDER} | jq 'del(.version)' > $(SCHEMA_PATH)
 
 bin/${PROVIDER}: $(shell find ./provider -name '*.go') go.mod
 	(cd provider && go build -o ../bin/${PROVIDER} -ldflags "-X ${PROJECT}/${VERSION_PATH}=${VERSION_GENERIC}" $(PROJECT)/${PROVIDER_PATH}/cmd/$(PROVIDER))
@@ -194,9 +205,9 @@ sdk: sdk/python sdk/nodejs sdk/java sdk/python sdk/go sdk/dotnet
 .PHONY: sdk/*
 
 sdk/python: TMPDIR := $(shell mktemp -d)
-sdk/python: bin/${PROVIDER}
+sdk/python: $(PULUMI) bin/${PROVIDER}
 	rm -rf sdk/python
-	$(PULUMI) package gen-sdk ./bin/$(PROVIDER) --language python -o ${TMPDIR}
+	$(PULUMI) package gen-sdk bin/$(PROVIDER) --language python -o ${TMPDIR}
 	cp README.md ${TMPDIR}/python/
 	cd ${TMPDIR}/python/ && \
 		rm -rf ./bin/ ../python.bin/ && cp -R . ../python.bin && mv ../python.bin ./bin && \
@@ -207,9 +218,9 @@ sdk/python: bin/${PROVIDER}
 	mv -f ${TMPDIR}/python ${WORKING_DIR}/sdk/.
 
 sdk/nodejs: TMPDIR := $(shell mktemp -d)
-sdk/nodejs: bin/${PROVIDER}
+sdk/nodejs: $(PULUMI) bin/${PROVIDER}
 	rm -rf sdk/nodejs
-	$(PULUMI) package gen-sdk ./bin/$(PROVIDER) --language nodejs -o ${TMPDIR}
+	$(PULUMI) package gen-sdk bin/$(PROVIDER) --language nodejs -o ${TMPDIR}
 	cp README.md LICENSE ${TMPDIR}/nodejs
 	cd ${TMPDIR}/nodejs/ && \
 		yarn install && \
@@ -219,9 +230,9 @@ sdk/nodejs: bin/${PROVIDER}
 
 sdk/go: TMPDIR := $(shell mktemp -d)
 sdk/go: PATH := "$(WORKING_DIR)/bin:$(PATH)"
-sdk/go: bin/${PROVIDER}
+sdk/go: $(PULUMI) bin/${PROVIDER}
 	rm -rf sdk/go
-	PATH=$(PATH) $(PULUMI) package gen-sdk ./bin/$(PROVIDER) --language go -o ${TMPDIR}
+	PATH=$(PATH) $(PULUMI) package gen-sdk bin/$(PROVIDER) --language go -o ${TMPDIR}
 	cp go.mod ${TMPDIR}/go/dockerbuild/go.mod
 	cd ${TMPDIR}/go/dockerbuild && \
 		go mod edit -module=github.com/pulumi/pulumi-${PACK}/${PACKDIR}/go/dockerbuild && \
@@ -229,9 +240,9 @@ sdk/go: bin/${PROVIDER}
 	mv -f ${TMPDIR}/go ${WORKING_DIR}/sdk/go
 
 sdk/dotnet: TMPDIR := $(shell mktemp -d)
-sdk/dotnet: bin/${PROVIDER}
+sdk/dotnet: $(PULUMI) bin/${PROVIDER}
 	rm -rf sdk/dotnet
-	$(PULUMI) package gen-sdk ./bin/${PROVIDER} --language dotnet -o ${TMPDIR}
+	$(PULUMI) package gen-sdk bin/${PROVIDER} --language dotnet -o ${TMPDIR}
 	cd ${TMPDIR}/dotnet/ && \
 		echo "$(VERSION_GENERIC)" > version.txt && \
 		dotnet build
@@ -239,9 +250,9 @@ sdk/dotnet: bin/${PROVIDER}
 
 sdk/java: PACKAGE_VERSION := $(shell pulumictl convert-version --language generic -v "$(VERSION_GENERIC)")
 sdk/java: TMPDIR := $(shell mktemp -d)
-sdk/java: bin/${PROVIDER}
+sdk/java: $(PULUMI) bin/${PROVIDER}
 	rm -rf sdk/java
-	$(PULUMI) package gen-sdk --language java ./bin/${PROVIDER} -o ${TMPDIR}
+	$(PULUMI) package gen-sdk --language java bin/${PROVIDER} -o ${TMPDIR}
 	cd ${TMPDIR}/java/ && gradle --console=plain build
 	mv -f ${TMPDIR}/java ${WORKING_DIR}/sdk/.
 

bin/pulumi-language-python-exec

@@ -0,0 +1,204 @@
+#!/usr/bin/env python
+# Copyright 2016-2018, Pulumi Corporation.  All rights reserved.
+
+import argparse
+import asyncio
+from typing import Optional
+import logging
+import os
+import sys
+import traceback
+import runpy
+from concurrent.futures import ThreadPoolExecutor
+
+# The user might not have installed Pulumi yet in their environment - provide a high-quality error message in that case.
+try:
+    import pulumi
+    import pulumi.runtime
+except ImportError:
+    # For whatever reason, sys.stderr.write is not picked up by the engine as a message, but 'print' is. The Python
+    # langhost automatically flushes stdout and stderr on shutdown, so we don't need to do it here - just trust that
+    # Python does the sane thing when printing to stderr.
+    print(traceback.format_exc(), file=sys.stderr)
+    print("""
+It looks like the Pulumi SDK has not been installed. Have you run pip install?
+If you are running in a virtualenv, you must run pip install -r requirements.txt from inside the virtualenv.""", file=sys.stderr)
+    sys.exit(1)
+
+# use exit code 32 to signal to the language host that an error message was displayed to the user
+PYTHON_PROCESS_EXITED_AFTER_SHOWING_USER_ACTIONABLE_MESSAGE_CODE = 32
+
+def get_abs_module_path(mod_path):
+    path, ext = os.path.splitext(mod_path)
+    if not ext:
+        path = os.path.join(path, '__main__')
+    return os.path.abspath(path)
+
+
+def _get_user_stacktrace(user_program_abspath: str) -> str:
+    '''grabs the current stacktrace and truncates it to show the only stacks pertaining to a user's program'''
+    tb = traceback.extract_tb(sys.exc_info()[2])
+
+    for frame_index, frame in enumerate(tb):
+        # loop over stack frames until we reach the main program
+        # then return the traceback truncated to the user's code
+        cur_module = frame[0]
+        if get_abs_module_path(user_program_abspath) == get_abs_module_path(cur_module):
+            # we have detected the start of a user's stack trace
+            remaining_frames = len(tb)-frame_index
+
+            # include remaining frames from the bottom by negating
+            return traceback.format_exc(limit=-remaining_frames)
+
+    # we did not detect a __main__ program, return normal traceback
+    return traceback.format_exc()
+
+def _set_default_executor(loop, parallelism: Optional[int]):
+    '''configure this event loop to respect the settings provided.'''
+    if parallelism is None:
+        return
+    parallelism = max(parallelism, 1)
+    exec = ThreadPoolExecutor(max_workers=parallelism)
+    loop.set_default_executor(exec)
+
+if __name__ == "__main__":
+    # Parse the arguments, program name, and optional arguments.
+    ap = argparse.ArgumentParser(description='Execute a Pulumi Python program')
+    ap.add_argument('--project', help='Set the project name')
+    ap.add_argument('--stack', help='Set the stack name')
+    ap.add_argument('--parallel', help='Run P resource operations in parallel (default=none)')
+    ap.add_argument('--dry_run', help='Simulate resource changes, but without making them')
+    ap.add_argument('--pwd', help='Change the working directory before running the program')
+    ap.add_argument('--monitor', help='An RPC address for the resource monitor to connect to')
+    ap.add_argument('--engine', help='An RPC address for the engine to connect to')
+    ap.add_argument('--tracing', help='A Zipkin-compatible endpoint to send tracing data to')
+    ap.add_argument('--organization', help='Set the organization name')
+    ap.add_argument('PROGRAM', help='The Python program to run')
+    ap.add_argument('ARGS', help='Arguments to pass to the program', nargs='*')
+    args = ap.parse_args()
+
+    # If any config variables are present, parse and set them, so subsequent accesses are fast.
+    config_env = pulumi.runtime.get_config_env()
+    if hasattr(pulumi.runtime, "get_config_secret_keys_env") and hasattr(pulumi.runtime, "set_all_config"):
+        # If the pulumi SDK has `get_config_secret_keys_env` and `set_all_config`, use them
+        # to set the config and secret keys.
+        config_secret_keys_env = pulumi.runtime.get_config_secret_keys_env()
+        pulumi.runtime.set_all_config(config_env, config_secret_keys_env)
+    else:
+        # Otherwise, fallback to setting individual config values.
+        for k, v in config_env.items():
+            pulumi.runtime.set_config(k, v)
+
+    # Configure the runtime so that the user program hooks up to Pulumi as appropriate.
+    # New versions of pulumi python support setting organization, old versions do not
+    try:
+        settings = pulumi.runtime.Settings(
+            monitor=args.monitor,
+            engine=args.engine,
+            project=args.project,
+            stack=args.stack,
+            parallel=int(args.parallel),
+            dry_run=args.dry_run == "true",
+            organization=args.organization,
+        )
+    except TypeError:
+        settings = pulumi.runtime.Settings(
+            monitor=args.monitor,
+            engine=args.engine,
+            project=args.project,
+            stack=args.stack,
+            parallel=int(args.parallel),
+            dry_run=args.dry_run == "true"
+        )
+
+    pulumi.runtime.configure(settings)
+
+    # Finally, swap in the args, chdir if needed, and run the program as if it had been executed directly.
+    sys.argv = [args.PROGRAM] + args.ARGS
+    if args.pwd is not None:
+        os.chdir(args.pwd)
+
+    successful = False
+
+    try:
+        # The docs for get_running_loop are somewhat misleading because they state:
+        # This function can only be called from a coroutine or a callback. However, if the function is
+        # called from outside a coroutine or callback (the standard case when running `pulumi up`), the function
+        # raises a RuntimeError as expected and falls through to the exception clause below.
+        loop = asyncio.get_running_loop()
+    except RuntimeError:
+        loop = asyncio.new_event_loop()
+        asyncio.set_event_loop(loop)
+    
+    # Configure the event loop to respect the parallelism value provided as input.
+    _set_default_executor(loop, settings.parallel)
+
+    # We are (unfortunately) suppressing the log output of asyncio to avoid showing to users some of the bad things we
+    # do in our programming model.
+    #
+    # Fundamentally, Pulumi is a way for users to build asynchronous dataflow graphs that, as their deployments
+    # progress, resolve naturally and eventually result in the complete resolution of the graph. If one node in the
+    # graph fails (i.e. a resource fails to create, there's an exception in an apply, etc.), part of the graph remains
+    # unevaluated at the time that we exit.
+    #
+    # asyncio abhors this. It gets very upset if the process terminates without having observed every future that we
+    # have resolved. If we are terminating abnormally, it is highly likely that we are not going to observe every single
+    # future that we have created. Furthermore, it's *harmless* to do this - asyncio logs errors because it thinks it
+    # needs to tell users that they're doing bad things (which, to their credit, they are), but we are doing this
+    # deliberately.
+    #
+    # In order to paper over this for our users, we simply turn off the logger for asyncio. Users won't see any asyncio
+    # error messages, but if they stick to the Pulumi programming model, they wouldn't be seeing any anyway.
+    logging.getLogger("asyncio").setLevel(logging.CRITICAL)
+    exit_code = 1
+    try:
+        # record the location of the user's program to return user tracebacks
+        user_program_abspath = os.path.abspath(args.PROGRAM)
+        def run():
+            try:
+                runpy.run_path(args.PROGRAM, run_name='__main__')
+            except ImportError as e:
+                def fix_module_file(m: str) -> str:
+                    # Work around python 11 reporting "<frozen runpy>" rather
+                    # than runpy.__file__ in the traceback.
+                    return runpy.__file__ if m == "<frozen runpy>" else m
+
+                # detect if the main pulumi python program does not exist
+                stack_modules = [fix_module_file(f.filename) for f in traceback.extract_tb(e.__traceback__)]
+                unique_modules = set(module for module in stack_modules)
+                last_module_name = stack_modules[-1]
+
+                # we identify a missing program error if
+                # 1. the only modules in the stack trace are
+                #   - `pulumi-language-python-exec`
+                #   - `runpy`
+                # 2. the last function in the stack trace is in the `runpy` module
+                if unique_modules == {
+                            __file__, # the language runtime itself
+                            runpy.__file__,
+                        } and last_module_name == runpy.__file__ :
+                    # this error will only be hit when the user provides a directory
+                    # the engine has a check to determine if the `main` file exists and will fail early
+
+                    # if a language runtime receives a directory, it's the language's responsibility to determine
+                    # whether the provided directory has a pulumi program
+                    pulumi.log.error(f"unable to find main python program `__main__.py` in `{user_program_abspath}`")
+                    sys.exit(PYTHON_PROCESS_EXITED_AFTER_SHOWING_USER_ACTIONABLE_MESSAGE_CODE)
+                else:
+                    raise e
+
+        coro = pulumi.runtime.run_in_stack(run)
+        loop.run_until_complete(coro)
+        exit_code = 0
+    except pulumi.RunError as e:
+        pulumi.log.error(str(e))
+    except Exception:
+        error_msg = "Program failed with an unhandled exception:\n" + _get_user_stacktrace(user_program_abspath)
+        pulumi.log.error(error_msg)
+        exit_code = PYTHON_PROCESS_EXITED_AFTER_SHOWING_USER_ACTIONABLE_MESSAGE_CODE
+    finally:
+        loop.close()
+        sys.stdout.flush()
+        sys.stderr.flush()
+
+    sys.exit(exit_code)

docs/_index.md

@@ -1,428 +0,0 @@
----
-title: Docker Build
-meta_desc: Provides an overview of the Docker Build Provider for Pulumi.
-layout: package
----
-
-The Docker Build provider leverages [buildx and BuildKit](https://docs.docker.com/build/architecture/) to build modern Docker images with Pulumi.
-
-Not to be confused with the earlier
-[Docker](../docker) provider, which is still
-appropriate for managing resources unrelated to building images.
-
-| Provider               | Use cases                                                               |
-| ----------------       | ----------------------------------------------------------------------- |
-| `@pulumi/docker-build` | Anything related to building images with `docker build`.                |
-| `@pulumi/docker`       | Everything else -- including running containers and creating networks.  |
-
-## Example
-
-If your Pulumi program has a directory called `app` alongside it, containing a
-file named "Dockerfile" (which can be as simple as `FROM alpine` for the
-purpose of example), then the code below shows how to build a multi-platform
-image, publish it to a remote AWS ECR registry, and use an [inline
-cache](https://docs.docker.com/build/cache/backends/inline/) to speed up
-subsequent builds.
-
-{{< chooser language "typescript,python,csharp,go,yaml,java" / >}}
-
-{{% choosable language typescript %}}
-
-```typescript
-import * as aws from "@pulumi/aws";
-import * as docker_build from "@pulumi/docker-build";
-
-// Create an ECR repository for pushing.
-const ecrRepository = new aws.ecr.Repository("ecr-repository", {});
-
-// Grab auth credentials for ECR.
-const authToken = aws.ecr.getAuthorizationTokenOutput({
-    registryId: ecrRepository.registryId,
-});
-
-// Build and push an image to ECR with inline caching.
-const myImage = new docker_build.Image("my-image", {
-    // Tag our image with our ECR repository's address.
-    tags: [pulumi.interpolate`${ecrRepository.repositoryUrl}:latest`],
-    context: {
-        location: "./app",
-    },
-    // Use the pushed image as a cache source.
-    cacheFrom: [{
-        registry: {
-            ref: pulumi.interpolate`${ecrRepository.repositoryUrl}:latest`,
-        },
-    }],
-    // Include an inline cache with our pushed image.
-    cacheTo: [{
-        inline: {},
-    }],
-    // Build a multi-platform image manifest for ARM and AMD.
-    platforms: [
-        "linux/amd64",
-        "linux/arm64",
-    ],
-    // Push the final result to ECR.
-    push: true,
-    // Provide our ECR credentials.
-    registries: [{
-        address: ecrRepository.repositoryUrl,
-        password: authToken.password,
-        username: authToken.userName,
-    }],
-});
-
-// Export a ref for the pushed images so we can deploy it.
-export const ref = myImage.ref;
-```
-
-{{% /choosable %}}
-
-{{% choosable language python %}}
-
-```python
-import pulumi
-import pulumi_aws as aws
-import pulumi_docker_build as docker_build
-
-# Create an ECR repository for pushing.
-ecr_repository = aws.ecr.Repository("ecr-repository")
-
-# Grab auth credentials for ECR.
-auth_token = aws.ecr.get_authorization_token_output(registry_id=ecr_repository.registry_id)
-
-# Build and push an image to ECR with inline caching.
-my_image = docker_build.Image("my-image",
-    # Tag our image with our ECR repository's address.
-    tags=[ecr_repository.repository_url.apply(lambda repository_url: f"{repository_url}:latest")],
-    context=docker_build.BuildContextArgs(
-        location="./app",
-    ),
-    # Use the pushed image as a cache source.
-    cache_from=[docker_build.CacheFromArgs(
-        registry=docker_build.CacheFromRegistryArgs(
-            ref=ecr_repository.repository_url.apply(lambda repository_url: f"{repository_url}:latest"),
-        ),
-    )],
-    # Include an inline cache with our pushed image.
-    cache_to=[docker_build.CacheToArgs(
-        inline=docker_build.CacheToInlineArgs(),
-    )],
-    # Build a multi-platform image manifest for ARM and AMD.
-    platforms=[
-        docker_build.Platform.LINUX_AMD64,
-        docker_build.Platform.LINUX_ARM64,
-    ],
-    # Push the final result to ECR.
-    push=True,
-    # Provide our ECR credentials.
-    registries=[docker_build.RegistryArgs(
-        address=ecr_repository.repository_url,
-        password=auth_token.password,
-        username=auth_token.user_name,
-    )],
-)
-
-# Export a ref for the pushed images so we can deploy it.
-pulumi.export("ref", my_image.ref)
-```
-
-{{% /choosable %}}
-
-{{% choosable language csharp %}}
-
-```csharp
-using System.Collections.Generic;
-using System.Linq;
-using Pulumi;
-using Aws = Pulumi.Aws;
-using DockerBuild = Pulumi.DockerBuild;
-
-return await Deployment.RunAsync(() =>
-{
-    // Create an ECR repository for pushing.
-    var ecrRepository = new Aws.Ecr.Repository("ecr-repository");
-
-    // Grab auth credentials for ECR.
-    var authToken = Aws.Ecr.GetAuthorizationToken.Invoke(new()
-    {
-        RegistryId = ecrRepository.RegistryId,
-    });
-
-    // Build and push an image to ECR with inline caching.
-    var myImage = new DockerBuild.Image("my-image", new()
-    {
-        // Tag our image with our ECR repository's address.
-        Tags = new[]
-        {
-            ecrRepository.RepositoryUrl.Apply(repositoryUrl => $"{repositoryUrl}:latest"),
-        },
-        Context = new DockerBuild.Inputs.BuildContextArgs
-        {
-            Location = "./app",
-        },
-        // Use the pushed image as a cache source.
-        CacheFrom = new[]
-        {
-            new DockerBuild.Inputs.CacheFromArgs
-            {
-                Registry = new DockerBuild.Inputs.CacheFromRegistryArgs
-                {
-                    Ref = ecrRepository.RepositoryUrl.Apply(repositoryUrl => $"{repositoryUrl}:latest"),
-                },
-            },
-        },
-        // Include an inline cache with our pushed image.
-        CacheTo = new[]
-        {
-            new DockerBuild.Inputs.CacheToArgs
-            {
-                Inline = null,
-            },
-        },
-        // Build a multi-platform image manifest for ARM and AMD.
-        Platforms = new[]
-        {
-            DockerBuild.Platform.Linux_amd64,
-            DockerBuild.Platform.Linux_arm64,
-        },
-        // Push the final result to ECR.
-        Push = true,
-        // Provide our ECR credentials.
-        Registries = new[]
-        {
-            new DockerBuild.Inputs.RegistryArgs
-            {
-                Address = ecrRepository.RepositoryUrl,
-                Password = authToken.Apply(getAuthorizationTokenResult => getAuthorizationTokenResult.Password),
-                Username = authToken.Apply(getAuthorizationTokenResult => getAuthorizationTokenResult.UserName),
-            },
-        },
-    });
-
-    // Export a ref for the pushed images so we can deploy it.
-    return new Dictionary<string, object?>
-    {
-        ["ref"] = myImage.Ref,
-    };
-});
-
-```
-
-{{% /choosable %}}
-
-{{% choosable language go %}}
-
-```go
-package main
-
-import (
-    "fmt"
-
-    "github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ecr"
-    "github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild"
-    "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
-)
-
-func main() {
-    pulumi.Run(func(ctx *pulumi.Context) error {
-        // Create an ECR repository for pushing.
-        ecrRepository, err := ecr.NewRepository(ctx, "ecr-repository", nil)
-        if err != nil {
-            return err
-        }
-
-        // Grab auth credentials for ECR.
-        authToken := ecr.GetAuthorizationTokenOutput(ctx, ecr.GetAuthorizationTokenOutputArgs{
-            RegistryId: ecrRepository.RegistryId,
-        }, nil)
-
-        // Build and push an image to ECR with inline caching.
-        myImage, err := dockerbuild.NewImage(ctx, "my-image", &dockerbuild.ImageArgs{
-            // Tag our image with our ECR repository's address.
-            Tags: pulumi.StringArray{
-                ecrRepository.RepositoryUrl.ApplyT(func(repositoryUrl string) (string, error) {
-                    return fmt.Sprintf("%v:latest", repositoryUrl), nil
-                }).(pulumi.StringOutput),
-            },
-            Context: &dockerbuild.BuildContextArgs{
-                Location: pulumi.String("./app"),
-            },
-            // Use the pushed image as a cache source.
-            CacheFrom: dockerbuild.CacheFromArray{
-                &dockerbuild.CacheFromArgs{
-                    Registry: &dockerbuild.CacheFromRegistryArgs{
-                        Ref: ecrRepository.RepositoryUrl.ApplyT(func(repositoryUrl string) (string, error) {
-                            return fmt.Sprintf("%v:latest", repositoryUrl), nil
-                        }).(pulumi.StringOutput),
-                    },
-                },
-            },
-            // Include an inline cache with our pushed image.
-            CacheTo: dockerbuild.CacheToArray{
-                &dockerbuild.CacheToArgs{
-                    Inline: nil,
-                },
-            },
-            // Build a multi-platform image manifest for ARM and AMD.
-            Platforms: dockerbuild.PlatformArray{
-                dockerbuild.Platform_Linux_amd64,
-                dockerbuild.Platform_Linux_arm64,
-            },
-            // Push the final result to ECR.
-            Push: pulumi.Bool(true),
-            // Provide our ECR credentials.
-            Registries: dockerbuild.RegistryArray{
-                &dockerbuild.RegistryArgs{
-                    Address: ecrRepository.RepositoryUrl,
-                    Password: authToken.ApplyT(func(authToken ecr.GetAuthorizationTokenResult) (*string, error) {
-                        return &authToken.Password, nil
-                    }).(pulumi.StringPtrOutput),
-                    Username: authToken.ApplyT(func(authToken ecr.GetAuthorizationTokenResult) (*string, error) {
-                        return &authToken.UserName, nil
-                    }).(pulumi.StringPtrOutput),
-                },
-            },
-        })
-        if err != nil {
-            return err
-        }
-
-        // Export a ref for the pushed images so we can deploy it.
-        ctx.Export("ref", myImage.Ref)
-        return nil
-    })
-}
-```
-
-{{% /choosable %}}
-
-{{% choosable language yaml %}}
-
-```yaml
-description: Push to AWS ECR with caching
-name: ecr
-outputs:
-    ref: ${my-image.ref}
-resources:
-    # Create an ECR repository for pushing.
-    ecr-repository:
-        type: aws:ecr:Repository
-
-    # Build and push an image to ECR with inline caching.
-    my-image:
-        type: docker-build:Image
-        properties:
-            # Tag our image with our ECR repository's address.
-            tags:
-                - ${ecr-repository.repositoryUrl}:latest
-            context:
-                location: ./app
-            # Use the pushed image as a cache source.
-            cacheFrom:
-                - registry:
-                    ref: ${ecr-repository.repositoryUrl}:latest
-            # Include an inline cache with our pushed image.
-            cacheTo:
-                - inline: {}
-            # Build a multi-platform image manifest for ARM and AMD.
-            platforms:
-                - linux/amd64
-                - linux/arm64
-            # Push the final result to ECR.
-            push: true
-            # Provide our ECR credentials.
-            registries:
-                - address: ${ecr-repository.repositoryUrl}
-                  password: ${auth-token.password}
-                  username: ${auth-token.userName}
-
-runtime: yaml
-variables:
-    auth-token:
-        # Grab auth credentials for ECR.
-        fn::aws:ecr:getAuthorizationToken:
-            registryId: ${ecr-repository.registryId}
-```
-
-{{% /choosable %}}
-
-{{% choosable language java %}}
-
-```java
-package myapp;
-
-import com.pulumi.Context;
-import com.pulumi.Pulumi;
-import com.pulumi.core.Output;
-import com.pulumi.aws.ecr.Repository;
-import com.pulumi.aws.ecr.EcrFunctions;
-import com.pulumi.aws.ecr.inputs.GetAuthorizationTokenArgs;
-import com.pulumi.dockerbuild.Image;
-import com.pulumi.dockerbuild.ImageArgs;
-import com.pulumi.dockerbuild.inputs.CacheFromArgs;
-import com.pulumi.dockerbuild.inputs.CacheFromRegistryArgs;
-import com.pulumi.dockerbuild.inputs.CacheToArgs;
-import com.pulumi.dockerbuild.inputs.CacheToInlineArgs;
-import com.pulumi.dockerbuild.inputs.BuildContextArgs;
-import com.pulumi.dockerbuild.inputs.RegistryArgs;
-import java.util.List;
-import java.util.ArrayList;
-import java.util.Map;
-import java.io.File;
-import java.nio.file.Files;
-import java.nio.file.Paths;
-
-public class App {
-    public static void main(String[] args) {
-        Pulumi.run(App::stack);
-    }
-
-    public static void stack(Context ctx) {
-        // Create an ECR repository for pushing.
-        var ecrRepository = new Repository("ecrRepository");
-
-        // Grab auth credentials for ECR.
-        final var authToken = EcrFunctions.getAuthorizationToken(GetAuthorizationTokenArgs.builder()
-            .registryId(ecrRepository.registryId())
-            .build());
-
-        // Build and push an image to ECR with inline caching.
-        var myImage = new Image("myImage", ImageArgs.builder()
-            // Tag our image with our ECR repository's address.
-            .tags(ecrRepository.repositoryUrl().applyValue(repositoryUrl -> String.format("%s:latest", repositoryUrl)))
-            .context(BuildContextArgs.builder()
-                .location("./app")
-                .build())
-            // Use the pushed image as a cache source.
-            .cacheFrom(CacheFromArgs.builder()
-                .registry(CacheFromRegistryArgs.builder()
-                    .ref(ecrRepository.repositoryUrl().applyValue(repositoryUrl -> String.format("%s:latest", repositoryUrl)))
-                    .build())
-                .build())
-            // Include an inline cache with our pushed image.
-            .cacheTo(CacheToArgs.builder()
-                .inline()
-                .build())
-            // Build a multi-platform image manifest for ARM and AMD.
-            .platforms(
-                "linux/amd64",
-                "linux/arm64")
-            // Push the final result to ECR.
-            .push(true)
-            // Provide our ECR credentials.
-            .registries(RegistryArgs.builder()
-                .address(ecrRepository.repositoryUrl())
-                .password(authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult).applyValue(authToken -> authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult.password())))
-                .username(authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult).applyValue(authToken -> authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult.userName())))
-                .build())
-            .build());
-
-        ctx.export("ref", myImage.ref());
-    }
-}
-```
-
-{{% /choosable %}}
-
-{{< /chooser >}}

docs/installation-configuration.md

@@ -1,33 +0,0 @@
----
-title: Docker-Build Installation & Configuration
-meta_desc: Provides an overview on how to configure the Pulumi Docker-Build Provider.
-layout: package
----
-
-The Pulumi Docker-build provider builds modern Docker images with [buildx](https://docs.docker.com/reference/cli/docker/buildx/) and [BuildKit](https://docs.docker.com/build/buildkit/).
-
-## Installation
-
-The Docker-Build provider is available as a package in all Pulumi languages:
-
-* JavaScript/TypeScript: [`@pulumi/docker-build`](https://www.npmjs.com/package/@pulumi/docker-build)
-* Python: [`pulumi-docker-build`](https://pypi.org/project/pulumi-docker-build/)
-* Go: [`github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild`](https://github.com/pulumi/pulumi-docker-build)
-* .NET: [`Pulumi.DockerBuild`](https://www.nuget.org/packages/Pulumi.DockerBuild)
-* Java: [`com.pulumi/docker-build`](https://central.sonatype.com/artifact/com.pulumi/docker-build)
-
-## Configuring The Provider
-
-### Host
-
-The `DOCKER_HOST` environment variable can be used to specify a custom build daemon's location.
-
-```bash
-$ export DOCKER_HOST=tcp://127.0.0.1:2376/
-```
-
-This can also be specified in your stack's configuration:
-
-```bash
-$ pulumi config set docker-build:host tcp://127.0.0.1:2376/
-```

examples/go/go.mod

@@ -1,39 +1,40 @@
 module provider-docker-build
 
-go 1.24.7
+go 1.23.1
 
-toolchain go1.24.13
+toolchain go1.24.2
 
 require (
-	github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild v0.0.12
-	github.com/pulumi/pulumi/sdk/v3 v3.209.0
+	github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild v0.0.11
+	github.com/pulumi/pulumi/sdk/v3 v3.165.0
 )
 
 require (
 	dario.cat/mergo v1.0.1 // indirect
+	github.com/BurntSushi/toml v1.4.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/ProtonMail/go-crypto v1.2.0 // indirect
+	github.com/ProtonMail/go-crypto v1.1.6 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/atotto/clipboard v0.1.4 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/blang/semver v3.5.1+incompatible // indirect
-	github.com/charmbracelet/bubbles v0.21.0 // indirect
+	github.com/charmbracelet/bubbles v0.20.0 // indirect
 	github.com/charmbracelet/bubbletea v1.3.4 // indirect
-	github.com/charmbracelet/colorprofile v0.3.0 // indirect
+	github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc // indirect
 	github.com/charmbracelet/lipgloss v1.1.0 // indirect
 	github.com/charmbracelet/x/ansi v0.8.0 // indirect
 	github.com/charmbracelet/x/cellbuf v0.0.13 // indirect
 	github.com/charmbracelet/x/term v0.2.1 // indirect
 	github.com/cheggaaa/pb v1.0.29 // indirect
-	github.com/cloudflare/circl v1.6.1 // indirect
+	github.com/cloudflare/circl v1.6.0 // indirect
 	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
 	github.com/djherbis/times v1.6.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.6.2 // indirect
-	github.com/go-git/go-git/v5 v5.16.0 // indirect
+	github.com/go-git/go-git/v5 v5.14.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/glog v1.2.4 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
@@ -57,40 +58,39 @@ require (
 	github.com/opentracing/basictracer-go v1.1.0 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pgavlin/fx v0.1.6 // indirect
-	github.com/pgavlin/fx/v2 v2.0.10 // indirect
 	github.com/pjbgf/sha1cd v0.3.2 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pkg/term v1.1.0 // indirect
 	github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 // indirect
-	github.com/pulumi/esc v0.21.0 // indirect
+	github.com/pulumi/esc v0.13.0 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rogpeppe/go-internal v1.14.1 // indirect
+	github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 // indirect
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect
-	github.com/sergi/go-diff v1.4.0 // indirect
+	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
 	github.com/skeema/knownhosts v1.3.1 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
-	github.com/spf13/cobra v1.10.1 // indirect
-	github.com/spf13/pflag v1.0.9 // indirect
+	github.com/spf13/cobra v1.9.1 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/texttheater/golang-levenshtein v1.0.1 // indirect
 	github.com/uber/jaeger-client-go v2.30.0+incompatible // indirect
 	github.com/uber/jaeger-lib v2.4.1+incompatible // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	github.com/zclconf/go-cty v1.16.2 // indirect
-	go.opentelemetry.io/otel/sdk v1.36.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
-	golang.org/x/crypto v0.45.0 // indirect
-	golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 // indirect
-	golang.org/x/mod v0.29.0 // indirect
-	golang.org/x/net v0.47.0 // indirect
-	golang.org/x/sync v0.18.0 // indirect
-	golang.org/x/sys v0.38.0 // indirect
-	golang.org/x/term v0.37.0 // indirect
-	golang.org/x/text v0.31.0 // indirect
-	golang.org/x/tools v0.38.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 // indirect
-	google.golang.org/grpc v1.72.1 // indirect
-	google.golang.org/protobuf v1.36.6 // indirect
+	golang.org/x/crypto v0.36.0 // indirect
+	golang.org/x/exp v0.0.0-20250305212735-054e65f0b394 // indirect
+	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/net v0.37.0 // indirect
+	golang.org/x/sync v0.12.0 // indirect
+	golang.org/x/sys v0.31.0 // indirect
+	golang.org/x/term v0.30.0 // indirect
+	golang.org/x/text v0.23.0 // indirect
+	golang.org/x/tools v0.31.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4 // indirect
+	google.golang.org/grpc v1.71.0 // indirect
+	google.golang.org/protobuf v1.36.5 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/frand v1.5.1 // indirect

examples/go/go.sum

@@ -1,12 +1,14 @@
 dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
 dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
+github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=
+github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/HdrHistogram/hdrhistogram-go v1.1.2 h1:5IcZpTvzydCQeHzK4Ef/D5rrSqwxob0t8PQPMybUNFM=
 github.com/HdrHistogram/hdrhistogram-go v1.1.2/go.mod h1:yDgFjdqOqDEKOvasDdhWNXYg9BVp4O+o5f6V/ehm6Oo=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/ProtonMail/go-crypto v1.2.0 h1:+PhXXn4SPGd+qk76TlEePBfOfivE0zkWFenhGhFLzWs=
-github.com/ProtonMail/go-crypto v1.2.0/go.mod h1:9whxjD8Rbs29b4XWbB8irEcE8KHMqaR2e7GWU1R+/PE=
+github.com/ProtonMail/go-crypto v1.1.6 h1:ZcV+Ropw6Qn0AX9brlQLAUXfqLBc7Bl+f/DmNxpLfdw=
+github.com/ProtonMail/go-crypto v1.1.6/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE=
 github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo=
 github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
@@ -21,12 +23,12 @@ github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiE
 github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
 github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ=
 github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
-github.com/charmbracelet/bubbles v0.21.0 h1:9TdC97SdRVg/1aaXNVWfFH3nnLAwOXr8Fn6u6mfQdFs=
-github.com/charmbracelet/bubbles v0.21.0/go.mod h1:HF+v6QUR4HkEpz62dx7ym2xc71/KBHg+zKwJtMw+qtg=
+github.com/charmbracelet/bubbles v0.20.0 h1:jSZu6qD8cRQ6k9OMfR1WlM+ruM8fkPWkHvQWD9LIutE=
+github.com/charmbracelet/bubbles v0.20.0/go.mod h1:39slydyswPy+uVOHZ5x/GjwVAFkCsV8IIVy+4MhzwwU=
 github.com/charmbracelet/bubbletea v1.3.4 h1:kCg7B+jSCFPLYRA52SDZjr51kG/fMUEoPoZrkaDHyoI=
 github.com/charmbracelet/bubbletea v1.3.4/go.mod h1:dtcUCyCGEX3g9tosuYiut3MXgY/Jsv9nKVdibKKRRXo=
-github.com/charmbracelet/colorprofile v0.3.0 h1:KtLh9uuu1RCt+Hml4s6Hz+kB1PfV3wi++1h5ia65yKQ=
-github.com/charmbracelet/colorprofile v0.3.0/go.mod h1:oHJ340RS2nmG1zRGPmhJKJ/jf4FPNNk0P39/wBPA1G0=
+github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc h1:4pZI35227imm7yK2bGPcfpFEmuY1gc2YSTShr4iJBfs=
+github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc/go.mod h1:X4/0JoqgTIPSFcRA/P6INZzIuyqdFY5rm8tb41s9okk=
 github.com/charmbracelet/lipgloss v1.1.0 h1:vYXsiLHVkK7fp74RkV7b2kq9+zDLoEU4MZoFqR/noCY=
 github.com/charmbracelet/lipgloss v1.1.0/go.mod h1:/6Q8FR2o+kj8rz4Dq0zQc3vYf7X+B0binUUBwA0aL30=
 github.com/charmbracelet/x/ansi v0.8.0 h1:9GTq3xq9caJW8ZrBTe0LIe2fvfLR/bYXKTx2llXn7xE=
@@ -37,8 +39,8 @@ github.com/charmbracelet/x/term v0.2.1 h1:AQeHeLZ1OqSXhrAWpYUtZyX1T3zVxfpZuEQMIQ
 github.com/charmbracelet/x/term v0.2.1/go.mod h1:oQ4enTYFV7QN4m0i9mzHrViD7TQKvNEEkHUMCmsxdUg=
 github.com/cheggaaa/pb v1.0.29 h1:FckUN5ngEk2LpvuG0fw1GEFx6LtyY2pWI/Z2QgCnEYo=
 github.com/cheggaaa/pb v1.0.29/go.mod h1:W40334L7FMC5JKWldsTWbdGjLo0RxUKK73K+TuPxX30=
-github.com/cloudflare/circl v1.6.1 h1:zqIqSPIndyBh1bjLVVDHMPpVKqp8Su/V+6MeDzzQBQ0=
-github.com/cloudflare/circl v1.6.1/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
+github.com/cloudflare/circl v1.6.0 h1:cr5JKic4HI+LkINy2lg3W2jF8sHCVTBncJr5gIIq7qk=
+github.com/cloudflare/circl v1.6.0/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s=
 github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
@@ -67,8 +69,8 @@ github.com/go-git/go-billy/v5 v5.6.2 h1:6Q86EsPXMa7c3YZ3aLAQsMA0VlWmy43r6FHqa/UN
 github.com/go-git/go-billy/v5 v5.6.2/go.mod h1:rcFC2rAsp/erv7CMz9GczHcuD0D32fWzH+MJAU+jaUU=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
-github.com/go-git/go-git/v5 v5.16.0 h1:k3kuOEpkc0DeY7xlL6NaaNg39xdgQbtH5mwCafHO9AQ=
-github.com/go-git/go-git/v5 v5.16.0/go.mod h1:4Ge4alE/5gPs30F2H1esi2gPd69R0C39lolkucHBOp8=
+github.com/go-git/go-git/v5 v5.14.0 h1:/MD3lCrGjCen5WfEAzKg00MJJffKhC8gzS80ycmCi60=
+github.com/go-git/go-git/v5 v5.14.0/go.mod h1:Z5Xhoia5PcWA3NF8vRLURn9E5FRhSl7dGj9ItW3Wk5k=
 github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
 github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
@@ -144,8 +146,6 @@ github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
 github.com/pgavlin/fx v0.1.6 h1:r9jEg69DhNoCd3Xh0+5mIbdbS3PqWrVWujkY76MFRTU=
 github.com/pgavlin/fx v0.1.6/go.mod h1:KWZJ6fqBBSh8GxHYqwYCf3rYE7Gp2p0N8tJp8xv9u9M=
-github.com/pgavlin/fx/v2 v2.0.10 h1:ggyQ6pB+lEQEbEae48Wh/X221eLOamMD7i01ISe88u4=
-github.com/pgavlin/fx/v2 v2.0.10/go.mod h1:M/nF/ooAOy+NUBooYYXl2REARzJ/giPJxfMs8fINfKc=
 github.com/pjbgf/sha1cd v0.3.2 h1:a9wb0bp1oC2TGwStyn0Umc/IGKQnEgF0vVaZ8QF8eo4=
 github.com/pjbgf/sha1cd v0.3.2/go.mod h1:zQWigSxVmsHEZow5qaLtPYxpcKMMQpa09ixqBxuCS6A=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
@@ -157,31 +157,33 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRI
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 h1:vkHw5I/plNdTr435cARxCW6q9gc0S/Yxz7Mkd38pOb0=
 github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231/go.mod h1:murToZ2N9hNJzewjHBgfFdXhZKjY3z5cYC1VXk+lbFE=
-github.com/pulumi/esc v0.21.0 h1:TR8Ff22SU+z8cooTmUKkmk2FltXW/wDPrIwI9BP88Vk=
-github.com/pulumi/esc v0.21.0/go.mod h1:mkghIFn/TvN3XnP4jmCB4U5BG1I4UjGluARi39ckrCE=
-github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild v0.0.12 h1:uzmw+0iic764m0Yvh4I/jRV1x3q49dVh5Ctq9RllsQ8=
-github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild v0.0.12/go.mod h1:6zFMe786NvFDO03BVJwdw1R/Yms4F6vAU49iBHo8zbQ=
-github.com/pulumi/pulumi/sdk/v3 v3.209.0 h1:Ti0FohAset2HEgogTxTOWoyvQd2N2+pkTSIn5DW3W7s=
-github.com/pulumi/pulumi/sdk/v3 v3.209.0/go.mod h1:qBMg01woyYVNqNDJXpFL1e5gdN7oQQvCNNNtfq1gsEo=
+github.com/pulumi/esc v0.13.0 h1:O2MPR2koScaQ2fXwyer8Q3Dd7z+DCnaDfsgNl5mVNMk=
+github.com/pulumi/esc v0.13.0/go.mod h1:IIQo6W6Uzajt6f1RW4QvNxIRDlbK3TNQysnrwBHNo3U=
+github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild v0.0.11 h1:16T7aYBGcMs7oMGcRHzRO9ETHit0xVYgPRBkaFu6T3M=
+github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild v0.0.11/go.mod h1:Uxxd/MM83Wys2lfpbfqvY8KUmnbU9mePbxbwEda/+SM=
+github.com/pulumi/pulumi/sdk/v3 v3.165.0 h1:cglplKZOJDpqH8wa/2J250G9az/sE9eKp9fS2bC+vi8=
+github.com/pulumi/pulumi/sdk/v3 v3.165.0/go.mod h1:GAaHrdv3kWJHbzkFFFflGbTBQXUYu6SF1ZCo+O9jo44=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 h1:OkMGxebDjyw0ULyrTYWeN0UNCCkmCWfjPnIA2W6oviI=
+github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06/go.mod h1:+ePHsJ1keEjQtpvf9HHw0f4ZeJ0TLRsxhunSI2hYJSs=
 github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6NgVqpn3+iol9aGu4=
 github.com/santhosh-tekuri/jsonschema/v5 v5.3.1/go.mod h1:uToXkOrWAZ6/Oc07xWQrPOhJotwFIyu2bBVN41fcDUY=
-github.com/sergi/go-diff v1.4.0 h1:n/SP9D5ad1fORl+llWyN+D6qoUETXNZARKjyY2/KVCw=
-github.com/sergi/go-diff v1.4.0/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
+github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=
+github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/skeema/knownhosts v1.3.1 h1:X2osQ+RAjK76shCbvhHHHVl3ZlgDm8apHEHFqRjnBY8=
 github.com/skeema/knownhosts v1.3.1/go.mod h1:r7KTdC8l4uxWRyK2TpQZ/1o5HaSzh06ePQNxPwTcfiY=
 github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w=
 github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU=
-github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
-github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
-github.com/spf13/pflag v1.0.9 h1:9exaQaMOCwffKiiiYk6/BndUBv+iRViNW+4lEMi0PvY=
-github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
+github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
+github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
@@ -189,6 +191,7 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
 github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/texttheater/golang-levenshtein v1.0.1 h1:+cRNoVrfiwufQPhoMzB6N0Yf/Mqajr6t1lOv8GyGE2U=
@@ -207,45 +210,45 @@ github.com/zclconf/go-cty v1.16.2 h1:LAJSwc3v81IRBZyUVQDUdZ7hs3SYs9jv0eZJDWHD/70
 github.com/zclconf/go-cty v1.16.2/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
-go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
-go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE=
-go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
-go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs=
-go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
+go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
+go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/otel/metric v1.34.0 h1:+eTR3U0MyfWjRDhmFMxe2SsW64QrZ84AOhvqS7Y+PoQ=
+go.opentelemetry.io/otel/metric v1.34.0/go.mod h1:CEDrp0fy2D0MvkXE+dPV7cMi8tWZwX3dmaIhwPOaqHE=
+go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY=
+go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg=
 go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
 go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
-go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
-go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
+go.opentelemetry.io/otel/trace v1.34.0 h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC8mh/k=
+go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
-golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
-golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 h1:R9PFI6EUdfVKgwKjZef7QIwGcBKu86OEFpJ9nUEP2l4=
-golang.org/x/exp v0.0.0-20250718183923-645b1fa84792/go.mod h1:A+z0yzpGtvnG90cToK5n2tu8UJVP2XUATh+r+sfOOOc=
+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
+golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
+golang.org/x/exp v0.0.0-20250305212735-054e65f0b394 h1:nDVHiLt8aIbd/VzvPWN6kSOPE7+F/fNFDSXLVYkE/Iw=
+golang.org/x/exp v0.0.0-20250305212735-054e65f0b394/go.mod h1:sIifuuw/Yco/y6yb6+bDNfyeQ/MdPUy/hKEMYQV17cM=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
-golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
+golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
+golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200421231249-e086a090c8fd/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
-golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
+golang.org/x/net v0.37.0 h1:1zLorHbz+LYj7MQlSf1+2tPIIgibq2eL5xkrGk6f+2c=
+golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
-golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
+golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -261,34 +264,34 @@ golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
-golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
+golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
+golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
+golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
-golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
+golang.org/x/tools v0.31.0 h1:0EedkvKDbh+qistFTd0Bcwe/YLh4vHwWEkiI0toFIBU=
+golang.org/x/tools v0.31.0/go.mod h1:naFTU+Cev749tSJRXJlna0T3WxKvb1kWEx15xA4SdmQ=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 h1:cJfm9zPbe1e873mHJzmQ1nwVEeRDU/T1wXDK2kUSU34=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
-google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
-google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
-google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
-google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4 h1:iK2jbkWL86DXjEx0qiHcRE9dE4/Ahua5k6V8OWFb//c=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
+google.golang.org/grpc v1.71.0 h1:kF77BGdPTQ4/JZWMlb9VpJ5pa25aqvVqogsxNHHdeBg=
+google.golang.org/grpc v1.71.0/go.mod h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec=
+google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
+google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
@@ -298,6 +301,7 @@ gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRN
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 lukechampine.com/frand v1.5.1 h1:fg0eRtdmGFIxhP5zQJzM1lFDbD6CUfu/f+7WgAZd5/w=

examples/nodejs/package.json

@@ -5,6 +5,6 @@
   },
   "dependencies": {
     "typescript": "^4.0.0",
-    "@pulumi/pulumi": "3.219.0"
+    "@pulumi/pulumi": "3.165.0"
   }
 }

examples/nodejs_test.go

@@ -181,9 +181,8 @@ func TestConfig(t *testing.T) {
 	require.NoError(t, err)
 
 	test := integration.ProgramTestOptions{
-		Dir:                    path.Join(cwd, "tests", "config"),
-		Dependencies:           []string{"@pulumi/docker-build"},
-		SkipEmptyPreviewUpdate: true,
+		Dir:          path.Join(cwd, "tests", "config"),
+		Dependencies: []string{"@pulumi/docker-build"},
 	}
 
 	integration.ProgramTest(t, &test)

examples/python/__main__.py

@@ -5,151 +5,151 @@ config = pulumi.Config()
 docker_hub_password = config.require("dockerHubPassword")
 multi_platform = docker_build.Image("multiPlatform",
     push=False,
-    dockerfile={
-        "location": "./app/Dockerfile.multiPlatform",
-    },
-    context={
-        "location": "./app",
-    },
+    dockerfile=docker_build.DockerfileArgs(
+        location="./app/Dockerfile.multiPlatform",
+    ),
+    context=docker_build.BuildContextArgs(
+        location="./app",
+    ),
     platforms=[
         docker_build.Platform.PLAN9_AMD64,
         docker_build.Platform.PLAN9_386,
     ])
 registry_push = docker_build.Image("registryPush",
     push=False,
-    context={
-        "location": "./app",
-    },
+    context=docker_build.BuildContextArgs(
+        location="./app",
+    ),
     tags=["docker.io/pulumibot/buildkit-e2e:example"],
-    exports=[{
-        "registry": {
-            "oci_media_types": True,
-            "push": False,
-        },
-    }],
-    registries=[{
-        "address": "docker.io",
-        "username": "pulumibot",
-        "password": docker_hub_password,
-    }])
+    exports=[docker_build.ExportArgs(
+        registry=docker_build.ExportRegistryArgs(
+            oci_media_types=True,
+            push=False,
+        ),
+    )],
+    registries=[docker_build.RegistryArgs(
+        address="docker.io",
+        username="pulumibot",
+        password=docker_hub_password,
+    )])
 cached = docker_build.Image("cached",
     push=False,
-    context={
-        "location": "./app",
-    },
-    cache_to=[{
-        "local": {
-            "dest": "tmp/cache",
-            "mode": docker_build.CacheMode.MAX,
-        },
-    }],
-    cache_from=[{
-        "local": {
-            "src": "tmp/cache",
-        },
-    }])
+    context=docker_build.BuildContextArgs(
+        location="./app",
+    ),
+    cache_to=[docker_build.CacheToArgs(
+        local=docker_build.CacheToLocalArgs(
+            dest="tmp/cache",
+            mode=docker_build.CacheMode.MAX,
+        ),
+    )],
+    cache_from=[docker_build.CacheFromArgs(
+        local=docker_build.CacheFromLocalArgs(
+            src="tmp/cache",
+        ),
+    )])
 build_args = docker_build.Image("buildArgs",
     push=False,
-    dockerfile={
-        "location": "./app/Dockerfile.buildArgs",
-    },
-    context={
-        "location": "./app",
-    },
+    dockerfile=docker_build.DockerfileArgs(
+        location="./app/Dockerfile.buildArgs",
+    ),
+    context=docker_build.BuildContextArgs(
+        location="./app",
+    ),
     build_args={
         "SET_ME_TO_TRUE": "true",
     })
 extra_hosts = docker_build.Image("extraHosts",
     push=False,
-    dockerfile={
-        "location": "./app/Dockerfile.extraHosts",
-    },
-    context={
-        "location": "./app",
-    },
+    dockerfile=docker_build.DockerfileArgs(
+        location="./app/Dockerfile.extraHosts",
+    ),
+    context=docker_build.BuildContextArgs(
+        location="./app",
+    ),
     add_hosts=["metadata.google.internal:169.254.169.254"])
 ssh_mount = docker_build.Image("sshMount",
     push=False,
-    dockerfile={
-        "location": "./app/Dockerfile.sshMount",
-    },
-    context={
-        "location": "./app",
-    },
-    ssh=[{
-        "id": "default",
-    }])
+    dockerfile=docker_build.DockerfileArgs(
+        location="./app/Dockerfile.sshMount",
+    ),
+    context=docker_build.BuildContextArgs(
+        location="./app",
+    ),
+    ssh=[docker_build.SSHArgs(
+        id="default",
+    )])
 secrets = docker_build.Image("secrets",
     push=False,
-    dockerfile={
-        "location": "./app/Dockerfile.secrets",
-    },
-    context={
-        "location": "./app",
-    },
+    dockerfile=docker_build.DockerfileArgs(
+        location="./app/Dockerfile.secrets",
+    ),
+    context=docker_build.BuildContextArgs(
+        location="./app",
+    ),
     secrets={
         "password": "hunter2",
     })
 labels = docker_build.Image("labels",
     push=False,
-    context={
-        "location": "./app",
-    },
+    context=docker_build.BuildContextArgs(
+        location="./app",
+    ),
     labels={
         "description": "This image will get a descriptive label 👍",
     })
 target = docker_build.Image("target",
     push=False,
-    dockerfile={
-        "location": "./app/Dockerfile.target",
-    },
-    context={
-        "location": "./app",
-    },
+    dockerfile=docker_build.DockerfileArgs(
+        location="./app/Dockerfile.target",
+    ),
+    context=docker_build.BuildContextArgs(
+        location="./app",
+    ),
     target="build-me")
 named_contexts = docker_build.Image("namedContexts",
     push=False,
-    dockerfile={
-        "location": "./app/Dockerfile.namedContexts",
-    },
-    context={
-        "location": "./app",
-        "named": {
-            "golang:latest": {
-                "location": "docker-image://golang@sha256:b8e62cf593cdaff36efd90aa3a37de268e6781a2e68c6610940c48f7cdf36984",
-            },
+    dockerfile=docker_build.DockerfileArgs(
+        location="./app/Dockerfile.namedContexts",
+    ),
+    context=docker_build.BuildContextArgs(
+        location="./app",
+        named={
+            "golang:latest": docker_build.ContextArgs(
+                location="docker-image://golang@sha256:b8e62cf593cdaff36efd90aa3a37de268e6781a2e68c6610940c48f7cdf36984",
+            ),
         },
-    })
+    ))
 remote_context = docker_build.Image("remoteContext",
     push=False,
-    context={
-        "location": "https://raw.githubusercontent.com/pulumi/pulumi-docker/api-types/provider/testdata/Dockerfile",
-    })
+    context=docker_build.BuildContextArgs(
+        location="https://raw.githubusercontent.com/pulumi/pulumi-docker/api-types/provider/testdata/Dockerfile",
+    ))
 remote_context_with_inline = docker_build.Image("remoteContextWithInline",
     push=False,
-    dockerfile={
-        "inline": """FROM busybox
+    dockerfile=docker_build.DockerfileArgs(
+        inline="""FROM busybox
 COPY hello.c ./
 """,
-    },
-    context={
-        "location": "https://github.com/docker-library/hello-world.git",
-    })
+    ),
+    context=docker_build.BuildContextArgs(
+        location="https://github.com/docker-library/hello-world.git",
+    ))
 inline = docker_build.Image("inline",
     push=False,
-    dockerfile={
-        "inline": """FROM alpine
+    dockerfile=docker_build.DockerfileArgs(
+        inline="""FROM alpine
 RUN echo "This uses an inline Dockerfile! 👍"
 """,
-    })
+    ))
 docker_load = docker_build.Image("dockerLoad",
     push=False,
-    context={
-        "location": "./app",
-    },
-    exports=[{
-        "docker": {
-            "tar": True,
-        },
-    }])
+    context=docker_build.BuildContextArgs(
+        location="./app",
+    ),
+    exports=[docker_build.ExportArgs(
+        docker=docker_build.ExportDockerArgs(
+            tar=True,
+        ),
+    )])
 pulumi.export("platforms", multi_platform.platforms)

examples/tests/caching/package.json

@@ -4,6 +4,6 @@
     "@types/node": "^20.0.0"
   },
   "dependencies": {
-    "@pulumi/pulumi": "3.219.0"
+    "@pulumi/pulumi": "3.165.0"
   }
 }

examples/tests/config/package.json

@@ -4,6 +4,6 @@
     "@types/node": "^20.0.0"
   },
   "dependencies": {
-    "@pulumi/pulumi": "3.219.0"
+    "@pulumi/pulumi": "3.165.0"
   }
 }

examples/upgrade-node/package.json

@@ -5,6 +5,6 @@
   },
   "dependencies": {
     "typescript": "^4.0.0",
-    "@pulumi/pulumi": "3.219.0"
+    "@pulumi/pulumi": "3.165.0"
   }
 }

go.mod

@@ -1,6 +1,6 @@
 module github.com/pulumi/pulumi-docker-build
 
-go 1.24.7
+go 1.24.1
 
 require (
 	github.com/aws/aws-sdk-go v1.55.5
@@ -9,33 +9,41 @@ require (
 	github.com/docker/buildx v0.22.0
 	github.com/docker/cli v28.0.4+incompatible
 	github.com/docker/docker v28.0.1+incompatible
+	github.com/golangci/golangci-lint v1.59.1
 	github.com/moby/buildkit v0.20.1
 	github.com/moby/patternmatcher v0.6.0
 	github.com/muesli/reflow v0.3.0
 	github.com/otiai10/copy v1.14.0
-	github.com/pulumi/providertest v0.6.0
-	github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3 v3.100.0
-	github.com/pulumi/pulumi-go-provider v1.3.0
-	github.com/pulumi/pulumi-java/pkg v1.16.0
-	github.com/pulumi/pulumi/pkg/v3 v3.219.1-0.20260208071218-1bd84f1343e1
-	github.com/pulumi/pulumi/sdk/v3 v3.219.1-0.20260208071218-1bd84f1343e1
+	github.com/pulumi/providertest v0.3.1
+	github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3 v3.0.0-20250507122953-af68281fea7f
+	github.com/pulumi/pulumi-go-provider v1.0.0-rc1.0.20250508214503-b09e1ae91a79
+	github.com/pulumi/pulumi-java/pkg v1.11.0
+	github.com/pulumi/pulumi-yaml v1.17.0
+	github.com/pulumi/pulumi/pkg/v3 v3.169.0
+	github.com/pulumi/pulumi/sdk/go/pulumi-language-go/v3 v3.0.0-20250508095305-a4bdc94d01aa
+	github.com/pulumi/pulumi/sdk/nodejs/cmd/pulumi-language-nodejs/v3 v3.0.0-20250508095305-a4bdc94d01aa
+	github.com/pulumi/pulumi/sdk/python/cmd/pulumi-language-python/v3 v3.0.0-20250508095305-a4bdc94d01aa
+	github.com/pulumi/pulumi/sdk/v3 v3.169.0
 	github.com/regclient/regclient v0.7.1
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/afero v1.14.0
-	github.com/stretchr/testify v1.11.1
+	github.com/stretchr/testify v1.10.0
+	github.com/theupdateframework/notary v0.7.0
 	github.com/tonistiigi/fsutil v0.0.0-20250113203817-b14e27f4135a
 	github.com/tonistiigi/go-csvvalue v0.0.0-20240710180619-ddb21b71c0b4
-	go.opentelemetry.io/otel/metric v1.36.0
-	go.opentelemetry.io/otel/sdk v1.36.0
-	go.opentelemetry.io/otel/trace v1.36.0
-	go.uber.org/mock v0.6.0
-	golang.org/x/crypto v0.47.0
-	golang.org/x/exp v0.0.0-20250718183923-645b1fa84792
+	go.opentelemetry.io/otel/metric v1.35.0
+	go.opentelemetry.io/otel/sdk v1.35.0
+	go.opentelemetry.io/otel/trace v1.35.0
+	go.uber.org/mock v0.5.0
+	golang.org/x/crypto v0.38.0
+	golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0
 	google.golang.org/protobuf v1.36.6
 	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
+	4d63.com/gocheckcompilerdirectives v1.2.1 // indirect
+	4d63.com/gochecknoglobals v0.2.1 // indirect
 	cloud.google.com/go v0.112.1 // indirect
 	cloud.google.com/go/compute/metadata v0.6.0 // indirect
 	cloud.google.com/go/iam v1.1.6 // indirect
@@ -44,54 +52,95 @@ require (
 	cloud.google.com/go/longrunning v0.5.5 // indirect
 	cloud.google.com/go/storage v1.39.1 // indirect
 	dario.cat/mergo v1.0.1 // indirect
+	github.com/4meepo/tagalign v1.3.4 // indirect
+	github.com/Abirdcfly/dupword v0.0.14 // indirect
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.2 // indirect
+	github.com/AlecAivazis/survey/v2 v2.3.7 // indirect
+	github.com/Antonboom/errname v0.1.13 // indirect
+	github.com/Antonboom/nilnil v0.1.9 // indirect
+	github.com/Antonboom/testifylint v1.3.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.5.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v1.3.3 // indirect
+	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
+	github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.3.2 // indirect
 	github.com/BurntSushi/toml v1.5.0 // indirect
+	github.com/Crocmagnon/fatcontext v0.2.2 // indirect
+	github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24 // indirect
+	github.com/GaijinEntertainment/go-exhaustruct/v3 v3.2.0 // indirect
+	github.com/Masterminds/semver/v3 v3.2.1 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/OpenPeeDeeP/depguard/v2 v2.2.0 // indirect
 	github.com/ProtonMail/go-crypto v1.2.0 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
+	github.com/alecthomas/chroma v0.10.0 // indirect
+	github.com/alecthomas/chroma/v2 v2.13.0 // indirect
+	github.com/alecthomas/go-check-sumtype v0.1.4 // indirect
+	github.com/alexkohler/nakedret/v2 v2.0.4 // indirect
+	github.com/alexkohler/prealloc v1.0.0 // indirect
+	github.com/alingse/asasalint v0.0.11 // indirect
 	github.com/apparentlymart/go-cidr v1.0.1 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
+	github.com/ashanbrown/forbidigo v1.6.0 // indirect
+	github.com/ashanbrown/makezero v1.1.1 // indirect
 	github.com/atotto/clipboard v0.1.4 // indirect
 	github.com/aws/aws-sdk-go-v2 v1.30.3 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.3 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.27.27 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.17.27 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.8 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.15 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.17 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.17 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.15 // indirect
 	github.com/aws/aws-sdk-go-v2/service/kms v1.30.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.58.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.22.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.30.3 // indirect
 	github.com/aws/smithy-go v1.20.3 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
+	github.com/aymerick/douceur v0.2.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/bkielbasa/cyclop v1.2.1 // indirect
+	github.com/blizzy78/varnamelen v0.8.0 // indirect
+	github.com/bombsimon/wsl/v4 v4.2.1 // indirect
+	github.com/breml/bidichk v0.2.7 // indirect
+	github.com/breml/errchkjson v0.3.6 // indirect
+	github.com/butuzov/ireturn v0.3.0 // indirect
+	github.com/butuzov/mirror v1.2.0 // indirect
+	github.com/catenacyber/perfsprint v0.7.1 // indirect
+	github.com/ccojocar/zxcvbn-go v1.0.2 // indirect
 	github.com/cenkalti/backoff/v3 v3.2.2 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
-	github.com/cenkalti/backoff/v5 v5.0.2 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/charithe/durationcheck v0.0.10 // indirect
 	github.com/charmbracelet/bubbles v0.21.0 // indirect
 	github.com/charmbracelet/bubbletea v1.3.4 // indirect
 	github.com/charmbracelet/colorprofile v0.3.0 // indirect
+	github.com/charmbracelet/glamour v0.6.0 // indirect
 	github.com/charmbracelet/lipgloss v1.1.0 // indirect
 	github.com/charmbracelet/x/ansi v0.8.0 // indirect
 	github.com/charmbracelet/x/cellbuf v0.0.13 // indirect
 	github.com/charmbracelet/x/term v0.2.1 // indirect
+	github.com/chavacava/garif v0.1.0 // indirect
 	github.com/cheggaaa/pb v1.0.29 // indirect
+	github.com/ckaznocha/intrange v0.1.2 // indirect
 	github.com/cloudflare/circl v1.6.1 // indirect
 	github.com/compose-spec/compose-go/v2 v2.4.8 // indirect
 	github.com/containerd/console v1.0.4 // indirect
 	github.com/containerd/containerd/api v1.8.0 // indirect
-	github.com/containerd/containerd/v2 v2.0.7 // indirect
+	github.com/containerd/containerd/v2 v2.0.3 // indirect
 	github.com/containerd/continuity v0.4.5 // indirect
 	github.com/containerd/errdefs v1.0.0 // indirect
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
@@ -99,37 +148,61 @@ require (
 	github.com/containerd/platforms v1.0.0-rc.1 // indirect
 	github.com/containerd/ttrpc v1.2.7 // indirect
 	github.com/containerd/typeurl/v2 v2.2.3 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
+	github.com/curioswitch/go-reassign v0.2.0 // indirect
 	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
+	github.com/daixiang0/gci v0.13.4 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/deckarep/golang-set/v2 v2.5.0 // indirect
+	github.com/denis-tingaikin/go-header v0.5.0 // indirect
 	github.com/djherbis/times v1.6.0 // indirect
+	github.com/dlclark/regexp2 v1.11.0 // indirect
 	github.com/docker/cli-docs-tool v0.9.0 // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.8.2 // indirect
+	github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect
+	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/edsrzf/mmap-go v1.2.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
+	github.com/erikgeiser/promptkit v0.9.0 // indirect
+	github.com/ettle/strcase v0.2.0 // indirect
 	github.com/fatih/color v1.17.0 // indirect
+	github.com/fatih/structtag v1.2.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/firefart/nonamedreturns v1.0.5 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fvbommel/sortorder v1.0.1 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
+	github.com/fzipp/gocyclo v0.6.0 // indirect
+	github.com/ghostiam/protogetter v0.3.6 // indirect
+	github.com/go-critic/go-critic v0.11.4 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
 	github.com/go-git/go-billy/v5 v5.6.2 // indirect
 	github.com/go-git/go-git/v5 v5.16.0 // indirect
 	github.com/go-jose/go-jose/v3 v3.0.4 // indirect
 	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-ole/go-ole v1.2.6 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.22.4 // indirect
-	github.com/go-test/deep v1.1.1 // indirect
-	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
+	github.com/go-toolsmith/astcast v1.1.0 // indirect
+	github.com/go-toolsmith/astcopy v1.1.0 // indirect
+	github.com/go-toolsmith/astequal v1.2.0 // indirect
+	github.com/go-toolsmith/astfmt v1.1.0 // indirect
+	github.com/go-toolsmith/astp v1.1.0 // indirect
+	github.com/go-toolsmith/strparse v1.1.0 // indirect
+	github.com/go-toolsmith/typep v1.1.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.0.0 // indirect
+	github.com/go-xmlfmt/xmlfmt v1.1.2 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
+	github.com/godbus/dbus/v5 v5.1.0 // indirect
 	github.com/gofrs/flock v0.12.1 // indirect
 	github.com/gofrs/uuid v4.2.0+incompatible // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
@@ -137,19 +210,33 @@ require (
 	github.com/golang/glog v1.2.4 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a // indirect
+	github.com/golangci/gofmt v0.0.0-20231018234816-f50ced29576e // indirect
+	github.com/golangci/misspell v0.6.0 // indirect
+	github.com/golangci/modinfo v0.3.4 // indirect
+	github.com/golangci/plugin-module-register v0.1.1 // indirect
+	github.com/golangci/revgrep v0.5.3 // indirect
+	github.com/golangci/unconvert v0.0.0-20240309020433-c5143eacb3ed // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/google/wire v0.6.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
 	github.com/googleapis/gax-go/v2 v2.12.2 // indirect
+	github.com/gordonklaus/ineffassign v0.1.0 // indirect
+	github.com/gorilla/css v1.0.0 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/gorilla/websocket v1.5.0 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.26.3 // indirect
+	github.com/gostaticanalysis/analysisutil v0.7.1 // indirect
+	github.com/gostaticanalysis/comment v1.4.2 // indirect
+	github.com/gostaticanalysis/forcetypeassert v0.1.0 // indirect
+	github.com/gostaticanalysis/nilerr v0.1.1 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.25.1 // indirect
 	github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
@@ -160,27 +247,59 @@ require (
 	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8 // indirect
 	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
 	github.com/hashicorp/go-sockaddr v1.0.6 // indirect
+	github.com/hashicorp/go-version v1.7.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
 	github.com/hashicorp/hcl/v2 v2.23.0 // indirect
 	github.com/hashicorp/vault/api v1.12.0 // indirect
+	github.com/hexops/gotextdiff v1.0.3 // indirect
 	github.com/iancoleman/strcase v0.3.0 // indirect
+	github.com/ijc/Gotty v0.0.0-20170406111628-a8b993ba6abd // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/in-toto/in-toto-golang v0.5.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/iwdgo/sigintwindows v0.2.2 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/jgautheron/goconst v1.7.1 // indirect
+	github.com/jingyugao/rowserrcheck v1.1.1 // indirect
+	github.com/jirfag/go-printf-func-name v0.0.0-20200119135958-7558a9eaa5af // indirect
+	github.com/jjti/go-spancheck v0.6.1 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/jonboulle/clockwork v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/julz/importas v0.1.0 // indirect
+	github.com/karamaru-alpha/copyloopvar v1.1.0 // indirect
+	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
+	github.com/kisielk/errcheck v1.7.0 // indirect
+	github.com/kkHAIKE/contextcheck v1.1.5 // indirect
 	github.com/klauspost/compress v1.17.11 // indirect
+	github.com/kulti/thelper v0.6.3 // indirect
+	github.com/kunwardeep/paralleltest v1.0.10 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
+	github.com/kyoh86/exportloopref v0.1.11 // indirect
+	github.com/lasiar/canonicalheader v1.1.1 // indirect
+	github.com/ldez/gomoddirectives v0.2.4 // indirect
+	github.com/ldez/tagliatelle v0.5.0 // indirect
+	github.com/leonklingele/grouper v1.1.2 // indirect
 	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
+	github.com/lufeee/execinquery v1.2.1 // indirect
+	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
+	github.com/macabu/inamedparam v0.1.3 // indirect
+	github.com/magiconair/properties v1.8.6 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/maratori/testableexamples v1.0.0 // indirect
+	github.com/maratori/testpackage v1.1.1 // indirect
+	github.com/matoous/godox v0.0.0-20230222163458-006bad1f9d26 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-localereader v0.0.1 // indirect
 	github.com/mattn/go-runewidth v0.0.16 // indirect
 	github.com/mattn/go-shellwords v1.0.12 // indirect
+	github.com/mgechev/revive v1.3.7 // indirect
+	github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b // indirect
+	github.com/microcosm-cc/bluemonday v1.0.21 // indirect
+	github.com/miekg/pkcs11 v1.1.1 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
@@ -190,6 +309,7 @@ require (
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/locker v1.0.1 // indirect
+	github.com/moby/moby v26.1.5+incompatible // indirect
 	github.com/moby/spdystream v0.4.0 // indirect
 	github.com/moby/sys/mountinfo v0.7.2 // indirect
 	github.com/moby/sys/sequential v0.6.0 // indirect
@@ -199,100 +319,169 @@ require (
 	github.com/moby/term v0.5.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/moricho/tparallel v0.3.1 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
 	github.com/muesli/cancelreader v0.2.2 // indirect
 	github.com/muesli/termenv v0.16.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
+	github.com/nakabonne/nestif v0.3.1 // indirect
 	github.com/natefinch/atomic v1.0.1 // indirect
+	github.com/nbutton23/zxcvbn-go v0.0.0-20180912185939-ae427f1e4c1d // indirect
+	github.com/nishanths/exhaustive v0.12.0 // indirect
+	github.com/nishanths/predeclared v0.2.2 // indirect
+	github.com/nunnatsa/ginkgolinter v0.16.2 // indirect
 	github.com/nxadm/tail v1.4.11 // indirect
+	github.com/olekukonko/tablewriter v0.0.5 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/opentracing/basictracer-go v1.1.0 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
+	github.com/petar-dambovaliev/aho-corasick v0.0.0-20230725210150-fb29fc3c913e // indirect
+	github.com/pgavlin/diff v0.0.0-20230503175810-113847418e2e // indirect
 	github.com/pgavlin/fx v0.1.6 // indirect
-	github.com/pgavlin/fx/v2 v2.0.10 // indirect
 	github.com/pgavlin/goldmark v1.1.33-0.20200616210433-b5eb04559386 // indirect
+	github.com/pgavlin/text v0.0.0-20240821195002-b51d0990e284 // indirect
 	github.com/pjbgf/sha1cd v0.3.2 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pkg/term v1.1.0 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/polyfloyd/go-errorlint v1.5.2 // indirect
+	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
 	github.com/prometheus/client_golang v1.20.5 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.55.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 // indirect
-	github.com/pulumi/esc v0.21.0 // indirect
+	github.com/pulumi/esc v0.13.0 // indirect
 	github.com/pulumi/inflector v0.2.1 // indirect
+	github.com/quasilyte/go-ruleguard v0.4.2 // indirect
+	github.com/quasilyte/go-ruleguard/dsl v0.3.22 // indirect
+	github.com/quasilyte/gogrep v0.5.0 // indirect
+	github.com/quasilyte/regex/syntax v0.0.0-20210819130434-b3f0c404a727 // indirect
+	github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rogpeppe/go-internal v1.14.1 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/ryancurrah/gomodguard v1.3.2 // indirect
+	github.com/ryanrolds/sqlclosecheck v0.5.1 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
 	github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 // indirect
+	github.com/sanposhiho/wastedassign/v2 v2.0.7 // indirect
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect
+	github.com/sashamelentyev/interfacebloat v1.1.0 // indirect
+	github.com/sashamelentyev/usestdlibvars v1.26.0 // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.4.0 // indirect
+	github.com/securego/gosec/v2 v2.20.1-0.20240525090044-5f0084eb01a9 // indirect
 	github.com/segmentio/asm v1.2.0 // indirect
 	github.com/segmentio/encoding v0.4.1 // indirect
-	github.com/sergi/go-diff v1.4.0 // indirect
+	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
 	github.com/serialx/hashring v0.0.0-20200727003509-22c0c7ab6b1b // indirect
+	github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
+	github.com/shirou/gopsutil/v3 v3.24.5 // indirect
+	github.com/shoenig/go-m1cpu v0.1.6 // indirect
+	github.com/shurcooL/httpfs v0.0.0-20190707220628-8d4bc4ba7749 // indirect
+	github.com/shurcooL/vfsgen v0.0.0-20200824052919-0d455de96546 // indirect
+	github.com/sivchari/containedctx v1.0.3 // indirect
+	github.com/sivchari/tenv v1.7.1 // indirect
 	github.com/skeema/knownhosts v1.3.1 // indirect
+	github.com/sonatard/noctx v0.0.2 // indirect
+	github.com/sourcegraph/appdash-data v0.0.0-20151005221446-73f23eafcf67 // indirect
+	github.com/sourcegraph/go-diff v0.7.0 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
-	github.com/spf13/cobra v1.10.1 // indirect
-	github.com/spf13/pflag v1.0.10 // indirect
+	github.com/spf13/cobra v1.9.1 // indirect
+	github.com/spf13/jwalterweatherman v1.1.0 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/spf13/viper v1.12.0 // indirect
+	github.com/ssgreg/nlreturn/v2 v2.2.1 // indirect
+	github.com/stbenjam/no-sprintf-host-port v0.1.1 // indirect
+	github.com/stretchr/objx v0.5.2 // indirect
+	github.com/subosito/gotenv v1.4.1 // indirect
+	github.com/t-yuki/gocover-cobertura v0.0.0-20180217150009-aaee18c8195c // indirect
+	github.com/tdakkota/asciicheck v0.2.0 // indirect
+	github.com/tetafro/godot v1.4.16 // indirect
 	github.com/texttheater/golang-levenshtein v1.0.1 // indirect
+	github.com/timakin/bodyclose v0.0.0-20230421092635-574207250966 // indirect
+	github.com/timonwong/loggercheck v0.9.4 // indirect
+	github.com/tklauser/go-sysconf v0.3.12 // indirect
+	github.com/tklauser/numcpus v0.6.1 // indirect
+	github.com/tomarrell/wrapcheck/v2 v2.8.3 // indirect
+	github.com/tommy-muehle/go-mnd/v2 v2.5.1 // indirect
 	github.com/tonistiigi/dchapes-mode v0.0.0-20241001053921-ca0759fec205 // indirect
 	github.com/tonistiigi/jaeger-ui-rest v0.0.0-20250211190051-7d4944a45bb6 // indirect
 	github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea // indirect
 	github.com/tonistiigi/vt100 v0.0.0-20240514184818-90bafcd6abab // indirect
 	github.com/uber/jaeger-client-go v2.30.0+incompatible // indirect
 	github.com/uber/jaeger-lib v2.4.1+incompatible // indirect
-	github.com/ulikunitz/xz v0.5.15 // indirect
+	github.com/ulikunitz/xz v0.5.12 // indirect
+	github.com/ultraware/funlen v0.1.0 // indirect
+	github.com/ultraware/whitespace v0.1.1 // indirect
+	github.com/uudashr/gocognit v1.1.2 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
+	github.com/xen0n/gosmopolitan v1.2.2 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
-	github.com/zclconf/go-cty v1.16.3 // indirect
+	github.com/yagipy/maintidx v1.0.0 // indirect
+	github.com/yeya24/promlinter v0.3.0 // indirect
+	github.com/ykadowak/zerologlint v0.1.5 // indirect
+	github.com/yuin/goldmark v1.5.2 // indirect
+	github.com/yuin/goldmark-emoji v1.0.1 // indirect
+	github.com/yusufpapurcu/wmi v1.2.4 // indirect
+	github.com/zclconf/go-cty v1.16.2 // indirect
+	gitlab.com/bosi/decorder v0.4.2 // indirect
+	go-simpler.org/musttag v0.12.2 // indirect
+	go-simpler.org/sloglint v0.7.1 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.56.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.56.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0 // indirect
-	go.opentelemetry.io/otel v1.36.0 // indirect
+	go.opentelemetry.io/otel v1.35.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.31.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.31.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.36.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.36.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.31.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.31.0 // indirect
 	go.opentelemetry.io/otel/sdk/metric v1.34.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.6.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
+	go.pennock.tech/tabular v1.1.3 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
+	go.uber.org/automaxprocs v1.6.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.27.0 // indirect
 	gocloud.dev v0.37.0 // indirect
 	gocloud.dev/secrets/hashivault v0.37.0 // indirect
-	golang.org/x/mod v0.31.0 // indirect
-	golang.org/x/net v0.49.0 // indirect
-	golang.org/x/oauth2 v0.30.0 // indirect
-	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/sys v0.40.0 // indirect
-	golang.org/x/term v0.39.0 // indirect
-	golang.org/x/text v0.33.0 // indirect
-	golang.org/x/time v0.12.0 // indirect
-	golang.org/x/tools v0.40.0 // indirect
+	golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f // indirect
+	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/net v0.40.0 // indirect
+	golang.org/x/oauth2 v0.25.0 // indirect
+	golang.org/x/sync v0.14.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/term v0.32.0 // indirect
+	golang.org/x/text v0.25.0 // indirect
+	golang.org/x/time v0.6.0 // indirect
+	golang.org/x/tools v0.32.0 // indirect
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
 	google.golang.org/api v0.169.0 // indirect
 	google.golang.org/genproto v0.0.0-20240311173647-c811ad7063a7 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20250519155744-55703ea1f237 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 // indirect
-	google.golang.org/grpc v1.72.1 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250106144421-5f5ef82da422 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250414145226-207652e42e2e // indirect
+	google.golang.org/grpc v1.71.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
+	honnef.co/go/tools v0.4.7 // indirect
 	k8s.io/api v0.31.2 // indirect
 	k8s.io/apimachinery v0.31.2 // indirect
 	k8s.io/client-go v0.31.2 // indirect
@@ -301,6 +490,7 @@ require (
 	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect
 	lukechampine.com/frand v1.5.1 // indirect
 	mvdan.cc/gofumpt v0.6.0 // indirect
+	mvdan.cc/unparam v0.0.0-20240528143540-8a5130ca722f // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect

provider/cmd/pulumi-resource-docker-build/main.go

@@ -16,9 +16,8 @@
 package main
 
 import (
-	"github.com/pulumi/pulumi/sdk/v3/go/common/util/cmdutil"
-
 	"github.com/pulumi/pulumi-docker-build/provider"
+	"github.com/pulumi/pulumi/sdk/v3/go/common/util/cmdutil"
 )
 
 func main() {

provider/cmd/pulumi-resource-docker-build/schema.json

@@ -12,6 +12,9 @@
   "license": "Apache-2.0",
   "repository": "https://github.com/pulumi/pulumi-docker-build",
   "publisher": "Pulumi",
+  "meta": {
+    "moduleFormat": "(.*)"
+  },
   "language": {
     "csharp": {
       "packageReferences": {
@@ -152,12 +155,32 @@
       ]
     },
     "docker-build:index:CacheFromGitHubActions": {
-      "description": "Recommended for use with GitHub Actions workflows.\n\nAn action like `crazy-max/ghaction-github-runtime` is recommended to expose\nappropriate credentials to your GitHub workflow.",
       "properties": {
         "scope": {
           "type": "string",
           "description": "The scope to use for cache keys. Defaults to `buildkit`.\n\nThis should be set if building and caching multiple images in one\nworkflow, otherwise caches will overwrite each other.",
           "default": "buildkit"
+        },
+        "token": {
+          "type": "string",
+          "description": "The GitHub Actions token to use. This is not a personal access tokens\nand is typically generated automatically as part of each job.\n\nDefaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like\n`crazy-max/ghaction-github-runtime` is recommended to expose this\nenvironment variable to your jobs.",
+          "default": "",
+          "defaultInfo": {
+            "environment": [
+              "ACTIONS_RUNTIME_TOKEN"
+            ]
+          },
+          "secret": true
+        },
+        "url": {
+          "type": "string",
+          "description": "The cache server URL to use for artifacts.\n\nDefaults to `$ACTIONS_CACHE_URL`, although a separate action like\n`crazy-max/ghaction-github-runtime` is recommended to expose this\nenvironment variable to your jobs.",
+          "default": "",
+          "defaultInfo": {
+            "environment": [
+              "ACTIONS_CACHE_URL"
+            ]
+          }
         }
       },
       "type": "object"
@@ -261,8 +284,8 @@
       },
       "type": "object",
       "required": [
-        "region",
-        "bucket"
+        "bucket",
+        "region"
       ]
     },
     "docker-build:index:CacheMode": {
@@ -347,7 +370,6 @@
       ]
     },
     "docker-build:index:CacheToGitHubActions": {
-      "description": "Recommended for use with GitHub Actions workflows.\n\nAn action like `crazy-max/ghaction-github-runtime` is recommended to expose\nappropriate credentials to your GitHub workflow.",
       "properties": {
         "ignoreError": {
           "type": "boolean",
@@ -363,6 +385,27 @@
           "type": "string",
           "description": "The scope to use for cache keys. Defaults to `buildkit`.\n\nThis should be set if building and caching multiple images in one\nworkflow, otherwise caches will overwrite each other.",
           "default": "buildkit"
+        },
+        "token": {
+          "type": "string",
+          "description": "The GitHub Actions token to use. This is not a personal access tokens\nand is typically generated automatically as part of each job.\n\nDefaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like\n`crazy-max/ghaction-github-runtime` is recommended to expose this\nenvironment variable to your jobs.",
+          "default": "",
+          "defaultInfo": {
+            "environment": [
+              "ACTIONS_RUNTIME_TOKEN"
+            ]
+          },
+          "secret": true
+        },
+        "url": {
+          "type": "string",
+          "description": "The cache server URL to use for artifacts.\n\nDefaults to `$ACTIONS_CACHE_URL`, although a separate action like\n`crazy-max/ghaction-github-runtime` is recommended to expose this\nenvironment variable to your jobs.",
+          "default": "",
+          "defaultInfo": {
+            "environment": [
+              "ACTIONS_CACHE_URL"
+            ]
+          }
         }
       },
       "type": "object"
@@ -536,8 +579,8 @@
       },
       "type": "object",
       "required": [
-        "region",
-        "bucket"
+        "bucket",
+        "region"
       ]
     },
     "docker-build:index:CompressionType": {
@@ -1041,14 +1084,9 @@
             "DOCKER_HOST"
           ]
         }
-      },
-      "registries": {
-        "type": "array",
-        "items": {
-          "$ref": "#/types/docker-build:index:Registry"
-        }
       }
     },
+    "type": "object",
     "inputProperties": {
       "host": {
         "type": "string",
@@ -1208,10 +1246,11 @@
           "description": "Set the target build stage(s) to build.\n\nIf not specified all targets will be built by default.\n\nEquivalent to Docker's `--target` flag."
         }
       },
+      "type": "object",
       "required": [
-        "push",
-        "digest",
         "contextHash",
+        "digest",
+        "push",
         "ref"
       ],
       "inputProperties": {
@@ -1371,10 +1410,11 @@
           "description": "The tag to apply to the index."
         }
       },
+      "type": "object",
       "required": [
-        "tag",
+        "ref",
         "sources",
-        "ref"
+        "tag"
       ],
       "inputProperties": {
         "push": {
@@ -1399,8 +1439,8 @@
         }
       },
       "requiredInputs": [
-        "tag",
-        "sources"
+        "sources",
+        "tag"
       ]
     }
   }

provider/internal/cache.go

@@ -17,7 +17,6 @@ package internal
 import (
 	"errors"
 	"fmt"
-	"os"
 	"strings"
 
 	controllerapi "github.com/docker/buildx/controller/pb"
@@ -149,20 +148,33 @@ func (c CacheWithOCI) String() string {
 
 // CacheFromGitHubActions pulls cache manifests from the GitHub actions cache.
 type CacheFromGitHubActions struct {
+	URL   string `pulumi:"url,optional"`
+	Token string `pulumi:"token,optional" provider:"secret"`
 	Scope string `pulumi:"scope,optional"`
 }
 
 // Annotate sets docstrings on CacheFromGitHubActions.
 func (c *CacheFromGitHubActions) Annotate(a infer.Annotator) {
-	a.Describe(&c, dedent(`
-		Recommended for use with GitHub Actions workflows.
-
-		An action like "crazy-max/ghaction-github-runtime" is recommended to expose
-		appropriate credentials to your GitHub workflow.
-	`))
-
+	a.SetDefault(&c.URL, "", "ACTIONS_CACHE_URL")
+	a.SetDefault(&c.Token, "", "ACTIONS_RUNTIME_TOKEN")
 	a.SetDefault(&c.Scope, "buildkit")
 
+	a.Describe(&c.URL, dedent(`
+		The cache server URL to use for artifacts.
+
+		Defaults to "$ACTIONS_CACHE_URL", although a separate action like
+		"crazy-max/ghaction-github-runtime" is recommended to expose this
+		environment variable to your jobs.
+	`))
+	a.Describe(&c.Token, dedent(`
+		The GitHub Actions token to use. This is not a personal access tokens
+		and is typically generated automatically as part of each job.
+
+		Defaults to "$ACTIONS_RUNTIME_TOKEN", although a separate action like
+		"crazy-max/ghaction-github-runtime" is recommended to expose this
+		environment variable to your jobs.
+
+	`))
 	a.Describe(&c.Scope, dedent(`
 		The scope to use for cache keys. Defaults to "buildkit".
 
@@ -179,12 +191,11 @@ func (c *CacheFromGitHubActions) String() string {
 	if c.Scope != "" {
 		parts = append(parts, "scope="+c.Scope)
 	}
-	// Preserving backwards compatibility with the old behaviour.
-	if token := os.Getenv("ACTIONS_RUNTIME_TOKEN"); token != "" {
-		parts = append(parts, "token="+token)
+	if c.Token != "" {
+		parts = append(parts, "token="+c.Token)
 	}
-	if url := os.Getenv("ACTIONS_CACHE_URL"); url != "" {
-		parts = append(parts, "url="+url)
+	if c.URL != "" {
+		parts = append(parts, "url="+c.URL)
 	}
 	return strings.Join(parts, ",")
 }
@@ -448,7 +459,7 @@ func (c CacheFrom) String() string {
 	return join(c.Local, c.Registry, c.GHA, c.AZBlob, c.S3, c.Raw)
 }
 
-func (c CacheFrom) validate(_ bool) (*controllerapi.CacheOptionsEntry, error) {
+func (c CacheFrom) validate(preview bool) (*controllerapi.CacheOptionsEntry, error) {
 	if strings.Count(c.String(), "type=") > 1 {
 		return nil, errors.New("cacheFrom should only specify one cache type")
 	}
@@ -672,7 +683,7 @@ func (c CacheTo) String() string {
 	return join(c.Inline, c.Local, c.Registry, c.GHA, c.AZBlob, c.S3, c.Raw)
 }
 
-func (c CacheTo) validate(_ bool) (*controllerapi.CacheOptionsEntry, error) {
+func (c CacheTo) validate(preview bool) (*controllerapi.CacheOptionsEntry, error) {
 	if strings.Count(c.String(), "type=") > 1 {
 		return nil, errors.New("cacheTo should only specify one cache type")
 	}

provider/internal/cache_test.go

@@ -24,15 +24,14 @@ import (
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 )
 
-//nolint:paralleltest // We don't call t.Parallel here to prevent environment corruption.
 func TestCacheString(t *testing.T) {
+	t.Parallel()
 	gzip := Gzip
 
 	tests := []struct {
-		name    string
-		arrange func(t *testing.T)
-		given   fmt.Stringer
-		want    string
+		name  string
+		given fmt.Stringer
+		want  string
 	}{
 		{
 			name: "s3",
@@ -56,37 +55,7 @@ func TestCacheString(t *testing.T) {
 		{
 			name:  "gha",
 			given: CacheTo{GHA: &CacheToGitHubActions{}},
-			arrange: func(t *testing.T) {
-				t.Setenv("ACTIONS_CACHE_URL", "")
-				t.Setenv("ACTIONS_RUNTIME_TOKEN", "")
-			},
-			want: "type=gha",
-		},
-		{
-			name: "gha-default-envs",
-			arrange: func(t *testing.T) {
-				t.Setenv("ACTIONS_CACHE_URL", "https://example.com")
-				t.Setenv("ACTIONS_RUNTIME_TOKEN", "token")
-			},
-			given: CacheTo{GHA: &CacheToGitHubActions{
-				CacheFromGitHubActions: CacheFromGitHubActions{
-					Scope: "scope",
-				},
-			}},
-			want: "type=gha,scope=scope,token=token,url=https://example.com",
-		},
-		{
-			name: "gha-with-scope",
-			arrange: func(t *testing.T) {
-				t.Setenv("ACTIONS_CACHE_URL", "")
-				t.Setenv("ACTIONS_RUNTIME_TOKEN", "")
-			},
-			given: CacheTo{GHA: &CacheToGitHubActions{
-				CacheFromGitHubActions: CacheFromGitHubActions{
-					Scope: "scope",
-				},
-			}},
-			want: "type=gha,scope=scope",
+			want:  "type=gha",
 		},
 		{
 			name:  "from-local",
@@ -152,12 +121,9 @@ func TestCacheString(t *testing.T) {
 		},
 	}
 
-	//nolint:paralleltest // We don't call t.Parallel here to prevent environment corruption.
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if tt.arrange != nil {
-				tt.arrange(t)
-			}
+			t.Parallel()
 
 			actual := tt.given.String()
 			assert.Equal(t, tt.want, actual)

provider/internal/cli.go

@@ -57,11 +57,11 @@ type cli struct {
 	auths map[string]cfgtypes.AuthConfig
 	host  *host
 
-	in       string       // stdin
-	r, w     *os.File     // stdout
-	err      bytes.Buffer // stderr
-	dumplogs bool         // if true then tail() will re-log status messages
-	builder  Builder      // for mocking build daemon responses
+	in       string        // stdin
+	r, w     *os.File      // stdout
+	err      bytes.Buffer  // stderr
+	dumplogs bool          // if true then tail() will re-log status messages
+	done     chan struct{} // signaled when all logs have been forwarded to the engine.
 }
 
 // Cli wraps the Docker interface for mock generation.
@@ -120,12 +120,11 @@ func wrap(host *host, registries ...Registry) (*cli, error) {
 	}
 
 	wrapped := &cli{
-		Cli:     docker,
-		host:    host,
-		auths:   auths,
-		r:       r,
-		w:       w,
-		builder: defaultBuilder{},
+		Cli:   docker,
+		host:  host,
+		auths: auths,
+		r:     r,
+		w:     w,
 	}
 
 	return wrapped, nil
@@ -164,6 +163,14 @@ func (c *cli) rc() *regclient.RegClient {
 // tail is meant to be called as a goroutine and will pipe output from the CLI
 // back to the Pulumi engine. Requires a corresponding call to close.
 func (c *cli) tail(ctx context.Context) {
+	c.done = make(chan struct{}, 1)
+	defer func() {
+		c.done <- struct{}{}
+		if err := recover(); err != nil {
+			fmt.Fprintf(os.Stderr, "recovered: %s\n", err)
+		}
+	}()
+
 	b := bytes.Buffer{}
 
 	s := bufio.NewScanner(c.r)
@@ -187,7 +194,11 @@ func (c *cli) tail(ctx context.Context) {
 
 // close flushes any outstanding logs and cleans up resources.
 func (c *cli) Close() error {
-	return errors.Join(c.w.Close(), c.r.Close())
+	err := errors.Join(c.w.Close(), c.r.Close())
+	if c.done != nil {
+		<-c.done
+	}
+	return err
 }
 
 // execBuild performs a build by os.Exec'ing the docker-buildx binary.

provider/internal/client.go

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-//go:generate go run go.uber.org/mock/mockgen -typed -package internal -source client.go -destination mockclient_test.go --self_package github.com/pulumi/pulumi-docker-build/provider/internal -imports buildx=github.com/docker/buildx/build
+//go:generate go run go.uber.org/mock/mockgen -typed -package internal -source client.go -destination mockclient_test.go --self_package github.com/pulumi/pulumi-docker-build/provider/internal
 
 package internal
 
@@ -26,7 +26,6 @@ import (
 
 	"github.com/distribution/reference"
 	buildx "github.com/docker/buildx/build"
-	"github.com/docker/buildx/builder"
 	"github.com/docker/buildx/commands"
 	controllerapi "github.com/docker/buildx/controller/pb"
 	"github.com/docker/buildx/util/confutil"
@@ -63,36 +62,6 @@ type Client interface {
 	SupportsMultipleExports() bool
 }
 
-// registryGetter is something that can return a list of [Registry].
-type registryGetter interface {
-	GetRegistries() []Registry
-}
-
-// clientF builds a Docker client. The order of registryGetters is significant.
-// We typically prefer credentials from args, then provider config, then the
-// host. Provide them to this function in order of increasing priority: host,
-// config, args.
-//
-// We ignore state because if its creds differ from those in args then they are
-// likely volatile and also likely expired.
-type clientF func(context.Context, *host, ...registryGetter) (Client, error)
-
-// RealClientF builds a real Docker client with auth layered on top of the
-// host's latent credentials.
-func RealClientF(_ context.Context, host *host, getters ...registryGetter) (Client, error) {
-	auths := []Registry{}
-	for _, rg := range getters {
-		auths = append(auths, rg.GetRegistries()...)
-	}
-	return wrap(host, auths...)
-}
-
-func mockClientF(c Client) clientF {
-	return func(context.Context, *host, ...registryGetter) (Client, error) {
-		return c, nil
-	}
-}
-
 // Build encapsulates all of the user-provider build parameters and options.
 type Build interface {
 	BuildOptions() controllerapi.BuildOptions
@@ -154,15 +123,9 @@ func (c *cli) Build(
 	if err != nil {
 		return nil, fmt.Errorf("creating printer: %w", err)
 	}
-
 	defer func() {
-		// Wait for logs to flush if the build finished, but not if we're
-		// exiting early.
-		if ctx.Err() == nil {
-			_ = printer.Wait()
-		}
-
-		// Log any warnings we got, separated by newlines.
+		// Log any warnings when we're done.
+		_ = printer.Wait()
 		for _, w := range printer.Warnings() {
 			b := &bytes.Buffer{}
 			_, _ = b.Write(w.Short)
@@ -261,40 +224,21 @@ func (c *cli) Build(
 		},
 	}
 
-	resultC := make(chan map[string]*client.SolveResponse)
-	errC := make(chan error)
-
-	// buildx.Build doesn't handle context cancellation, so we monitor it in a
-	// goroutine. cli.Close cleans up our file descriptors, so if we do exit
-	// early the remote build should terminate as soon as it sees the pipe has
-	// broken.
-	go func() {
-		defer close(resultC)
-		defer close(errC)
-		results, err := c.builder.Build(
-			ctx,
-			b.nodes,
-			payload,
-			dockerutil.NewClient(c),
-			confutil.NewConfig(c),
-			printer,
-		)
-		if err != nil {
-			errC <- err
-			return
-		}
-		resultC <- results
-	}()
-
-	select {
-	case results := <-resultC:
-		return results[target], nil
-	case err := <-errC:
+	// Perform the build.
+	results, err := buildx.Build(
+		ctx,
+		b.nodes,
+		payload,
+		dockerutil.NewClient(c),
+		confutil.NewConfig(c),
+		printer,
+	)
+	if err != nil {
 		c.dumplogs = true
 		return nil, err
-	case <-ctx.Done():
-		return nil, ctx.Err()
 	}
+
+	return results[target], err
 }
 
 // BuildKitEnabled returns true if the client supports buildkit.
@@ -410,31 +354,6 @@ func (c *cli) Delete(ctx context.Context, r string) error {
 	return nil
 }
 
-// Builder allows injecting mock responses from the build daemon.
-type Builder interface {
-	Build(
-		ctx context.Context,
-		nodes []builder.Node,
-		opts map[string]buildx.Options,
-		docker *dockerutil.Client,
-		cfg *confutil.Config,
-		w progress.Writer,
-	) (resp map[string]*client.SolveResponse, err error)
-}
-
-type defaultBuilder struct{}
-
-func (defaultBuilder) Build(
-	ctx context.Context,
-	nodes []builder.Node,
-	opts map[string]buildx.Options,
-	docker *dockerutil.Client,
-	cfg *confutil.Config,
-	w progress.Writer,
-) (resp map[string]*client.SolveResponse, err error) {
-	return buildx.Build(ctx, nodes, opts, docker, cfg, w)
-}
-
 func normalizeReference(ref string) (reference.Named, error) {
 	namedRef, err := reference.ParseNormalizedNamed(ref)
 	if err != nil {

provider/internal/client_test.go

@@ -17,23 +17,15 @@ package internal
 import (
 	"bytes"
 	"context"
-	"errors"
 	"io"
 	"log/slog"
 	"os"
 	"path/filepath"
 	"testing"
 
-	buildx "github.com/docker/buildx/build"
-	"github.com/docker/buildx/builder"
-	"github.com/docker/buildx/util/confutil"
-	"github.com/docker/buildx/util/dockerutil"
-	"github.com/docker/buildx/util/progress"
 	"github.com/docker/docker/api/types/registry"
-	"github.com/moby/buildkit/client"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"go.uber.org/mock/gomock"
 )
 
 func TestAuth(t *testing.T) {
@@ -440,35 +432,6 @@ func TestBuildExecError(t *testing.T) {
 	}
 }
 
-func TestBuildCancelation(t *testing.T) {
-	t.Parallel()
-	cli := testcli(t, true)
-
-	ctrl := gomock.NewController(t)
-
-	ctx, cancel := context.WithCancel(context.Background())
-
-	b := NewMockBuilder(ctrl)
-	b.EXPECT().Build(
-		gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(),
-	).DoAndReturn(func(
-		_ context.Context,
-		_ []builder.Node,
-		_ map[string]buildx.Options,
-		_ *dockerutil.Client,
-		_ *confutil.Config,
-		_ progress.Writer,
-	) (map[string]*client.SolveResponse, error) {
-		cancel()
-		return nil, errors.New("cancel wasn't respected")
-	})
-	cli.builder = b
-
-	resp, err := cli.Build(ctx, &build{})
-	assert.ErrorIs(t, err, context.Canceled)
-	assert.Nil(t, resp)
-}
-
 // testcli returns a new standalone CLI instance. Set ping to true if a live
 // daemon is required -- the test will be skipped if the daemon is not available.
 func testcli(t *testing.T, ping bool, auths ...Registry) *cli {

provider/internal/deprecated/configencoding.go

@@ -0,0 +1,191 @@
+// Copyright 2024, Pulumi Corporation.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package deprecated
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/pulumi/pulumi/pkg/v3/codegen/schema"
+	"github.com/pulumi/pulumi/sdk/v3/go/common/resource"
+	"github.com/pulumi/pulumi/sdk/v3/go/common/resource/plugin"
+)
+
+// ConfigEncoding handles unmarshaling legacy JSON provider config.
+type ConfigEncoding struct {
+	schema schema.ConfigSpec
+}
+
+// New constructs a new config encoder for the provided spec.
+func New(s schema.ConfigSpec) *ConfigEncoding {
+	return &ConfigEncoding{schema: s}
+}
+
+func (*ConfigEncoding) tryUnwrapSecret(encoded any) (any, bool) {
+	m, ok := encoded.(map[string]any)
+	if !ok {
+		return nil, false
+	}
+	sig, ok := m["4dabf18193072939515e22adb298388d"]
+	if !ok {
+		return nil, false
+	}
+	ss, ok := sig.(string)
+	if !ok {
+		return nil, false
+	}
+	if ss != "1b47061264138c4ac30d75fd1eb44270" {
+		return nil, false
+	}
+	value, ok := m["value"]
+	return value, ok
+}
+
+func (enc *ConfigEncoding) convertStringToPropertyValue(s string, prop schema.PropertySpec) (
+	resource.PropertyValue, error,
+) {
+	// If the schema expects a string, we can just return this as-is.
+	if prop.Type == "string" {
+		return resource.NewStringProperty(s), nil
+	}
+
+	// Otherwise, we will attempt to deserialize the input string as JSON and convert the result into a Pulumi
+	// property. If the input string is empty, we will return an appropriate zero value.
+	if s == "" {
+		return enc.zeroValue(prop.Type), nil
+	}
+
+	var jsonValue interface{}
+	if err := json.Unmarshal([]byte(s), &jsonValue); err != nil {
+		return resource.PropertyValue{}, err
+	}
+
+	opts := enc.unmarshalOpts()
+
+	// Instead of using resource.NewPropertyValue, specialize it to detect nested json-encoded secrets.
+	var replv func(encoded any) (resource.PropertyValue, bool)
+	replv = func(encoded any) (resource.PropertyValue, bool) {
+		encodedSecret, isSecret := enc.tryUnwrapSecret(encoded)
+		if !isSecret {
+			return resource.NewNullProperty(), false
+		}
+
+		v := resource.NewPropertyValueRepl(encodedSecret, nil, replv)
+		if opts.KeepSecrets {
+			v = resource.MakeSecret(v)
+		}
+
+		return v, true
+	}
+
+	return resource.NewPropertyValueRepl(jsonValue, nil, replv), nil
+}
+
+func (*ConfigEncoding) zeroValue(typ string) resource.PropertyValue {
+	switch typ {
+	case "boolean":
+		return resource.NewPropertyValue(false)
+	case "integer", "number":
+		return resource.NewPropertyValue(0)
+	case "array":
+		return resource.NewPropertyValue([]interface{}{})
+	default:
+		return resource.NewPropertyValue(map[string]interface{}{})
+	}
+}
+
+func (enc *ConfigEncoding) unmarshalOpts() plugin.MarshalOptions {
+	return plugin.MarshalOptions{
+		Label:        "config",
+		KeepUnknowns: true,
+		KeepSecrets:  true,
+		SkipNulls:    true,
+		RejectAssets: true,
+	}
+}
+
+// Like plugin.UnmarshalPropertyValue but overrides string parsing with convertStringToPropertyValue.
+func (enc *ConfigEncoding) unmarshalPropertyValue(key resource.PropertyKey,
+	pv resource.PropertyValue,
+) (resource.PropertyValue, error) {
+	opts := enc.unmarshalOpts()
+
+	prop, ok := enc.schema.Variables[string(key)]
+
+	// Only apply JSON-encoded recognition for known fields.
+	if !ok {
+		return pv, nil
+	}
+
+	var (
+		jsonString                           string
+		jsonStringDetected, jsonStringSecret bool
+	)
+
+	if pv.IsString() {
+		jsonString = pv.StringValue()
+		jsonStringDetected = true
+	}
+
+	if opts.KeepSecrets && pv.IsSecret() && pv.SecretValue().Element.IsString() {
+		jsonString = pv.SecretValue().Element.StringValue()
+		jsonStringDetected = true
+		jsonStringSecret = true
+	}
+
+	if jsonStringDetected {
+		v, err := enc.convertStringToPropertyValue(jsonString, prop)
+		if err != nil {
+			return resource.PropertyValue{}, fmt.Errorf("error unmarshalling property %q: %w", key, err)
+		}
+		if jsonStringSecret {
+			return resource.MakeSecret(v), nil
+		}
+		return v, nil
+	}
+
+	// Computed sentinels are coming in as always having an empty string, but the encoding coerces them to a zero
+	// value of the appropriate type.
+	if pv.IsComputed() {
+		el := pv.V.(resource.Computed).Element
+		if el.IsString() && el.StringValue() == "" {
+			res := resource.MakeComputed(enc.zeroValue(prop.Type))
+			return res, nil
+		}
+	}
+
+	return pv, nil
+}
+
+// UnmarshalProperties is copied from plugin.UnmarshalProperties substituting plugin.UnmarshalPropertyValue.
+func (enc *ConfigEncoding) UnmarshalProperties(
+	props resource.PropertyMap,
+) (resource.PropertyMap, error) {
+	result := make(resource.PropertyMap)
+
+	// First sort the keys so we enumerate them in order (in case errors happen, we want determinism).
+	keys := props.StableKeys()
+
+	// And now unmarshal every field it into the map.
+	for _, key := range keys {
+		v, err := enc.unmarshalPropertyValue(key, props[key])
+		if err != nil {
+			return resource.PropertyMap{}, err
+		}
+		result[key] = v
+	}
+
+	return result, nil
+}

provider/internal/deprecated/configencoding_test.go

@@ -0,0 +1,265 @@
+// Copyright 2024, Pulumi Corporation.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package deprecated
+
+import (
+	"fmt"
+	"strconv"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/pulumi/pulumi/pkg/v3/codegen/schema"
+	"github.com/pulumi/pulumi/sdk/v3/go/common/resource"
+)
+
+func TestConfigEncoding(t *testing.T) {
+	t.Parallel()
+
+	type testCase struct {
+		ty    schema.TypeSpec
+		given resource.PropertyValue
+		want  resource.PropertyValue
+	}
+
+	knownKey := "mykey"
+
+	makeEnc := func(typ schema.TypeSpec) *ConfigEncoding {
+		return New(
+			schema.ConfigSpec{
+				Variables: map[string]schema.PropertySpec{
+					knownKey: {
+						TypeSpec: typ,
+					},
+				},
+			},
+		)
+	}
+
+	checkUnmarshal := func(t *testing.T, tc testCase) {
+		enc := makeEnc(tc.ty)
+		key := resource.PropertyKey(knownKey)
+
+		actual, err := enc.unmarshalPropertyValue(key, tc.given)
+		require.NoError(t, err)
+		assert.Equal(t, tc.want, actual)
+	}
+
+	turnaroundTestCases := []testCase{
+		{
+			schema.TypeSpec{Type: "boolean"},
+			resource.NewPropertyValue(`true`),
+			resource.NewBoolProperty(true),
+		},
+		{
+			schema.TypeSpec{Type: "boolean"},
+			resource.NewPropertyValue(`false`),
+			resource.NewBoolProperty(false),
+		},
+		{
+			schema.TypeSpec{Type: "integer"},
+			resource.NewPropertyValue(`0`),
+			resource.NewNumberProperty(0),
+		},
+		{
+			schema.TypeSpec{Type: "integer"},
+			resource.NewPropertyValue(`42`),
+			resource.NewNumberProperty(42),
+		},
+		{
+			schema.TypeSpec{Type: "number"},
+			resource.NewPropertyValue(`0`),
+			resource.NewNumberProperty(0.0),
+		},
+		{
+			schema.TypeSpec{Type: "number"},
+			resource.NewPropertyValue(`42.5`),
+			resource.NewNumberProperty(42.5),
+		},
+		{
+			schema.TypeSpec{Type: "string"},
+			resource.NewStringProperty(""),
+			resource.NewStringProperty(""),
+		},
+		{
+			schema.TypeSpec{Type: "string"},
+			resource.NewStringProperty("hello"),
+			resource.NewStringProperty("hello"),
+		},
+		{
+			schema.TypeSpec{Type: "array"},
+			resource.NewPropertyValue(`[]`),
+			resource.NewArrayProperty([]resource.PropertyValue{}),
+		},
+		{
+			schema.TypeSpec{Type: "array"},
+			resource.NewPropertyValue(`["hello","there"]`),
+			resource.NewArrayProperty([]resource.PropertyValue{
+				resource.NewStringProperty("hello"),
+				resource.NewStringProperty("there"),
+			}),
+		},
+		{
+			schema.TypeSpec{Type: "object"},
+			resource.NewPropertyValue(`{}`),
+			resource.NewObjectProperty(resource.PropertyMap{}),
+		},
+		{
+			schema.TypeSpec{Type: "object"},
+			resource.NewPropertyValue(`{"key":"value"}`),
+			resource.NewObjectProperty(resource.PropertyMap{
+				"key": resource.NewStringProperty("value"),
+			}),
+		},
+	}
+
+	t.Run("turnaround", func(t *testing.T) {
+		for i, tc := range turnaroundTestCases {
+			t.Run(strconv.Itoa(i), func(t *testing.T) {
+				t.Parallel()
+				checkUnmarshal(t, tc)
+			})
+		}
+	})
+
+	t.Run("zero_values", func(t *testing.T) {
+		// Historically the encoding was able to convert empty strings into type-appropriate zero values.
+		cases := []testCase{
+			{
+				schema.TypeSpec{Type: "boolean"},
+				resource.NewPropertyValue(""),
+				resource.NewBoolProperty(false),
+			},
+			{
+				schema.TypeSpec{Type: "number"},
+				resource.NewPropertyValue(""),
+				resource.NewNumberProperty(0.),
+			},
+			{
+				schema.TypeSpec{Type: "integer"},
+				resource.NewPropertyValue(""),
+				resource.NewNumberProperty(0),
+			},
+			{
+				schema.TypeSpec{Type: "string"},
+				resource.NewPropertyValue(""),
+				resource.NewStringProperty(""),
+			},
+			{
+				schema.TypeSpec{Type: "object"},
+				resource.NewPropertyValue(""),
+				resource.NewObjectProperty(make(resource.PropertyMap)),
+			},
+			{
+				schema.TypeSpec{Type: "array"},
+				resource.NewPropertyValue(""),
+				resource.NewArrayProperty([]resource.PropertyValue{}),
+			},
+		}
+		for _, tc := range cases {
+			t.Run(fmt.Sprintf("%v", tc.ty), func(t *testing.T) {
+				t.Parallel()
+				checkUnmarshal(t, tc)
+			})
+		}
+	})
+
+	t.Run("computed", func(t *testing.T) {
+		unk := resource.MakeComputed(resource.NewStringProperty(""))
+
+		for i, tc := range turnaroundTestCases {
+			t.Run(strconv.Itoa(i), func(t *testing.T) {
+				t.Parallel()
+				// Unknown sentinel unmarshals to a Computed with a type-appropriate zero value.
+				checkUnmarshal(t, testCase{
+					ty:    tc.ty,
+					given: unk,
+					want:  resource.MakeComputed(makeEnc(tc.ty).zeroValue(tc.ty.Type)),
+				})
+			})
+		}
+	})
+
+	t.Run("secret", func(t *testing.T) {
+		// Unmarshalling happens with KeepSecrets=false, replacing them with the underlying values. This case
+		// does not need to be tested.
+		//
+		// Marhalling however supports sending secrets back to the engine, intending to mark values as secret
+		// that happen on paths that are declared as secret in the schema. Due to the limitation of the
+		// JSON-in-proto-encoding, secrets are communicated imprecisely as an approximation: if any nested
+		// element of a property is secret, the entire property is marshalled as secret.
+
+		var secretCases []testCase
+
+		for _, tc := range turnaroundTestCases {
+			secretCases = append(secretCases, testCase{
+				ty:    tc.ty,
+				given: resource.MakeSecret(tc.given),
+				want:  resource.MakeSecret(tc.want),
+			})
+		}
+
+		for i, tc := range secretCases {
+			t.Run(strconv.Itoa(i), func(t *testing.T) {
+				t.Parallel()
+				checkUnmarshal(t, tc)
+			})
+		}
+
+		t.Run("nested secrets", func(t *testing.T) {
+			checkUnmarshal(t, testCase{
+				schema.TypeSpec{Type: "object"},
+				resource.MakeSecret(resource.NewPropertyValue(`{"key":"val"}`)),
+				resource.MakeSecret(resource.NewObjectProperty(resource.PropertyMap{
+					"key": resource.NewStringProperty("val"),
+				})),
+			})
+		})
+	})
+
+	regressUnmarshalTestCases := []testCase{
+		{
+			schema.TypeSpec{Type: "array"},
+			resource.NewPropertyValue(`
+			[
+			  {
+			    "address": "somewhere.org",
+			    "password": {
+			      "4dabf18193072939515e22adb298388d": "1b47061264138c4ac30d75fd1eb44270",
+			      "value": "some-password"
+			    },
+			    "username": "some-user"
+			  }
+			]`),
+			resource.NewArrayProperty([]resource.PropertyValue{
+				resource.NewObjectProperty(resource.PropertyMap{
+					"address":  resource.NewStringProperty("somewhere.org"),
+					"password": resource.MakeSecret(resource.NewStringProperty("some-password")),
+					"username": resource.NewStringProperty("some-user"),
+				}),
+			}),
+		},
+	}
+
+	t.Run("regress-unmarshal", func(t *testing.T) {
+		for i, tc := range regressUnmarshalTestCases {
+			t.Run(strconv.Itoa(i), func(t *testing.T) {
+				t.Parallel()
+				checkUnmarshal(t, tc)
+			})
+		}
+	})
+}

provider/internal/deprecated/doc.go

@@ -0,0 +1,19 @@
+// Copyright 2024, Pulumi Corporation.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package deprecated vendors config parsing from pulumi-terraform-bridge.
+//
+// Originally taken from here:
+// https://github.com/pulumi/pulumi-terraform-bridge/blob/90733a0c7/pkg/tfbridge/config_encoding.go
+package deprecated

provider/internal/export.go

@@ -28,10 +28,6 @@ import (
 	"github.com/pulumi/pulumi-go-provider/infer"
 )
 
-const (
-	trueLiteral = "true"
-)
-
 var (
 	_ fmt.Stringer    = (*Export)(nil)
 	_ fmt.Stringer    = (*ExportDocker)(nil)
@@ -118,7 +114,7 @@ func (e Export) pushed() bool {
 		if err != nil {
 			return false
 		}
-		return exp[0].Attrs["push"] == trueLiteral
+		return exp[0].Attrs["push"] == "true"
 	}
 	if e.Registry != nil {
 		return e.Registry.Push == nil || *e.Registry.Push
@@ -186,7 +182,7 @@ func parseExports(inp []string) ([]*controllerapi.ExportEntry, error) {
 		if out.Type == "registry" {
 			out.Type = client.ExporterImage
 			if _, ok := out.Attrs["push"]; !ok {
-				out.Attrs["push"] = trueLiteral
+				out.Attrs["push"] = "true"
 			}
 		}
 

provider/internal/host.go

@@ -16,10 +16,8 @@ package internal
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"path/filepath"
-	"strings"
 	"sync"
 	"time"
 
@@ -43,7 +41,7 @@ type host struct {
 	supportsMultipleExports bool
 }
 
-func newHost(_ context.Context, config *Config) (*host, error) {
+func newHost(ctx context.Context, config *Config) (*host, error) {
 	docker, err := newDockerCLI(config)
 	if err != nil {
 		return nil, err
@@ -95,19 +93,6 @@ func (h *host) builderFor(ctx context.Context, build Build) (*cachedBuilder, err
 		builder.WithContextPathHash(contextPathHash),
 		builder.WithStore(txn),
 	)
-	if err != nil && build.ShouldExec() && strings.HasPrefix(opts.Builder, "cloud-") {
-		//nolint:revive // Human-readable.
-		err = errors.Join(err,
-			errors.New("Make sure you're logged in to Docker (`docker login`) if you're trying to use a cloud builder."),
-			errors.New("Make sure you have the correct buildx plugin installed (https://github.com/docker/buildx-desktop)."),
-		)
-	}
-	if err != nil && build.ShouldExec() {
-		//nolint:revive // Human-readable.
-		err = errors.Join(err, errors.New(
-			"Make sure your buildx plugin is executable (`docker buildx version`)"),
-		)
-	}
 	if err != nil {
 		return nil, fmt.Errorf("new builder: %w", err)
 	}
@@ -174,12 +159,6 @@ func (h *host) builderFor(ctx context.Context, build Build) (*cachedBuilder, err
 	// drivers that are unknown to us.
 	nodes, err := b.LoadNodes(ctx, builder.WithData())
 	if err != nil && !build.ShouldExec() {
-		if strings.Contains(err.Error(), "failed to find driver") {
-			//nolint:revive // Human-readable.
-			err = errors.Join(err, errors.New(
-				"Use `exec: true` if you're trying to use Docker Build Cloud or other custom drivers.",
-			))
-		}
 		return nil, fmt.Errorf("loading nodes: %w", err)
 	}
 	// Attempt to determine our builder's buildkit version.

provider/internal/image.go

@@ -62,8 +62,8 @@ var _migration string
 
 // Image is a Docker image build using buildkit.
 type Image struct {
-	clientF clientF
-	config  *Config
+	docker Client
+	config *Config
 }
 
 // Annotate provides a description of the Image resource.
@@ -284,11 +284,6 @@ func (ia *ImageArgs) Annotate(a infer.Annotator) {
 	a.SetDefault(&ia.Network, Default)
 }
 
-// GetRegistries returns the image's registries, if any.
-func (ia ImageArgs) GetRegistries() []Registry {
-	return ia.Registries
-}
-
 // ImageState is serialized to the program's state file.
 type ImageState struct {
 	ImageArgs
@@ -337,8 +332,20 @@ func (is *ImageState) Annotate(a infer.Annotator) {
 
 // client produces a CLI client scoped to this resource and layered on top of
 // any host-level credentials.
-func (i *Image) client(ctx context.Context, args ImageArgs) (Client, error) {
-	return i.clientF(ctx, i.config.getHost(), i.config, args)
+func (i *Image) client(_ context.Context, state ImageState, args ImageArgs) (Client, error) {
+	// Use our mock client, if it's set.
+	if i.docker != nil {
+		return i.docker, nil
+	}
+
+	// We prefer auth from args, the provider, and state in that order. We
+	// build a slice in reverse order because wrap() will overwrite earlier
+	// entries with later ones.
+	auths := []Registry{}
+	auths = append(auths, i.config.Registries...)
+	auths = append(auths, args.Registries...)
+
+	return wrap(i.config.host, auths...)
 }
 
 // Check validates ImageArgs, sets defaults, and ensures our client is
@@ -693,7 +700,7 @@ func (i *Image) Create(
 		break
 	}
 
-	cli, err := i.client(ctx, input)
+	cli, err := i.client(ctx, state, input)
 	if err != nil {
 		return infer.CreateResponse[ImageState]{ID: id, Output: state}, err
 	}
@@ -795,7 +802,7 @@ func (i *Image) Read(
 ) {
 	state, input := req.State, req.Inputs
 
-	cli, err := i.client(ctx, input)
+	cli, err := i.client(ctx, state, input)
 	if err != nil {
 		return infer.ReadResponse[ImageArgs, ImageState]{
 			ID:     req.ID,
@@ -861,7 +868,7 @@ func (i *Image) Delete(
 	req infer.DeleteRequest[ImageState],
 ) (infer.DeleteResponse, error) {
 	state := req.State
-	cli, err := i.client(ctx, state.ImageArgs)
+	cli, err := i.client(ctx, state, state.ImageArgs)
 	if err != nil {
 		return infer.DeleteResponse{}, err
 	}

provider/internal/image_test.go

@@ -84,7 +84,7 @@ func TestImageLifecycle(t *testing.T) {
 					Return(nil)
 				return c
 			},
-			op: func(_ *testing.T) integration.Operation {
+			op: func(t *testing.T) integration.Operation {
 				return integration.Operation{
 					Inputs: property.NewMap(map[string]property.Value{
 						"push": property.New(false),
@@ -130,7 +130,7 @@ func TestImageLifecycle(t *testing.T) {
 		{
 			name:   "tags are required when pushing",
 			client: noClient,
-			op: func(_ *testing.T) integration.Operation {
+			op: func(t *testing.T) integration.Operation {
 				return integration.Operation{
 					Inputs: property.NewMap(map[string]property.Value{
 						"push": property.New(false),
@@ -159,7 +159,7 @@ func TestImageLifecycle(t *testing.T) {
 		{
 			name:   "invalid exports",
 			client: noClient,
-			op: func(_ *testing.T) integration.Operation {
+			op: func(t *testing.T) integration.Operation {
 				return integration.Operation{
 					Inputs: property.NewMap(map[string]property.Value{
 						"push": property.New(false),
@@ -192,7 +192,7 @@ func TestImageLifecycle(t *testing.T) {
 				)
 				return c
 			},
-			op: func(_ *testing.T) integration.Operation {
+			op: func(t *testing.T) integration.Operation {
 				return integration.Operation{
 					Inputs: property.NewMap(map[string]property.Value{
 						"push": property.New(false),
@@ -219,7 +219,7 @@ func TestImageLifecycle(t *testing.T) {
 				)
 				return c
 			},
-			op: func(_ *testing.T) integration.Operation {
+			op: func(t *testing.T) integration.Operation {
 				return integration.Operation{
 					Inputs: property.NewMap(map[string]property.Value{
 						"push": property.New(false),
@@ -252,7 +252,7 @@ func TestImageLifecycle(t *testing.T) {
 				c.EXPECT().Delete(gomock.Any(), "default-dockerfile").Return(nil)
 				return c
 			},
-			op: func(_ *testing.T) integration.Operation {
+			op: func(t *testing.T) integration.Operation {
 				return integration.Operation{
 					Inputs: property.NewMap(map[string]property.Value{
 						"push": property.New(false),
@@ -294,7 +294,7 @@ func TestImageLifecycle(t *testing.T) {
 				c.EXPECT().Delete(gomock.Any(), "inline-dockerfile").Return(nil)
 				return c
 			},
-			op: func(_ *testing.T) integration.Operation {
+			op: func(t *testing.T) integration.Operation {
 				return integration.Operation{
 					Inputs: property.NewMap(map[string]property.Value{
 						"push": property.New(false),
@@ -328,7 +328,7 @@ func TestImageLifecycle(t *testing.T) {
 				Resource: "docker-build:index:Image",
 				Create:   tt.op(t),
 			}
-			s := newServer(t.Context(), t, mockClientF(tt.client(t)))
+			s := newServer(t.Context(), t, tt.client(t))
 
 			err := s.Configure(provider.ConfigureRequest{})
 			require.NoError(t, err)
@@ -353,7 +353,7 @@ func TestDelete(t *testing.T) {
 			Delete(gomock.Any(), "docker.io/pulumi/test@sha256:foo").
 			Return(errNotFound{})
 
-		i := &Image{clientF: mockClientF(client)}
+		i := &Image{docker: client}
 
 		_, err := i.Delete(t.Context(), infer.DeleteRequest[ImageState]{
 			ID: "foo,bar",
@@ -386,7 +386,7 @@ func TestRead(t *testing.T) {
 			},
 		}, nil)
 
-	i := &Image{clientF: mockClientF(client)}
+	i := &Image{docker: client}
 
 	resp, err := i.Read(t.Context(), infer.ReadRequest[ImageArgs, ImageState]{
 		ID: "my-image",
@@ -459,7 +459,7 @@ func TestImageDiff(t *testing.T) {
 				is.Pull = true
 				return is
 			},
-			inputs: func(_ *testing.T, ia ImageArgs) ImageArgs {
+			inputs: func(t *testing.T, ia ImageArgs) ImageArgs {
 				ia.Pull = true
 				return ia
 			},
@@ -472,7 +472,7 @@ func TestImageDiff(t *testing.T) {
 				is.Load = true
 				return is
 			},
-			inputs: func(_ *testing.T, ia ImageArgs) ImageArgs {
+			inputs: func(t *testing.T, ia ImageArgs) ImageArgs {
 				ia.Pull = true
 				ia.Load = true
 				return ia
@@ -534,7 +534,7 @@ func TestImageDiff(t *testing.T) {
 		{
 			name:  "diff if pull changes",
 			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(_ *testing.T, ia ImageArgs) ImageArgs {
+			inputs: func(t *testing.T, ia ImageArgs) ImageArgs {
 				ia.Pull = true
 				return ia
 			},
@@ -543,7 +543,7 @@ func TestImageDiff(t *testing.T) {
 		{
 			name:  "diff if load changes",
 			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(_ *testing.T, ia ImageArgs) ImageArgs {
+			inputs: func(t *testing.T, ia ImageArgs) ImageArgs {
 				ia.Load = true
 				return ia
 			},
@@ -552,7 +552,7 @@ func TestImageDiff(t *testing.T) {
 		{
 			name:  "diff if push changes",
 			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(_ *testing.T, ia ImageArgs) ImageArgs {
+			inputs: func(t *testing.T, ia ImageArgs) ImageArgs {
 				ia.Push = true
 				return ia
 			},
@@ -561,7 +561,7 @@ func TestImageDiff(t *testing.T) {
 		{
 			name:  "diff if buildOnPreview doesn't change",
 			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(_ *testing.T, ia ImageArgs) ImageArgs {
+			inputs: func(t *testing.T, ia ImageArgs) ImageArgs {
 				val := true
 				ia.BuildOnPreview = &val
 				return ia
@@ -571,7 +571,7 @@ func TestImageDiff(t *testing.T) {
 		{
 			name:  "diff if buildOnPreview changes",
 			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(_ *testing.T, ia ImageArgs) ImageArgs {
+			inputs: func(t *testing.T, ia ImageArgs) ImageArgs {
 				val := false
 				ia.BuildOnPreview = &val
 				return ia
@@ -581,7 +581,7 @@ func TestImageDiff(t *testing.T) {
 		{
 			name:  "diff if ssh changes",
 			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(_ *testing.T, ia ImageArgs) ImageArgs {
+			inputs: func(t *testing.T, ia ImageArgs) ImageArgs {
 				ia.SSH = []SSH{{ID: "default"}}
 				return ia
 			},
@@ -590,7 +590,7 @@ func TestImageDiff(t *testing.T) {
 		{
 			name:  "diff if hosts change",
 			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(_ *testing.T, ia ImageArgs) ImageArgs {
+			inputs: func(t *testing.T, ia ImageArgs) ImageArgs {
 				ia.AddHosts = []string{"localhost"}
 				return ia
 			},
@@ -751,7 +751,7 @@ func TestImageDiff(t *testing.T) {
 		},
 		{
 			name: "diff if local export doesn't exist",
-			state: func(_ *testing.T, state ImageState) ImageState {
+			state: func(t *testing.T, state ImageState) ImageState {
 				state.Exports = []Export{
 					{Local: &ExportLocal{Dest: "not-real"}},
 				}
@@ -767,7 +767,7 @@ func TestImageDiff(t *testing.T) {
 		},
 		{
 			name: "diff if tar export doesn't exist",
-			state: func(_ *testing.T, state ImageState) ImageState {
+			state: func(t *testing.T, state ImageState) ImageState {
 				state.Exports = []Export{
 					{Tar: &ExportTar{ExportLocal: ExportLocal{Dest: "not-real"}}},
 				}
@@ -917,10 +917,8 @@ func TestValidateImageArgs(t *testing.T) {
 			{
 				name: "gha environment",
 				envs: map[string]string{
-					"ACTIONS_CACHE_URL":        "test-cache-url",
-					"ACTIONS_RUNTIME_TOKEN":    "test-runtime-token",
-					"ACTIONS_RESULTS_URL":      "test-results-url",
-					"ACTIONS_CACHE_SERVICE_V2": "true",
+					"ACTIONS_CACHE_URL":     "test-cache-url",
+					"ACTIONS_RUNTIME_TOKEN": "test-runtime-token",
 				},
 				args: ImageArgs{
 					Context:   &BuildContext{Context: Context{Location: "testdata/noop"}},
@@ -932,17 +930,15 @@ func TestValidateImageArgs(t *testing.T) {
 				wantCacheFrom: &pb.CacheOptionsEntry{
 					Type: "gha",
 					Attrs: map[string]string{
-						"token":  "test-runtime-token",
-						"url":    "test-cache-url",
-						"url_v2": "test-results-url",
+						"token": "test-runtime-token",
+						"url":   "test-cache-url",
 					},
 				},
 				wantCacheTo: &pb.CacheOptionsEntry{
 					Type: "gha",
 					Attrs: map[string]string{
-						"token":  "test-runtime-token",
-						"url":    "test-cache-url",
-						"url_v2": "test-results-url",
+						"token": "test-runtime-token",
+						"url":   "test-cache-url",
 					},
 				},
 			},

provider/internal/index.go

@@ -47,8 +47,8 @@ var _indexExamples string
 
 // Index is an OCI index or manifest list on a remote registry.
 type Index struct {
-	clientF clientF
-	config  *Config
+	docker Client
+	config *Config
 }
 
 // IndexArgs instantiate an Index.
@@ -66,14 +66,6 @@ func (i IndexArgs) isPushed() bool {
 	return *i.Push
 }
 
-// GetRegistries returns the index's registry.
-func (i IndexArgs) GetRegistries() []Registry {
-	if i.Registry == nil {
-		return nil
-	}
-	return []Registry{*i.Registry}
-}
-
 // IndexState captures the state of an Index.
 type IndexState struct {
 	IndexArgs
@@ -166,7 +158,7 @@ func (i *Index) Update(
 	state.IndexArgs = input
 	state.Ref = input.Tag
 
-	cli, err := i.client(ctx, input)
+	cli, err := i.client(ctx, state, input)
 	if err != nil {
 		return infer.UpdateResponse[IndexState]{Output: state}, err
 	}
@@ -211,7 +203,7 @@ func (i *Index) Read(
 		}, nil // Nothing to read.
 	}
 
-	cli, err := i.client(ctx, input)
+	cli, err := i.client(ctx, state, input)
 	if err != nil {
 		return infer.ReadResponse[IndexArgs, IndexState]{
 			ID:     req.ID,
@@ -298,7 +290,7 @@ func (i *Index) Delete(
 		return infer.DeleteResponse{}, nil // Nothing to delete.
 	}
 
-	cli, err := i.client(ctx, state.IndexArgs)
+	cli, err := i.client(ctx, state, state.IndexArgs)
 	if err != nil {
 		return infer.DeleteResponse{}, err
 	}
@@ -358,8 +350,23 @@ func (i *Index) Diff(
 // client produces a CLI client scoped to this resource and layered on top of
 // any host-level credentials.
 func (i *Index) client(
-	ctx context.Context,
+	_ context.Context,
+	_ IndexState,
 	args IndexArgs,
 ) (Client, error) {
-	return i.clientF(ctx, i.config.getHost(), i.config, args)
+	// Use our mock client, if it's set.
+	if i.docker != nil {
+		return i.docker, nil
+	}
+
+	// We prefer auth from args, the provider, and state in that order. We
+	// build a slice in reverse order because wrap() will overwrite earlier
+	// entries with later ones.
+	auths := []Registry{}
+	auths = append(auths, i.config.Registries...)
+	if args.Registry != nil {
+		auths = append(auths, *args.Registry)
+	}
+
+	return wrap(i.config.host, auths...)
 }

provider/internal/index_test.go

@@ -32,19 +32,19 @@ import (
 
 func TestIndexLifecycle(t *testing.T) {
 	t.Parallel()
-	realClient := func(_ *testing.T) clientF { return RealClientF }
+	realClient := func(t *testing.T) Client { return nil }
 
 	tests := []struct {
 		name string
 		skip bool
 
 		op     func(t *testing.T) integration.Operation
-		client func(t *testing.T) clientF
+		client func(t *testing.T) Client
 	}{
 		{
 			name:   "not pushed",
 			client: realClient,
-			op: func(_ *testing.T) integration.Operation {
+			op: func(t *testing.T) integration.Operation {
 				return integration.Operation{
 					Inputs: property.NewMap(map[string]property.Value{
 						"tag": property.New(
@@ -63,7 +63,7 @@ func TestIndexLifecycle(t *testing.T) {
 			name:   "pushed",
 			skip:   os.Getenv("DOCKER_HUB_PASSWORD") == "",
 			client: realClient,
-			op: func(_ *testing.T) integration.Operation {
+			op: func(t *testing.T) integration.Operation {
 				return integration.Operation{
 					Inputs: property.NewMap(map[string]property.Value{
 						"tag": property.New(
@@ -85,15 +85,15 @@ func TestIndexLifecycle(t *testing.T) {
 		},
 		{
 			name: "expired credentials",
-			client: func(_ *testing.T) clientF {
+			client: func(t *testing.T) Client {
 				ctrl := gomock.NewController(t)
 				c := NewMockClient(ctrl)
 				c.EXPECT().ManifestCreate(gomock.Any(), true, gomock.Any(), gomock.Any())
 				c.EXPECT().ManifestInspect(gomock.Any(), gomock.Any()).Return("", errs.ErrHTTPUnauthorized)
 				c.EXPECT().ManifestDelete(gomock.Any(), gomock.Any()).Return(nil)
-				return mockClientF(c)
+				return c
 			},
-			op: func(_ *testing.T) integration.Operation {
+			op: func(t *testing.T) integration.Operation {
 				return integration.Operation{
 					Inputs: property.NewMap(map[string]property.Value{
 						"tag": property.New(
@@ -157,7 +157,7 @@ func TestIndexDiff(t *testing.T) {
 		{
 			name:  "diff if tag changes",
 			state: func(*testing.T, IndexState) IndexState { return baseState },
-			inputs: func(_ *testing.T, a IndexArgs) IndexArgs {
+			inputs: func(t *testing.T, a IndexArgs) IndexArgs {
 				a.Tag = "new-tag"
 				return a
 			},

provider/internal/mockcli_test.go

@@ -16,8 +16,12 @@ import (
 	configfile "github.com/docker/cli/cli/config/configfile"
 	docker "github.com/docker/cli/cli/context/docker"
 	store "github.com/docker/cli/cli/context/store"
+	store0 "github.com/docker/cli/cli/manifest/store"
+	client "github.com/docker/cli/cli/registry/client"
 	streams "github.com/docker/cli/cli/streams"
-	client "github.com/docker/docker/client"
+	trust "github.com/docker/cli/cli/trust"
+	client0 "github.com/docker/docker/client"
+	client1 "github.com/theupdateframework/notary/client"
 	metric "go.opentelemetry.io/otel/metric"
 	resource "go.opentelemetry.io/otel/sdk/resource"
 	trace "go.opentelemetry.io/otel/trace"
@@ -130,10 +134,10 @@ func (c *MockCliBuildKitEnabledCall) DoAndReturn(f func() (bool, error)) *MockCl
 }
 
 // Client mocks base method.
-func (m *MockCli) Client() client.APIClient {
+func (m *MockCli) Client() client0.APIClient {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "Client")
-	ret0, _ := ret[0].(client.APIClient)
+	ret0, _ := ret[0].(client0.APIClient)
 	return ret0
 }
 
@@ -150,19 +154,19 @@ type MockCliClientCall struct {
 }
 
 // Return rewrite *gomock.Call.Return
-func (c *MockCliClientCall) Return(arg0 client.APIClient) *MockCliClientCall {
+func (c *MockCliClientCall) Return(arg0 client0.APIClient) *MockCliClientCall {
 	c.Call = c.Call.Return(arg0)
 	return c
 }
 
 // Do rewrite *gomock.Call.Do
-func (c *MockCliClientCall) Do(f func() client.APIClient) *MockCliClientCall {
+func (c *MockCliClientCall) Do(f func() client0.APIClient) *MockCliClientCall {
 	c.Call = c.Call.Do(f)
 	return c
 }
 
 // DoAndReturn rewrite *gomock.Call.DoAndReturn
-func (c *MockCliClientCall) DoAndReturn(f func() client.APIClient) *MockCliClientCall {
+func (c *MockCliClientCall) DoAndReturn(f func() client0.APIClient) *MockCliClientCall {
 	c.Call = c.Call.DoAndReturn(f)
 	return c
 }
@@ -509,6 +513,44 @@ func (c *MockCliInCall) DoAndReturn(f func() *streams.In) *MockCliInCall {
 	return c
 }
 
+// ManifestStore mocks base method.
+func (m *MockCli) ManifestStore() store0.Store {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ManifestStore")
+	ret0, _ := ret[0].(store0.Store)
+	return ret0
+}
+
+// ManifestStore indicates an expected call of ManifestStore.
+func (mr *MockCliMockRecorder) ManifestStore() *MockCliManifestStoreCall {
+	mr.mock.ctrl.T.Helper()
+	call := mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ManifestStore", reflect.TypeOf((*MockCli)(nil).ManifestStore))
+	return &MockCliManifestStoreCall{Call: call}
+}
+
+// MockCliManifestStoreCall wrap *gomock.Call
+type MockCliManifestStoreCall struct {
+	*gomock.Call
+}
+
+// Return rewrite *gomock.Call.Return
+func (c *MockCliManifestStoreCall) Return(arg0 store0.Store) *MockCliManifestStoreCall {
+	c.Call = c.Call.Return(arg0)
+	return c
+}
+
+// Do rewrite *gomock.Call.Do
+func (c *MockCliManifestStoreCall) Do(f func() store0.Store) *MockCliManifestStoreCall {
+	c.Call = c.Call.Do(f)
+	return c
+}
+
+// DoAndReturn rewrite *gomock.Call.DoAndReturn
+func (c *MockCliManifestStoreCall) DoAndReturn(f func() store0.Store) *MockCliManifestStoreCall {
+	c.Call = c.Call.DoAndReturn(f)
+	return c
+}
+
 // MeterProvider mocks base method.
 func (m *MockCli) MeterProvider() metric.MeterProvider {
 	m.ctrl.T.Helper()
@@ -547,6 +589,45 @@ func (c *MockCliMeterProviderCall) DoAndReturn(f func() metric.MeterProvider) *M
 	return c
 }
 
+// NotaryClient mocks base method.
+func (m *MockCli) NotaryClient(imgRefAndAuth trust.ImageRefAndAuth, actions []string) (client1.Repository, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "NotaryClient", imgRefAndAuth, actions)
+	ret0, _ := ret[0].(client1.Repository)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// NotaryClient indicates an expected call of NotaryClient.
+func (mr *MockCliMockRecorder) NotaryClient(imgRefAndAuth, actions any) *MockCliNotaryClientCall {
+	mr.mock.ctrl.T.Helper()
+	call := mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NotaryClient", reflect.TypeOf((*MockCli)(nil).NotaryClient), imgRefAndAuth, actions)
+	return &MockCliNotaryClientCall{Call: call}
+}
+
+// MockCliNotaryClientCall wrap *gomock.Call
+type MockCliNotaryClientCall struct {
+	*gomock.Call
+}
+
+// Return rewrite *gomock.Call.Return
+func (c *MockCliNotaryClientCall) Return(arg0 client1.Repository, arg1 error) *MockCliNotaryClientCall {
+	c.Call = c.Call.Return(arg0, arg1)
+	return c
+}
+
+// Do rewrite *gomock.Call.Do
+func (c *MockCliNotaryClientCall) Do(f func(trust.ImageRefAndAuth, []string) (client1.Repository, error)) *MockCliNotaryClientCall {
+	c.Call = c.Call.Do(f)
+	return c
+}
+
+// DoAndReturn rewrite *gomock.Call.DoAndReturn
+func (c *MockCliNotaryClientCall) DoAndReturn(f func(trust.ImageRefAndAuth, []string) (client1.Repository, error)) *MockCliNotaryClientCall {
+	c.Call = c.Call.DoAndReturn(f)
+	return c
+}
+
 // Out mocks base method.
 func (m *MockCli) Out() *streams.Out {
 	m.ctrl.T.Helper()
@@ -585,6 +666,44 @@ func (c *MockCliOutCall) DoAndReturn(f func() *streams.Out) *MockCliOutCall {
 	return c
 }
 
+// RegistryClient mocks base method.
+func (m *MockCli) RegistryClient(arg0 bool) client.RegistryClient {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "RegistryClient", arg0)
+	ret0, _ := ret[0].(client.RegistryClient)
+	return ret0
+}
+
+// RegistryClient indicates an expected call of RegistryClient.
+func (mr *MockCliMockRecorder) RegistryClient(arg0 any) *MockCliRegistryClientCall {
+	mr.mock.ctrl.T.Helper()
+	call := mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RegistryClient", reflect.TypeOf((*MockCli)(nil).RegistryClient), arg0)
+	return &MockCliRegistryClientCall{Call: call}
+}
+
+// MockCliRegistryClientCall wrap *gomock.Call
+type MockCliRegistryClientCall struct {
+	*gomock.Call
+}
+
+// Return rewrite *gomock.Call.Return
+func (c *MockCliRegistryClientCall) Return(arg0 client.RegistryClient) *MockCliRegistryClientCall {
+	c.Call = c.Call.Return(arg0)
+	return c
+}
+
+// Do rewrite *gomock.Call.Do
+func (c *MockCliRegistryClientCall) Do(f func(bool) client.RegistryClient) *MockCliRegistryClientCall {
+	c.Call = c.Call.Do(f)
+	return c
+}
+
+// DoAndReturn rewrite *gomock.Call.DoAndReturn
+func (c *MockCliRegistryClientCall) DoAndReturn(f func(bool) client.RegistryClient) *MockCliRegistryClientCall {
+	c.Call = c.Call.DoAndReturn(f)
+	return c
+}
+
 // Resource mocks base method.
 func (m *MockCli) Resource() *resource.Resource {
 	m.ctrl.T.Helper()

provider/internal/mockclient_test.go

@@ -3,7 +3,7 @@
 //
 // Generated by this command:
 //
-//	mockgen -typed -package internal -source client.go -destination mockclient_test.go --self_package github.com/pulumi/pulumi-docker-build/provider/internal -imports buildx=github.com/docker/buildx/build
+//	mockgen -typed -package internal -source client.go -destination mockclient_test.go --self_package github.com/pulumi/pulumi-docker-build/provider/internal
 //
 
 // Package internal is a generated GoMock package.
@@ -13,12 +13,7 @@ import (
 	context "context"
 	reflect "reflect"
 
-	buildx "github.com/docker/buildx/build"
-	builder "github.com/docker/buildx/builder"
 	pb "github.com/docker/buildx/controller/pb"
-	confutil "github.com/docker/buildx/util/confutil"
-	dockerutil "github.com/docker/buildx/util/dockerutil"
-	progress "github.com/docker/buildx/util/progress"
 	client "github.com/moby/buildkit/client"
 	session "github.com/moby/buildkit/session"
 	descriptor "github.com/regclient/regclient/types/descriptor"
@@ -537,66 +532,3 @@ func (c *MockBuildShouldExecCall) DoAndReturn(f func() bool) *MockBuildShouldExe
 	c.Call = c.Call.DoAndReturn(f)
 	return c
 }
-
-// MockBuilder is a mock of Builder interface.
-type MockBuilder struct {
-	ctrl     *gomock.Controller
-	recorder *MockBuilderMockRecorder
-	isgomock struct{}
-}
-
-// MockBuilderMockRecorder is the mock recorder for MockBuilder.
-type MockBuilderMockRecorder struct {
-	mock *MockBuilder
-}
-
-// NewMockBuilder creates a new mock instance.
-func NewMockBuilder(ctrl *gomock.Controller) *MockBuilder {
-	mock := &MockBuilder{ctrl: ctrl}
-	mock.recorder = &MockBuilderMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use.
-func (m *MockBuilder) EXPECT() *MockBuilderMockRecorder {
-	return m.recorder
-}
-
-// Build mocks base method.
-func (m *MockBuilder) Build(ctx context.Context, nodes []builder.Node, opts map[string]buildx.Options, docker *dockerutil.Client, cfg *confutil.Config, w progress.Writer) (map[string]*client.SolveResponse, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Build", ctx, nodes, opts, docker, cfg, w)
-	ret0, _ := ret[0].(map[string]*client.SolveResponse)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// Build indicates an expected call of Build.
-func (mr *MockBuilderMockRecorder) Build(ctx, nodes, opts, docker, cfg, w any) *MockBuilderBuildCall {
-	mr.mock.ctrl.T.Helper()
-	call := mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Build", reflect.TypeOf((*MockBuilder)(nil).Build), ctx, nodes, opts, docker, cfg, w)
-	return &MockBuilderBuildCall{Call: call}
-}
-
-// MockBuilderBuildCall wrap *gomock.Call
-type MockBuilderBuildCall struct {
-	*gomock.Call
-}
-
-// Return rewrite *gomock.Call.Return
-func (c *MockBuilderBuildCall) Return(resp map[string]*client.SolveResponse, err error) *MockBuilderBuildCall {
-	c.Call = c.Call.Return(resp, err)
-	return c
-}
-
-// Do rewrite *gomock.Call.Do
-func (c *MockBuilderBuildCall) Do(f func(context.Context, []builder.Node, map[string]buildx.Options, *dockerutil.Client, *confutil.Config, progress.Writer) (map[string]*client.SolveResponse, error)) *MockBuilderBuildCall {
-	c.Call = c.Call.Do(f)
-	return c
-}
-
-// DoAndReturn rewrite *gomock.Call.DoAndReturn
-func (c *MockBuilderBuildCall) DoAndReturn(f func(context.Context, []builder.Node, map[string]buildx.Options, *dockerutil.Client, *confutil.Config, progress.Writer) (map[string]*client.SolveResponse, error)) *MockBuilderBuildCall {
-	c.Call = c.Call.DoAndReturn(f)
-	return c
-}

provider/internal/provider.go

@@ -18,17 +18,18 @@ import (
 	"context"
 	"fmt"
 
-	csgen "github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3/codegen"
 	provider "github.com/pulumi/pulumi-go-provider"
 	"github.com/pulumi/pulumi-go-provider/infer"
 	pschema "github.com/pulumi/pulumi-go-provider/middleware/schema"
 	"github.com/pulumi/pulumi-java/pkg/codegen/java"
+	csgen "github.com/pulumi/pulumi/pkg/v3/codegen/dotnet"
 	gogen "github.com/pulumi/pulumi/pkg/v3/codegen/go"
 	tsgen "github.com/pulumi/pulumi/pkg/v3/codegen/nodejs"
 	pygen "github.com/pulumi/pulumi/pkg/v3/codegen/python"
 	"github.com/pulumi/pulumi/pkg/v3/codegen/schema"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/tokens"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/util/contract"
+	"github.com/pulumi/pulumi/sdk/v3/go/property"
 )
 
 var (
@@ -61,21 +62,8 @@ func (c *Config) Configure(ctx context.Context) error {
 	return nil
 }
 
-// GetRegistries returns the config's registries, if any.
-func (c Config) GetRegistries() []Registry {
-	return c.Registries
-}
-
-// getHost returns the config's host, or nil if the config is also nil.
-func (c *Config) getHost() *host {
-	if c == nil {
-		return nil
-	}
-	return c.host
-}
-
 // NewBuildxProvider returns a new buildx provider.
-func NewBuildxProvider(clientF clientF) provider.Provider {
+func NewBuildxProvider(mock Client) provider.Provider {
 	config := &Config{}
 
 	prov := infer.Provider(
@@ -125,8 +113,8 @@ func NewBuildxProvider(clientF clientF) provider.Provider {
 				},
 			},
 			Resources: []infer.InferredResource{
-				infer.Resource(&Image{clientF: clientF, config: config}),
-				infer.Resource(&Index{clientF: clientF, config: config}),
+				infer.Resource(&Image{docker: mock, config: config}),
+				infer.Resource(&Index{docker: mock, config: config}),
 			},
 			ModuleMap: map[tokens.ModuleName]tokens.ModuleName{
 				"internal": "index",
@@ -135,9 +123,32 @@ func NewBuildxProvider(clientF clientF) provider.Provider {
 		},
 	)
 
+	prov.DiffConfig = diffConfigIgnoreInternal(prov.DiffConfig)
+
 	return prov
 }
 
+// TODO(pulumi/pulumi-docker-build#404): Remove this function once the bug is fixed in either
+// upstream pu/pu or pulumi-go-provider.
+
+// diffConfigInternalIgnore is a custom DiffConfig implementation for the buildx provider. This is required to
+// circumvent the bug identified in https://github.com/pulumi/pulumi-docker-build/issues/404.
+// Since `__internal` is currently populated in new inputs, but stripped in old state, we need to
+// ignore this field in the diff. There is no easy way to override DiffConfig to compare inputs only.
+func diffConfigIgnoreInternal(
+	diffConfig func(ctx context.Context, req provider.DiffRequest) (provider.DiffResponse, error),
+) func(ctx context.Context, req provider.DiffRequest) (provider.DiffResponse, error) {
+	return func(ctx context.Context, req provider.DiffRequest) (provider.DiffResponse, error) {
+		m := req.Inputs.AsMap()
+		delete(m, "__internal")
+		delete(m, "__pulumi-go-provider-infer")
+		delete(m, "__pulumi-go-provider-version")
+		req.Inputs = property.NewMap(m)
+
+		return diffConfig(ctx, req)
+	}
+}
+
 // Schema returns our package specification.
 func Schema(ctx context.Context, version string) schema.PackageSpec {
 	p := NewBuildxProvider(nil)

provider/internal/provider_test.go

@@ -75,14 +75,10 @@ func (annotator) SetToken(tokens.ModuleName, tokens.TypeName) {}
 func (annotator) AddAlias(tokens.ModuleName, tokens.TypeName) {}
 func (annotator) SetResourceDeprecationMessage(_ string)      {}
 
-func newServer(ctx context.Context, t *testing.T, clientF clientF) integration.Server {
+func newServer(ctx context.Context, t *testing.T, client Client) integration.Server {
 	t.Helper()
 
-	if clientF == nil {
-		clientF = RealClientF
-	}
-
-	p := NewBuildxProvider(clientF)
+	p := NewBuildxProvider(client)
 
 	s, err := integration.NewServer(
 		ctx,

provider/provider.go

@@ -15,11 +15,10 @@
 package provider
 
 import (
+	"github.com/pulumi/pulumi-docker-build/provider/internal"
 	gp "github.com/pulumi/pulumi-go-provider"
 	"github.com/pulumi/pulumi/pkg/v3/resource/provider"
 	rpc "github.com/pulumi/pulumi/sdk/v3/proto/go"
-
-	"github.com/pulumi/pulumi-docker-build/provider/internal"
 )
 
 // Version is initialized by the Go linker to contain the semver of this build.
@@ -35,5 +34,5 @@ func Serve() error {
 
 // New creates a new provider.
 func New(host *provider.HostClient) (rpc.ResourceProviderServer, error) {
-	return gp.RawServer(Name, Version, internal.NewBuildxProvider(internal.RealClientF))(host)
+	return gp.RawServer(Name, Version, internal.NewBuildxProvider(nil))(host)
 }

renovate.json5

@@ -1,23 +0,0 @@
-{
-  $schema: 'https://docs.renovatebot.com/renovate-schema.json',
-  extends: [
-    'github>pulumi/renovate-config//default.json5',
-  ],
-  packageRules: [
-    {
-      matchDatasources: [
-        'go',
-      ],
-      matchPackageNames: [
-        'github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3',
-        'github.com/pulumi/pulumi/sdk/go/pulumi-language-go/v3',
-        'github.com/pulumi/pulumi/sdk/nodejs/cmd/pulumi-language-nodejs/v3',
-        'github.com/pulumi/pulumi/sdk/python/cmd/pulumi-language-python/v3',
-      ],
-      matchUpdateTypes: [
-        'pin',
-        'digest',
-      ],
-    },
-  ],
-}

scripts/get-versions.sh

@@ -1,55 +0,0 @@
-#!/usr/bin/env bash
-set -euo pipefail
-
-# This script can be simplified to use go when https://github.com/jdx/mise/discussions/6374 is fixed
-# e.g. go list -m -f '{{.GoVersion}}'
-
-module_path="github.com/pulumi/pulumi/pkg/v3"
-go_mod_path="."
-gomod="go.mod"
-
-if [[ "$go_mod_path" != "" && "$go_mod_path" != "." ]]; then
-  gomod="$go_mod_path/$gomod"
-fi
-
-if [[ ! -f "$gomod" ]]; then
-  echo "missing $gomod" >&2
-  exit 1
-fi
-
-raw_version=$(awk -v module="$module_path" '
-    $1 == module || $2 == module {
-        for (i = 1; i <= NF; i++) {
-            if ($i ~ /^v[0-9]/) {
-                sub(/^v/, "", $i)
-                print $i
-                exit
-            }
-        }
-    }
-' "$gomod")
-
-if [[ -z "${raw_version:-}" ]]; then
-  echo "failed to determine Pulumi version from $gomod" >&2
-  exit 1
-fi
-
-echo "PULUMI_VERSION_MISE=$raw_version"
-export PULUMI_VERSION_MISE=$raw_version
-
-# Prefer the toolchain directive if present, otherwise fall back to the `go` version line
-go_toolchain=$(awk '/^toolchain[[:space:]]+go[0-9]/{ print $2; exit }' "$gomod")
-
-if [[ -n "${go_toolchain:-}" ]]; then
-  go_version=${go_toolchain#go}
-else
-  go_version=$(awk '/^go[[:space:]]+[0-9]/{ print $2; exit }' "$gomod")
-fi
-
-if [[ -z "${go_version:-}" ]]; then
-  echo "failed to determine Go version from $gomod" >&2
-  exit 1
-fi
-
-echo "GO_VERSION_MISE=$go_version"
-export GO_VERSION_MISE=$go_version

sdk/dotnet/.gitattributes

@@ -1 +0,0 @@
-* linguist-generated

sdk/dotnet/.gitignore

@@ -1,2 +0,0 @@
-bin
-obj

sdk/dotnet/Inputs/CacheFromGitHubActionsArgs.cs

@@ -10,12 +10,6 @@ using Pulumi.Serialization;
 namespace Pulumi.DockerBuild.Inputs
 {
 
-    /// <summary>
-    /// Recommended for use with GitHub Actions workflows.
-    /// 
-    /// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-    /// appropriate credentials to your GitHub workflow.
-    /// </summary>
     public sealed class CacheFromGitHubActionsArgs : global::Pulumi.ResourceArgs
     {
         /// <summary>
@@ -27,9 +21,42 @@ namespace Pulumi.DockerBuild.Inputs
         [Input("scope")]
         public Input<string>? Scope { get; set; }
 
+        [Input("token")]
+        private Input<string>? _token;
+
+        /// <summary>
+        /// The GitHub Actions token to use. This is not a personal access tokens
+        /// and is typically generated automatically as part of each job.
+        /// 
+        /// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
+        /// environment variable to your jobs.
+        /// </summary>
+        public Input<string>? Token
+        {
+            get => _token;
+            set
+            {
+                var emptySecret = Output.CreateSecret(0);
+                _token = Output.Tuple<Input<string>?, int>(value, emptySecret).Apply(t => t.Item1);
+            }
+        }
+
+        /// <summary>
+        /// The cache server URL to use for artifacts.
+        /// 
+        /// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
+        /// environment variable to your jobs.
+        /// </summary>
+        [Input("url")]
+        public Input<string>? Url { get; set; }
+
         public CacheFromGitHubActionsArgs()
         {
             Scope = "buildkit";
+            Token = Utilities.GetEnv("ACTIONS_RUNTIME_TOKEN") ?? "";
+            Url = Utilities.GetEnv("ACTIONS_CACHE_URL") ?? "";
         }
         public static new CacheFromGitHubActionsArgs Empty => new CacheFromGitHubActionsArgs();
     }

sdk/dotnet/Inputs/CacheToGitHubActionsArgs.cs

@@ -10,12 +10,6 @@ using Pulumi.Serialization;
 namespace Pulumi.DockerBuild.Inputs
 {
 
-    /// <summary>
-    /// Recommended for use with GitHub Actions workflows.
-    /// 
-    /// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-    /// appropriate credentials to your GitHub workflow.
-    /// </summary>
     public sealed class CacheToGitHubActionsArgs : global::Pulumi.ResourceArgs
     {
         /// <summary>
@@ -39,11 +33,44 @@ namespace Pulumi.DockerBuild.Inputs
         [Input("scope")]
         public Input<string>? Scope { get; set; }
 
+        [Input("token")]
+        private Input<string>? _token;
+
+        /// <summary>
+        /// The GitHub Actions token to use. This is not a personal access tokens
+        /// and is typically generated automatically as part of each job.
+        /// 
+        /// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
+        /// environment variable to your jobs.
+        /// </summary>
+        public Input<string>? Token
+        {
+            get => _token;
+            set
+            {
+                var emptySecret = Output.CreateSecret(0);
+                _token = Output.Tuple<Input<string>?, int>(value, emptySecret).Apply(t => t.Item1);
+            }
+        }
+
+        /// <summary>
+        /// The cache server URL to use for artifacts.
+        /// 
+        /// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
+        /// environment variable to your jobs.
+        /// </summary>
+        [Input("url")]
+        public Input<string>? Url { get; set; }
+
         public CacheToGitHubActionsArgs()
         {
             IgnoreError = false;
             Mode = Pulumi.DockerBuild.CacheMode.Min;
             Scope = "buildkit";
+            Token = Utilities.GetEnv("ACTIONS_RUNTIME_TOKEN") ?? "";
+            Url = Utilities.GetEnv("ACTIONS_CACHE_URL") ?? "";
         }
         public static new CacheToGitHubActionsArgs Empty => new CacheToGitHubActionsArgs();
     }

sdk/dotnet/Outputs/CacheFromGitHubActions.cs

@@ -10,12 +10,6 @@ using Pulumi.Serialization;
 namespace Pulumi.DockerBuild.Outputs
 {
 
-    /// <summary>
-    /// Recommended for use with GitHub Actions workflows.
-    /// 
-    /// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-    /// appropriate credentials to your GitHub workflow.
-    /// </summary>
     [OutputType]
     public sealed class CacheFromGitHubActions
     {
@@ -26,11 +20,35 @@ namespace Pulumi.DockerBuild.Outputs
         /// workflow, otherwise caches will overwrite each other.
         /// </summary>
         public readonly string? Scope;
+        /// <summary>
+        /// The GitHub Actions token to use. This is not a personal access tokens
+        /// and is typically generated automatically as part of each job.
+        /// 
+        /// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
+        /// environment variable to your jobs.
+        /// </summary>
+        public readonly string? Token;
+        /// <summary>
+        /// The cache server URL to use for artifacts.
+        /// 
+        /// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
+        /// environment variable to your jobs.
+        /// </summary>
+        public readonly string? Url;
 
         [OutputConstructor]
-        private CacheFromGitHubActions(string? scope)
+        private CacheFromGitHubActions(
+            string? scope,
+
+            string? token,
+
+            string? url)
         {
             Scope = scope;
+            Token = token;
+            Url = url;
         }
     }
 }

sdk/dotnet/Outputs/CacheToGitHubActions.cs

@@ -10,12 +10,6 @@ using Pulumi.Serialization;
 namespace Pulumi.DockerBuild.Outputs
 {
 
-    /// <summary>
-    /// Recommended for use with GitHub Actions workflows.
-    /// 
-    /// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-    /// appropriate credentials to your GitHub workflow.
-    /// </summary>
     [OutputType]
     public sealed class CacheToGitHubActions
     {
@@ -34,6 +28,23 @@ namespace Pulumi.DockerBuild.Outputs
         /// workflow, otherwise caches will overwrite each other.
         /// </summary>
         public readonly string? Scope;
+        /// <summary>
+        /// The GitHub Actions token to use. This is not a personal access tokens
+        /// and is typically generated automatically as part of each job.
+        /// 
+        /// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
+        /// environment variable to your jobs.
+        /// </summary>
+        public readonly string? Token;
+        /// <summary>
+        /// The cache server URL to use for artifacts.
+        /// 
+        /// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
+        /// environment variable to your jobs.
+        /// </summary>
+        public readonly string? Url;
 
         [OutputConstructor]
         private CacheToGitHubActions(
@@ -41,11 +52,17 @@ namespace Pulumi.DockerBuild.Outputs
 
             Pulumi.DockerBuild.CacheMode? mode,
 
-            string? scope)
+            string? scope,
+
+            string? token,
+
+            string? url)
         {
             IgnoreError = ignoreError;
             Mode = mode;
             Scope = scope;
+            Token = token;
+            Url = url;
         }
     }
 }

sdk/go/.gitattributes

@@ -1 +0,0 @@
-* linguist-generated

sdk/go/dockerbuild/go.mod

@@ -1,14 +1,15 @@
 module github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild
 
-go 1.24.7
+go 1.24.1
 
 require (
 	github.com/blang/semver v3.5.1+incompatible
-	github.com/pulumi/pulumi/sdk/v3 v3.219.0
+	github.com/pulumi/pulumi/sdk/v3 v3.169.0
 )
 
 require (
 	dario.cat/mergo v1.0.1 // indirect
+	github.com/BurntSushi/toml v1.5.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
 	github.com/ProtonMail/go-crypto v1.2.0 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
@@ -57,44 +58,45 @@ require (
 	github.com/opentracing/basictracer-go v1.1.0 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pgavlin/fx v0.1.6 // indirect
-	github.com/pgavlin/fx/v2 v2.0.10 // indirect
 	github.com/pjbgf/sha1cd v0.3.2 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pkg/term v1.1.0 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 // indirect
-	github.com/pulumi/esc v0.21.0 // indirect
+	github.com/pulumi/esc v0.13.0 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rogpeppe/go-internal v1.14.1 // indirect
+	github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 // indirect
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect
-	github.com/sergi/go-diff v1.4.0 // indirect
+	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
 	github.com/skeema/knownhosts v1.3.1 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
-	github.com/spf13/cobra v1.10.1 // indirect
-	github.com/spf13/pflag v1.0.10 // indirect
-	github.com/stretchr/testify v1.11.1 // indirect
+	github.com/spf13/cobra v1.9.1 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/stretchr/objx v0.5.2 // indirect
 	github.com/texttheater/golang-levenshtein v1.0.1 // indirect
 	github.com/uber/jaeger-client-go v2.30.0+incompatible // indirect
 	github.com/uber/jaeger-lib v2.4.1+incompatible // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
-	github.com/zclconf/go-cty v1.16.3 // indirect
-	go.opentelemetry.io/otel/sdk v1.36.0 // indirect
+	github.com/zclconf/go-cty v1.16.2 // indirect
+	go.opentelemetry.io/otel v1.35.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.35.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
-	golang.org/x/crypto v0.47.0 // indirect
-	golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 // indirect
-	golang.org/x/mod v0.31.0 // indirect
-	golang.org/x/net v0.49.0 // indirect
-	golang.org/x/sync v0.19.0 // indirect
-	golang.org/x/sys v0.40.0 // indirect
-	golang.org/x/term v0.39.0 // indirect
-	golang.org/x/text v0.33.0 // indirect
-	golang.org/x/tools v0.40.0 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 // indirect
-	google.golang.org/grpc v1.72.1 // indirect
+	golang.org/x/crypto v0.38.0 // indirect
+	golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 // indirect
+	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/net v0.40.0 // indirect
+	golang.org/x/sync v0.14.0 // indirect
+	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/term v0.32.0 // indirect
+	golang.org/x/text v0.25.0 // indirect
+	golang.org/x/tools v0.32.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250414145226-207652e42e2e // indirect
+	google.golang.org/grpc v1.71.1 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/frand v1.5.1 // indirect
-	pgregory.net/rapid v1.2.0 // indirect
+	pgregory.net/rapid v1.1.0 // indirect
 )

sdk/go/dockerbuild/go.sum

@@ -1,5 +1,7 @@
 dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
 dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
+github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
+github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/HdrHistogram/hdrhistogram-go v1.1.2 h1:5IcZpTvzydCQeHzK4Ef/D5rrSqwxob0t8PQPMybUNFM=
 github.com/HdrHistogram/hdrhistogram-go v1.1.2/go.mod h1:yDgFjdqOqDEKOvasDdhWNXYg9BVp4O+o5f6V/ehm6Oo=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
@@ -146,8 +148,6 @@ github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
 github.com/pgavlin/fx v0.1.6 h1:r9jEg69DhNoCd3Xh0+5mIbdbS3PqWrVWujkY76MFRTU=
 github.com/pgavlin/fx v0.1.6/go.mod h1:KWZJ6fqBBSh8GxHYqwYCf3rYE7Gp2p0N8tJp8xv9u9M=
-github.com/pgavlin/fx/v2 v2.0.10 h1:ggyQ6pB+lEQEbEae48Wh/X221eLOamMD7i01ISe88u4=
-github.com/pgavlin/fx/v2 v2.0.10/go.mod h1:M/nF/ooAOy+NUBooYYXl2REARzJ/giPJxfMs8fINfKc=
 github.com/pjbgf/sha1cd v0.3.2 h1:a9wb0bp1oC2TGwStyn0Umc/IGKQnEgF0vVaZ8QF8eo4=
 github.com/pjbgf/sha1cd v0.3.2/go.mod h1:zQWigSxVmsHEZow5qaLtPYxpcKMMQpa09ixqBxuCS6A=
 github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
@@ -160,10 +160,10 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRI
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 h1:vkHw5I/plNdTr435cARxCW6q9gc0S/Yxz7Mkd38pOb0=
 github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231/go.mod h1:murToZ2N9hNJzewjHBgfFdXhZKjY3z5cYC1VXk+lbFE=
-github.com/pulumi/esc v0.21.0 h1:TR8Ff22SU+z8cooTmUKkmk2FltXW/wDPrIwI9BP88Vk=
-github.com/pulumi/esc v0.21.0/go.mod h1:mkghIFn/TvN3XnP4jmCB4U5BG1I4UjGluARi39ckrCE=
-github.com/pulumi/pulumi/sdk/v3 v3.219.0 h1:OwTSwk1ZuOI4hQUdSccWuIAuqs4fL/FcppesPOAKHQ8=
-github.com/pulumi/pulumi/sdk/v3 v3.219.0/go.mod h1:ZOBPPC2NZOZf729AdCX+CctfNc5SN6aJh0bdqNdzQC4=
+github.com/pulumi/esc v0.13.0 h1:O2MPR2koScaQ2fXwyer8Q3Dd7z+DCnaDfsgNl5mVNMk=
+github.com/pulumi/esc v0.13.0/go.mod h1:IIQo6W6Uzajt6f1RW4QvNxIRDlbK3TNQysnrwBHNo3U=
+github.com/pulumi/pulumi/sdk/v3 v3.169.0 h1:bgz1fp2rl28khSXgF4FaRQiB9wh3lSKWtzUOGalf+x4=
+github.com/pulumi/pulumi/sdk/v3 v3.169.0/go.mod h1:Qhe4dOjqedyLr47kGGnG6ULIbzaPTlmjAvPqNQ1Ollo=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
@@ -171,20 +171,21 @@ github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/f
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 h1:OkMGxebDjyw0ULyrTYWeN0UNCCkmCWfjPnIA2W6oviI=
+github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06/go.mod h1:+ePHsJ1keEjQtpvf9HHw0f4ZeJ0TLRsxhunSI2hYJSs=
 github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6NgVqpn3+iol9aGu4=
 github.com/santhosh-tekuri/jsonschema/v5 v5.3.1/go.mod h1:uToXkOrWAZ6/Oc07xWQrPOhJotwFIyu2bBVN41fcDUY=
-github.com/sergi/go-diff v1.4.0 h1:n/SP9D5ad1fORl+llWyN+D6qoUETXNZARKjyY2/KVCw=
-github.com/sergi/go-diff v1.4.0/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
+github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=
+github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/skeema/knownhosts v1.3.1 h1:X2osQ+RAjK76shCbvhHHHVl3ZlgDm8apHEHFqRjnBY8=
 github.com/skeema/knownhosts v1.3.1/go.mod h1:r7KTdC8l4uxWRyK2TpQZ/1o5HaSzh06ePQNxPwTcfiY=
 github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w=
 github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU=
-github.com/spf13/cobra v1.10.1 h1:lJeBwCfmrnXthfAupyUTzJ/J4Nc1RsHC/mSRU2dll/s=
-github.com/spf13/cobra v1.10.1/go.mod h1:7SmJGaTHFVBY0jW4NXGluQoLvhqFQM+6XSKD+P4XaB0=
-github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
-github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
+github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
+github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
@@ -192,8 +193,9 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
-github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/texttheater/golang-levenshtein v1.0.1 h1:+cRNoVrfiwufQPhoMzB6N0Yf/Mqajr6t1lOv8GyGE2U=
 github.com/texttheater/golang-levenshtein v1.0.1/go.mod h1:PYAKrbF5sAiq9wd+H82hs7gNaen0CplQ9uvm6+enD/8=
 github.com/uber/jaeger-client-go v2.30.0+incompatible h1:D6wyKGCecFaSRUpo8lCVbaOOb6ThwMmTEbhRwtKR97o=
@@ -206,49 +208,49 @@ github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavM
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/zclconf/go-cty v1.16.3 h1:osr++gw2T61A8KVYHoQiFbFd1Lh3JOCXc/jFLJXKTxk=
-github.com/zclconf/go-cty v1.16.3/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE=
+github.com/zclconf/go-cty v1.16.2 h1:LAJSwc3v81IRBZyUVQDUdZ7hs3SYs9jv0eZJDWHD/70=
+github.com/zclconf/go-cty v1.16.2/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE=
 go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
 go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
-go.opentelemetry.io/otel v1.36.0 h1:UumtzIklRBY6cI/lllNZlALOF5nNIzJVb16APdvgTXg=
-go.opentelemetry.io/otel v1.36.0/go.mod h1:/TcFMXYjyRNh8khOAO9ybYkqaDBb/70aVwkNML4pP8E=
-go.opentelemetry.io/otel/metric v1.36.0 h1:MoWPKVhQvJ+eeXWHFBOPoBOi20jh6Iq2CcCREuTYufE=
-go.opentelemetry.io/otel/metric v1.36.0/go.mod h1:zC7Ks+yeyJt4xig9DEw9kuUFe5C3zLbVjV2PzT6qzbs=
-go.opentelemetry.io/otel/sdk v1.36.0 h1:b6SYIuLRs88ztox4EyrvRti80uXIFy+Sqzoh9kFULbs=
-go.opentelemetry.io/otel/sdk v1.36.0/go.mod h1:+lC+mTgD+MUWfjJubi2vvXWcVxyr9rmlshZni72pXeY=
+go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
+go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/otel/metric v1.35.0 h1:0znxYu2SNyuMSQT4Y9WDWej0VpcsxkuklLa4/siN90M=
+go.opentelemetry.io/otel/metric v1.35.0/go.mod h1:nKVFgxBZ2fReX6IlyW28MgZojkoAkJGaE8CpgeAU3oE=
+go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY=
+go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg=
 go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
 go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
-go.opentelemetry.io/otel/trace v1.36.0 h1:ahxWNuqZjpdiFAyrIoQ4GIiAIhxAunQR6MUoKrsNd4w=
-go.opentelemetry.io/otel/trace v1.36.0/go.mod h1:gQ+OnDZzrybY4k4seLzPAWNwVBBVlF2szhehOBB/tGA=
+go.opentelemetry.io/otel/trace v1.35.0 h1:dPpEfJu1sDIqruz7BHFG3c7528f6ddfSWfFDVt/xgMs=
+go.opentelemetry.io/otel/trace v1.35.0/go.mod h1:WUk7DtFp1Aw2MkvqGdwiXYDZZNvA/1J8o6xRXLrIkyc=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.47.0 h1:V6e3FRj+n4dbpw86FJ8Fv7XVOql7TEwpHapKoMJ/GO8=
-golang.org/x/crypto v0.47.0/go.mod h1:ff3Y9VzzKbwSSEzWqJsJVBnWmRwRSHt/6Op5n9bQc4A=
-golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 h1:R9PFI6EUdfVKgwKjZef7QIwGcBKu86OEFpJ9nUEP2l4=
-golang.org/x/exp v0.0.0-20250718183923-645b1fa84792/go.mod h1:A+z0yzpGtvnG90cToK5n2tu8UJVP2XUATh+r+sfOOOc=
+golang.org/x/crypto v0.38.0 h1:jt+WWG8IZlBnVbomuhg2Mdq0+BBQaHbtqHEFEigjUV8=
+golang.org/x/crypto v0.38.0/go.mod h1:MvrbAqul58NNYPKnOra203SB9vpuZW0e+RRZV+Ggqjw=
+golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 h1:R84qjqJb5nVJMxqWYb3np9L5ZsaDtB+a39EqjV0JSUM=
+golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0/go.mod h1:S9Xr4PYopiDyqSyp5NjCrhFrqg6A5zA2E/iPHPhqnS8=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.31.0 h1:HaW9xtz0+kOcWKwli0ZXy79Ix+UW/vOfmWI5QVd2tgI=
-golang.org/x/mod v0.31.0/go.mod h1:43JraMp9cGx1Rx3AqioxrbrhNsLl2l/iNAvuBkrezpg=
+golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
+golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200421231249-e086a090c8fd/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.49.0 h1:eeHFmOGUTtaaPSGNmjBKpbng9MulQsJURQUAfUwY++o=
-golang.org/x/net v0.49.0/go.mod h1:/ysNB2EvaqvesRkuLAyjI1ycPZlQHM3q01F02UY/MV8=
+golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
+golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.19.0 h1:vV+1eWNmZ5geRlYjzm2adRgW2/mcpevXNg50YZtPCE4=
-golang.org/x/sync v0.19.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
+golang.org/x/sync v0.14.0 h1:woo0S4Yywslg6hp4eUFjTVOyKt0RookbpAHG4c1HmhQ=
+golang.org/x/sync v0.14.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -264,32 +266,32 @@ golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.40.0 h1:DBZZqJ2Rkml6QMQsZywtnjnnGvHza6BTfYFWY9kjEWQ=
-golang.org/x/sys v0.40.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
+golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.39.0 h1:RclSuaJf32jOqZz74CkPA9qFuVTX7vhLlpfj/IGWlqY=
-golang.org/x/term v0.39.0/go.mod h1:yxzUCTP/U+FzoxfdKmLaA0RV1WgE0VY7hXBwKtY/4ww=
+golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
+golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.33.0 h1:B3njUFyqtHDUI5jMn1YIr5B0IE2U0qck04r6d4KPAxE=
-golang.org/x/text v0.33.0/go.mod h1:LuMebE6+rBincTi9+xWTY8TztLzKHc/9C1uBCG27+q8=
+golang.org/x/text v0.25.0 h1:qVyWApTSYLk/drJRO5mDlNYskwQznZmkpV2c8q9zls4=
+golang.org/x/text v0.25.0/go.mod h1:WEdwpYrmk1qmdHvhkSTNPm3app7v4rsT8F2UD6+VHIA=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.40.0 h1:yLkxfA+Qnul4cs9QA3KnlFu0lVmd8JJfoq+E41uSutA=
-golang.org/x/tools v0.40.0/go.mod h1:Ik/tzLRlbscWpqqMRjyWYDisX8bG13FrdXp3o4Sr9lc=
+golang.org/x/tools v0.32.0 h1:Q7N1vhpkQv7ybVzLFtTjvQya2ewbwNDZzUgfXGqtMWU=
+golang.org/x/tools v0.32.0/go.mod h1:ZxrU41P/wAbZD8EDa6dDCa6XfpkhJ7HFMjHJXfBDu8s=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 h1:cJfm9zPbe1e873mHJzmQ1nwVEeRDU/T1wXDK2kUSU34=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
-google.golang.org/grpc v1.72.1 h1:HR03wO6eyZ7lknl75XlxABNVLLFc2PAb6mHlYh756mA=
-google.golang.org/grpc v1.72.1/go.mod h1:wH5Aktxcg25y1I3w7H69nHfXdOG3UiadoBtjh3izSDM=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250414145226-207652e42e2e h1:ztQaXfzEXTmCBvbtWYRhJxW+0iJcz2qXfd38/e9l7bA=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250414145226-207652e42e2e/go.mod h1:qQ0YXyHHx3XkvlzUtpXDkS29lDSafHMZBAZDc03LQ3A=
+google.golang.org/grpc v1.71.1 h1:ffsFWr7ygTUscGPI0KKK6TLrGz0476KUvvsbqWK0rPI=
+google.golang.org/grpc v1.71.1/go.mod h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec=
 google.golang.org/protobuf v1.36.6 h1:z1NpPI8ku2WgiWnf+t9wTPsn6eP1L7ksHUlkfLvd9xY=
 google.golang.org/protobuf v1.36.6/go.mod h1:jduwjTPXsFjZGTmRluh+L6NjiWu7pchiJ2/5YcXBHnY=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -301,9 +303,10 @@ gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRN
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 lukechampine.com/frand v1.5.1 h1:fg0eRtdmGFIxhP5zQJzM1lFDbD6CUfu/f+7WgAZd5/w=
 lukechampine.com/frand v1.5.1/go.mod h1:4VstaWc2plN4Mjr10chUD46RAVGWhpkZ5Nja8+Azp0Q=
-pgregory.net/rapid v1.2.0 h1:keKAYRcjm+e1F0oAuU5F5+YPAWcyxNNRK2wud503Gnk=
-pgregory.net/rapid v1.2.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04=
+pgregory.net/rapid v1.1.0 h1:CMa0sjHSru3puNx+J0MIAuiiEV4N0qj8/cMWGBBCsjw=
+pgregory.net/rapid v1.1.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04=

sdk/go/dockerbuild/pulumiTypes.go

@@ -834,16 +834,25 @@ func (o CacheFromAzureBlobPtrOutput) SecretAccessKey() pulumi.StringPtrOutput {
 	}).(pulumi.StringPtrOutput)
 }
 
-// Recommended for use with GitHub Actions workflows.
-//
-// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-// appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActions struct {
 	// The scope to use for cache keys. Defaults to `buildkit`.
 	//
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope *string `pulumi:"scope"`
+	// The GitHub Actions token to use. This is not a personal access tokens
+	// and is typically generated automatically as part of each job.
+	//
+	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+	// `crazy-max/ghaction-github-runtime` is recommended to expose this
+	// environment variable to your jobs.
+	Token *string `pulumi:"token"`
+	// The cache server URL to use for artifacts.
+	//
+	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+	// `crazy-max/ghaction-github-runtime` is recommended to expose this
+	// environment variable to your jobs.
+	Url *string `pulumi:"url"`
 }
 
 // Defaults sets the appropriate defaults for CacheFromGitHubActions
@@ -856,6 +865,18 @@ func (val *CacheFromGitHubActions) Defaults() *CacheFromGitHubActions {
 		scope_ := "buildkit"
 		tmp.Scope = &scope_
 	}
+	if tmp.Token == nil {
+		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
+			token_ := d.(string)
+			tmp.Token = &token_
+		}
+	}
+	if tmp.Url == nil {
+		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
+			url_ := d.(string)
+			tmp.Url = &url_
+		}
+	}
 	return &tmp
 }
 
@@ -870,16 +891,25 @@ type CacheFromGitHubActionsInput interface {
 	ToCacheFromGitHubActionsOutputWithContext(context.Context) CacheFromGitHubActionsOutput
 }
 
-// Recommended for use with GitHub Actions workflows.
-//
-// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-// appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActionsArgs struct {
 	// The scope to use for cache keys. Defaults to `buildkit`.
 	//
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope pulumi.StringPtrInput `pulumi:"scope"`
+	// The GitHub Actions token to use. This is not a personal access tokens
+	// and is typically generated automatically as part of each job.
+	//
+	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+	// `crazy-max/ghaction-github-runtime` is recommended to expose this
+	// environment variable to your jobs.
+	Token pulumi.StringPtrInput `pulumi:"token"`
+	// The cache server URL to use for artifacts.
+	//
+	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+	// `crazy-max/ghaction-github-runtime` is recommended to expose this
+	// environment variable to your jobs.
+	Url pulumi.StringPtrInput `pulumi:"url"`
 }
 
 // Defaults sets the appropriate defaults for CacheFromGitHubActionsArgs
@@ -891,6 +921,16 @@ func (val *CacheFromGitHubActionsArgs) Defaults() *CacheFromGitHubActionsArgs {
 	if tmp.Scope == nil {
 		tmp.Scope = pulumi.StringPtr("buildkit")
 	}
+	if tmp.Token == nil {
+		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
+			tmp.Token = pulumi.StringPtr(d.(string))
+		}
+	}
+	if tmp.Url == nil {
+		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
+			tmp.Url = pulumi.StringPtr(d.(string))
+		}
+	}
 	return &tmp
 }
 func (CacheFromGitHubActionsArgs) ElementType() reflect.Type {
@@ -958,10 +998,6 @@ func (i *cacheFromGitHubActionsPtrType) ToOutput(ctx context.Context) pulumix.Ou
 	}
 }
 
-// Recommended for use with GitHub Actions workflows.
-//
-// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-// appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActionsOutput struct{ *pulumi.OutputState }
 
 func (CacheFromGitHubActionsOutput) ElementType() reflect.Type {
@@ -1000,6 +1036,25 @@ func (o CacheFromGitHubActionsOutput) Scope() pulumi.StringPtrOutput {
 	return o.ApplyT(func(v CacheFromGitHubActions) *string { return v.Scope }).(pulumi.StringPtrOutput)
 }
 
+// The GitHub Actions token to use. This is not a personal access tokens
+// and is typically generated automatically as part of each job.
+//
+// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+// `crazy-max/ghaction-github-runtime` is recommended to expose this
+// environment variable to your jobs.
+func (o CacheFromGitHubActionsOutput) Token() pulumi.StringPtrOutput {
+	return o.ApplyT(func(v CacheFromGitHubActions) *string { return v.Token }).(pulumi.StringPtrOutput)
+}
+
+// The cache server URL to use for artifacts.
+//
+// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+// `crazy-max/ghaction-github-runtime` is recommended to expose this
+// environment variable to your jobs.
+func (o CacheFromGitHubActionsOutput) Url() pulumi.StringPtrOutput {
+	return o.ApplyT(func(v CacheFromGitHubActions) *string { return v.Url }).(pulumi.StringPtrOutput)
+}
+
 type CacheFromGitHubActionsPtrOutput struct{ *pulumi.OutputState }
 
 func (CacheFromGitHubActionsPtrOutput) ElementType() reflect.Type {
@@ -1043,6 +1098,35 @@ func (o CacheFromGitHubActionsPtrOutput) Scope() pulumi.StringPtrOutput {
 	}).(pulumi.StringPtrOutput)
 }
 
+// The GitHub Actions token to use. This is not a personal access tokens
+// and is typically generated automatically as part of each job.
+//
+// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+// `crazy-max/ghaction-github-runtime` is recommended to expose this
+// environment variable to your jobs.
+func (o CacheFromGitHubActionsPtrOutput) Token() pulumi.StringPtrOutput {
+	return o.ApplyT(func(v *CacheFromGitHubActions) *string {
+		if v == nil {
+			return nil
+		}
+		return v.Token
+	}).(pulumi.StringPtrOutput)
+}
+
+// The cache server URL to use for artifacts.
+//
+// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+// `crazy-max/ghaction-github-runtime` is recommended to expose this
+// environment variable to your jobs.
+func (o CacheFromGitHubActionsPtrOutput) Url() pulumi.StringPtrOutput {
+	return o.ApplyT(func(v *CacheFromGitHubActions) *string {
+		if v == nil {
+			return nil
+		}
+		return v.Url
+	}).(pulumi.StringPtrOutput)
+}
+
 type CacheFromLocal struct {
 	// Digest of manifest to import.
 	Digest *string `pulumi:"digest"`
@@ -2277,10 +2361,6 @@ func (o CacheToAzureBlobPtrOutput) SecretAccessKey() pulumi.StringPtrOutput {
 	}).(pulumi.StringPtrOutput)
 }
 
-// Recommended for use with GitHub Actions workflows.
-//
-// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-// appropriate credentials to your GitHub workflow.
 type CacheToGitHubActions struct {
 	// Ignore errors caused by failed cache exports.
 	IgnoreError *bool `pulumi:"ignoreError"`
@@ -2291,6 +2371,19 @@ type CacheToGitHubActions struct {
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope *string `pulumi:"scope"`
+	// The GitHub Actions token to use. This is not a personal access tokens
+	// and is typically generated automatically as part of each job.
+	//
+	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+	// `crazy-max/ghaction-github-runtime` is recommended to expose this
+	// environment variable to your jobs.
+	Token *string `pulumi:"token"`
+	// The cache server URL to use for artifacts.
+	//
+	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+	// `crazy-max/ghaction-github-runtime` is recommended to expose this
+	// environment variable to your jobs.
+	Url *string `pulumi:"url"`
 }
 
 // Defaults sets the appropriate defaults for CacheToGitHubActions
@@ -2311,6 +2404,18 @@ func (val *CacheToGitHubActions) Defaults() *CacheToGitHubActions {
 		scope_ := "buildkit"
 		tmp.Scope = &scope_
 	}
+	if tmp.Token == nil {
+		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
+			token_ := d.(string)
+			tmp.Token = &token_
+		}
+	}
+	if tmp.Url == nil {
+		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
+			url_ := d.(string)
+			tmp.Url = &url_
+		}
+	}
 	return &tmp
 }
 
@@ -2325,10 +2430,6 @@ type CacheToGitHubActionsInput interface {
 	ToCacheToGitHubActionsOutputWithContext(context.Context) CacheToGitHubActionsOutput
 }
 
-// Recommended for use with GitHub Actions workflows.
-//
-// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-// appropriate credentials to your GitHub workflow.
 type CacheToGitHubActionsArgs struct {
 	// Ignore errors caused by failed cache exports.
 	IgnoreError pulumi.BoolPtrInput `pulumi:"ignoreError"`
@@ -2339,6 +2440,19 @@ type CacheToGitHubActionsArgs struct {
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope pulumi.StringPtrInput `pulumi:"scope"`
+	// The GitHub Actions token to use. This is not a personal access tokens
+	// and is typically generated automatically as part of each job.
+	//
+	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+	// `crazy-max/ghaction-github-runtime` is recommended to expose this
+	// environment variable to your jobs.
+	Token pulumi.StringPtrInput `pulumi:"token"`
+	// The cache server URL to use for artifacts.
+	//
+	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+	// `crazy-max/ghaction-github-runtime` is recommended to expose this
+	// environment variable to your jobs.
+	Url pulumi.StringPtrInput `pulumi:"url"`
 }
 
 // Defaults sets the appropriate defaults for CacheToGitHubActionsArgs
@@ -2356,6 +2470,16 @@ func (val *CacheToGitHubActionsArgs) Defaults() *CacheToGitHubActionsArgs {
 	if tmp.Scope == nil {
 		tmp.Scope = pulumi.StringPtr("buildkit")
 	}
+	if tmp.Token == nil {
+		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
+			tmp.Token = pulumi.StringPtr(d.(string))
+		}
+	}
+	if tmp.Url == nil {
+		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
+			tmp.Url = pulumi.StringPtr(d.(string))
+		}
+	}
 	return &tmp
 }
 func (CacheToGitHubActionsArgs) ElementType() reflect.Type {
@@ -2423,10 +2547,6 @@ func (i *cacheToGitHubActionsPtrType) ToOutput(ctx context.Context) pulumix.Outp
 	}
 }
 
-// Recommended for use with GitHub Actions workflows.
-//
-// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-// appropriate credentials to your GitHub workflow.
 type CacheToGitHubActionsOutput struct{ *pulumi.OutputState }
 
 func (CacheToGitHubActionsOutput) ElementType() reflect.Type {
@@ -2475,6 +2595,25 @@ func (o CacheToGitHubActionsOutput) Scope() pulumi.StringPtrOutput {
 	return o.ApplyT(func(v CacheToGitHubActions) *string { return v.Scope }).(pulumi.StringPtrOutput)
 }
 
+// The GitHub Actions token to use. This is not a personal access tokens
+// and is typically generated automatically as part of each job.
+//
+// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+// `crazy-max/ghaction-github-runtime` is recommended to expose this
+// environment variable to your jobs.
+func (o CacheToGitHubActionsOutput) Token() pulumi.StringPtrOutput {
+	return o.ApplyT(func(v CacheToGitHubActions) *string { return v.Token }).(pulumi.StringPtrOutput)
+}
+
+// The cache server URL to use for artifacts.
+//
+// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+// `crazy-max/ghaction-github-runtime` is recommended to expose this
+// environment variable to your jobs.
+func (o CacheToGitHubActionsOutput) Url() pulumi.StringPtrOutput {
+	return o.ApplyT(func(v CacheToGitHubActions) *string { return v.Url }).(pulumi.StringPtrOutput)
+}
+
 type CacheToGitHubActionsPtrOutput struct{ *pulumi.OutputState }
 
 func (CacheToGitHubActionsPtrOutput) ElementType() reflect.Type {
@@ -2538,6 +2677,35 @@ func (o CacheToGitHubActionsPtrOutput) Scope() pulumi.StringPtrOutput {
 	}).(pulumi.StringPtrOutput)
 }
 
+// The GitHub Actions token to use. This is not a personal access tokens
+// and is typically generated automatically as part of each job.
+//
+// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+// `crazy-max/ghaction-github-runtime` is recommended to expose this
+// environment variable to your jobs.
+func (o CacheToGitHubActionsPtrOutput) Token() pulumi.StringPtrOutput {
+	return o.ApplyT(func(v *CacheToGitHubActions) *string {
+		if v == nil {
+			return nil
+		}
+		return v.Token
+	}).(pulumi.StringPtrOutput)
+}
+
+// The cache server URL to use for artifacts.
+//
+// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+// `crazy-max/ghaction-github-runtime` is recommended to expose this
+// environment variable to your jobs.
+func (o CacheToGitHubActionsPtrOutput) Url() pulumi.StringPtrOutput {
+	return o.ApplyT(func(v *CacheToGitHubActions) *string {
+		if v == nil {
+			return nil
+		}
+		return v.Url
+	}).(pulumi.StringPtrOutput)
+}
+
 // Include an inline cache with the exported image.
 type CacheToInline struct {
 }

sdk/go/dockerbuild/x/pulumiTypes.go

@@ -393,16 +393,25 @@ func (o CacheFromAzureBlobOutput) SecretAccessKey() pulumix.Output[*string] {
 	return pulumix.Apply[CacheFromAzureBlob](o, func(v CacheFromAzureBlob) *string { return v.SecretAccessKey })
 }
 
-// Recommended for use with GitHub Actions workflows.
-//
-// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-// appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActions struct {
 	// The scope to use for cache keys. Defaults to `buildkit`.
 	//
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope *string `pulumi:"scope"`
+	// The GitHub Actions token to use. This is not a personal access tokens
+	// and is typically generated automatically as part of each job.
+	//
+	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+	// `crazy-max/ghaction-github-runtime` is recommended to expose this
+	// environment variable to your jobs.
+	Token *string `pulumi:"token"`
+	// The cache server URL to use for artifacts.
+	//
+	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+	// `crazy-max/ghaction-github-runtime` is recommended to expose this
+	// environment variable to your jobs.
+	Url *string `pulumi:"url"`
 }
 
 // Defaults sets the appropriate defaults for CacheFromGitHubActions
@@ -415,19 +424,40 @@ func (val *CacheFromGitHubActions) Defaults() *CacheFromGitHubActions {
 		scope_ := "buildkit"
 		tmp.Scope = &scope_
 	}
+	if tmp.Token == nil {
+		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
+			token_ := d.(string)
+			tmp.Token = &token_
+		}
+	}
+	if tmp.Url == nil {
+		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
+			url_ := d.(string)
+			tmp.Url = &url_
+		}
+	}
 	return &tmp
 }
 
-// Recommended for use with GitHub Actions workflows.
-//
-// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-// appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActionsArgs struct {
 	// The scope to use for cache keys. Defaults to `buildkit`.
 	//
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope pulumix.Input[*string] `pulumi:"scope"`
+	// The GitHub Actions token to use. This is not a personal access tokens
+	// and is typically generated automatically as part of each job.
+	//
+	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+	// `crazy-max/ghaction-github-runtime` is recommended to expose this
+	// environment variable to your jobs.
+	Token pulumix.Input[*string] `pulumi:"token"`
+	// The cache server URL to use for artifacts.
+	//
+	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+	// `crazy-max/ghaction-github-runtime` is recommended to expose this
+	// environment variable to your jobs.
+	Url pulumix.Input[*string] `pulumi:"url"`
 }
 
 // Defaults sets the appropriate defaults for CacheFromGitHubActionsArgs
@@ -439,6 +469,16 @@ func (val *CacheFromGitHubActionsArgs) Defaults() *CacheFromGitHubActionsArgs {
 	if tmp.Scope == nil {
 		tmp.Scope = pulumix.Ptr("buildkit")
 	}
+	if tmp.Token == nil {
+		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
+			tmp.Token = pulumix.Ptr(d.(string))
+		}
+	}
+	if tmp.Url == nil {
+		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
+			tmp.Url = pulumix.Ptr(d.(string))
+		}
+	}
 	return &tmp
 }
 func (CacheFromGitHubActionsArgs) ElementType() reflect.Type {
@@ -457,10 +497,6 @@ func (i *CacheFromGitHubActionsArgs) ToOutput(ctx context.Context) pulumix.Outpu
 	return pulumix.Val(i)
 }
 
-// Recommended for use with GitHub Actions workflows.
-//
-// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-// appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActionsOutput struct{ *pulumi.OutputState }
 
 func (CacheFromGitHubActionsOutput) ElementType() reflect.Type {
@@ -489,6 +525,25 @@ func (o CacheFromGitHubActionsOutput) Scope() pulumix.Output[*string] {
 	return pulumix.Apply[CacheFromGitHubActions](o, func(v CacheFromGitHubActions) *string { return v.Scope })
 }
 
+// The GitHub Actions token to use. This is not a personal access tokens
+// and is typically generated automatically as part of each job.
+//
+// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+// `crazy-max/ghaction-github-runtime` is recommended to expose this
+// environment variable to your jobs.
+func (o CacheFromGitHubActionsOutput) Token() pulumix.Output[*string] {
+	return pulumix.Apply[CacheFromGitHubActions](o, func(v CacheFromGitHubActions) *string { return v.Token })
+}
+
+// The cache server URL to use for artifacts.
+//
+// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+// `crazy-max/ghaction-github-runtime` is recommended to expose this
+// environment variable to your jobs.
+func (o CacheFromGitHubActionsOutput) Url() pulumix.Output[*string] {
+	return pulumix.Apply[CacheFromGitHubActions](o, func(v CacheFromGitHubActions) *string { return v.Url })
+}
+
 type CacheFromLocal struct {
 	// Digest of manifest to import.
 	Digest *string `pulumi:"digest"`
@@ -1079,10 +1134,6 @@ func (o CacheToAzureBlobOutput) SecretAccessKey() pulumix.Output[*string] {
 	return pulumix.Apply[CacheToAzureBlob](o, func(v CacheToAzureBlob) *string { return v.SecretAccessKey })
 }
 
-// Recommended for use with GitHub Actions workflows.
-//
-// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-// appropriate credentials to your GitHub workflow.
 type CacheToGitHubActions struct {
 	// Ignore errors caused by failed cache exports.
 	IgnoreError *bool `pulumi:"ignoreError"`
@@ -1093,6 +1144,19 @@ type CacheToGitHubActions struct {
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope *string `pulumi:"scope"`
+	// The GitHub Actions token to use. This is not a personal access tokens
+	// and is typically generated automatically as part of each job.
+	//
+	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+	// `crazy-max/ghaction-github-runtime` is recommended to expose this
+	// environment variable to your jobs.
+	Token *string `pulumi:"token"`
+	// The cache server URL to use for artifacts.
+	//
+	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+	// `crazy-max/ghaction-github-runtime` is recommended to expose this
+	// environment variable to your jobs.
+	Url *string `pulumi:"url"`
 }
 
 // Defaults sets the appropriate defaults for CacheToGitHubActions
@@ -1113,13 +1177,21 @@ func (val *CacheToGitHubActions) Defaults() *CacheToGitHubActions {
 		scope_ := "buildkit"
 		tmp.Scope = &scope_
 	}
+	if tmp.Token == nil {
+		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
+			token_ := d.(string)
+			tmp.Token = &token_
+		}
+	}
+	if tmp.Url == nil {
+		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
+			url_ := d.(string)
+			tmp.Url = &url_
+		}
+	}
 	return &tmp
 }
 
-// Recommended for use with GitHub Actions workflows.
-//
-// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-// appropriate credentials to your GitHub workflow.
 type CacheToGitHubActionsArgs struct {
 	// Ignore errors caused by failed cache exports.
 	IgnoreError pulumix.Input[*bool] `pulumi:"ignoreError"`
@@ -1130,6 +1202,19 @@ type CacheToGitHubActionsArgs struct {
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope pulumix.Input[*string] `pulumi:"scope"`
+	// The GitHub Actions token to use. This is not a personal access tokens
+	// and is typically generated automatically as part of each job.
+	//
+	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+	// `crazy-max/ghaction-github-runtime` is recommended to expose this
+	// environment variable to your jobs.
+	Token pulumix.Input[*string] `pulumi:"token"`
+	// The cache server URL to use for artifacts.
+	//
+	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+	// `crazy-max/ghaction-github-runtime` is recommended to expose this
+	// environment variable to your jobs.
+	Url pulumix.Input[*string] `pulumi:"url"`
 }
 
 // Defaults sets the appropriate defaults for CacheToGitHubActionsArgs
@@ -1147,6 +1232,16 @@ func (val *CacheToGitHubActionsArgs) Defaults() *CacheToGitHubActionsArgs {
 	if tmp.Scope == nil {
 		tmp.Scope = pulumix.Ptr("buildkit")
 	}
+	if tmp.Token == nil {
+		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
+			tmp.Token = pulumix.Ptr(d.(string))
+		}
+	}
+	if tmp.Url == nil {
+		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
+			tmp.Url = pulumix.Ptr(d.(string))
+		}
+	}
 	return &tmp
 }
 func (CacheToGitHubActionsArgs) ElementType() reflect.Type {
@@ -1165,10 +1260,6 @@ func (i *CacheToGitHubActionsArgs) ToOutput(ctx context.Context) pulumix.Output[
 	return pulumix.Val(i)
 }
 
-// Recommended for use with GitHub Actions workflows.
-//
-// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-// appropriate credentials to your GitHub workflow.
 type CacheToGitHubActionsOutput struct{ *pulumi.OutputState }
 
 func (CacheToGitHubActionsOutput) ElementType() reflect.Type {
@@ -1207,6 +1298,25 @@ func (o CacheToGitHubActionsOutput) Scope() pulumix.Output[*string] {
 	return pulumix.Apply[CacheToGitHubActions](o, func(v CacheToGitHubActions) *string { return v.Scope })
 }
 
+// The GitHub Actions token to use. This is not a personal access tokens
+// and is typically generated automatically as part of each job.
+//
+// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+// `crazy-max/ghaction-github-runtime` is recommended to expose this
+// environment variable to your jobs.
+func (o CacheToGitHubActionsOutput) Token() pulumix.Output[*string] {
+	return pulumix.Apply[CacheToGitHubActions](o, func(v CacheToGitHubActions) *string { return v.Token })
+}
+
+// The cache server URL to use for artifacts.
+//
+// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+// `crazy-max/ghaction-github-runtime` is recommended to expose this
+// environment variable to your jobs.
+func (o CacheToGitHubActionsOutput) Url() pulumix.Output[*string] {
+	return pulumix.Apply[CacheToGitHubActions](o, func(v CacheToGitHubActions) *string { return v.Url })
+}
+
 // Include an inline cache with the exported image.
 type CacheToInline struct {
 }

sdk/java/.gitattributes

@@ -1 +0,0 @@
-* linguist-generated

sdk/java/src/main/java/com/pulumi/dockerbuild/inputs/CacheFromGitHubActionsArgs.java

@@ -12,13 +12,6 @@ import java.util.Optional;
 import javax.annotation.Nullable;
 
 
-/**
- * Recommended for use with GitHub Actions workflows.
- * 
- * An action like `crazy-max/ghaction-github-runtime` is recommended to expose
- * appropriate credentials to your GitHub workflow.
- * 
- */
 public final class CacheFromGitHubActionsArgs extends com.pulumi.resources.ResourceArgs {
 
     public static final CacheFromGitHubActionsArgs Empty = new CacheFromGitHubActionsArgs();
@@ -44,10 +37,60 @@ public final class CacheFromGitHubActionsArgs extends com.pulumi.resources.Resou
         return Optional.ofNullable(this.scope);
     }
 
+    /**
+     * The GitHub Actions token to use. This is not a personal access tokens
+     * and is typically generated automatically as part of each job.
+     * 
+     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     * 
+     */
+    @Import(name="token")
+    private @Nullable Output<String> token;
+
+    /**
+     * @return The GitHub Actions token to use. This is not a personal access tokens
+     * and is typically generated automatically as part of each job.
+     * 
+     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     * 
+     */
+    public Optional<Output<String>> token() {
+        return Optional.ofNullable(this.token);
+    }
+
+    /**
+     * The cache server URL to use for artifacts.
+     * 
+     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     * 
+     */
+    @Import(name="url")
+    private @Nullable Output<String> url;
+
+    /**
+     * @return The cache server URL to use for artifacts.
+     * 
+     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     * 
+     */
+    public Optional<Output<String>> url() {
+        return Optional.ofNullable(this.url);
+    }
+
     private CacheFromGitHubActionsArgs() {}
 
     private CacheFromGitHubActionsArgs(CacheFromGitHubActionsArgs $) {
         this.scope = $.scope;
+        this.token = $.token;
+        this.url = $.url;
     }
 
     public static Builder builder() {
@@ -95,8 +138,70 @@ public final class CacheFromGitHubActionsArgs extends com.pulumi.resources.Resou
             return scope(Output.of(scope));
         }
 
+        /**
+         * @param token The GitHub Actions token to use. This is not a personal access tokens
+         * and is typically generated automatically as part of each job.
+         * 
+         * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+         * `crazy-max/ghaction-github-runtime` is recommended to expose this
+         * environment variable to your jobs.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder token(@Nullable Output<String> token) {
+            $.token = token;
+            return this;
+        }
+
+        /**
+         * @param token The GitHub Actions token to use. This is not a personal access tokens
+         * and is typically generated automatically as part of each job.
+         * 
+         * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+         * `crazy-max/ghaction-github-runtime` is recommended to expose this
+         * environment variable to your jobs.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder token(String token) {
+            return token(Output.of(token));
+        }
+
+        /**
+         * @param url The cache server URL to use for artifacts.
+         * 
+         * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+         * `crazy-max/ghaction-github-runtime` is recommended to expose this
+         * environment variable to your jobs.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder url(@Nullable Output<String> url) {
+            $.url = url;
+            return this;
+        }
+
+        /**
+         * @param url The cache server URL to use for artifacts.
+         * 
+         * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+         * `crazy-max/ghaction-github-runtime` is recommended to expose this
+         * environment variable to your jobs.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder url(String url) {
+            return url(Output.of(url));
+        }
+
         public CacheFromGitHubActionsArgs build() {
             $.scope = Codegen.stringProp("scope").output().arg($.scope).def("buildkit").getNullable();
+            $.token = Codegen.stringProp("token").secret().arg($.token).env("ACTIONS_RUNTIME_TOKEN").def("").getNullable();
+            $.url = Codegen.stringProp("url").output().arg($.url).env("ACTIONS_CACHE_URL").def("").getNullable();
             return $;
         }
     }

sdk/java/src/main/java/com/pulumi/dockerbuild/inputs/CacheToGitHubActionsArgs.java

@@ -14,13 +14,6 @@ import java.util.Optional;
 import javax.annotation.Nullable;
 
 
-/**
- * Recommended for use with GitHub Actions workflows.
- * 
- * An action like `crazy-max/ghaction-github-runtime` is recommended to expose
- * appropriate credentials to your GitHub workflow.
- * 
- */
 public final class CacheToGitHubActionsArgs extends com.pulumi.resources.ResourceArgs {
 
     public static final CacheToGitHubActionsArgs Empty = new CacheToGitHubActionsArgs();
@@ -76,12 +69,62 @@ public final class CacheToGitHubActionsArgs extends com.pulumi.resources.Resourc
         return Optional.ofNullable(this.scope);
     }
 
+    /**
+     * The GitHub Actions token to use. This is not a personal access tokens
+     * and is typically generated automatically as part of each job.
+     * 
+     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     * 
+     */
+    @Import(name="token")
+    private @Nullable Output<String> token;
+
+    /**
+     * @return The GitHub Actions token to use. This is not a personal access tokens
+     * and is typically generated automatically as part of each job.
+     * 
+     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     * 
+     */
+    public Optional<Output<String>> token() {
+        return Optional.ofNullable(this.token);
+    }
+
+    /**
+     * The cache server URL to use for artifacts.
+     * 
+     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     * 
+     */
+    @Import(name="url")
+    private @Nullable Output<String> url;
+
+    /**
+     * @return The cache server URL to use for artifacts.
+     * 
+     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     * 
+     */
+    public Optional<Output<String>> url() {
+        return Optional.ofNullable(this.url);
+    }
+
     private CacheToGitHubActionsArgs() {}
 
     private CacheToGitHubActionsArgs(CacheToGitHubActionsArgs $) {
         this.ignoreError = $.ignoreError;
         this.mode = $.mode;
         this.scope = $.scope;
+        this.token = $.token;
+        this.url = $.url;
     }
 
     public static Builder builder() {
@@ -171,10 +214,72 @@ public final class CacheToGitHubActionsArgs extends com.pulumi.resources.Resourc
             return scope(Output.of(scope));
         }
 
+        /**
+         * @param token The GitHub Actions token to use. This is not a personal access tokens
+         * and is typically generated automatically as part of each job.
+         * 
+         * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+         * `crazy-max/ghaction-github-runtime` is recommended to expose this
+         * environment variable to your jobs.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder token(@Nullable Output<String> token) {
+            $.token = token;
+            return this;
+        }
+
+        /**
+         * @param token The GitHub Actions token to use. This is not a personal access tokens
+         * and is typically generated automatically as part of each job.
+         * 
+         * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+         * `crazy-max/ghaction-github-runtime` is recommended to expose this
+         * environment variable to your jobs.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder token(String token) {
+            return token(Output.of(token));
+        }
+
+        /**
+         * @param url The cache server URL to use for artifacts.
+         * 
+         * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+         * `crazy-max/ghaction-github-runtime` is recommended to expose this
+         * environment variable to your jobs.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder url(@Nullable Output<String> url) {
+            $.url = url;
+            return this;
+        }
+
+        /**
+         * @param url The cache server URL to use for artifacts.
+         * 
+         * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+         * `crazy-max/ghaction-github-runtime` is recommended to expose this
+         * environment variable to your jobs.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder url(String url) {
+            return url(Output.of(url));
+        }
+
         public CacheToGitHubActionsArgs build() {
             $.ignoreError = Codegen.booleanProp("ignoreError").output().arg($.ignoreError).def(false).getNullable();
             $.mode = Codegen.objectProp("mode", CacheMode.class).output().arg($.mode).def(CacheMode.Min).getNullable();
             $.scope = Codegen.stringProp("scope").output().arg($.scope).def("buildkit").getNullable();
+            $.token = Codegen.stringProp("token").secret().arg($.token).env("ACTIONS_RUNTIME_TOKEN").def("").getNullable();
+            $.url = Codegen.stringProp("url").output().arg($.url).env("ACTIONS_CACHE_URL").def("").getNullable();
             return $;
         }
     }

sdk/java/src/main/java/com/pulumi/dockerbuild/outputs/CacheFromGitHubActions.java

@@ -19,6 +19,25 @@ public final class CacheFromGitHubActions {
      * 
      */
     private @Nullable String scope;
+    /**
+     * @return The GitHub Actions token to use. This is not a personal access tokens
+     * and is typically generated automatically as part of each job.
+     * 
+     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     * 
+     */
+    private @Nullable String token;
+    /**
+     * @return The cache server URL to use for artifacts.
+     * 
+     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     * 
+     */
+    private @Nullable String url;
 
     private CacheFromGitHubActions() {}
     /**
@@ -31,6 +50,29 @@ public final class CacheFromGitHubActions {
     public Optional<String> scope() {
         return Optional.ofNullable(this.scope);
     }
+    /**
+     * @return The GitHub Actions token to use. This is not a personal access tokens
+     * and is typically generated automatically as part of each job.
+     * 
+     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     * 
+     */
+    public Optional<String> token() {
+        return Optional.ofNullable(this.token);
+    }
+    /**
+     * @return The cache server URL to use for artifacts.
+     * 
+     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     * 
+     */
+    public Optional<String> url() {
+        return Optional.ofNullable(this.url);
+    }
 
     public static Builder builder() {
         return new Builder();
@@ -42,10 +84,14 @@ public final class CacheFromGitHubActions {
     @CustomType.Builder
     public static final class Builder {
         private @Nullable String scope;
+        private @Nullable String token;
+        private @Nullable String url;
         public Builder() {}
         public Builder(CacheFromGitHubActions defaults) {
     	      Objects.requireNonNull(defaults);
     	      this.scope = defaults.scope;
+    	      this.token = defaults.token;
+    	      this.url = defaults.url;
         }
 
         @CustomType.Setter
@@ -54,9 +100,23 @@ public final class CacheFromGitHubActions {
             this.scope = scope;
             return this;
         }
+        @CustomType.Setter
+        public Builder token(@Nullable String token) {
+
+            this.token = token;
+            return this;
+        }
+        @CustomType.Setter
+        public Builder url(@Nullable String url) {
+
+            this.url = url;
+            return this;
+        }
         public CacheFromGitHubActions build() {
             final var _resultValue = new CacheFromGitHubActions();
             _resultValue.scope = scope;
+            _resultValue.token = token;
+            _resultValue.url = url;
             return _resultValue;
         }
     }

sdk/java/src/main/java/com/pulumi/dockerbuild/outputs/CacheToGitHubActions.java

@@ -31,6 +31,25 @@ public final class CacheToGitHubActions {
      * 
      */
     private @Nullable String scope;
+    /**
+     * @return The GitHub Actions token to use. This is not a personal access tokens
+     * and is typically generated automatically as part of each job.
+     * 
+     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     * 
+     */
+    private @Nullable String token;
+    /**
+     * @return The cache server URL to use for artifacts.
+     * 
+     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     * 
+     */
+    private @Nullable String url;
 
     private CacheToGitHubActions() {}
     /**
@@ -57,6 +76,29 @@ public final class CacheToGitHubActions {
     public Optional<String> scope() {
         return Optional.ofNullable(this.scope);
     }
+    /**
+     * @return The GitHub Actions token to use. This is not a personal access tokens
+     * and is typically generated automatically as part of each job.
+     * 
+     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     * 
+     */
+    public Optional<String> token() {
+        return Optional.ofNullable(this.token);
+    }
+    /**
+     * @return The cache server URL to use for artifacts.
+     * 
+     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     * 
+     */
+    public Optional<String> url() {
+        return Optional.ofNullable(this.url);
+    }
 
     public static Builder builder() {
         return new Builder();
@@ -70,12 +112,16 @@ public final class CacheToGitHubActions {
         private @Nullable Boolean ignoreError;
         private @Nullable CacheMode mode;
         private @Nullable String scope;
+        private @Nullable String token;
+        private @Nullable String url;
         public Builder() {}
         public Builder(CacheToGitHubActions defaults) {
     	      Objects.requireNonNull(defaults);
     	      this.ignoreError = defaults.ignoreError;
     	      this.mode = defaults.mode;
     	      this.scope = defaults.scope;
+    	      this.token = defaults.token;
+    	      this.url = defaults.url;
         }
 
         @CustomType.Setter
@@ -96,11 +142,25 @@ public final class CacheToGitHubActions {
             this.scope = scope;
             return this;
         }
+        @CustomType.Setter
+        public Builder token(@Nullable String token) {
+
+            this.token = token;
+            return this;
+        }
+        @CustomType.Setter
+        public Builder url(@Nullable String url) {
+
+            this.url = url;
+            return this;
+        }
         public CacheToGitHubActions build() {
             final var _resultValue = new CacheToGitHubActions();
             _resultValue.ignoreError = ignoreError;
             _resultValue.mode = mode;
             _resultValue.scope = scope;
+            _resultValue.token = token;
+            _resultValue.url = url;
             return _resultValue;
         }
     }

sdk/nodejs/.gitattributes

@@ -1 +0,0 @@
-* linguist-generated

sdk/nodejs/.gitignore

@@ -1,2 +0,0 @@
-node_modules/
-bin/

sdk/nodejs/image.ts

@@ -501,7 +501,7 @@ export class Image extends pulumi.CustomResource {
      *
      * Equivalent to Docker's `--add-host` flag.
      */
-    declare public readonly addHosts: pulumi.Output<string[] | undefined>;
+    public readonly addHosts!: pulumi.Output<string[] | undefined>;
     /**
      * `ARG` names and values to set during the build.
      *
@@ -513,7 +513,7 @@ export class Image extends pulumi.CustomResource {
      *
      * Equivalent to Docker's `--build-arg` flag.
      */
-    declare public readonly buildArgs: pulumi.Output<{[key: string]: string} | undefined>;
+    public readonly buildArgs!: pulumi.Output<{[key: string]: string} | undefined>;
     /**
      * Setting this to `false` will always skip image builds during previews,
      * and setting it to `true` will always build images during previews.
@@ -527,35 +527,35 @@ export class Image extends pulumi.CustomResource {
      * Defaults to `true` as a safeguard against broken images merging as part
      * of CI pipelines.
      */
-    declare public readonly buildOnPreview: pulumi.Output<boolean | undefined>;
+    public readonly buildOnPreview!: pulumi.Output<boolean | undefined>;
     /**
      * Builder configuration.
      */
-    declare public readonly builder: pulumi.Output<outputs.BuilderConfig | undefined>;
+    public readonly builder!: pulumi.Output<outputs.BuilderConfig | undefined>;
     /**
      * Cache export configuration.
      *
      * Equivalent to Docker's `--cache-from` flag.
      */
-    declare public readonly cacheFrom: pulumi.Output<outputs.CacheFrom[] | undefined>;
+    public readonly cacheFrom!: pulumi.Output<outputs.CacheFrom[] | undefined>;
     /**
      * Cache import configuration.
      *
      * Equivalent to Docker's `--cache-to` flag.
      */
-    declare public readonly cacheTo: pulumi.Output<outputs.CacheTo[] | undefined>;
+    public readonly cacheTo!: pulumi.Output<outputs.CacheTo[] | undefined>;
     /**
      * Build context settings. Defaults to the current directory.
      *
      * Equivalent to Docker's `PATH | URL | -` positional argument.
      */
-    declare public readonly context: pulumi.Output<outputs.BuildContext | undefined>;
+    public readonly context!: pulumi.Output<outputs.BuildContext | undefined>;
     /**
      * A preliminary hash of the image's build context.
      *
      * Pulumi uses this to determine if an image _may_ need to be re-built.
      */
-    declare public /*out*/ readonly contextHash: pulumi.Output<string>;
+    public /*out*/ readonly contextHash!: pulumi.Output<string>;
     /**
      * A SHA256 digest of the image if it was exported to a registry or
      * elsewhere.
@@ -565,13 +565,13 @@ export class Image extends pulumi.CustomResource {
      * Registry images can be referenced precisely as `<tag>@<digest>`. The
      * `ref` output provides one such reference as a convenience.
      */
-    declare public /*out*/ readonly digest: pulumi.Output<string>;
+    public /*out*/ readonly digest!: pulumi.Output<string>;
     /**
      * Dockerfile settings.
      *
      * Equivalent to Docker's `--file` flag.
      */
-    declare public readonly dockerfile: pulumi.Output<outputs.Dockerfile | undefined>;
+    public readonly dockerfile!: pulumi.Output<outputs.Dockerfile | undefined>;
     /**
      * Use `exec` mode to build this image.
      *
@@ -594,7 +594,7 @@ export class Image extends pulumi.CustomResource {
      * are temporarily written to disk in order to provide them to the
      * `docker-buildx` binary.
      */
-    declare public readonly exec: pulumi.Output<boolean | undefined>;
+    public readonly exec!: pulumi.Output<boolean | undefined>;
     /**
      * Controls where images are persisted after building.
      *
@@ -606,13 +606,13 @@ export class Image extends pulumi.CustomResource {
      *
      * Equivalent to Docker's `--output` flag.
      */
-    declare public readonly exports: pulumi.Output<outputs.Export[] | undefined>;
+    public readonly exports!: pulumi.Output<outputs.Export[] | undefined>;
     /**
      * Attach arbitrary key/value metadata to the image.
      *
      * Equivalent to Docker's `--label` flag.
      */
-    declare public readonly labels: pulumi.Output<{[key: string]: string} | undefined>;
+    public readonly labels!: pulumi.Output<{[key: string]: string} | undefined>;
     /**
      * When `true` the build will automatically include a `docker` export.
      *
@@ -620,7 +620,7 @@ export class Image extends pulumi.CustomResource {
      *
      * Equivalent to Docker's `--load` flag.
      */
-    declare public readonly load: pulumi.Output<boolean | undefined>;
+    public readonly load!: pulumi.Output<boolean | undefined>;
     /**
      * Set the network mode for `RUN` instructions. Defaults to `default`.
      *
@@ -628,25 +628,25 @@ export class Image extends pulumi.CustomResource {
      *
      * Equivalent to Docker's `--network` flag.
      */
-    declare public readonly network: pulumi.Output<enums.NetworkMode | undefined>;
+    public readonly network!: pulumi.Output<enums.NetworkMode | undefined>;
     /**
      * Do not import cache manifests when building the image.
      *
      * Equivalent to Docker's `--no-cache` flag.
      */
-    declare public readonly noCache: pulumi.Output<boolean | undefined>;
+    public readonly noCache!: pulumi.Output<boolean | undefined>;
     /**
      * Set target platform(s) for the build. Defaults to the host's platform.
      *
      * Equivalent to Docker's `--platform` flag.
      */
-    declare public readonly platforms: pulumi.Output<enums.Platform[] | undefined>;
+    public readonly platforms!: pulumi.Output<enums.Platform[] | undefined>;
     /**
      * Always pull referenced images.
      *
      * Equivalent to Docker's `--pull` flag.
      */
-    declare public readonly pull: pulumi.Output<boolean | undefined>;
+    public readonly pull!: pulumi.Output<boolean | undefined>;
     /**
      * When `true` the build will automatically include a `registry` export.
      *
@@ -654,7 +654,7 @@ export class Image extends pulumi.CustomResource {
      *
      * Equivalent to Docker's `--push` flag.
      */
-    declare public readonly push: pulumi.Output<boolean>;
+    public readonly push!: pulumi.Output<boolean>;
     /**
      * If the image was pushed to any registries then this will contain a
      * single fully-qualified tag including the build's digest.
@@ -671,7 +671,7 @@ export class Image extends pulumi.CustomResource {
      * For more control over tags consumed by downstream resources you should
      * use the `digest` output.
      */
-    declare public /*out*/ readonly ref: pulumi.Output<string>;
+    public /*out*/ readonly ref!: pulumi.Output<string>;
     /**
      * Registry credentials. Required if reading or exporting to private
      * repositories.
@@ -681,7 +681,7 @@ export class Image extends pulumi.CustomResource {
      *
      * Similar to `docker login`.
      */
-    declare public readonly registries: pulumi.Output<outputs.Registry[] | undefined>;
+    public readonly registries!: pulumi.Output<outputs.Registry[] | undefined>;
     /**
      * A mapping of secret names to their corresponding values.
      *
@@ -693,13 +693,13 @@ export class Image extends pulumi.CustomResource {
      *
      * Similar to Docker's `--secret` flag.
      */
-    declare public readonly secrets: pulumi.Output<{[key: string]: string} | undefined>;
+    public readonly secrets!: pulumi.Output<{[key: string]: string} | undefined>;
     /**
      * SSH agent socket or keys to expose to the build.
      *
      * Equivalent to Docker's `--ssh` flag.
      */
-    declare public readonly ssh: pulumi.Output<outputs.SSH[] | undefined>;
+    public readonly ssh!: pulumi.Output<outputs.SSH[] | undefined>;
     /**
      * Name and optionally a tag (format: `name:tag`).
      *
@@ -708,7 +708,7 @@ export class Image extends pulumi.CustomResource {
      *
      * Equivalent to Docker's `--tag` flag.
      */
-    declare public readonly tags: pulumi.Output<string[] | undefined>;
+    public readonly tags!: pulumi.Output<string[] | undefined>;
     /**
      * Set the target build stage(s) to build.
      *
@@ -716,7 +716,7 @@ export class Image extends pulumi.CustomResource {
      *
      * Equivalent to Docker's `--target` flag.
      */
-    declare public readonly target: pulumi.Output<string | undefined>;
+    public readonly target!: pulumi.Output<string | undefined>;
 
     /**
      * Create a Image resource with the given unique name, arguments, and options.
@@ -729,31 +729,31 @@ export class Image extends pulumi.CustomResource {
         let resourceInputs: pulumi.Inputs = {};
         opts = opts || {};
         if (!opts.id) {
-            if (args?.push === undefined && !opts.urn) {
+            if ((!args || args.push === undefined) && !opts.urn) {
                 throw new Error("Missing required property 'push'");
             }
-            resourceInputs["addHosts"] = args?.addHosts;
-            resourceInputs["buildArgs"] = args?.buildArgs;
-            resourceInputs["buildOnPreview"] = (args?.buildOnPreview) ?? true;
-            resourceInputs["builder"] = args?.builder;
-            resourceInputs["cacheFrom"] = args?.cacheFrom;
-            resourceInputs["cacheTo"] = args?.cacheTo;
-            resourceInputs["context"] = args?.context;
-            resourceInputs["dockerfile"] = args?.dockerfile;
-            resourceInputs["exec"] = args?.exec;
-            resourceInputs["exports"] = args?.exports;
-            resourceInputs["labels"] = args?.labels;
-            resourceInputs["load"] = args?.load;
-            resourceInputs["network"] = (args?.network) ?? "default";
-            resourceInputs["noCache"] = args?.noCache;
-            resourceInputs["platforms"] = args?.platforms;
-            resourceInputs["pull"] = args?.pull;
-            resourceInputs["push"] = args?.push;
-            resourceInputs["registries"] = args?.registries;
-            resourceInputs["secrets"] = args?.secrets;
-            resourceInputs["ssh"] = args?.ssh;
-            resourceInputs["tags"] = args?.tags;
-            resourceInputs["target"] = args?.target;
+            resourceInputs["addHosts"] = args ? args.addHosts : undefined;
+            resourceInputs["buildArgs"] = args ? args.buildArgs : undefined;
+            resourceInputs["buildOnPreview"] = (args ? args.buildOnPreview : undefined) ?? true;
+            resourceInputs["builder"] = args ? args.builder : undefined;
+            resourceInputs["cacheFrom"] = args ? args.cacheFrom : undefined;
+            resourceInputs["cacheTo"] = args ? args.cacheTo : undefined;
+            resourceInputs["context"] = args ? args.context : undefined;
+            resourceInputs["dockerfile"] = args ? args.dockerfile : undefined;
+            resourceInputs["exec"] = args ? args.exec : undefined;
+            resourceInputs["exports"] = args ? args.exports : undefined;
+            resourceInputs["labels"] = args ? args.labels : undefined;
+            resourceInputs["load"] = args ? args.load : undefined;
+            resourceInputs["network"] = (args ? args.network : undefined) ?? "default";
+            resourceInputs["noCache"] = args ? args.noCache : undefined;
+            resourceInputs["platforms"] = args ? args.platforms : undefined;
+            resourceInputs["pull"] = args ? args.pull : undefined;
+            resourceInputs["push"] = args ? args.push : undefined;
+            resourceInputs["registries"] = args ? args.registries : undefined;
+            resourceInputs["secrets"] = args ? args.secrets : undefined;
+            resourceInputs["ssh"] = args ? args.ssh : undefined;
+            resourceInputs["tags"] = args ? args.tags : undefined;
+            resourceInputs["target"] = args ? args.target : undefined;
             resourceInputs["contextHash"] = undefined /*out*/;
             resourceInputs["digest"] = undefined /*out*/;
             resourceInputs["ref"] = undefined /*out*/;

sdk/nodejs/index_.ts

@@ -113,27 +113,27 @@ export class Index extends pulumi.CustomResource {
      *
      * Defaults to `true`.
      */
-    declare public readonly push: pulumi.Output<boolean | undefined>;
+    public readonly push!: pulumi.Output<boolean | undefined>;
     /**
      * The pushed tag with digest.
      *
      * Identical to the tag if the index was not pushed.
      */
-    declare public /*out*/ readonly ref: pulumi.Output<string>;
+    public /*out*/ readonly ref!: pulumi.Output<string>;
     /**
      * Authentication for the registry where the tagged index will be pushed.
      *
      * Credentials can also be included with the provider's configuration.
      */
-    declare public readonly registry: pulumi.Output<outputs.Registry | undefined>;
+    public readonly registry!: pulumi.Output<outputs.Registry | undefined>;
     /**
      * Existing images to include in the index.
      */
-    declare public readonly sources: pulumi.Output<string[]>;
+    public readonly sources!: pulumi.Output<string[]>;
     /**
      * The tag to apply to the index.
      */
-    declare public readonly tag: pulumi.Output<string>;
+    public readonly tag!: pulumi.Output<string>;
 
     /**
      * Create a Index resource with the given unique name, arguments, and options.
@@ -146,16 +146,16 @@ export class Index extends pulumi.CustomResource {
         let resourceInputs: pulumi.Inputs = {};
         opts = opts || {};
         if (!opts.id) {
-            if (args?.sources === undefined && !opts.urn) {
+            if ((!args || args.sources === undefined) && !opts.urn) {
                 throw new Error("Missing required property 'sources'");
             }
-            if (args?.tag === undefined && !opts.urn) {
+            if ((!args || args.tag === undefined) && !opts.urn) {
                 throw new Error("Missing required property 'tag'");
             }
-            resourceInputs["push"] = (args?.push) ?? true;
-            resourceInputs["registry"] = args?.registry;
-            resourceInputs["sources"] = args?.sources;
-            resourceInputs["tag"] = args?.tag;
+            resourceInputs["push"] = (args ? args.push : undefined) ?? true;
+            resourceInputs["registry"] = args ? args.registry : undefined;
+            resourceInputs["sources"] = args ? args.sources : undefined;
+            resourceInputs["tag"] = args ? args.tag : undefined;
             resourceInputs["ref"] = undefined /*out*/;
         } else {
             resourceInputs["push"] = undefined /*out*/;

sdk/nodejs/provider.ts

@@ -25,7 +25,7 @@ export class Provider extends pulumi.ProviderResource {
     /**
      * The build daemon's address.
      */
-    declare public readonly host: pulumi.Output<string | undefined>;
+    public readonly host!: pulumi.Output<string | undefined>;
 
     /**
      * Create a Provider resource with the given unique name, arguments, and options.
@@ -38,8 +38,8 @@ export class Provider extends pulumi.ProviderResource {
         let resourceInputs: pulumi.Inputs = {};
         opts = opts || {};
         {
-            resourceInputs["host"] = (args?.host) ?? (utilities.getEnv("DOCKER_HOST") || "");
-            resourceInputs["registries"] = pulumi.output(args?.registries).apply(JSON.stringify);
+            resourceInputs["host"] = (args ? args.host : undefined) ?? (utilities.getEnv("DOCKER_HOST") || "");
+            resourceInputs["registries"] = pulumi.output(args ? args.registries : undefined).apply(JSON.stringify);
         }
         opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
         super(Provider.__pulumiType, name, resourceInputs, opts);

sdk/nodejs/tsconfig.json

@@ -1,7 +1,7 @@
 {
     "compilerOptions": {
         "outDir": "bin",
-        "target": "ES2020",
+        "target": "es2016",
         "module": "commonjs",
         "moduleResolution": "node",
         "declaration": true,

sdk/nodejs/types/input.ts

@@ -104,12 +104,6 @@ export interface CacheFromAzureBlobArgs {
     secretAccessKey?: pulumi.Input<string>;
 }
 
-/**
- * Recommended for use with GitHub Actions workflows.
- *
- * An action like `crazy-max/ghaction-github-runtime` is recommended to expose
- * appropriate credentials to your GitHub workflow.
- */
 export interface CacheFromGitHubActionsArgs {
     /**
      * The scope to use for cache keys. Defaults to `buildkit`.
@@ -118,6 +112,23 @@ export interface CacheFromGitHubActionsArgs {
      * workflow, otherwise caches will overwrite each other.
      */
     scope?: pulumi.Input<string>;
+    /**
+     * The GitHub Actions token to use. This is not a personal access tokens
+     * and is typically generated automatically as part of each job.
+     *
+     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     */
+    token?: pulumi.Input<string>;
+    /**
+     * The cache server URL to use for artifacts.
+     *
+     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     */
+    url?: pulumi.Input<string>;
 }
 /**
  * cacheFromGitHubActionsArgsProvideDefaults sets the appropriate defaults for CacheFromGitHubActionsArgs
@@ -126,6 +137,8 @@ export function cacheFromGitHubActionsArgsProvideDefaults(val: CacheFromGitHubAc
     return {
         ...val,
         scope: (val.scope) ?? "buildkit",
+        token: (val.token) ?? (utilities.getEnv("ACTIONS_RUNTIME_TOKEN") || ""),
+        url: (val.url) ?? (utilities.getEnv("ACTIONS_CACHE_URL") || ""),
     };
 }
 
@@ -290,12 +303,6 @@ export function cacheToAzureBlobArgsProvideDefaults(val: CacheToAzureBlobArgs):
     };
 }
 
-/**
- * Recommended for use with GitHub Actions workflows.
- *
- * An action like `crazy-max/ghaction-github-runtime` is recommended to expose
- * appropriate credentials to your GitHub workflow.
- */
 export interface CacheToGitHubActionsArgs {
     /**
      * Ignore errors caused by failed cache exports.
@@ -312,6 +319,23 @@ export interface CacheToGitHubActionsArgs {
      * workflow, otherwise caches will overwrite each other.
      */
     scope?: pulumi.Input<string>;
+    /**
+     * The GitHub Actions token to use. This is not a personal access tokens
+     * and is typically generated automatically as part of each job.
+     *
+     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     */
+    token?: pulumi.Input<string>;
+    /**
+     * The cache server URL to use for artifacts.
+     *
+     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     */
+    url?: pulumi.Input<string>;
 }
 /**
  * cacheToGitHubActionsArgsProvideDefaults sets the appropriate defaults for CacheToGitHubActionsArgs
@@ -322,6 +346,8 @@ export function cacheToGitHubActionsArgsProvideDefaults(val: CacheToGitHubAction
         ignoreError: (val.ignoreError) ?? false,
         mode: (val.mode) ?? "min",
         scope: (val.scope) ?? "buildkit",
+        token: (val.token) ?? (utilities.getEnv("ACTIONS_RUNTIME_TOKEN") || ""),
+        url: (val.url) ?? (utilities.getEnv("ACTIONS_CACHE_URL") || ""),
     };
 }
 

sdk/nodejs/types/output.ts

@@ -104,12 +104,6 @@ export interface CacheFromAzureBlob {
     secretAccessKey?: string;
 }
 
-/**
- * Recommended for use with GitHub Actions workflows.
- *
- * An action like `crazy-max/ghaction-github-runtime` is recommended to expose
- * appropriate credentials to your GitHub workflow.
- */
 export interface CacheFromGitHubActions {
     /**
      * The scope to use for cache keys. Defaults to `buildkit`.
@@ -118,6 +112,23 @@ export interface CacheFromGitHubActions {
      * workflow, otherwise caches will overwrite each other.
      */
     scope?: string;
+    /**
+     * The GitHub Actions token to use. This is not a personal access tokens
+     * and is typically generated automatically as part of each job.
+     *
+     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     */
+    token?: string;
+    /**
+     * The cache server URL to use for artifacts.
+     *
+     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     */
+    url?: string;
 }
 /**
  * cacheFromGitHubActionsProvideDefaults sets the appropriate defaults for CacheFromGitHubActions
@@ -126,6 +137,8 @@ export function cacheFromGitHubActionsProvideDefaults(val: CacheFromGitHubAction
     return {
         ...val,
         scope: (val.scope) ?? "buildkit",
+        token: (val.token) ?? (utilities.getEnv("ACTIONS_RUNTIME_TOKEN") || ""),
+        url: (val.url) ?? (utilities.getEnv("ACTIONS_CACHE_URL") || ""),
     };
 }
 
@@ -290,12 +303,6 @@ export function cacheToAzureBlobProvideDefaults(val: CacheToAzureBlob): CacheToA
     };
 }
 
-/**
- * Recommended for use with GitHub Actions workflows.
- *
- * An action like `crazy-max/ghaction-github-runtime` is recommended to expose
- * appropriate credentials to your GitHub workflow.
- */
 export interface CacheToGitHubActions {
     /**
      * Ignore errors caused by failed cache exports.
@@ -312,6 +319,23 @@ export interface CacheToGitHubActions {
      * workflow, otherwise caches will overwrite each other.
      */
     scope?: string;
+    /**
+     * The GitHub Actions token to use. This is not a personal access tokens
+     * and is typically generated automatically as part of each job.
+     *
+     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     */
+    token?: string;
+    /**
+     * The cache server URL to use for artifacts.
+     *
+     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     */
+    url?: string;
 }
 /**
  * cacheToGitHubActionsProvideDefaults sets the appropriate defaults for CacheToGitHubActions
@@ -322,6 +346,8 @@ export function cacheToGitHubActionsProvideDefaults(val: CacheToGitHubActions):
         ignoreError: (val.ignoreError) ?? false,
         mode: (val.mode) ?? "min",
         scope: (val.scope) ?? "buildkit",
+        token: (val.token) ?? (utilities.getEnv("ACTIONS_RUNTIME_TOKEN") || ""),
+        url: (val.url) ?? (utilities.getEnv("ACTIONS_CACHE_URL") || ""),
     };
 }
 

sdk/nodejs/utilities.ts

@@ -68,7 +68,6 @@ export function lazyLoad(exports: any, props: string[], loadModule: any) {
     }
 }
 
-/** @internal */
 export async function callAsync<T>(
     tok: string,
     props: pulumi.Inputs,

sdk/python/.gitattributes

@@ -1 +0,0 @@
-* linguist-generated

sdk/python/.gitignore

@@ -1,6 +0,0 @@
-*.pyc
-__pycache__
-.mypy_cache
-dist
-build
-*.egg-info

sdk/python/pulumi_docker_build/__init__.py

@@ -2,7 +2,7 @@
 # *** WARNING: this file was generated by pulumi-language-python. ***
 # *** Do not edit by hand unless you're certain you know what you are doing! ***
 
-import builtins as _builtins
+import builtins
 from . import _utilities
 import typing
 # Export this package's modules as members:

sdk/python/pulumi_docker_build/_enums.py

@@ -2,7 +2,7 @@
 # *** WARNING: this file was generated by pulumi-language-python. ***
 # *** Do not edit by hand unless you're certain you know what you are doing! ***
 
-import builtins as _builtins
+import builtins
 import pulumi
 from enum import Enum
 
@@ -15,7 +15,7 @@ __all__ = [
 
 
 @pulumi.type_token("docker-build:index:CacheMode")
-class CacheMode(_builtins.str, Enum):
+class CacheMode(builtins.str, Enum):
     MIN = "min"
     """
     Only layers that are exported into the resulting image are cached.
@@ -27,7 +27,7 @@ class CacheMode(_builtins.str, Enum):
 
 
 @pulumi.type_token("docker-build:index:CompressionType")
-class CompressionType(_builtins.str, Enum):
+class CompressionType(builtins.str, Enum):
     GZIP = "gzip"
     """
     Use `gzip` for compression.
@@ -43,7 +43,7 @@ class CompressionType(_builtins.str, Enum):
 
 
 @pulumi.type_token("docker-build:index:NetworkMode")
-class NetworkMode(_builtins.str, Enum):
+class NetworkMode(builtins.str, Enum):
     DEFAULT = "default"
     """
     The default sandbox network mode.
@@ -59,7 +59,7 @@ class NetworkMode(_builtins.str, Enum):
 
 
 @pulumi.type_token("docker-build:index:Platform")
-class Platform(_builtins.str, Enum):
+class Platform(builtins.str, Enum):
     DARWIN_386 = "darwin/386"
     DARWIN_AMD64 = "darwin/amd64"
     DARWIN_ARM = "darwin/arm"

sdk/python/pulumi_docker_build/config/__init__.py

@@ -2,7 +2,7 @@
 # *** WARNING: this file was generated by pulumi-language-python. ***
 # *** Do not edit by hand unless you're certain you know what you are doing! ***
 
-import builtins as _builtins
+import builtins
 import sys
 from .vars import _ExportableConfig
 

sdk/python/pulumi_docker_build/config/__init__.pyi

@@ -2,7 +2,8 @@
 # *** WARNING: this file was generated by pulumi-language-python. ***
 # *** Do not edit by hand unless you're certain you know what you are doing! ***
 
-import builtins as _builtins
+import builtins
+import copy
 import warnings
 import sys
 import pulumi

sdk/python/pulumi_docker_build/config/vars.py

@@ -2,7 +2,8 @@
 # *** WARNING: this file was generated by pulumi-language-python. ***
 # *** Do not edit by hand unless you're certain you know what you are doing! ***
 
-import builtins as _builtins
+import builtins
+import copy
 import warnings
 import sys
 import pulumi
@@ -21,14 +22,14 @@ __config__ = pulumi.Config('docker-build')
 
 
 class _ExportableConfig(types.ModuleType):
-    @_builtins.property
+    @property
     def host(self) -> str:
         """
         The build daemon's address.
         """
         return __config__.get('host') or (_utilities.get_env('DOCKER_HOST') or '')
 
-    @_builtins.property
+    @property
     def registries(self) -> Optional[str]:
         return __config__.get('registries')
 

sdk/python/pulumi_docker_build/image.py

@@ -2,7 +2,8 @@
 # *** WARNING: this file was generated by pulumi-language-python. ***
 # *** Do not edit by hand unless you're certain you know what you are doing! ***
 
-import builtins as _builtins
+import builtins
+import copy
 import warnings
 import sys
 import pulumi
@@ -22,39 +23,39 @@ __all__ = ['ImageArgs', 'Image']
 @pulumi.input_type
 class ImageArgs:
     def __init__(__self__, *,
-                 push: pulumi.Input[_builtins.bool],
-                 add_hosts: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
-                 build_args: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
-                 build_on_preview: Optional[pulumi.Input[_builtins.bool]] = None,
+                 push: pulumi.Input[builtins.bool],
+                 add_hosts: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 build_args: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]] = None,
+                 build_on_preview: Optional[pulumi.Input[builtins.bool]] = None,
                  builder: Optional[pulumi.Input['BuilderConfigArgs']] = None,
                  cache_from: Optional[pulumi.Input[Sequence[pulumi.Input['CacheFromArgs']]]] = None,
                  cache_to: Optional[pulumi.Input[Sequence[pulumi.Input['CacheToArgs']]]] = None,
                  context: Optional[pulumi.Input['BuildContextArgs']] = None,
                  dockerfile: Optional[pulumi.Input['DockerfileArgs']] = None,
-                 exec_: Optional[pulumi.Input[_builtins.bool]] = None,
+                 exec_: Optional[pulumi.Input[builtins.bool]] = None,
                  exports: Optional[pulumi.Input[Sequence[pulumi.Input['ExportArgs']]]] = None,
-                 labels: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
-                 load: Optional[pulumi.Input[_builtins.bool]] = None,
+                 labels: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]] = None,
+                 load: Optional[pulumi.Input[builtins.bool]] = None,
                  network: Optional[pulumi.Input['NetworkMode']] = None,
-                 no_cache: Optional[pulumi.Input[_builtins.bool]] = None,
+                 no_cache: Optional[pulumi.Input[builtins.bool]] = None,
                  platforms: Optional[pulumi.Input[Sequence[pulumi.Input['Platform']]]] = None,
-                 pull: Optional[pulumi.Input[_builtins.bool]] = None,
+                 pull: Optional[pulumi.Input[builtins.bool]] = None,
                  registries: Optional[pulumi.Input[Sequence[pulumi.Input['RegistryArgs']]]] = None,
-                 secrets: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
+                 secrets: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]] = None,
                  ssh: Optional[pulumi.Input[Sequence[pulumi.Input['SSHArgs']]]] = None,
-                 tags: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
-                 target: Optional[pulumi.Input[_builtins.str]] = None):
+                 tags: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 target: Optional[pulumi.Input[builtins.str]] = None):
         """
         The set of arguments for constructing a Image resource.
-        :param pulumi.Input[_builtins.bool] push: When `true` the build will automatically include a `registry` export.
+        :param pulumi.Input[builtins.bool] push: When `true` the build will automatically include a `registry` export.
                
                Defaults to `false`.
                
                Equivalent to Docker's `--push` flag.
-        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] add_hosts: Custom `host:ip` mappings to use during the build.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] add_hosts: Custom `host:ip` mappings to use during the build.
                
                Equivalent to Docker's `--add-host` flag.
-        :param pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]] build_args: `ARG` names and values to set during the build.
+        :param pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]] build_args: `ARG` names and values to set during the build.
                
                These variables are accessed like environment variables inside `RUN`
                instructions.
@@ -63,7 +64,7 @@ class ImageArgs:
                if these arguments are sensitive.
                
                Equivalent to Docker's `--build-arg` flag.
-        :param pulumi.Input[_builtins.bool] build_on_preview: Setting this to `false` will always skip image builds during previews,
+        :param pulumi.Input[builtins.bool] build_on_preview: Setting this to `false` will always skip image builds during previews,
                and setting it to `true` will always build images during previews.
                
                Images built during previews are never exported to registries, however
@@ -87,7 +88,7 @@ class ImageArgs:
         :param pulumi.Input['DockerfileArgs'] dockerfile: Dockerfile settings.
                
                Equivalent to Docker's `--file` flag.
-        :param pulumi.Input[_builtins.bool] exec_: Use `exec` mode to build this image.
+        :param pulumi.Input[builtins.bool] exec_: Use `exec` mode to build this image.
                
                By default the provider embeds a v25 Docker client with v0.12 buildx
                support. This helps ensure consistent behavior across environments and
@@ -116,10 +117,10 @@ class ImageArgs:
                0.13 or later.
                
                Equivalent to Docker's `--output` flag.
-        :param pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]] labels: Attach arbitrary key/value metadata to the image.
+        :param pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]] labels: Attach arbitrary key/value metadata to the image.
                
                Equivalent to Docker's `--label` flag.
-        :param pulumi.Input[_builtins.bool] load: When `true` the build will automatically include a `docker` export.
+        :param pulumi.Input[builtins.bool] load: When `true` the build will automatically include a `docker` export.
                
                Defaults to `false`.
                
@@ -129,13 +130,13 @@ class ImageArgs:
                For custom networks, configure your builder with `--driver-opt network=...`.
                
                Equivalent to Docker's `--network` flag.
-        :param pulumi.Input[_builtins.bool] no_cache: Do not import cache manifests when building the image.
+        :param pulumi.Input[builtins.bool] no_cache: Do not import cache manifests when building the image.
                
                Equivalent to Docker's `--no-cache` flag.
         :param pulumi.Input[Sequence[pulumi.Input['Platform']]] platforms: Set target platform(s) for the build. Defaults to the host's platform.
                
                Equivalent to Docker's `--platform` flag.
-        :param pulumi.Input[_builtins.bool] pull: Always pull referenced images.
+        :param pulumi.Input[builtins.bool] pull: Always pull referenced images.
                
                Equivalent to Docker's `--pull` flag.
         :param pulumi.Input[Sequence[pulumi.Input['RegistryArgs']]] registries: Registry credentials. Required if reading or exporting to private
@@ -145,7 +146,7 @@ class ImageArgs:
                credentials on the host.
                
                Similar to `docker login`.
-        :param pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]] secrets: A mapping of secret names to their corresponding values.
+        :param pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]] secrets: A mapping of secret names to their corresponding values.
                
                Unlike the Docker CLI, these can be passed by value and do not need to
                exist on-disk or in environment variables.
@@ -157,13 +158,13 @@ class ImageArgs:
         :param pulumi.Input[Sequence[pulumi.Input['SSHArgs']]] ssh: SSH agent socket or keys to expose to the build.
                
                Equivalent to Docker's `--ssh` flag.
-        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] tags: Name and optionally a tag (format: `name:tag`).
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] tags: Name and optionally a tag (format: `name:tag`).
                
                If exporting to a registry, the name should include the fully qualified
                registry address (e.g. `docker.io/pulumi/pulumi:latest`).
                
                Equivalent to Docker's `--tag` flag.
-        :param pulumi.Input[_builtins.str] target: Set the target build stage(s) to build.
+        :param pulumi.Input[builtins.str] target: Set the target build stage(s) to build.
                
                If not specified all targets will be built by default.
                
@@ -217,9 +218,9 @@ class ImageArgs:
         if target is not None:
             pulumi.set(__self__, "target", target)
 
-    @_builtins.property
+    @property
     @pulumi.getter
-    def push(self) -> pulumi.Input[_builtins.bool]:
+    def push(self) -> pulumi.Input[builtins.bool]:
         """
         When `true` the build will automatically include a `registry` export.
 
@@ -230,12 +231,12 @@ class ImageArgs:
         return pulumi.get(self, "push")
 
     @push.setter
-    def push(self, value: pulumi.Input[_builtins.bool]):
+    def push(self, value: pulumi.Input[builtins.bool]):
         pulumi.set(self, "push", value)
 
-    @_builtins.property
+    @property
     @pulumi.getter(name="addHosts")
-    def add_hosts(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
+    def add_hosts(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         Custom `host:ip` mappings to use during the build.
 
@@ -244,12 +245,12 @@ class ImageArgs:
         return pulumi.get(self, "add_hosts")
 
     @add_hosts.setter
-    def add_hosts(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
+    def add_hosts(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "add_hosts", value)
 
-    @_builtins.property
+    @property
     @pulumi.getter(name="buildArgs")
-    def build_args(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]:
+    def build_args(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]]:
         """
         `ARG` names and values to set during the build.
 
@@ -264,12 +265,12 @@ class ImageArgs:
         return pulumi.get(self, "build_args")
 
     @build_args.setter
-    def build_args(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]):
+    def build_args(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "build_args", value)
 
-    @_builtins.property
+    @property
     @pulumi.getter(name="buildOnPreview")
-    def build_on_preview(self) -> Optional[pulumi.Input[_builtins.bool]]:
+    def build_on_preview(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Setting this to `false` will always skip image builds during previews,
         and setting it to `true` will always build images during previews.
@@ -286,10 +287,10 @@ class ImageArgs:
         return pulumi.get(self, "build_on_preview")
 
     @build_on_preview.setter
-    def build_on_preview(self, value: Optional[pulumi.Input[_builtins.bool]]):
+    def build_on_preview(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "build_on_preview", value)
 
-    @_builtins.property
+    @property
     @pulumi.getter
     def builder(self) -> Optional[pulumi.Input['BuilderConfigArgs']]:
         """
@@ -301,7 +302,7 @@ class ImageArgs:
     def builder(self, value: Optional[pulumi.Input['BuilderConfigArgs']]):
         pulumi.set(self, "builder", value)
 
-    @_builtins.property
+    @property
     @pulumi.getter(name="cacheFrom")
     def cache_from(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['CacheFromArgs']]]]:
         """
@@ -315,7 +316,7 @@ class ImageArgs:
     def cache_from(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['CacheFromArgs']]]]):
         pulumi.set(self, "cache_from", value)
 
-    @_builtins.property
+    @property
     @pulumi.getter(name="cacheTo")
     def cache_to(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['CacheToArgs']]]]:
         """
@@ -329,7 +330,7 @@ class ImageArgs:
     def cache_to(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['CacheToArgs']]]]):
         pulumi.set(self, "cache_to", value)
 
-    @_builtins.property
+    @property
     @pulumi.getter
     def context(self) -> Optional[pulumi.Input['BuildContextArgs']]:
         """
@@ -343,7 +344,7 @@ class ImageArgs:
     def context(self, value: Optional[pulumi.Input['BuildContextArgs']]):
         pulumi.set(self, "context", value)
 
-    @_builtins.property
+    @property
     @pulumi.getter
     def dockerfile(self) -> Optional[pulumi.Input['DockerfileArgs']]:
         """
@@ -357,9 +358,9 @@ class ImageArgs:
     def dockerfile(self, value: Optional[pulumi.Input['DockerfileArgs']]):
         pulumi.set(self, "dockerfile", value)
 
-    @_builtins.property
+    @property
     @pulumi.getter(name="exec")
-    def exec_(self) -> Optional[pulumi.Input[_builtins.bool]]:
+    def exec_(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Use `exec` mode to build this image.
 
@@ -385,10 +386,10 @@ class ImageArgs:
         return pulumi.get(self, "exec_")
 
     @exec_.setter
-    def exec_(self, value: Optional[pulumi.Input[_builtins.bool]]):
+    def exec_(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "exec_", value)
 
-    @_builtins.property
+    @property
     @pulumi.getter
     def exports(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['ExportArgs']]]]:
         """
@@ -408,9 +409,9 @@ class ImageArgs:
     def exports(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['ExportArgs']]]]):
         pulumi.set(self, "exports", value)
 
-    @_builtins.property
+    @property
     @pulumi.getter
-    def labels(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]:
+    def labels(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]]:
         """
         Attach arbitrary key/value metadata to the image.
 
@@ -419,12 +420,12 @@ class ImageArgs:
         return pulumi.get(self, "labels")
 
     @labels.setter
-    def labels(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]):
+    def labels(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "labels", value)
 
-    @_builtins.property
+    @property
     @pulumi.getter
-    def load(self) -> Optional[pulumi.Input[_builtins.bool]]:
+    def load(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         When `true` the build will automatically include a `docker` export.
 
@@ -435,10 +436,10 @@ class ImageArgs:
         return pulumi.get(self, "load")
 
     @load.setter
-    def load(self, value: Optional[pulumi.Input[_builtins.bool]]):
+    def load(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "load", value)
 
-    @_builtins.property
+    @property
     @pulumi.getter
     def network(self) -> Optional[pulumi.Input['NetworkMode']]:
         """
@@ -454,9 +455,9 @@ class ImageArgs:
     def network(self, value: Optional[pulumi.Input['NetworkMode']]):
         pulumi.set(self, "network", value)
 
-    @_builtins.property
+    @property
     @pulumi.getter(name="noCache")
-    def no_cache(self) -> Optional[pulumi.Input[_builtins.bool]]:
+    def no_cache(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Do not import cache manifests when building the image.
 
@@ -465,10 +466,10 @@ class ImageArgs:
         return pulumi.get(self, "no_cache")
 
     @no_cache.setter
-    def no_cache(self, value: Optional[pulumi.Input[_builtins.bool]]):
+    def no_cache(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "no_cache", value)
 
-    @_builtins.property
+    @property
     @pulumi.getter
     def platforms(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['Platform']]]]:
         """
@@ -482,9 +483,9 @@ class ImageArgs:
     def platforms(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['Platform']]]]):
         pulumi.set(self, "platforms", value)
 
-    @_builtins.property
+    @property
     @pulumi.getter
-    def pull(self) -> Optional[pulumi.Input[_builtins.bool]]:
+    def pull(self) -> Optional[pulumi.Input[builtins.bool]]:
         """
         Always pull referenced images.
 
@@ -493,10 +494,10 @@ class ImageArgs:
         return pulumi.get(self, "pull")
 
     @pull.setter
-    def pull(self, value: Optional[pulumi.Input[_builtins.bool]]):
+    def pull(self, value: Optional[pulumi.Input[builtins.bool]]):
         pulumi.set(self, "pull", value)
 
-    @_builtins.property
+    @property
     @pulumi.getter
     def registries(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['RegistryArgs']]]]:
         """
@@ -514,9 +515,9 @@ class ImageArgs:
     def registries(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['RegistryArgs']]]]):
         pulumi.set(self, "registries", value)
 
-    @_builtins.property
+    @property
     @pulumi.getter
-    def secrets(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]:
+    def secrets(self) -> Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]]:
         """
         A mapping of secret names to their corresponding values.
 
@@ -531,10 +532,10 @@ class ImageArgs:
         return pulumi.get(self, "secrets")
 
     @secrets.setter
-    def secrets(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]]):
+    def secrets(self, value: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "secrets", value)
 
-    @_builtins.property
+    @property
     @pulumi.getter
     def ssh(self) -> Optional[pulumi.Input[Sequence[pulumi.Input['SSHArgs']]]]:
         """
@@ -548,9 +549,9 @@ class ImageArgs:
     def ssh(self, value: Optional[pulumi.Input[Sequence[pulumi.Input['SSHArgs']]]]):
         pulumi.set(self, "ssh", value)
 
-    @_builtins.property
+    @property
     @pulumi.getter
-    def tags(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]:
+    def tags(self) -> Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]:
         """
         Name and optionally a tag (format: `name:tag`).
 
@@ -562,12 +563,12 @@ class ImageArgs:
         return pulumi.get(self, "tags")
 
     @tags.setter
-    def tags(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]]):
+    def tags(self, value: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]]):
         pulumi.set(self, "tags", value)
 
-    @_builtins.property
+    @property
     @pulumi.getter
-    def target(self) -> Optional[pulumi.Input[_builtins.str]]:
+    def target(self) -> Optional[pulumi.Input[builtins.str]]:
         """
         Set the target build stage(s) to build.
 
@@ -578,7 +579,7 @@ class ImageArgs:
         return pulumi.get(self, "target")
 
     @target.setter
-    def target(self, value: Optional[pulumi.Input[_builtins.str]]):
+    def target(self, value: Optional[pulumi.Input[builtins.str]]):
         pulumi.set(self, "target", value)
 
 
@@ -588,28 +589,28 @@ class Image(pulumi.CustomResource):
     def __init__(__self__,
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
-                 add_hosts: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
-                 build_args: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
-                 build_on_preview: Optional[pulumi.Input[_builtins.bool]] = None,
+                 add_hosts: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 build_args: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]] = None,
+                 build_on_preview: Optional[pulumi.Input[builtins.bool]] = None,
                  builder: Optional[pulumi.Input[Union['BuilderConfigArgs', 'BuilderConfigArgsDict']]] = None,
                  cache_from: Optional[pulumi.Input[Sequence[pulumi.Input[Union['CacheFromArgs', 'CacheFromArgsDict']]]]] = None,
                  cache_to: Optional[pulumi.Input[Sequence[pulumi.Input[Union['CacheToArgs', 'CacheToArgsDict']]]]] = None,
                  context: Optional[pulumi.Input[Union['BuildContextArgs', 'BuildContextArgsDict']]] = None,
                  dockerfile: Optional[pulumi.Input[Union['DockerfileArgs', 'DockerfileArgsDict']]] = None,
-                 exec_: Optional[pulumi.Input[_builtins.bool]] = None,
+                 exec_: Optional[pulumi.Input[builtins.bool]] = None,
                  exports: Optional[pulumi.Input[Sequence[pulumi.Input[Union['ExportArgs', 'ExportArgsDict']]]]] = None,
-                 labels: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
-                 load: Optional[pulumi.Input[_builtins.bool]] = None,
+                 labels: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]] = None,
+                 load: Optional[pulumi.Input[builtins.bool]] = None,
                  network: Optional[pulumi.Input['NetworkMode']] = None,
-                 no_cache: Optional[pulumi.Input[_builtins.bool]] = None,
+                 no_cache: Optional[pulumi.Input[builtins.bool]] = None,
                  platforms: Optional[pulumi.Input[Sequence[pulumi.Input['Platform']]]] = None,
-                 pull: Optional[pulumi.Input[_builtins.bool]] = None,
-                 push: Optional[pulumi.Input[_builtins.bool]] = None,
+                 pull: Optional[pulumi.Input[builtins.bool]] = None,
+                 push: Optional[pulumi.Input[builtins.bool]] = None,
                  registries: Optional[pulumi.Input[Sequence[pulumi.Input[Union['RegistryArgs', 'RegistryArgsDict']]]]] = None,
-                 secrets: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
+                 secrets: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]] = None,
                  ssh: Optional[pulumi.Input[Sequence[pulumi.Input[Union['SSHArgs', 'SSHArgsDict']]]]] = None,
-                 tags: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
-                 target: Optional[pulumi.Input[_builtins.str]] = None,
+                 tags: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 target: Optional[pulumi.Input[builtins.str]] = None,
                  __props__=None):
         """
         A Docker image built using buildx -- Docker's interface to the improved
@@ -920,10 +921,10 @@ class Image(pulumi.CustomResource):
 
         :param str resource_name: The name of the resource.
         :param pulumi.ResourceOptions opts: Options for the resource.
-        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] add_hosts: Custom `host:ip` mappings to use during the build.
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] add_hosts: Custom `host:ip` mappings to use during the build.
                
                Equivalent to Docker's `--add-host` flag.
-        :param pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]] build_args: `ARG` names and values to set during the build.
+        :param pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]] build_args: `ARG` names and values to set during the build.
                
                These variables are accessed like environment variables inside `RUN`
                instructions.
@@ -932,7 +933,7 @@ class Image(pulumi.CustomResource):
                if these arguments are sensitive.
                
                Equivalent to Docker's `--build-arg` flag.
-        :param pulumi.Input[_builtins.bool] build_on_preview: Setting this to `false` will always skip image builds during previews,
+        :param pulumi.Input[builtins.bool] build_on_preview: Setting this to `false` will always skip image builds during previews,
                and setting it to `true` will always build images during previews.
                
                Images built during previews are never exported to registries, however
@@ -956,7 +957,7 @@ class Image(pulumi.CustomResource):
         :param pulumi.Input[Union['DockerfileArgs', 'DockerfileArgsDict']] dockerfile: Dockerfile settings.
                
                Equivalent to Docker's `--file` flag.
-        :param pulumi.Input[_builtins.bool] exec_: Use `exec` mode to build this image.
+        :param pulumi.Input[builtins.bool] exec_: Use `exec` mode to build this image.
                
                By default the provider embeds a v25 Docker client with v0.12 buildx
                support. This helps ensure consistent behavior across environments and
@@ -985,10 +986,10 @@ class Image(pulumi.CustomResource):
                0.13 or later.
                
                Equivalent to Docker's `--output` flag.
-        :param pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]] labels: Attach arbitrary key/value metadata to the image.
+        :param pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]] labels: Attach arbitrary key/value metadata to the image.
                
                Equivalent to Docker's `--label` flag.
-        :param pulumi.Input[_builtins.bool] load: When `true` the build will automatically include a `docker` export.
+        :param pulumi.Input[builtins.bool] load: When `true` the build will automatically include a `docker` export.
                
                Defaults to `false`.
                
@@ -998,16 +999,16 @@ class Image(pulumi.CustomResource):
                For custom networks, configure your builder with `--driver-opt network=...`.
                
                Equivalent to Docker's `--network` flag.
-        :param pulumi.Input[_builtins.bool] no_cache: Do not import cache manifests when building the image.
+        :param pulumi.Input[builtins.bool] no_cache: Do not import cache manifests when building the image.
                
                Equivalent to Docker's `--no-cache` flag.
         :param pulumi.Input[Sequence[pulumi.Input['Platform']]] platforms: Set target platform(s) for the build. Defaults to the host's platform.
                
                Equivalent to Docker's `--platform` flag.
-        :param pulumi.Input[_builtins.bool] pull: Always pull referenced images.
+        :param pulumi.Input[builtins.bool] pull: Always pull referenced images.
                
                Equivalent to Docker's `--pull` flag.
-        :param pulumi.Input[_builtins.bool] push: When `true` the build will automatically include a `registry` export.
+        :param pulumi.Input[builtins.bool] push: When `true` the build will automatically include a `registry` export.
                
                Defaults to `false`.
                
@@ -1019,7 +1020,7 @@ class Image(pulumi.CustomResource):
                credentials on the host.
                
                Similar to `docker login`.
-        :param pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]] secrets: A mapping of secret names to their corresponding values.
+        :param pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]] secrets: A mapping of secret names to their corresponding values.
                
                Unlike the Docker CLI, these can be passed by value and do not need to
                exist on-disk or in environment variables.
@@ -1031,13 +1032,13 @@ class Image(pulumi.CustomResource):
         :param pulumi.Input[Sequence[pulumi.Input[Union['SSHArgs', 'SSHArgsDict']]]] ssh: SSH agent socket or keys to expose to the build.
                
                Equivalent to Docker's `--ssh` flag.
-        :param pulumi.Input[Sequence[pulumi.Input[_builtins.str]]] tags: Name and optionally a tag (format: `name:tag`).
+        :param pulumi.Input[Sequence[pulumi.Input[builtins.str]]] tags: Name and optionally a tag (format: `name:tag`).
                
                If exporting to a registry, the name should include the fully qualified
                registry address (e.g. `docker.io/pulumi/pulumi:latest`).
                
                Equivalent to Docker's `--tag` flag.
-        :param pulumi.Input[_builtins.str] target: Set the target build stage(s) to build.
+        :param pulumi.Input[builtins.str] target: Set the target build stage(s) to build.
                
                If not specified all targets will be built by default.
                
@@ -1371,28 +1372,28 @@ class Image(pulumi.CustomResource):
     def _internal_init(__self__,
                  resource_name: str,
                  opts: Optional[pulumi.ResourceOptions] = None,
-                 add_hosts: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
-                 build_args: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
-                 build_on_preview: Optional[pulumi.Input[_builtins.bool]] = None,
+                 add_hosts: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 build_args: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]] = None,
+                 build_on_preview: Optional[pulumi.Input[builtins.bool]] = None,
                  builder: Optional[pulumi.Input[Union['BuilderConfigArgs', 'BuilderConfigArgsDict']]] = None,
                  cache_from: Optional[pulumi.Input[Sequence[pulumi.Input[Union['CacheFromArgs', 'CacheFromArgsDict']]]]] = None,
                  cache_to: Optional[pulumi.Input[Sequence[pulumi.Input[Union['CacheToArgs', 'CacheToArgsDict']]]]] = None,
                  context: Optional[pulumi.Input[Union['BuildContextArgs', 'BuildContextArgsDict']]] = None,
                  dockerfile: Optional[pulumi.Input[Union['DockerfileArgs', 'DockerfileArgsDict']]] = None,
-                 exec_: Optional[pulumi.Input[_builtins.bool]] = None,
+                 exec_: Optional[pulumi.Input[builtins.bool]] = None,
                  exports: Optional[pulumi.Input[Sequence[pulumi.Input[Union['ExportArgs', 'ExportArgsDict']]]]] = None,
-                 labels: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
-                 load: Optional[pulumi.Input[_builtins.bool]] = None,
+                 labels: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]] = None,
+                 load: Optional[pulumi.Input[builtins.bool]] = None,
                  network: Optional[pulumi.Input['NetworkMode']] = None,
-                 no_cache: Optional[pulumi.Input[_builtins.bool]] = None,
+                 no_cache: Optional[pulumi.Input[builtins.bool]] = None,
                  platforms: Optional[pulumi.Input[Sequence[pulumi.Input['Platform']]]] = None,
-                 pull: Optional[pulumi.Input[_builtins.bool]] = None,
-                 push: Optional[pulumi.Input[_builtins.bool]] = None,
+                 pull: Optional[pulumi.Input[builtins.bool]] = None,
+                 push: Optional[pulumi.Input[builtins.bool]] = None,
                  registries: Optional[pulumi.Input[Sequence[pulumi.Input[Union['RegistryArgs', 'RegistryArgsDict']]]]] = None,
-                 secrets: Optional[pulumi.Input[Mapping[str, pulumi.Input[_builtins.str]]]] = None,
+                 secrets: Optional[pulumi.Input[Mapping[str, pulumi.Input[builtins.str]]]] = None,
                  ssh: Optional[pulumi.Input[Sequence[pulumi.Input[Union['SSHArgs', 'SSHArgsDict']]]]] = None,
-                 tags: Optional[pulumi.Input[Sequence[pulumi.Input[_builtins.str]]]] = None,
-                 target: Optional[pulumi.Input[_builtins.str]] = None,
+                 tags: Optional[pulumi.Input[Sequence[pulumi.Input[builtins.str]]]] = None,
+                 target: Optional[pulumi.Input[builtins.str]] = None,
                  __props__=None):
         opts = pulumi.ResourceOptions.merge(_utilities.get_resource_opts_defaults(), opts)
         if not isinstance(opts, pulumi.ResourceOptions):
@@ -1482,9 +1483,9 @@ class Image(pulumi.CustomResource):
         __props__.__dict__["target"] = None
         return Image(resource_name, opts=opts, __props__=__props__)
 
-    @_builtins.property
+    @property
     @pulumi.getter(name="addHosts")
-    def add_hosts(self) -> pulumi.Output[Optional[Sequence[_builtins.str]]]:
+    def add_hosts(self) -> pulumi.Output[Optional[Sequence[builtins.str]]]:
         """
         Custom `host:ip` mappings to use during the build.
 
@@ -1492,9 +1493,9 @@ class Image(pulumi.CustomResource):
         """
         return pulumi.get(self, "add_hosts")
 
-    @_builtins.property
+    @property
     @pulumi.getter(name="buildArgs")
-    def build_args(self) -> pulumi.Output[Optional[Mapping[str, _builtins.str]]]:
+    def build_args(self) -> pulumi.Output[Optional[Mapping[str, builtins.str]]]:
         """
         `ARG` names and values to set during the build.
 
@@ -1508,9 +1509,9 @@ class Image(pulumi.CustomResource):
         """
         return pulumi.get(self, "build_args")
 
-    @_builtins.property
+    @property
     @pulumi.getter(name="buildOnPreview")
-    def build_on_preview(self) -> pulumi.Output[Optional[_builtins.bool]]:
+    def build_on_preview(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         Setting this to `false` will always skip image builds during previews,
         and setting it to `true` will always build images during previews.
@@ -1526,7 +1527,7 @@ class Image(pulumi.CustomResource):
         """
         return pulumi.get(self, "build_on_preview")
 
-    @_builtins.property
+    @property
     @pulumi.getter
     def builder(self) -> pulumi.Output[Optional['outputs.BuilderConfig']]:
         """
@@ -1534,7 +1535,7 @@ class Image(pulumi.CustomResource):
         """
         return pulumi.get(self, "builder")
 
-    @_builtins.property
+    @property
     @pulumi.getter(name="cacheFrom")
     def cache_from(self) -> pulumi.Output[Optional[Sequence['outputs.CacheFrom']]]:
         """
@@ -1544,7 +1545,7 @@ class Image(pulumi.CustomResource):
         """
         return pulumi.get(self, "cache_from")
 
-    @_builtins.property
+    @property
     @pulumi.getter(name="cacheTo")
     def cache_to(self) -> pulumi.Output[Optional[Sequence['outputs.CacheTo']]]:
         """
@@ -1554,7 +1555,7 @@ class Image(pulumi.CustomResource):
         """
         return pulumi.get(self, "cache_to")
 
-    @_builtins.property
+    @property
     @pulumi.getter
     def context(self) -> pulumi.Output[Optional['outputs.BuildContext']]:
         """
@@ -1564,9 +1565,9 @@ class Image(pulumi.CustomResource):
         """
         return pulumi.get(self, "context")
 
-    @_builtins.property
+    @property
     @pulumi.getter(name="contextHash")
-    def context_hash(self) -> pulumi.Output[_builtins.str]:
+    def context_hash(self) -> pulumi.Output[builtins.str]:
         """
         A preliminary hash of the image's build context.
 
@@ -1574,9 +1575,9 @@ class Image(pulumi.CustomResource):
         """
         return pulumi.get(self, "context_hash")
 
-    @_builtins.property
+    @property
     @pulumi.getter
-    def digest(self) -> pulumi.Output[_builtins.str]:
+    def digest(self) -> pulumi.Output[builtins.str]:
         """
         A SHA256 digest of the image if it was exported to a registry or
         elsewhere.
@@ -1588,7 +1589,7 @@ class Image(pulumi.CustomResource):
         """
         return pulumi.get(self, "digest")
 
-    @_builtins.property
+    @property
     @pulumi.getter
     def dockerfile(self) -> pulumi.Output[Optional['outputs.Dockerfile']]:
         """
@@ -1598,9 +1599,9 @@ class Image(pulumi.CustomResource):
         """
         return pulumi.get(self, "dockerfile")
 
-    @_builtins.property
+    @property
     @pulumi.getter(name="exec")
-    def exec_(self) -> pulumi.Output[Optional[_builtins.bool]]:
+    def exec_(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         Use `exec` mode to build this image.
 
@@ -1625,7 +1626,7 @@ class Image(pulumi.CustomResource):
         """
         return pulumi.get(self, "exec_")
 
-    @_builtins.property
+    @property
     @pulumi.getter
     def exports(self) -> pulumi.Output[Optional[Sequence['outputs.Export']]]:
         """
@@ -1641,9 +1642,9 @@ class Image(pulumi.CustomResource):
         """
         return pulumi.get(self, "exports")
 
-    @_builtins.property
+    @property
     @pulumi.getter
-    def labels(self) -> pulumi.Output[Optional[Mapping[str, _builtins.str]]]:
+    def labels(self) -> pulumi.Output[Optional[Mapping[str, builtins.str]]]:
         """
         Attach arbitrary key/value metadata to the image.
 
@@ -1651,9 +1652,9 @@ class Image(pulumi.CustomResource):
         """
         return pulumi.get(self, "labels")
 
-    @_builtins.property
+    @property
     @pulumi.getter
-    def load(self) -> pulumi.Output[Optional[_builtins.bool]]:
+    def load(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         When `true` the build will automatically include a `docker` export.
 
@@ -1663,7 +1664,7 @@ class Image(pulumi.CustomResource):
         """
         return pulumi.get(self, "load")
 
-    @_builtins.property
+    @property
     @pulumi.getter
     def network(self) -> pulumi.Output[Optional['NetworkMode']]:
         """
@@ -1675,9 +1676,9 @@ class Image(pulumi.CustomResource):
         """
         return pulumi.get(self, "network")
 
-    @_builtins.property
+    @property
     @pulumi.getter(name="noCache")
-    def no_cache(self) -> pulumi.Output[Optional[_builtins.bool]]:
+    def no_cache(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         Do not import cache manifests when building the image.
 
@@ -1685,7 +1686,7 @@ class Image(pulumi.CustomResource):
         """
         return pulumi.get(self, "no_cache")
 
-    @_builtins.property
+    @property
     @pulumi.getter
     def platforms(self) -> pulumi.Output[Optional[Sequence['Platform']]]:
         """
@@ -1695,9 +1696,9 @@ class Image(pulumi.CustomResource):
         """
         return pulumi.get(self, "platforms")
 
-    @_builtins.property
+    @property
     @pulumi.getter
-    def pull(self) -> pulumi.Output[Optional[_builtins.bool]]:
+    def pull(self) -> pulumi.Output[Optional[builtins.bool]]:
         """
         Always pull referenced images.
 
@@ -1705,9 +1706,9 @@ class Image(pulumi.CustomResource):
         """
         return pulumi.get(self, "pull")
 
-    @_builtins.property
+    @property
     @pulumi.getter
-    def push(self) -> pulumi.Output[_builtins.bool]:
+    def push(self) -> pulumi.Output[builtins.bool]:
         """
         When `true` the build will automatically include a `registry` export.
 
@@ -1717,9 +1718,9 @@ class Image(pulumi.CustomResource):
         """
         return pulumi.get(self, "push")
 
-    @_builtins.property
+    @property
     @pulumi.getter
-    def ref(self) -> pulumi.Output[_builtins.str]:
+    def ref(self) -> pulumi.Output[builtins.str]:
         """
         If the image was pushed to any registries then this will contain a
         single fully-qualified tag including the build's digest.
@@ -1738,7 +1739,7 @@ class Image(pulumi.CustomResource):
         """
         return pulumi.get(self, "ref")
 
-    @_builtins.property
+    @property
     @pulumi.getter
     def registries(self) -> pulumi.Output[Optional[Sequence['outputs.Registry']]]:
         """
@@ -1752,9 +1753,9 @@ class Image(pulumi.CustomResource):
         """
         return pulumi.get(self, "registries")
 
-    @_builtins.property
+    @property
     @pulumi.getter
-    def secrets(self) -> pulumi.Output[Optional[Mapping[str, _builtins.str]]]:
+    def secrets(self) -> pulumi.Output[Optional[Mapping[str, builtins.str]]]:
         """
         A mapping of secret names to their corresponding values.
 
@@ -1768,7 +1769,7 @@ class Image(pulumi.CustomResource):
         """
         return pulumi.get(self, "secrets")
 
-    @_builtins.property
+    @property
     @pulumi.getter
     def ssh(self) -> pulumi.Output[Optional[Sequence['outputs.SSH']]]:
         """
@@ -1778,9 +1779,9 @@ class Image(pulumi.CustomResource):
         """
         return pulumi.get(self, "ssh")
 
-    @_builtins.property
+    @property
     @pulumi.getter
-    def tags(self) -> pulumi.Output[Optional[Sequence[_builtins.str]]]:
+    def tags(self) -> pulumi.Output[Optional[Sequence[builtins.str]]]:
         """
         Name and optionally a tag (format: `name:tag`).
 
@@ -1791,9 +1792,9 @@ class Image(pulumi.CustomResource):
         """
         return pulumi.get(self, "tags")
 
-    @_builtins.property
+    @property
     @pulumi.getter
-    def target(self) -> pulumi.Output[Optional[_builtins.str]]:
+    def target(self) -> pulumi.Output[Optional[builtins.str]]:
         """
         Set the target build stage(s) to build.