[internal] Update GitHub Actions workflow files

.ci-mgmt.yaml

@@ -4,17 +4,23 @@ major-version: 0
 providerDefaultBranch: main
 providerVersion: github.com/pulumi/pulumi-docker-build/provider.Version
 aws: true
-modulePath: .
 gcp: true
 sdkModuleDir: sdk/go/dockerbuild
 parallel: 3
-esc:
-  enabled: true
 envOverride:
+  AWS_REGION: us-west-2
+  PULUMI_API: "https://api.pulumi-staging.io"
+  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
+  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
+  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
+  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+  AZURE_LOCATION: westus
+  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
   GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
   GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
   GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
   GOOGLE_PROJECT: pulumi-ci-gcp-provider
-  GOOGLE_PROJECT_NUMBER: "895284651812"
+  GOOGLE_PROJECT_NUMBER: 895284651812
   GOOGLE_REGION: us-central1
   GOOGLE_ZONE: us-central1-a
+  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}

.config/mise.test.toml

@@ -1,4 +0,0 @@
-# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
-
-[tools]
-"aqua:gotestyourself/gotestsum" = "1.12.0"

.config/mise.toml

@@ -1,35 +0,0 @@
-# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
-# You can create your own root-level mise.toml file to override/augment this. See https://mise.jdx.dev/configuration.html
-
-[env]
-_.vfox-pulumi = { module_path = "." } # Sets GO_VERSION_MISE and PULUMI_VERSION_MISE
-PULUMI_HOME = "{{config_root}}/.pulumi"
-
-[tools]
-
-# Runtimes
-go = "{{ env.GO_VERSION_MISE }}"
-node = '20.19.5'
-python = '3.11.8'
-"vfox:version-fox/vfox-dotnet" = "8.0.20" # vfox backend doesn't work on Windows, gives "error converting Lua table to PreInstall (no version returned from vfox plugin)" https://github.com/jdx/mise/discussions/5876 https://github.com/jdx/mise/discussions/5550
-# Corretto version used as Java SE/OpenJDK version no longer offered
-java = 'corretto-11'
-
-# Executable tools
-"github:pulumi/pulumi" = "{{ env.PULUMI_VERSION_MISE }}"
-"github:pulumi/pulumictl" = '0.0.50'
-"github:pulumi/schema-tools" = "0.6.0"
-"go:github.com/pulumi/upgrade-provider" = "main"
-"aqua:gradle/gradle-distributions" = '7.6.6'
-golangci-lint = "2.9.0" # See note about about overrides if you need to customize this.
-"npm:yarn" = "1.22.22"
-
-[settings]
-experimental = true # Required for Go binaries (e.g. pulumictl).
-lockfile = false
-http_retries = 3
-pin = true # `mise use` should pin versions instead of defaulting to latest.
-fetch_remote_versions_cache = "24h" # Mise queries versions even if they're pinned to confirm they exist. Reduce GitHub API calls by doing that less often.
-
-[plugins]
-vfox-pulumi = "https://github.com/pulumi/vfox-pulumi"

.gitattributes

@@ -1,2 +1,2 @@
 sdk/**/* linguist-generated=true
-.github/workflows/*.lock.yml linguist-generated=true merge=ours
+provider/internal/mock*.go linguist-generated=true

.github/ISSUE_TEMPLATE/bug.yaml

@@ -1,69 +0,0 @@
-name: Bug Report
-description: Report something that's not working correctly
-labels: ["kind/bug", "needs-triage"]
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Thanks for taking the time to fill out this bug report! 
-        You can also ask questions on our [Community Slack](https://slack.pulumi.com/).
-  - type: textarea
-    id: what-happened
-    attributes:
-      label: Describe what happened
-      description: Please summarize what happened, including what Pulumi commands you ran, as well as
-        an inline snippet of any relevant error or console output.
-    validations:
-      required: true
-  - type: textarea
-    id: sample-program
-    attributes:
-      label: Sample program
-      description: |
-        <details><summary>Provide a reproducible sample program</summary>
-        If this is a bug you encountered while running a Pulumi command, please provide us with a minimal, 
-        self-contained Pulumi program that reproduces this behavior so that we can investigate on our end. 
-        Without a functional reproduction, we will not be able to prioritize this bug.
-        **Note:** If the program output is more than a few lines, please send us a Gist or a link to a file.
-        </details>
-    validations:
-      required: true
-  - type: textarea
-    id: log-output
-    attributes:
-      label: Log output
-      description: |
-        <details><summary>How to Submit Logs</summary>
-        If this is something that is dependent on your environment, please also provide us with the output of
-        `pulumi up --logtostderr --logflow -v=10` from the root of your project.
-        We may also ask you to supply us with debug output following [these steps](https://www.pulumi.com/docs/using-pulumi/pulumi-packages/debugging-provider-packages/).
-        **Note:** If the log output is more than a few lines, please send us a Gist or a link to a file.
-        </details>
-  - type: textarea
-    id: resources
-    attributes:
-      label: Affected Resource(s)
-      description: Please list the affected Pulumi Resource(s) or Function(s).
-    validations:
-      required: false
-  - type: textarea
-    id: versions
-    attributes:
-      label: Output of `pulumi about`
-      description: Provide the output of `pulumi about` from the root of your project.
-    validations:
-      required: true
-  - type: textarea
-    id: ctx
-    attributes:
-      label: Additional context
-      description: Anything else you would like to add?
-    validations:
-      required: false
-  - type: textarea
-    id: voting
-    attributes:
-      label: Contributing
-      value: |
-        Vote on this issue by adding a 👍 reaction. 
-        To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

.github/ISSUE_TEMPLATE/epic.md

@@ -1,35 +0,0 @@
----
-name: Epic
-about: Tracks a shippable unit of work
-title: '[Epic] {your-title-here}'
-labels: kind/epic
-projects: ['pulumi/32']
-assignees: ''
-type: Epic
----
-
-## Overview
-<!-- Start with a one- to three-sentence summary that should be understandable by any Pulumian or community member, even those without any context on the work. -->
-
-## Key KPIs
-<!-- What KPIs should this Epic will move; what could we measure to observe that this project was successful? -->
-
-## Key Stakeholders
-- Product and Engineering: <!-- Teams and individuals involved in the design and implementation -->
-- Documentation: <!-- Representative from the docs team -->
-- Marketing/Partnerships: <!-- Representative from the Marketing team -->
-- Customers: <!-- [Tracking Issue](add-link-and-uncomment) -->
-
-## Key Deliverables
-<!-- List any discrete chunks of work or milestones that are planned in the epic (eg. subcomponent A, dogfood release, beta, etc.) -->
-
-### References 📔
-
-<!-- Any project that is more than one iteration should have a Project Board using this [template](https://github.com/orgs/pulumi/projects/131).  -->
-- [ ] Project View <!-- [Link](add-link-and-uncomment) -->
-- [ ] PR/FAQ <!-- [Link](add-link-and-uncomment) -->
-- [ ] Design Doc <!-- [Link](add-link-and-uncomment) -->
-- [ ] UX Designs <!-- [Link](add-link-and-uncomment) -->
-- [ ] Decision Log <!-- [Link](add-link-and-uncomment) -->
-
-<!-- Work items should be added to the project board linked above  -->

.github/actions/download-provider/action.yml

@@ -1,19 +0,0 @@
-name: Download Provider Binary
-description: Downloads the provider binary artifact and restores executable permissions
-
-runs:
-  using: "composite"
-  steps:
-    - name: Download provider
-      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-      with:
-        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
-        path: ${{ github.workspace }}/bin
-
-    - name: UnTar provider binaries
-      shell: bash
-      run: tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{ github.workspace}}/bin
-
-    - name: Restore Binary Permissions
-      shell: bash
-      run: find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print -exec chmod +x {} \;

.github/actions/download-sdk/action.yml

@@ -1,20 +0,0 @@
-name: Download SDK
-description: Downloads and extracts SDK artifacts for a specific language
-
-inputs:
-  language:
-    description: 'The SDK language to download (nodejs, python, dotnet, java)'
-    required: true
-
-runs:
-  using: "composite"
-  steps:
-    - name: Download SDK
-      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
-      with:
-        name: ${{ inputs.language }}-sdk.tar.gz
-        path: ${{ github.workspace }}/sdk/
-
-    - name: UnTar SDK folder
-      shell: bash
-      run: tar -zxf ${{ github.workspace }}/sdk/${{ inputs.language }}.tar.gz -C ${{ github.workspace }}/sdk/${{ inputs.language }}

.github/actions/esc-action/action.yaml

@@ -1,12 +0,0 @@
-name: "Load secrets"
-description: |
-  This is a temporary action which assists with our migration to ESC. Instead
-  of surrounding every step that references secrets with an "if ESC" block, we
-  instead modify those steps to consume their secrets from this step's outputs.
-  Then, later, we can replace this action with esc-action to actually load
-  secrets from ESC.
-inputs: {}
-outputs: {}
-runs:
-  using: "node20"
-  main: "index.js"

.github/actions/esc-action/index.js

@@ -1,14 +0,0 @@
-const fs = require("fs");
-
-const file = process.env["GITHUB_OUTPUT"];
-var stream = fs.createWriteStream(file, { flags: "a" });
-
-for (const [name, value] of Object.entries(process.env)) {
-  try {
-    stream.write(`${name}<<EEEOOOFFF\n${value}\nEEEOOOFFF\n`); // << syntax accommodates multiline strings.
-  } catch (err) {
-    console.log(`error: failed to set output for ${name}: ${err.message}`);
-  }
-}
-
-stream.end();

.github/actions/setup-tools/action.yml

@@ -1,41 +0,0 @@
-name: Setup Tools
-description: Installs all tools (Go, Node, Python, .NET, Java, Pulumi, etc.) using mise
-
-inputs:
-  cache:
-    description: Enable caching
-    required: false
-    default: "false"
-  github_token:
-    description: GitHub token
-    required: true
-
-runs:
-  using: "composite"
-  steps:
-    - name: Setup mise
-      uses: jdx/mise-action@8d3b0ba20a9cea7b883d922ea958553c941ab082
-      env:
-        MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
-      with:
-        version: 2026.3.7
-        cache_save: ${{ inputs.cache }}
-        github_token: ${{ inputs.github_token }}
-
-    - name: Setup Go Cache
-      uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
-      with:
-        cache: ${{ inputs.cache }}
-        cache-dependency-path: |
-          provider/*.sum
-          upstream/*.sum
-          sdk/go/*.sum
-          sdk/*.sum
-          *.sum
-
-    - name: Setup Node
-      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
-      with:
-        # we don't set node-version because we install with mise.
-        # this step is needed to setup npm auth
-        registry-url: https://registry.npmjs.org

.github/agents/agentic-workflows.agent.md

@@ -1,177 +0,0 @@
----
-description: GitHub Agentic Workflows (gh-aw) - Create, debug, and upgrade AI-powered workflows with intelligent prompt routing
-disable-model-invocation: true
----
-
-# GitHub Agentic Workflows Agent
-
-This agent helps you work with **GitHub Agentic Workflows (gh-aw)**, a CLI extension for creating AI-powered workflows in natural language using markdown files.
-
-## What This Agent Does
-
-This is a **dispatcher agent** that routes your request to the appropriate specialized prompt based on your task:
-
-- **Creating new workflows**: Routes to `create` prompt
-- **Updating existing workflows**: Routes to `update` prompt
-- **Debugging workflows**: Routes to `debug` prompt  
-- **Upgrading workflows**: Routes to `upgrade-agentic-workflows` prompt
-- **Creating report-generating workflows**: Routes to `report` prompt — consult this whenever the workflow posts status updates, audits, analyses, or any structured output as issues, discussions, or comments
-- **Creating shared components**: Routes to `create-shared-agentic-workflow` prompt
-- **Fixing Dependabot PRs**: Routes to `dependabot` prompt — use this when Dependabot opens PRs that modify generated manifest files (`.github/workflows/package.json`, `.github/workflows/requirements.txt`, `.github/workflows/go.mod`). Never merge those PRs directly; instead update the source `.md` files and rerun `gh aw compile --dependabot` to bundle all fixes
-- **Analyzing test coverage**: Routes to `test-coverage` prompt — consult this whenever the workflow reads, analyzes, or reports on test coverage data from PRs or CI runs
-
-Workflows may optionally include:
-
-- **Project tracking / monitoring** (GitHub Projects updates, status reporting)
-- **Orchestration / coordination** (one workflow assigning agents or dispatching and coordinating other workflows)
-
-## Files This Applies To
-
-- Workflow files: `.github/workflows/*.md` and `.github/workflows/**/*.md`
-- Workflow lock files: `.github/workflows/*.lock.yml`
-- Shared components: `.github/workflows/shared/*.md`
-- Configuration: https://github.com/github/gh-aw/blob/v0.56.2/.github/aw/github-agentic-workflows.md
-
-## Problems This Solves
-
-- **Workflow Creation**: Design secure, validated agentic workflows with proper triggers, tools, and permissions
-- **Workflow Debugging**: Analyze logs, identify missing tools, investigate failures, and fix configuration issues
-- **Version Upgrades**: Migrate workflows to new gh-aw versions, apply codemods, fix breaking changes
-- **Component Design**: Create reusable shared workflow components that wrap MCP servers
-
-## How to Use
-
-When you interact with this agent, it will:
-
-1. **Understand your intent** - Determine what kind of task you're trying to accomplish
-2. **Route to the right prompt** - Load the specialized prompt file for your task
-3. **Execute the task** - Follow the detailed instructions in the loaded prompt
-
-## Available Prompts
-
-### Create New Workflow
-**Load when**: User wants to create a new workflow from scratch, add automation, or design a workflow that doesn't exist yet
-
-**Prompt file**: https://github.com/github/gh-aw/blob/v0.56.2/.github/aw/create-agentic-workflow.md
-
-**Use cases**:
-- "Create a workflow that triages issues"
-- "I need a workflow to label pull requests"
-- "Design a weekly research automation"
-
-### Update Existing Workflow  
-**Load when**: User wants to modify, improve, or refactor an existing workflow
-
-**Prompt file**: https://github.com/github/gh-aw/blob/v0.56.2/.github/aw/update-agentic-workflow.md
-
-**Use cases**:
-- "Add web-fetch tool to the issue-classifier workflow"
-- "Update the PR reviewer to use discussions instead of issues"
-- "Improve the prompt for the weekly-research workflow"
-
-### Debug Workflow  
-**Load when**: User needs to investigate, audit, debug, or understand a workflow, troubleshoot issues, analyze logs, or fix errors
-
-**Prompt file**: https://github.com/github/gh-aw/blob/v0.56.2/.github/aw/debug-agentic-workflow.md
-
-**Use cases**:
-- "Why is this workflow failing?"
-- "Analyze the logs for workflow X"
-- "Investigate missing tool calls in run #12345"
-
-### Upgrade Agentic Workflows
-**Load when**: User wants to upgrade workflows to a new gh-aw version or fix deprecations
-
-**Prompt file**: https://github.com/github/gh-aw/blob/v0.56.2/.github/aw/upgrade-agentic-workflows.md
-
-**Use cases**:
-- "Upgrade all workflows to the latest version"
-- "Fix deprecated fields in workflows"
-- "Apply breaking changes from the new release"
-
-### Create a Report-Generating Workflow
-**Load when**: The workflow being created or updated produces reports — recurring status updates, audit summaries, analyses, or any structured output posted as a GitHub issue, discussion, or comment
-
-**Prompt file**: https://github.com/github/gh-aw/blob/v0.56.2/.github/aw/report.md
-
-**Use cases**:
-- "Create a weekly CI health report"
-- "Post a daily security audit to Discussions"
-- "Add a status update comment to open PRs"
-
-### Create Shared Agentic Workflow
-**Load when**: User wants to create a reusable workflow component or wrap an MCP server
-
-**Prompt file**: https://github.com/github/gh-aw/blob/v0.56.2/.github/aw/create-shared-agentic-workflow.md
-
-**Use cases**:
-- "Create a shared component for Notion integration"
-- "Wrap the Slack MCP server as a reusable component"
-- "Design a shared workflow for database queries"
-
-### Fix Dependabot PRs
-**Load when**: User needs to close or fix open Dependabot PRs that update dependencies in generated manifest files (`.github/workflows/package.json`, `.github/workflows/requirements.txt`, `.github/workflows/go.mod`)
-
-**Prompt file**: https://github.com/github/gh-aw/blob/v0.56.2/.github/aw/dependabot.md
-
-**Use cases**:
-- "Fix the open Dependabot PRs for npm dependencies"
-- "Bundle and close the Dependabot PRs for workflow dependencies"
-- "Update @playwright/test to fix the Dependabot PR"
-
-### Analyze Test Coverage
-**Load when**: The workflow reads, analyzes, or reports test coverage — whether triggered by a PR, a schedule, or a slash command. Always consult this prompt before designing the coverage data strategy.
-
-**Prompt file**: https://github.com/github/gh-aw/blob/v0.56.2/.github/aw/test-coverage.md
-
-**Use cases**:
-- "Create a workflow that comments coverage on PRs"
-- "Analyze coverage trends over time"
-- "Add a coverage gate that blocks PRs below a threshold"
-
-## Instructions
-
-When a user interacts with you:
-
-1. **Identify the task type** from the user's request
-2. **Load the appropriate prompt** from the GitHub repository URLs listed above
-3. **Follow the loaded prompt's instructions** exactly
-4. **If uncertain**, ask clarifying questions to determine the right prompt
-
-## Quick Reference
-
-```bash
-# Initialize repository for agentic workflows
-gh aw init
-
-# Generate the lock file for a workflow
-gh aw compile [workflow-name]
-
-# Debug workflow runs
-gh aw logs [workflow-name]
-gh aw audit <run-id>
-
-# Upgrade workflows
-gh aw fix --write
-gh aw compile --validate
-```
-
-## Key Features of gh-aw
-
-- **Natural Language Workflows**: Write workflows in markdown with YAML frontmatter
-- **AI Engine Support**: Copilot, Claude, Codex, or custom engines
-- **MCP Server Integration**: Connect to Model Context Protocol servers for tools
-- **Safe Outputs**: Structured communication between AI and GitHub API
-- **Strict Mode**: Security-first validation and sandboxing
-- **Shared Components**: Reusable workflow building blocks
-- **Repo Memory**: Persistent git-backed storage for agents
-- **Sandboxed Execution**: All workflows run in the Agent Workflow Firewall (AWF) sandbox, enabling full `bash` and `edit` tools by default
-
-## Important Notes
-
-- Always reference the instructions file at https://github.com/github/gh-aw/blob/v0.56.2/.github/aw/github-agentic-workflows.md for complete documentation
-- Use the MCP tool `agentic-workflows` when running in GitHub Copilot Cloud
-- Workflows must be compiled to `.lock.yml` files before running in GitHub Actions
-- **Bash tools are enabled by default** - Don't restrict bash commands unnecessarily since workflows are sandboxed by the AWF
-- Follow security best practices: minimal permissions, explicit network access, no template injection
-- **Single-file output**: When creating a workflow, produce exactly **one** workflow `.md` file. Do not create separate documentation files (architecture docs, runbooks, usage guides, etc.). If documentation is needed, add a brief `## Usage` section inside the workflow file itself.

.github/aw/actions-lock.json

@@ -1,41 +0,0 @@
-{
-  "entries": {
-    "actions/github-script@v9.0.0": {
-      "repo": "actions/github-script",
-      "version": "v9.0.0",
-      "sha": "3a2844b7e9c422d3c10d287c895573f7108da1b3"
-    },
-    "github/gh-aw-actions/setup@v0.76.1": {
-      "repo": "github/gh-aw-actions/setup",
-      "version": "v0.76.1",
-      "sha": "46d564922b082d0db93244972e8005ea6904ee5f"
-    },
-    "github/gh-aw/actions/setup@v0.76.1": {
-      "repo": "github/gh-aw/actions/setup",
-      "version": "v0.76.1",
-      "sha": "58d1bedbb7200f59c2d224151339e38fd8687d05"
-    }
-  },
-  "containers": {
-    "ghcr.io/github/gh-aw-firewall/agent:0.25.55": {
-      "image": "ghcr.io/github/gh-aw-firewall/agent:0.25.55",
-      "digest": "sha256:138c363411decc9a61a5af9b95e8d64c76648b00add0ba06fc7ba786f0e72731",
-      "pinned_image": "ghcr.io/github/gh-aw-firewall/agent:0.25.55@sha256:138c363411decc9a61a5af9b95e8d64c76648b00add0ba06fc7ba786f0e72731"
-    },
-    "ghcr.io/github/gh-aw-firewall/api-proxy:0.25.55": {
-      "image": "ghcr.io/github/gh-aw-firewall/api-proxy:0.25.55",
-      "digest": "sha256:4142b873b678cd3279b98dcbe464857d56ea2f2348719b00379cdf35dd843ff3",
-      "pinned_image": "ghcr.io/github/gh-aw-firewall/api-proxy:0.25.55@sha256:4142b873b678cd3279b98dcbe464857d56ea2f2348719b00379cdf35dd843ff3"
-    },
-    "ghcr.io/github/gh-aw-firewall/squid:0.25.55": {
-      "image": "ghcr.io/github/gh-aw-firewall/squid:0.25.55",
-      "digest": "sha256:74084b704d8d3664a363655986664d70bd9cdb4830532d0b35cd784d867aabca",
-      "pinned_image": "ghcr.io/github/gh-aw-firewall/squid:0.25.55@sha256:74084b704d8d3664a363655986664d70bd9cdb4830532d0b35cd784d867aabca"
-    },
-    "ghcr.io/github/gh-aw-mcpg:v0.3.19": {
-      "image": "ghcr.io/github/gh-aw-mcpg:v0.3.19",
-      "digest": "sha256:a6c890d7c24d7190c9ef97b9c954cc4cffaae6b01c371ced1f959f1370b1f68f",
-      "pinned_image": "ghcr.io/github/gh-aw-mcpg:v0.3.19@sha256:a6c890d7c24d7190c9ef97b9c954cc4cffaae6b01c371ced1f959f1370b1f68f"
-    }
-  }
-}

.github/workflows/build.yml

@@ -1,6 +1,6 @@
 # WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
 
-name: main # For consistency with bridged providers.
+name: build
 on:
   push:
     branches:
@@ -15,13 +15,43 @@ on:
     - "**"
   workflow_dispatch: {}
 env:
+  AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
+  AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
+  AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
+  AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
+  SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' &&
+    secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID
+    == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
+  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
   PROVIDER: docker-build
+  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
+  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
+  PYPI_USERNAME: __token__
+  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
   TRAVIS_OS_NAME: linux
-  GOVERSION: "1.21.x"
-  NODEVERSION: "20.x"
-  PYTHONVERSION: "3.11.8"
-  DOTNETVERSION: "8.0.x"
+  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
+  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
+  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
+  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
+  GOVERSION: 1.21.x
+  NODEVERSION: 20.x
+  PYTHONVERSION: "3.11"
+  DOTNETVERSION: 8.0.x
   JAVAVERSION: "11"
+  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
+  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
+  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
+  AWS_REGION: us-west-2
+  AZURE_LOCATION: westus
+  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
+  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
   GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
   GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
   GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -30,52 +60,34 @@ env:
   GOOGLE_REGION: us-central1
   GOOGLE_ZONE: us-central1-a
   PULUMI_API: https://api.pulumi-staging.io
-  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
-  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
-  TF_APPEND_USER_AGENT: pulumi
-
 jobs:
   prerequisites:
     runs-on: ubuntu-latest
     name: prerequisites
-    permissions:
-      id-token: write # For ESC secrets.
-      pull-requests: write # For schema check comment.
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        cache: 'true'
-        github_token: ${{ secrets.GITHUB_TOKEN }}
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
     - if: github.event_name == 'pull_request'
       name: Install Schema Tools
-      uses: jaxxstorm/action-install-gh-release@25e24d2d23ae098373794ef1d6faecb48ee52da8 # v3.0.0
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
       with:
         repo: pulumi/schema-tools
     - name: Build codegen binaries
@@ -85,15 +97,13 @@ jobs:
     - if: github.event_name == 'pull_request'
       name: Check Schema is Valid
       run: >-
-        {
-          echo 'SCHEMA_CHANGES<<EOF';
+        echo 'SCHEMA_CHANGES<<EOF' >> $GITHUB_ENV
 
-          schema-tools compare -p ${{ env.PROVIDER }} -o ${{ github.event.repository.default_branch }} -n --local-path=provider/cmd/pulumi-resource-${{ env.PROVIDER }}/schema.json;
+        schema-tools compare -p ${{ env.PROVIDER }} -o ${{ github.event.repository.default_branch }} -n --local-path=provider/cmd/pulumi-resource-${{ env.PROVIDER }}/schema.json >> $GITHUB_ENV
 
-          echo 'EOF';
-        } >> "$GITHUB_ENV"
+        echo 'EOF' >> $GITHUB_ENV
       env:
-        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
+        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
     - if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
       name: Comment on PR with Details of Schema Check
       uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
@@ -118,39 +128,74 @@ jobs:
       with:
         allowed-changes: |-
           sdk/**/pulumi-plugin.json
-          sdk/dotnet/*.*.csproj
-          sdk/dotnet/version.txt
+          sdk/dotnet/Pulumi.*.csproj
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
-          sdk/java/build.gradle
+    - name: Commit ${{ matrix.language }} SDK changes for Renovate
+      if: failure() && steps.worktreeClean.outcome == 'failure' &&
+        contains(github.actor, 'renovate') && github.event_name ==
+        'pull_request'
+      shell: bash
+      run: >
+        git diff --quiet -- sdk && echo "no changes to sdk" && exit
+
+        git config --global user.email "bot@pulumi.com"
+
+        git config --global user.name "pulumi-bot"
+
+        # Stash local changes and check out the PR's branch directly.
+
+        git stash
+
+        git fetch
+
+        git checkout "origin/$HEAD_REF"
+
+
+        # Apply and add our changes, but don't commit any files we expect to
+
+        # always change due to versioning.
+
+        git stash pop
+
+        git add sdk
+
+        git reset     sdk/python/*/pulumi-plugin.json     sdk/python/pyproject.toml     sdk/dotnet/pulumi-plugin.json     sdk/dotnet/Pulumi.*.csproj     sdk/go/*/pulumi-plugin.json     sdk/go/*/internal/pulumiUtilities.go     sdk/nodejs/package.json
+
+        git commit -m 'Commit ${{ matrix.language }} SDK for Renovate'
+
+
+        # Push with pulumi-bot credentials to trigger a re-run of the
+
+        # workflow. https://github.com/orgs/community/discussions/25702
+
+        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+      env:
+        HEAD_REF: ${{ github.head_ref }}
     - run: git status --porcelain
     - name: Tar provider binaries
       run: tar -zcf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
         github.workspace}}/bin/ pulumi-resource-${{ env.PROVIDER }}
         pulumi-gen-${{ env.PROVIDER}}
     - name: Upload artifacts
-      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
         path: ${{ github.workspace }}/bin/provider.tar.gz
     - name: Test Provider Library
       run: make test_provider
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: Upload coverage reports to Codecov
-      uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
+      uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2
       env:
-        CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
+        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure in building provider prerequisites
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   build_sdks:
     needs: prerequisites
     runs-on: pulumi-ubuntu-8core
@@ -164,42 +209,61 @@ jobs:
         - go
         - java
     name: build_sdks
-    permissions:
-      pull-requests: write # For Renovate SDK updates.
-      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
-    - name: Download Provider Binary
-      uses: ./.github/actions/download-provider
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Setup Node
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      with:
+        node-version: ${{ env.NODEVERSION }}
+        registry-url: https://registry.npmjs.org
+    - name: Setup DotNet
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      with:
+        dotnet-version: ${{ env.DOTNETVERSION }}
+    - name: Setup Python
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      with:
+        python-version: ${{ env.PYTHONVERSION }}
+    - name: Setup Java
+      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+      with:
+        java-version: ${{ env.JAVAVERSION }}
+        distribution: temurin
+        cache: gradle
+    - name: Setup Gradle
+      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
+      with:
+        gradle-version: "7.6"
+    - name: Download provider
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      with:
+        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
+        path: ${{ github.workspace }}/bin
+    - name: UnTar provider binaries
+      run: tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
+        github.workspace}}/bin
+    - name: Restore Binary Permissions
+      run: find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print
+        -exec chmod +x {} \;
     - name: Generate SDK
       run: make generate_${{ matrix.language }}
     - name: Build SDK
@@ -210,65 +274,67 @@ jobs:
       with:
         allowed-changes: |-
           sdk/**/pulumi-plugin.json
-          sdk/dotnet/*.*.csproj
-          sdk/dotnet/version.txt
+          sdk/dotnet/Pulumi.*.csproj
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
-          sdk/java/build.gradle
+    - name: Commit ${{ matrix.language }} SDK changes for Renovate
+      if: failure() && steps.worktreeClean.outcome == 'failure' &&
+        contains(github.actor, 'renovate') && github.event_name ==
+        'pull_request'
+      shell: bash
+      run: >
+        git diff --quiet -- sdk && echo "no changes to sdk" && exit
+
+        git config --global user.email "bot@pulumi.com"
+
+        git config --global user.name "pulumi-bot"
+
+        # Stash local changes and check out the PR's branch directly.
+
+        git stash
+
+        git fetch
+
+        git checkout "origin/$HEAD_REF"
+
+
+        # Apply and add our changes, but don't commit any files we expect to
+
+        # always change due to versioning.
+
+        git stash pop
+
+        git add sdk
+
+        git reset     sdk/python/*/pulumi-plugin.json     sdk/python/pyproject.toml     sdk/dotnet/pulumi-plugin.json     sdk/dotnet/Pulumi.*.csproj     sdk/go/*/pulumi-plugin.json     sdk/go/*/internal/pulumiUtilities.go     sdk/nodejs/package.json
+
+        git commit -m 'Commit ${{ matrix.language }} SDK for Renovate'
+
+
+        # Push with pulumi-bot credentials to trigger a re-run of the
+
+        # workflow. https://github.com/orgs/community/discussions/25702
+
+        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+      env:
+        HEAD_REF: ${{ github.head_ref }}
     - run: git status --porcelain
     - name: Tar SDK folder
       run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} .
     - name: Upload artifacts
-      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: ${{ matrix.language  }}-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/${{ matrix.language }}.tar.gz
         retention-days: 30
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure while building SDKs
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
-
-  tag_release_if_labeled_needs_release:
-    name: Tag release if labeled as needs-release
-    needs: publish
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write # For ESC secrets.
-    steps:
-    - name: Checkout Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - name: check if this commit needs release
-      if: ${{ env.RELEASE_BOT_ENDPOINT != '' }}
-      uses: pulumi/action-release-by-pr-label@main
-      with:
-        command: "release-if-needed"
-        repo: ${{ github.repository }}
-        commit: ${{ github.sha }}
-        slack_channel: C02MGR8JVST
-      env:
-        RELEASE_BOT_ENDPOINT: ${{ steps.esc-secrets.outputs.RELEASE_BOT_ENDPOINT }}
-        RELEASE_BOT_KEY: ${{ steps.esc-secrets.outputs.RELEASE_BOT_KEY }}
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
   test:
     runs-on: pulumi-ubuntu-8core
     needs:
@@ -286,47 +352,74 @@ jobs:
     name: test
     permissions:
       contents: read
-      id-token: write # For ESC secrets and Pulumi access token OIDC.
+      id-token: write
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
-    - name: Download Provider Binary
-      uses: ./.github/actions/download-provider
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Setup Node
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      with:
+        node-version: ${{ env.NODEVERSION }}
+        registry-url: https://registry.npmjs.org
+    - name: Setup DotNet
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      with:
+        dotnet-version: ${{ env.DOTNETVERSION }}
+    - name: Setup Python
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      with:
+        python-version: ${{ env.PYTHONVERSION }}
+    - name: Setup Java
+      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+      with:
+        java-version: ${{ env.JAVAVERSION }}
+        distribution: temurin
+        cache: gradle
+    - name: Setup Gradle
+      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
+      with:
+        gradle-version: "7.6"
+    - name: Download provider
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      with:
+        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
+        path: ${{ github.workspace }}/bin
+    - name: UnTar provider binaries
+      run: tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
+        github.workspace}}/bin
+    - name: Restore Binary Permissions
+      run: find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print
+        -exec chmod +x {} \;
     - name: Download SDK
       if: ${{ matrix.language != 'yaml' }}
-      uses: ./.github/actions/download-sdk
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
-        language: ${{ matrix.language }}
+        name: ${{ matrix.language }}-sdk.tar.gz
+        path: ${{ github.workspace}}/sdk/
+    - name: UnTar SDK folder
+      if: ${{ matrix.language != 'yaml' }}
+      run: tar -zxf ${{ github.workspace}}/sdk/${{ matrix.language}}.tar.gz -C ${{
+        github.workspace}}/sdk/${{ matrix.language}}
     - name: Update path
-      run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
+      run: echo "${{ github.workspace }}/bin" >> $GITHUB_PATH
     - name: Install Node dependencies
       run: yarn global add typescript
     - run: dotnet nuget add source ${{ github.workspace }}/nuget
@@ -339,19 +432,19 @@ jobs:
       run: make install_${{ matrix.language}}_sdk
     - name: Generate Pulumi Access Token
       id: generate_pulumi_token
-      uses: pulumi/auth-actions@141415910c3beb54e03b48e9057c204c97b956f2 # v2.1.0
+      uses: pulumi/auth-actions@1c89817aab0c66407723cdef72b05266e7376640 # v1.0.1
       with:
         organization: pulumi
         requested-token-type: urn:pulumi:token-type:access_token:organization
         export-environment-variables: false
     - name: Export AWS Credentials
-      uses: pulumi/esc-action@f3cfbabf37488463817366338165b92b5f99117e
+      uses: pulumi/esc-action@41fd832f44f4820124b5350b5f84a00f741f234e # v1.3.0
       env:
         PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
       with:
         environment: logins/pulumi-ci
     - name: Authenticate to Google Cloud
-      uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
+      uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8
       with:
         workload_identity_provider: projects/${{ env.GOOGLE_PROJECT_NUMBER
           }}/locations/global/workloadIdentityPools/${{
@@ -359,7 +452,7 @@ jobs:
           env.GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER }}
         service_account: ${{ env.GOOGLE_CI_SERVICE_ACCOUNT_EMAIL }}
     - name: Setup gcloud auth
-      uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
+      uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
       with:
         install_components: gke-gcloud-auth-plugin
     - name: Install gotestfmt
@@ -372,55 +465,32 @@ jobs:
         set -euo pipefail
 
         cd examples && go test -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 .
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure in SDK tests
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   publish:
     runs-on: ubuntu-latest
     needs: test
     name: publish
-    permissions:
-      contents: read
-      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
     - name: Clear GitHub Actions Ubuntu runner disk space
       uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
       with:
@@ -430,86 +500,82 @@ jobs:
         haskell: true
         swap-storage: true
         large-packages: false
-    - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
       with:
-        aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }}
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Configure AWS Credentials
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      with:
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
         aws-region: us-east-2
-        aws-secret-access-key: ${{ steps.esc-secrets.outputs.AWS_SECRET_ACCESS_KEY }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
         role-duration-seconds: 7200
         role-session-name: ${{ env.PROVIDER }}@githubActions
         role-external-id: upload-pulumi-release
-        role-to-assume: ${{ steps.esc-secrets.outputs.AWS_UPLOAD_ROLE_ARN }}
+        role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
     - name: Run GoReleaser
       uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
       env:
         GORELEASER_CURRENT_TAG: v${{ steps.version.outputs.version }}
-        AZURE_SIGNING_CLIENT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID }}
-        AZURE_SIGNING_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET }}
-        AZURE_SIGNING_TENANT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID }}
-        AZURE_SIGNING_ACCOUNT_ENDPOINT: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_ENDPOINT }}
-        AZURE_SIGNING_ACCOUNT_NAME: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_NAME }}
-        AZURE_SIGNING_CERT_PROFILE_NAME: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CERT_PROFILE_NAME }}
-        SKIP_SIGNING: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET == '' && steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_ENDPOINT == '' && steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_NAME == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CERT_PROFILE_NAME == '' }}
-        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
       with:
         args: -p 3 -f .goreleaser.prerelease.yml --clean --skip=validate --timeout 60m0s
         version: latest
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure in publishing binaries
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   publish_sdk:
     runs-on: ubuntu-latest
     needs: publish
     name: publish_sdk
-    permissions:
-      contents: read
-      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: Checkout Scripts Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         path: ci-scripts
         repository: pulumi/scripts
     - run: echo "ci-scripts" >> .git/info/exclude
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Setup Node
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      with:
+        node-version: ${{ env.NODEVERSION }}
+        registry-url: https://registry.npmjs.org
+    - name: Setup DotNet
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      with:
+        dotnet-version: ${{ env.DOTNETVERSION }}
+    - name: Setup Python
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      with:
+        python-version: ${{ env.PYTHONVERSION }}
     - name: Download python SDK
-      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: python-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -517,7 +583,7 @@ jobs:
       run: tar -zxf ${{github.workspace}}/sdk/python.tar.gz -C
         ${{github.workspace}}/sdk/python
     - name: Download dotnet SDK
-      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: dotnet-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -525,7 +591,7 @@ jobs:
       run: tar -zxf ${{github.workspace}}/sdk/dotnet.tar.gz -C
         ${{github.workspace}}/sdk/dotnet
     - name: Download nodejs SDK
-      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: nodejs-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -537,26 +603,38 @@ jobs:
     - name: Publish SDKs
       run: ./ci-scripts/ci/publish-tfgen-package ${{ github.workspace }}
       env:
-        NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }}
-        NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }}
+        NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         PYPI_PUBLISH_ARTIFACTS: all
-        PYPI_USERNAME: __token__
-        PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }}
-        SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }}
-        SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }}
-        SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }}
-        PUBLISH_REPO_USERNAME: ${{ steps.esc-secrets.outputs.OSSRH_USERNAME }}
-        PUBLISH_REPO_PASSWORD: ${{ steps.esc-secrets.outputs.OSSRH_PASSWORD }}
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure in publishing SDK
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   lint:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        lfs: true
+        persist-credentials: false
+        ref: ${{ env.PR_COMMIT_SHA }}
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+      with:
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Disarm go:embed directives to enable linters that compile source code
+      run: git grep -l 'go:embed' -- provider | xargs --no-run-if-empty sed -i
+        's/go:embed/ goembed/g'
+    - name: golangci-lint provider pkg
+      uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6.5.2
+      with:
+        version: ${{ env.GOLANGCI_LINT_VERSION }}
+        args: -c ../.golangci.yml
+        working-directory: provider
     name: lint
-    uses: ./.github/workflows/lint.yml
-    secrets: inherit
+    if: github.event_name == 'repository_dispatch' ||
+      github.event.pull_request.head.repo.full_name == github.repository

.github/workflows/claude.yml

@@ -1,139 +0,0 @@
-name: Claude Code
-
-on:
-  # Responds to @claude mentions in comments.
-  issue_comment:
-    types: [created]
-  pull_request_review_comment:
-    types: [created]
-  issues:
-    types: [opened]
-  pull_request_review:
-    types: [submitted]
-
-jobs:
-  claude:
-    # Only run when @claude is mentioned by a trusted user (OWNER, MEMBER, or COLLABORATOR)
-    # Note: the claude-code-action can only be triggered by users with write access to the repository so this is extra
-    # see https://github.com/anthropics/claude-code-action/blob/main/docs/security.md
-    if: |
-      (github.event_name == 'issue_comment' &&
-        contains(github.event.comment.body, '@claude') &&
-        contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)) ||
-      (github.event_name == 'pull_request_review_comment' &&
-        contains(github.event.comment.body, '@claude') &&
-        contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)) ||
-      (github.event_name == 'pull_request_review' &&
-        contains(github.event.review.body, '@claude') &&
-        contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.review.author_association)) ||
-      (github.event_name == 'issues' &&
-        (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) &&
-        contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.issue.author_association))
-    runs-on: ubuntu-latest
-    permissions:
-      contents: write
-      pull-requests: write
-      issues: write
-      id-token: write
-      actions: read
-    steps:
-      - env:
-          ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-          ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-          ESC_ACTION_OIDC_AUTH: "true"
-          ESC_ACTION_OIDC_ORGANIZATION: pulumi
-          ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-        id: esc-secrets
-        name: Fetch secrets from ESC
-        uses: pulumi/esc-action@f3cfbabf37488463817366338165b92b5f99117e
-      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
-        with:
-          fetch-depth: 0
-      - name: Checkout PR head (if applicable)
-        if: ${{ github.event.pull_request.number || (github.event.issue.pull_request && github.event.issue.number) }}
-        env:
-          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
-        run: gh pr checkout "$PR_NUMBER"
-      - name: Setup mise
-        uses: jdx/mise-action@8d3b0ba20a9cea7b883d922ea958553c941ab082
-        env:
-          MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
-        with:
-          version: 2026.3.7
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          # only saving the cache in the prerequisites job
-          cache_save: false
-      - name: Set git identity
-        run: |-
-          git config --global user.name "claude[bot]"
-          git config --global user.email "bot@pulumi.com"
-        shell: bash
-      - name: Prepare local workspace
-        # this runs install_plugins and upstream
-        run: make prepare_local_workspace
-      - name: Run Claude Code Review
-        # Comment must contain '@claude review'
-        if: |
-          (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude review')) ||
-          (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude review')) ||
-          (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude review'))
-        id: claude-review
-        uses: anthropics/claude-code-action@787c5a0ce96a9a6cfb050ea0c8f4c05f2447c251 # v1
-        with:
-          anthropic_api_key: ${{ steps.esc-secrets.outputs.ANTHROPIC_API_KEY }}
-          prompt: |
-            REPO: ${{ github.repository }}
-            PR NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
-
-            Review this pull request using the provider-code-review skill for guidelines.
-            The PR branch is already checked out in the current working directory.
-
-            Use `gh pr comment` for top-level feedback.
-            Use `mcp__github_inline_comment__create_inline_comment` to highlight specific code issues.
-            Only post GitHub comments - don't submit review text as messages.
-          # Taken from https://github.com/anthropics/claude-code/blob/main/plugins/code-review/commands/code-review.md
-          claude_args: |
-            --allowedTools "Skill,Bash(gh issue view *),Bash(gh search *),Bash(gh issue list *),Bash(gh pr comment *),Bash(gh pr diff *),Bash(gh pr view *),Bash(gh pr list *),mcp__github_inline_comment__create_inline_comment"
-      - name: Run Claude Code
-        # Comment must contain '@claude', but not '@claude review'
-        if: |
-          !contains(github.event.comment.body, '@claude review') &&
-          !contains(github.event.review.body, '@claude review')
-        id: claude-action
-        uses: anthropics/claude-code-action@787c5a0ce96a9a6cfb050ea0c8f4c05f2447c251 # v1
-        with:
-          anthropic_api_key: ${{ steps.esc-secrets.outputs.ANTHROPIC_API_KEY }}
-          # This allows claude to read github action logs
-          additional_permissions: |
-            actions: read
-          # Sandbox settings: --allowedTools controls which tools Claude can invoke,
-          # but the sandbox also enforces OS-level filesystem restrictions. Edit()
-          # rules in permissions.allow control all bash filesystem writes (mkdir,
-          # output redirection, etc.), not just the Edit tool. Without these, commands
-          # like `mkdir .pulumi` or `cmd > file.txt` would be blocked by the sandbox.
-          settings: |
-            {
-              "permissions": {
-                "allow": ["Edit(./**)", "Edit(/tmp/**)"]
-              }
-            }
-          claude_args: |
-            --max-turns 50
-            --allowedTools "Skill,Edit,MultiEdit,Write,Read,Glob,Grep,LS,Bash(upgrade-provider *),Bash(./scripts/upstream.sh *),Bash(git *),Bash(GIT_EDITOR=* git *),Bash(make *),Bash(gh *),Bash(mkdir *),Bash(go mod tidy *),Bash(ls *),Bash(test *),Bash(cat *),Bash(pwd),Bash(head *),Bash(tail *),Bash(tee *),Bash(rg *),Bash(grep *),Bash(sed *),Bash(awk *),Bash(find *)"
-        # If the claude action fails you don't get any logs on what claude was doing
-        # Uploading the artifact allows you to download the artifact from the UI
-      - name: Upload Claude review output on failure
-        if: failure() && steps.claude-review.outputs.execution_file
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
-        with:
-          name: claude-review-execution-log
-          path: ${{ steps.claude-review.outputs.execution_file }}
-          retention-days: 7
-      - name: Upload Claude output on failure
-        if: failure() && steps.claude-action.outputs.execution_file
-        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
-        with:
-          name: claude-execution-log
-          path: ${{ steps.claude-action.outputs.execution_file }}
-          retention-days: 7

.github/workflows/command-dispatch.yml

@@ -1,6 +1,42 @@
-# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
+# WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
 
+name: command-dispatch
+on:
+  issue_comment:
+    types:
+    - created
+    - edited
 env:
+  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+  PROVIDER: docker-build
+  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
+  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
+  PYPI_USERNAME: __token__
+  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+  TRAVIS_OS_NAME: linux
+  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
+  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
+  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
+  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
+  GOVERSION: 1.21.x
+  NODEVERSION: 20.x
+  PYTHONVERSION: "3.11"
+  DOTNETVERSION: 8.0.x
+  JAVAVERSION: "11"
+  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
+  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
+  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
+  AWS_REGION: us-west-2
+  AZURE_LOCATION: westus
+  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
+  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
   GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
   GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
   GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -9,45 +45,21 @@ env:
   GOOGLE_REGION: us-central1
   GOOGLE_ZONE: us-central1-a
   PULUMI_API: https://api.pulumi-staging.io
-  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
-  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
-  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
-  TF_APPEND_USER_AGENT: pulumi
-
 jobs:
   command-dispatch-for-testing:
-    name: command-dispatch-for-testing
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      id-token: write # For ESC secrets.
+    name: command-dispatch-for-testing
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        persist-credentials: false    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: peter-evans/slash-command-dispatch@5c11dc7efead556e3bdabf664302212f79eb26fa # v5
+        lfs: true
+    - uses: peter-evans/slash-command-dispatch@13bc09769d122a64f75aa5037256f6f2d78be8c4 # v4.0.0
       with:
-        commands: |
-          run-acceptance-tests
-          release
-        issue-type: pull-request
-        permission: write
+        token: ${{ secrets.PULUMI_BOT_TOKEN }}
         reaction-token: ${{ secrets.GITHUB_TOKEN }}
+        commands: run-acceptance-tests
+        permission: write
+        issue-type: pull-request
         repository: pulumi/pulumi-docker-build
-        token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
-name: command-dispatch
-on:
-  issue_comment:
-    types:
-    - created
-    - edited
+    if: ${{ github.event.issue.pull_request }}

.github/workflows/comment-on-stale-issues.yml

@@ -1,44 +0,0 @@
-# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
-name: "Comment on stale issues"
-
-on:
-  workflow_dispatch: {}
-  schedule:
-  - cron: "46 4 * * *" # run once per day
-
-jobs:
-  cleanup:
-    runs-on: ubuntu-latest
-    name: Stale issue job
-    steps:
-    - uses: pose/stale-issue-cleanup@d2922f61fc5669f4154408689f9bb2a981996112
-      with:
-        issue-types: issues # only look at issues (ignore pull-requests)
-
-        # Setting messages to an empty string causes the automation to skip that category
-        ancient-issue-message: "Unfortunately, it looks like this issue hasn't seen any updates in a while. If you're still experiencing this issue, could you leave a quick comment to let us know so we can prioritize it?"
-        ancient-pr-message: ""
-        stale-issue-message: ""
-        stale-pr-message: ""
-
-        # These labels are required
-        stale-issue-label: awaiting-feedback # somewhat confusingly, this is also used for when labeling "ancient" issues
-        exempt-issue-labels: kind/enhancement,kind/task,kind/epic,kind/engineering, awaiting-upstream # only run on kind/bug for now, ignore awaiting-upstream too.
-        stale-pr-label: no-pr-activity # unused because we aren't processing PRs
-        exempt-pr-labels: awaiting-approval # unused because we aren't processing PRs
-        response-requested-label: response-requested # unused because we don't set a "stale-issue-message" above
-
-        # Issue timing
-        days-before-close: 10000 # this action lacks the option not to close, so just set this indefinitly far in the future
-        days-before-ancient: 180 # 6 months
-
-        # If you don't want to mark a issue as being ancient based on a
-        # threshold of "upvotes", you can set this here. An "upvote" is
-        # the total number of +1, heart, hooray, and rocket reactions
-        # on an issue.
-        minimum-upvotes-to-exempt: 2
-
-        repo-token: ${{ secrets.GITHUB_TOKEN }}
-        loglevel: DEBUG
-        # Set dry-run to true to not perform label or close actions.
-        dry-run: true

.github/workflows/community-moderation.yml

@@ -1,43 +0,0 @@
-# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
-
-jobs:
-  warn_codegen:
-    name: warn_codegen
-    runs-on: ubuntu-latest
-    steps:
-    - name: Checkout Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      with:
-        persist-credentials: false
-    - id: schema_changed
-      name: Check for diff in schema
-      uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
-      with:
-        filters: "changed: 'provider/cmd/**/schema.json'"
-    - id: sdk_changed
-      if: steps.schema_changed.outputs.changed == 'false'
-      name: Check for diff in sdk/**
-      uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
-      with:
-        filters: "changed: 'sdk/**'"
-    - if: steps.sdk_changed.outputs.changed == 'true' &&
-        github.event.pull_request.head.repo.full_name != github.repository
-      name: Send codegen warning as comment on PR
-      uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
-      with:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        message: >
-          Hello and thank you for your pull request! :heart: :sparkles:
-
-          It looks like you're directly modifying files in the language SDKs, many of which are autogenerated.
-
-          Be sure any files you're editing do not begin with a code generation warning.
-
-          For generated files, you will need to make changes in `resources.go` instead, and [generate the code](https://github.com/pulumi/${{ github.event.repository.name }}/blob/master/CONTRIBUTING.md#committing-generated-code).
-name: warn-codegen
-on:
-  pull_request_target:
-    branches:
-    - main
-    types:
-    - opened

.github/workflows/export-repo-secrets.yml

@@ -1,25 +0,0 @@
-permissions: write-all # Equivalent to default permissions plus id-token: write
-name: Export secrets to ESC
-on: [workflow_dispatch]
-jobs:
-  export-to-esc:
-    runs-on: ubuntu-latest
-    name: export GitHub secrets to ESC
-    steps:
-      - name: Generate a GitHub token
-        id: generate-token
-        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3
-        with:
-          app-id: 1256780 # Export Secrets GitHub App
-          private-key: ${{ secrets.EXPORT_SECRETS_PRIVATE_KEY }}
-      - name: Export secrets to ESC
-        uses: pulumi/esc-export-secrets-action@9d6485759b6adff2538ae91f1b77cc96265c9dad # v1
-        with:
-          organization: pulumi
-          org-environment: imports/github-secrets
-          exclude-secrets: EXPORT_SECRETS_PRIVATE_KEY
-          github-token: ${{ steps.generate-token.outputs.token }}
-          oidc-auth: true
-          oidc-requested-token-type: urn:pulumi:token-type:access_token:organization
-        env:
-          GITHUB_SECRETS: ${{ toJSON(secrets) }}

.github/workflows/gh-aw-pr-rereview.md

@@ -1,20 +0,0 @@
----
-on:
-  slash_command:
-    events:
-    - pull_request_comment
-    - pull_request_review_comment
-    name: review-again
-permissions:
-  contents: read
-  id-token: write
-  pull-requests: read
-imports:
-- shared/review.md
-- shared/plugins/code-review/code-review.md
-description: Run PR re-review on explicit maintainer slash command.
-source: pulumi-labs/gh-aw-internal/.github/workflows/gh-aw-pr-rereview.md@8a92f53fac170563f7727cacab2dbedb5d5b9e29
-strict: true
-timeout-minutes: 15
----
-# Internal PR Re-Review (Slash Command)

.github/workflows/gh-aw-pr-review.md

@@ -1,25 +0,0 @@
----
-on:
-  pull_request:
-    types:
-    - opened
-    - ready_for_review
-  workflow_dispatch:
-    inputs:
-      pr_number:
-        description: Pull request number to review
-        required: true
-        type: string
-permissions:
-  contents: read
-  id-token: write
-  pull-requests: read
-imports:
-- shared/review.md
-- shared/plugins/code-review/code-review.md
-description: Automated PR review for trusted internal contributors.
-source: pulumi-labs/gh-aw-internal/.github/workflows/gh-aw-pr-review.md@8a92f53fac170563f7727cacab2dbedb5d5b9e29
-strict: true
-timeout-minutes: 15
----
-# Internal Trusted PR Reviewer

.github/workflows/lint.yml

@@ -1,66 +0,0 @@
-# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
-
-name: lint
-
-on:
-  workflow_call:
-    inputs: {}
-
-env:
-  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
-  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
-  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
-  GOOGLE_PROJECT: pulumi-ci-gcp-provider
-  GOOGLE_PROJECT_NUMBER: "895284651812"
-  GOOGLE_REGION: us-central1
-  GOOGLE_ZONE: us-central1-a
-  PULUMI_API: https://api.pulumi-staging.io
-  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
-  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
-  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
-  TF_APPEND_USER_AGENT: pulumi
-
-jobs:
-  lint:
-    name: lint
-    runs-on: ubuntu-latest
-    permissions:
-      contents: read
-      pull-requests: write
-      id-token: write # For ESC secrets.
-    steps:
-    - name: Checkout Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      with:
-        persist-credentials: false    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
-    - name: Setup mise
-      uses: jdx/mise-action@8d3b0ba20a9cea7b883d922ea958553c941ab082
-      env:
-        MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
-      with:
-        version: 2026.3.7
-        github_token: ${{ steps.app-auth.outputs.token }}
-        cache_save: false # A different job handles caching our tools.
-    - name: prepare workspace
-      continue-on-error: true
-      run: make prepare_local_workspace
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
-    - name: lint
-      run: make lint

.github/workflows/prerelease.yml

@@ -6,13 +6,43 @@ on:
     tags:
     - v*.*.*-**
 env:
+  AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
+  AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
+  AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
+  AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
+  SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' &&
+    secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID
+    == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
+  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
   PROVIDER: docker-build
+  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
+  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
+  PYPI_USERNAME: __token__
+  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
   TRAVIS_OS_NAME: linux
-  GOVERSION: "1.21.x"
-  NODEVERSION: "20.x"
-  PYTHONVERSION: "3.11.8"
-  DOTNETVERSION: "8.0.x"
+  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
+  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
+  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
+  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
+  GOVERSION: 1.21.x
+  NODEVERSION: 20.x
+  PYTHONVERSION: "3.11"
+  DOTNETVERSION: 8.0.x
   JAVAVERSION: "11"
+  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
+  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
+  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
+  AWS_REGION: us-west-2
+  AZURE_LOCATION: westus
+  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
+  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
   GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
   GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
   GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -21,53 +51,35 @@ env:
   GOOGLE_REGION: us-central1
   GOOGLE_ZONE: us-central1-a
   PULUMI_API: https://api.pulumi-staging.io
-  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
-  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
-  TF_APPEND_USER_AGENT: pulumi
   IS_PRERELEASE: true
-
 jobs:
   prerequisites:
     runs-on: ubuntu-latest
     name: prerequisites
-    permissions:
-      id-token: write # For ESC secrets.
-      pull-requests: write # For schema check comment.
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        cache: 'true'
-        github_token: ${{ secrets.GITHUB_TOKEN }}
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
     - if: github.event_name == 'pull_request'
       name: Install Schema Tools
-      uses: jaxxstorm/action-install-gh-release@25e24d2d23ae098373794ef1d6faecb48ee52da8 # v3.0.0
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
       with:
         repo: pulumi/schema-tools
     - name: Build codegen binaries
@@ -77,15 +89,13 @@ jobs:
     - if: github.event_name == 'pull_request'
       name: Check Schema is Valid
       run: >-
-        {
-          echo 'SCHEMA_CHANGES<<EOF';
+        echo 'SCHEMA_CHANGES<<EOF' >> $GITHUB_ENV
 
-          schema-tools compare -p ${{ env.PROVIDER }} -o ${{ github.event.repository.default_branch }} -n --local-path=provider/cmd/pulumi-resource-${{ env.PROVIDER }}/schema.json;
+        schema-tools compare -p ${{ env.PROVIDER }} -o ${{ github.event.repository.default_branch }} -n --local-path=provider/cmd/pulumi-resource-${{ env.PROVIDER }}/schema.json >> $GITHUB_ENV
 
-          echo 'EOF';
-        } >> "$GITHUB_ENV"
+        echo 'EOF' >> $GITHUB_ENV
       env:
-        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
+        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
     - if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
       name: Comment on PR with Details of Schema Check
       uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
@@ -110,39 +120,74 @@ jobs:
       with:
         allowed-changes: |-
           sdk/**/pulumi-plugin.json
-          sdk/dotnet/*.*.csproj
-          sdk/dotnet/version.txt
+          sdk/dotnet/Pulumi.*.csproj
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
-          sdk/java/build.gradle
+    - name: Commit ${{ matrix.language }} SDK changes for Renovate
+      if: failure() && steps.worktreeClean.outcome == 'failure' &&
+        contains(github.actor, 'renovate') && github.event_name ==
+        'pull_request'
+      shell: bash
+      run: >
+        git diff --quiet -- sdk && echo "no changes to sdk" && exit
+
+        git config --global user.email "bot@pulumi.com"
+
+        git config --global user.name "pulumi-bot"
+
+        # Stash local changes and check out the PR's branch directly.
+
+        git stash
+
+        git fetch
+
+        git checkout "origin/$HEAD_REF"
+
+
+        # Apply and add our changes, but don't commit any files we expect to
+
+        # always change due to versioning.
+
+        git stash pop
+
+        git add sdk
+
+        git reset     sdk/python/*/pulumi-plugin.json     sdk/python/pyproject.toml     sdk/dotnet/pulumi-plugin.json     sdk/dotnet/Pulumi.*.csproj     sdk/go/*/pulumi-plugin.json     sdk/go/*/internal/pulumiUtilities.go     sdk/nodejs/package.json
+
+        git commit -m 'Commit ${{ matrix.language }} SDK for Renovate'
+
+
+        # Push with pulumi-bot credentials to trigger a re-run of the
+
+        # workflow. https://github.com/orgs/community/discussions/25702
+
+        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+      env:
+        HEAD_REF: ${{ github.head_ref }}
     - run: git status --porcelain
     - name: Tar provider binaries
       run: tar -zcf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
         github.workspace}}/bin/ pulumi-resource-${{ env.PROVIDER }}
         pulumi-gen-${{ env.PROVIDER}}
     - name: Upload artifacts
-      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
         path: ${{ github.workspace }}/bin/provider.tar.gz
     - name: Test Provider Library
       run: make test_provider
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: Upload coverage reports to Codecov
-      uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
+      uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2
       env:
-        CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
+        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure in building provider prerequisites
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   build_sdks:
     needs: prerequisites
     runs-on: pulumi-ubuntu-8core
@@ -156,42 +201,61 @@ jobs:
         - go
         - java
     name: build_sdks
-    permissions:
-      pull-requests: write # For Renovate SDK updates.
-      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
-    - name: Download Provider Binary
-      uses: ./.github/actions/download-provider
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Setup Node
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      with:
+        node-version: ${{ env.NODEVERSION }}
+        registry-url: https://registry.npmjs.org
+    - name: Setup DotNet
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      with:
+        dotnet-version: ${{ env.DOTNETVERSION }}
+    - name: Setup Python
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      with:
+        python-version: ${{ env.PYTHONVERSION }}
+    - name: Setup Java
+      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+      with:
+        java-version: ${{ env.JAVAVERSION }}
+        distribution: temurin
+        cache: gradle
+    - name: Setup Gradle
+      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
+      with:
+        gradle-version: "7.6"
+    - name: Download provider
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      with:
+        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
+        path: ${{ github.workspace }}/bin
+    - name: UnTar provider binaries
+      run: tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
+        github.workspace}}/bin
+    - name: Restore Binary Permissions
+      run: find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print
+        -exec chmod +x {} \;
     - name: Generate SDK
       run: make generate_${{ matrix.language }}
     - name: Build SDK
@@ -202,29 +266,66 @@ jobs:
       with:
         allowed-changes: |-
           sdk/**/pulumi-plugin.json
-          sdk/dotnet/*.*.csproj
-          sdk/dotnet/version.txt
+          sdk/dotnet/Pulumi.*.csproj
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
-          sdk/java/build.gradle
+    - name: Commit ${{ matrix.language }} SDK changes for Renovate
+      if: failure() && steps.worktreeClean.outcome == 'failure' &&
+        contains(github.actor, 'renovate') && github.event_name ==
+        'pull_request'
+      shell: bash
+      run: >
+        git diff --quiet -- sdk && echo "no changes to sdk" && exit
+
+        git config --global user.email "bot@pulumi.com"
+
+        git config --global user.name "pulumi-bot"
+
+        # Stash local changes and check out the PR's branch directly.
+
+        git stash
+
+        git fetch
+
+        git checkout "origin/$HEAD_REF"
+
+
+        # Apply and add our changes, but don't commit any files we expect to
+
+        # always change due to versioning.
+
+        git stash pop
+
+        git add sdk
+
+        git reset     sdk/python/*/pulumi-plugin.json     sdk/python/pyproject.toml     sdk/dotnet/pulumi-plugin.json     sdk/dotnet/Pulumi.*.csproj     sdk/go/*/pulumi-plugin.json     sdk/go/*/internal/pulumiUtilities.go     sdk/nodejs/package.json
+
+        git commit -m 'Commit ${{ matrix.language }} SDK for Renovate'
+
+
+        # Push with pulumi-bot credentials to trigger a re-run of the
+
+        # workflow. https://github.com/orgs/community/discussions/25702
+
+        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+      env:
+        HEAD_REF: ${{ github.head_ref }}
     - run: git status --porcelain
     - name: Tar SDK folder
       run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} .
     - name: Upload artifacts
-      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: ${{ matrix.language  }}-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/${{ matrix.language }}.tar.gz
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure while building SDKs
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   test:
     runs-on: pulumi-ubuntu-8core
     needs:
@@ -242,47 +343,74 @@ jobs:
     name: test
     permissions:
       contents: read
-      id-token: write # For ESC secrets and Pulumi access token OIDC.
+      id-token: write
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
-    - name: Download Provider Binary
-      uses: ./.github/actions/download-provider
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Setup Node
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      with:
+        node-version: ${{ env.NODEVERSION }}
+        registry-url: https://registry.npmjs.org
+    - name: Setup DotNet
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      with:
+        dotnet-version: ${{ env.DOTNETVERSION }}
+    - name: Setup Python
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      with:
+        python-version: ${{ env.PYTHONVERSION }}
+    - name: Setup Java
+      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+      with:
+        java-version: ${{ env.JAVAVERSION }}
+        distribution: temurin
+        cache: gradle
+    - name: Setup Gradle
+      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
+      with:
+        gradle-version: "7.6"
+    - name: Download provider
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      with:
+        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
+        path: ${{ github.workspace }}/bin
+    - name: UnTar provider binaries
+      run: tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
+        github.workspace}}/bin
+    - name: Restore Binary Permissions
+      run: find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print
+        -exec chmod +x {} \;
     - name: Download SDK
       if: ${{ matrix.language != 'yaml' }}
-      uses: ./.github/actions/download-sdk
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
-        language: ${{ matrix.language }}
+        name: ${{ matrix.language }}-sdk.tar.gz
+        path: ${{ github.workspace}}/sdk/
+    - name: UnTar SDK folder
+      if: ${{ matrix.language != 'yaml' }}
+      run: tar -zxf ${{ github.workspace}}/sdk/${{ matrix.language}}.tar.gz -C ${{
+        github.workspace}}/sdk/${{ matrix.language}}
     - name: Update path
-      run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
+      run: echo "${{ github.workspace }}/bin" >> $GITHUB_PATH
     - name: Install Node dependencies
       run: yarn global add typescript
     - run: dotnet nuget add source ${{ github.workspace }}/nuget
@@ -295,19 +423,19 @@ jobs:
       run: make install_${{ matrix.language}}_sdk
     - name: Generate Pulumi Access Token
       id: generate_pulumi_token
-      uses: pulumi/auth-actions@141415910c3beb54e03b48e9057c204c97b956f2 # v2.1.0
+      uses: pulumi/auth-actions@1c89817aab0c66407723cdef72b05266e7376640 # v1.0.1
       with:
         organization: pulumi
         requested-token-type: urn:pulumi:token-type:access_token:organization
         export-environment-variables: false
     - name: Export AWS Credentials
-      uses: pulumi/esc-action@f3cfbabf37488463817366338165b92b5f99117e
+      uses: pulumi/esc-action@41fd832f44f4820124b5350b5f84a00f741f234e # v1.3.0
       env:
         PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
       with:
         environment: logins/pulumi-ci
     - name: Authenticate to Google Cloud
-      uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
+      uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8
       with:
         workload_identity_provider: projects/${{ env.GOOGLE_PROJECT_NUMBER
           }}/locations/global/workloadIdentityPools/${{
@@ -315,7 +443,7 @@ jobs:
           env.GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER }}
         service_account: ${{ env.GOOGLE_CI_SERVICE_ACCOUNT_EMAIL }}
     - name: Setup gcloud auth
-      uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
+      uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
       with:
         install_components: gke-gcloud-auth-plugin
     - name: Install gotestfmt
@@ -328,55 +456,32 @@ jobs:
         set -euo pipefail
 
         cd examples && go test -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 .
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure in SDK tests
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   publish:
     runs-on: ubuntu-latest
     needs: test
     name: publish
-    permissions:
-      contents: read
-      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
     - name: Clear GitHub Actions Ubuntu runner disk space
       uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
       with:
@@ -386,86 +491,82 @@ jobs:
         haskell: true
         swap-storage: true
         large-packages: false
-    - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
       with:
-        aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }}
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Configure AWS Credentials
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      with:
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
         aws-region: us-east-2
-        aws-secret-access-key: ${{ steps.esc-secrets.outputs.AWS_SECRET_ACCESS_KEY }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
         role-duration-seconds: 7200
         role-session-name: ${{ env.PROVIDER }}@githubActions
         role-external-id: upload-pulumi-release
-        role-to-assume: ${{ steps.esc-secrets.outputs.AWS_UPLOAD_ROLE_ARN }}
+        role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
     - name: Run GoReleaser
       uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
       env:
         GORELEASER_CURRENT_TAG: v${{ steps.version.outputs.version }}
-        AZURE_SIGNING_CLIENT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID }}
-        AZURE_SIGNING_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET }}
-        AZURE_SIGNING_TENANT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID }}
-        AZURE_SIGNING_ACCOUNT_ENDPOINT: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_ENDPOINT }}
-        AZURE_SIGNING_ACCOUNT_NAME: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_NAME }}
-        AZURE_SIGNING_CERT_PROFILE_NAME: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CERT_PROFILE_NAME }}
-        SKIP_SIGNING: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET == '' && steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_ENDPOINT == '' && steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_NAME == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CERT_PROFILE_NAME == '' }}
-        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
       with:
         args: -p 3 -f .goreleaser.prerelease.yml --clean --skip=validate --timeout 60m0s
         version: latest
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure in publishing binaries
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   publish_sdk:
     runs-on: ubuntu-latest
     needs: publish
     name: publish_sdk
-    permissions:
-      contents: read
-      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: Checkout Scripts Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         path: ci-scripts
         repository: pulumi/scripts
     - run: echo "ci-scripts" >> .git/info/exclude
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Setup Node
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      with:
+        node-version: ${{ env.NODEVERSION }}
+        registry-url: https://registry.npmjs.org
+    - name: Setup DotNet
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      with:
+        dotnet-version: ${{ env.DOTNETVERSION }}
+    - name: Setup Python
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      with:
+        python-version: ${{ env.PYTHONVERSION }}
     - name: Download python SDK
-      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: python-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -473,7 +574,7 @@ jobs:
       run: tar -zxf ${{github.workspace}}/sdk/python.tar.gz -C
         ${{github.workspace}}/sdk/python
     - name: Download dotnet SDK
-      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: dotnet-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -481,7 +582,7 @@ jobs:
       run: tar -zxf ${{github.workspace}}/sdk/dotnet.tar.gz -C
         ${{github.workspace}}/sdk/dotnet
     - name: Download nodejs SDK
-      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: nodejs-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -493,98 +594,83 @@ jobs:
     - name: Publish SDKs
       run: ./ci-scripts/ci/publish-tfgen-package ${{ github.workspace }}
       env:
-        NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }}
-        NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }}
+        NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         PYPI_PUBLISH_ARTIFACTS: all
-        PYPI_USERNAME: __token__
-        PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }}
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure in publishing SDK
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   publish_java_sdk:
     runs-on: ubuntu-latest
     continue-on-error: true
     needs: publish
     name: publish_java_sdk
-    permissions:
-      contents: read
-      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Setup Java
+      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+      with:
+        java-version: ${{ env.JAVAVERSION }}
+        distribution: temurin
+        cache: gradle
+    - name: Setup Gradle
+      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
+      with:
+        gradle-version: "7.6"
     - name: Download java SDK
-      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: java-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
     - name: Uncompress java SDK
       run: tar -zxf ${{github.workspace}}/sdk/java.tar.gz -C
         ${{github.workspace}}/sdk/java
-    - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0
-      with:
-        gradle-version: "7.6"
     - name: Publish Java SDK
-      run: gradle -p ./sdk/java publishToSonatype closeAndReleaseSonatypeStagingRepository
+      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
       env:
         PACKAGE_VERSION: ${{ env.PROVIDER_VERSION }}
-        SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }}
-        SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }}
-        SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }}
-        PUBLISH_REPO_PASSWORD: ${{ steps.esc-secrets.outputs.OSSRH_PASSWORD }}
-        PUBLISH_REPO_USERNAME: ${{ steps.esc-secrets.outputs.OSSRH_USERNAME }}
+      with:
+        arguments: publishToSonatype closeAndReleaseSonatypeStagingRepository
+        build-root-directory: ./sdk/java
+        gradle-version: 7.4.1
   publish_go_sdk:
     runs-on: ubuntu-latest
     name: publish-go-sdk
     needs: publish_sdk
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: Download go SDK
-      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: go-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/

.github/workflows/pull-request.yml

@@ -3,14 +3,52 @@
 name: pull-request
 on:
   pull_request_target: {}
-
+env:
+  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+  PROVIDER: docker-build
+  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
+  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
+  PYPI_USERNAME: __token__
+  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+  TRAVIS_OS_NAME: linux
+  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
+  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
+  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
+  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
+  GOVERSION: 1.21.x
+  NODEVERSION: 20.x
+  PYTHONVERSION: "3.11"
+  DOTNETVERSION: 8.0.x
+  JAVAVERSION: "11"
+  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
+  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
+  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
+  AWS_REGION: us-west-2
+  AZURE_LOCATION: westus
+  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
+  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
+  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
+  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
+  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
+  GOOGLE_PROJECT: pulumi-ci-gcp-provider
+  GOOGLE_PROJECT_NUMBER: "895284651812"
+  GOOGLE_REGION: us-central1
+  GOOGLE_ZONE: us-central1-a
+  PULUMI_API: https://api.pulumi-staging.io
 jobs:
   comment-on-pr:
     runs-on: ubuntu-latest
     name: comment-on-pr
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         lfs: true
     - name: Comment PR

.github/workflows/release.yml

@@ -7,13 +7,43 @@ on:
     - v*.*.*
     - "!v*.*.*-**"
 env:
+  AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
+  AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
+  AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
+  AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
+  SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' &&
+    secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID
+    == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
+  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
   PROVIDER: docker-build
+  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
+  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
+  PYPI_USERNAME: __token__
+  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
   TRAVIS_OS_NAME: linux
-  GOVERSION: "1.21.x"
-  NODEVERSION: "20.x"
-  PYTHONVERSION: "3.11.8"
-  DOTNETVERSION: "8.0.x"
+  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
+  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
+  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
+  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
+  GOVERSION: 1.21.x
+  NODEVERSION: 20.x
+  PYTHONVERSION: "3.11"
+  DOTNETVERSION: 8.0.x
   JAVAVERSION: "11"
+  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
+  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
+  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
+  AWS_REGION: us-west-2
+  AZURE_LOCATION: westus
+  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
+  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
   GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
   GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
   GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -22,52 +52,34 @@ env:
   GOOGLE_REGION: us-central1
   GOOGLE_ZONE: us-central1-a
   PULUMI_API: https://api.pulumi-staging.io
-  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
-  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
-  TF_APPEND_USER_AGENT: pulumi
-
 jobs:
   prerequisites:
     runs-on: ubuntu-latest
     name: prerequisites
-    permissions:
-      id-token: write # For ESC secrets.
-      pull-requests: write # For schema check comment.
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        cache: 'true'
-        github_token: ${{ steps.app-auth.outputs.token }}
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
     - if: github.event_name == 'pull_request'
       name: Install Schema Tools
-      uses: jaxxstorm/action-install-gh-release@25e24d2d23ae098373794ef1d6faecb48ee52da8 # v3.0.0
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
       with:
         repo: pulumi/schema-tools
     - name: Build codegen binaries
@@ -77,15 +89,13 @@ jobs:
     - if: github.event_name == 'pull_request'
       name: Check Schema is Valid
       run: >-
-        {
-          echo 'SCHEMA_CHANGES<<EOF';
+        echo 'SCHEMA_CHANGES<<EOF' >> $GITHUB_ENV
 
-          schema-tools compare -p ${{ env.PROVIDER }} -o ${{ github.event.repository.default_branch }} -n --local-path=provider/cmd/pulumi-resource-${{ env.PROVIDER }}/schema.json;
+        schema-tools compare -p ${{ env.PROVIDER }} -o ${{ github.event.repository.default_branch }} -n --local-path=provider/cmd/pulumi-resource-${{ env.PROVIDER }}/schema.json >> $GITHUB_ENV
 
-          echo 'EOF';
-        } >> "$GITHUB_ENV"
+        echo 'EOF' >> $GITHUB_ENV
       env:
-        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
+        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
     - if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
       name: Comment on PR with Details of Schema Check
       uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
@@ -110,39 +120,74 @@ jobs:
       with:
         allowed-changes: |-
           sdk/**/pulumi-plugin.json
-          sdk/dotnet/*.*.csproj
-          sdk/dotnet/version.txt
+          sdk/dotnet/Pulumi.*.csproj
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
-          sdk/java/build.gradle
+    - name: Commit ${{ matrix.language }} SDK changes for Renovate
+      if: failure() && steps.worktreeClean.outcome == 'failure' &&
+        contains(github.actor, 'renovate') && github.event_name ==
+        'pull_request'
+      shell: bash
+      run: >
+        git diff --quiet -- sdk && echo "no changes to sdk" && exit
+
+        git config --global user.email "bot@pulumi.com"
+
+        git config --global user.name "pulumi-bot"
+
+        # Stash local changes and check out the PR's branch directly.
+
+        git stash
+
+        git fetch
+
+        git checkout "origin/$HEAD_REF"
+
+
+        # Apply and add our changes, but don't commit any files we expect to
+
+        # always change due to versioning.
+
+        git stash pop
+
+        git add sdk
+
+        git reset     sdk/python/*/pulumi-plugin.json     sdk/python/pyproject.toml     sdk/dotnet/pulumi-plugin.json     sdk/dotnet/Pulumi.*.csproj     sdk/go/*/pulumi-plugin.json     sdk/go/*/internal/pulumiUtilities.go     sdk/nodejs/package.json
+
+        git commit -m 'Commit ${{ matrix.language }} SDK for Renovate'
+
+
+        # Push with pulumi-bot credentials to trigger a re-run of the
+
+        # workflow. https://github.com/orgs/community/discussions/25702
+
+        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+      env:
+        HEAD_REF: ${{ github.head_ref }}
     - run: git status --porcelain
     - name: Tar provider binaries
       run: tar -zcf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
         github.workspace}}/bin/ pulumi-resource-${{ env.PROVIDER }}
         pulumi-gen-${{ env.PROVIDER}}
     - name: Upload artifacts
-      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
         path: ${{ github.workspace }}/bin/provider.tar.gz
     - name: Test Provider Library
       run: make test_provider
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: Upload coverage reports to Codecov
-      uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
+      uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2
       env:
-        CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
+        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure in building provider prerequisites
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   build_sdks:
     needs: prerequisites
     runs-on: pulumi-ubuntu-8core
@@ -156,42 +201,61 @@ jobs:
         - go
         - java
     name: build_sdks
-    permissions:
-      contents: read
-      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
-    - name: Download Provider Binary
-      uses: ./.github/actions/download-provider
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Setup Node
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      with:
+        node-version: ${{ env.NODEVERSION }}
+        registry-url: https://registry.npmjs.org
+    - name: Setup DotNet
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      with:
+        dotnet-version: ${{ env.DOTNETVERSION }}
+    - name: Setup Python
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      with:
+        python-version: ${{ env.PYTHONVERSION }}
+    - name: Setup Java
+      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+      with:
+        java-version: ${{ env.JAVAVERSION }}
+        distribution: temurin
+        cache: gradle
+    - name: Setup Gradle
+      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
+      with:
+        gradle-version: "7.6"
+    - name: Download provider
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      with:
+        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
+        path: ${{ github.workspace }}/bin
+    - name: UnTar provider binaries
+      run: tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
+        github.workspace}}/bin
+    - name: Restore Binary Permissions
+      run: find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print
+        -exec chmod +x {} \;
     - name: Generate SDK
       run: make generate_${{ matrix.language }}
     - name: Build SDK
@@ -202,29 +266,66 @@ jobs:
       with:
         allowed-changes: |-
           sdk/**/pulumi-plugin.json
-          sdk/dotnet/*.*.csproj
-          sdk/dotnet/version.txt
+          sdk/dotnet/Pulumi.*.csproj
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
-          sdk/java/build.gradle
+    - name: Commit ${{ matrix.language }} SDK changes for Renovate
+      if: failure() && steps.worktreeClean.outcome == 'failure' &&
+        contains(github.actor, 'renovate') && github.event_name ==
+        'pull_request'
+      shell: bash
+      run: >
+        git diff --quiet -- sdk && echo "no changes to sdk" && exit
+
+        git config --global user.email "bot@pulumi.com"
+
+        git config --global user.name "pulumi-bot"
+
+        # Stash local changes and check out the PR's branch directly.
+
+        git stash
+
+        git fetch
+
+        git checkout "origin/$HEAD_REF"
+
+
+        # Apply and add our changes, but don't commit any files we expect to
+
+        # always change due to versioning.
+
+        git stash pop
+
+        git add sdk
+
+        git reset     sdk/python/*/pulumi-plugin.json     sdk/python/pyproject.toml     sdk/dotnet/pulumi-plugin.json     sdk/dotnet/Pulumi.*.csproj     sdk/go/*/pulumi-plugin.json     sdk/go/*/internal/pulumiUtilities.go     sdk/nodejs/package.json
+
+        git commit -m 'Commit ${{ matrix.language }} SDK for Renovate'
+
+
+        # Push with pulumi-bot credentials to trigger a re-run of the
+
+        # workflow. https://github.com/orgs/community/discussions/25702
+
+        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+      env:
+        HEAD_REF: ${{ github.head_ref }}
     - run: git status --porcelain
     - name: Tar SDK folder
       run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} .
     - name: Upload artifacts
-      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: ${{ matrix.language  }}-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/${{ matrix.language }}.tar.gz
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure while building SDKs
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   test:
     runs-on: pulumi-ubuntu-8core
     needs:
@@ -242,47 +343,74 @@ jobs:
     name: test
     permissions:
       contents: read
-      id-token: write # For ESC secrets.
+      id-token: write
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
-    - name: Download Provider Binary
-      uses: ./.github/actions/download-provider
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Setup Node
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      with:
+        node-version: ${{ env.NODEVERSION }}
+        registry-url: https://registry.npmjs.org
+    - name: Setup DotNet
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      with:
+        dotnet-version: ${{ env.DOTNETVERSION }}
+    - name: Setup Python
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      with:
+        python-version: ${{ env.PYTHONVERSION }}
+    - name: Setup Java
+      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+      with:
+        java-version: ${{ env.JAVAVERSION }}
+        distribution: temurin
+        cache: gradle
+    - name: Setup Gradle
+      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
+      with:
+        gradle-version: "7.6"
+    - name: Download provider
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      with:
+        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
+        path: ${{ github.workspace }}/bin
+    - name: UnTar provider binaries
+      run: tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
+        github.workspace}}/bin
+    - name: Restore Binary Permissions
+      run: find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print
+        -exec chmod +x {} \;
     - name: Download SDK
       if: ${{ matrix.language != 'yaml' }}
-      uses: ./.github/actions/download-sdk
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
-        language: ${{ matrix.language }}
+        name: ${{ matrix.language }}-sdk.tar.gz
+        path: ${{ github.workspace}}/sdk/
+    - name: UnTar SDK folder
+      if: ${{ matrix.language != 'yaml' }}
+      run: tar -zxf ${{ github.workspace}}/sdk/${{ matrix.language}}.tar.gz -C ${{
+        github.workspace}}/sdk/${{ matrix.language}}
     - name: Update path
-      run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
+      run: echo "${{ github.workspace }}/bin" >> $GITHUB_PATH
     - name: Install Node dependencies
       run: yarn global add typescript
     - run: dotnet nuget add source ${{ github.workspace }}/nuget
@@ -295,19 +423,19 @@ jobs:
       run: make install_${{ matrix.language}}_sdk
     - name: Generate Pulumi Access Token
       id: generate_pulumi_token
-      uses: pulumi/auth-actions@141415910c3beb54e03b48e9057c204c97b956f2 # v2.1.0
+      uses: pulumi/auth-actions@1c89817aab0c66407723cdef72b05266e7376640 # v1.0.1
       with:
         organization: pulumi
         requested-token-type: urn:pulumi:token-type:access_token:organization
         export-environment-variables: false
     - name: Export AWS Credentials
-      uses: pulumi/esc-action@f3cfbabf37488463817366338165b92b5f99117e
+      uses: pulumi/esc-action@41fd832f44f4820124b5350b5f84a00f741f234e # v1.3.0
       env:
         PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
       with:
         environment: logins/pulumi-ci
     - name: Authenticate to Google Cloud
-      uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
+      uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8
       with:
         workload_identity_provider: projects/${{ env.GOOGLE_PROJECT_NUMBER
           }}/locations/global/workloadIdentityPools/${{
@@ -315,7 +443,7 @@ jobs:
           env.GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER }}
         service_account: ${{ env.GOOGLE_CI_SERVICE_ACCOUNT_EMAIL }}
     - name: Setup gcloud auth
-      uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
+      uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
       with:
         install_components: gke-gcloud-auth-plugin
     - name: Install gotestfmt
@@ -328,55 +456,32 @@ jobs:
         set -euo pipefail
 
         cd examples && go test -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 .
-      env:
-        GTIHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure in SDK tests
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   publish:
     runs-on: ubuntu-latest
     needs: test
     name: publish
-    permissions:
-      contents: read
-      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
     - name: Clear GitHub Actions Ubuntu runner disk space
       uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
       with:
@@ -386,86 +491,82 @@ jobs:
         haskell: true
         swap-storage: true
         large-packages: false
-    - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
       with:
-        aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }}
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Configure AWS Credentials
+      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      with:
+        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
         aws-region: us-east-2
-        aws-secret-access-key: ${{ steps.esc-secrets.outputs.AWS_SECRET_ACCESS_KEY }}
+        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
         role-duration-seconds: 7200
         role-session-name: ${{ env.PROVIDER }}@githubActions
         role-external-id: upload-pulumi-release
-        role-to-assume: ${{ steps.esc-secrets.outputs.AWS_UPLOAD_ROLE_ARN }}
+        role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
     - name: Run GoReleaser
       uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
       env:
         GORELEASER_CURRENT_TAG: v${{ steps.version.outputs.version }}
-        AZURE_SIGNING_CLIENT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID }}
-        AZURE_SIGNING_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET }}
-        AZURE_SIGNING_TENANT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID }}
-        AZURE_SIGNING_ACCOUNT_ENDPOINT: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_ENDPOINT }}
-        AZURE_SIGNING_ACCOUNT_NAME: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_NAME }}
-        AZURE_SIGNING_CERT_PROFILE_NAME: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CERT_PROFILE_NAME }}
-        SKIP_SIGNING: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET == '' && steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_ENDPOINT == '' && steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_NAME == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CERT_PROFILE_NAME == '' }}
-        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
       with:
         args: -p 3 release --clean --timeout 60m0s
         version: latest
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure in publishing binaries
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   publish_sdk:
     runs-on: ubuntu-latest
     needs: publish
     name: publish_sdks
-    permissions:
-      contents: read
-      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: Checkout Scripts Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         path: ci-scripts
         repository: pulumi/scripts
     - run: echo "ci-scripts" >> .git/info/exclude
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Setup Node
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      with:
+        node-version: ${{ env.NODEVERSION }}
+        registry-url: https://registry.npmjs.org
+    - name: Setup DotNet
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      with:
+        dotnet-version: ${{ env.DOTNETVERSION }}
+    - name: Setup Python
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      with:
+        python-version: ${{ env.PYTHONVERSION }}
     - name: Download python SDK
-      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: python-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -473,7 +574,7 @@ jobs:
       run: tar -zxf ${{github.workspace}}/sdk/python.tar.gz -C
         ${{github.workspace}}/sdk/python
     - name: Download dotnet SDK
-      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: dotnet-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -481,7 +582,7 @@ jobs:
       run: tar -zxf ${{github.workspace}}/sdk/dotnet.tar.gz -C
         ${{github.workspace}}/sdk/dotnet
     - name: Download nodejs SDK
-      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: nodejs-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -493,98 +594,83 @@ jobs:
     - name: Publish SDKs
       run: ./ci-scripts/ci/publish-tfgen-package ${{ github.workspace }}
       env:
-        NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }}
-        NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }}
+        NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
         PYPI_PUBLISH_ARTIFACTS: all
-        PYPI_USERNAME: __token__
-        PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }}
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure in publishing SDK
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   publish_java_sdk:
     runs-on: ubuntu-latest
     continue-on-error: true
     needs: publish
     name: publish_java_sdk
-    permissions:
-      contents: read
-      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Setup Java
+      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+      with:
+        java-version: ${{ env.JAVAVERSION }}
+        distribution: temurin
+        cache: gradle
+    - name: Setup Gradle
+      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
+      with:
+        gradle-version: "7.6"
     - name: Download java SDK
-      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: java-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
     - name: Uncompress java SDK
       run: tar -zxf ${{github.workspace}}/sdk/java.tar.gz -C
         ${{github.workspace}}/sdk/java
-    - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0
-      with:
-        gradle-version: "7.6"
     - name: Publish Java SDK
-      run: gradle -p ./sdk/java publishToSonatype closeAndReleaseSonatypeStagingRepository
+      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
       env:
         PACKAGE_VERSION: ${{ env.PROVIDER_VERSION }}
-        SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }}
-        SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }}
-        SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }}
-        PUBLISH_REPO_PASSWORD: ${{ steps.esc-secrets.outputs.OSSRH_PASSWORD }}
-        PUBLISH_REPO_USERNAME: ${{ steps.esc-secrets.outputs.OSSRH_USERNAME }}
+      with:
+        arguments: publishToSonatype closeAndReleaseSonatypeStagingRepository
+        build-root-directory: ./sdk/java
+        gradle-version: 7.4.1
   publish_go_sdk:
     runs-on: ubuntu-latest
     name: publish-go-sdk
     needs: publish_sdk
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         lfs: true
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: Download go SDK
-      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: go-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -604,36 +690,14 @@ jobs:
   dispatch_docs_build:
     runs-on: ubuntu-latest
     needs: publish_go_sdk
-    permissions:
-      contents: read
-      id-token: write # For ESC secrets.
     steps:
-    - name: Checkout Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
     - name: Install pulumictl
-      uses: jaxxstorm/action-install-gh-release@25e24d2d23ae098373794ef1d6faecb48ee52da8 # v3.0.0
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
       with:
         repo: pulumi/pulumictl
     - name: Dispatch Event
       run: pulumictl create docs-build pulumi-${{ env.PROVIDER }}
-        "${GITHUB_REF#refs/tags/}"
+        ${GITHUB_REF#refs/tags/}
       env:
-        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
+        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
     name: dispatch_docs_build

.github/workflows/release_command.yml

@@ -1,54 +0,0 @@
-# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
-
-name: release-command
-on:
-  repository_dispatch:
-    types:
-    - release-command
-jobs:
-  should_release:
-    name: Should release PR
-    runs-on: ubuntu-latest
-    steps:
-    - name: Checkout Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      with:
-        persist-credentials: false    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - name: Should release PR
-      uses: pulumi/action-release-by-pr-label@main
-      with:
-        command: "should-release"
-        repo: ${{ github.repository }}
-        pr: ${{ github.event.client_payload.pull_request.number }}
-        version: ${{ github.event.client_payload.slash_command.args.all }}
-        slack_channel: ${{ steps.esc-secrets.outputs.RELEASE_OPS_STAGING_SLACK_CHANNEL }}
-      env:
-        RELEASE_BOT_ENDPOINT: ${{ steps.esc-secrets.outputs.RELEASE_BOT_ENDPOINT }}
-        RELEASE_BOT_KEY: ${{ steps.esc-secrets.outputs.RELEASE_BOT_KEY }}
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - if: failure()
-      name: Notify failure
-      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
-      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
-        repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
-        issue-number: ${{ github.event.client_payload.github.payload.issue.number }}
-        body: |
-          "release command failed: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
-    - if: success()
-      name: Notify success
-      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
-      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
-        repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
-        comment-id: ${{ github.event.client_payload.github.payload.comment.id }}
-        reaction-type: hooray

.github/workflows/run-acceptance-tests.yml

@@ -10,13 +10,36 @@ on:
     - CHANGELOG.md
   workflow_dispatch: {}
 env:
+  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
   PROVIDER: docker-build
+  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
+  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
+  PYPI_USERNAME: __token__
+  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
   TRAVIS_OS_NAME: linux
-  GOVERSION: "1.21.x"
-  NODEVERSION: "20.x"
-  PYTHONVERSION: "3.11.8"
-  DOTNETVERSION: "8.0.x"
+  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
+  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
+  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
+  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
+  GOVERSION: 1.21.x
+  NODEVERSION: 20.x
+  PYTHONVERSION: "3.11"
+  DOTNETVERSION: 8.0.x
   JAVAVERSION: "11"
+  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
+  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
+  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
+  AWS_REGION: us-west-2
+  AZURE_LOCATION: westus
+  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
+  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
   GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
   GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
   GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -25,78 +48,54 @@ env:
   GOOGLE_REGION: us-central1
   GOOGLE_ZONE: us-central1-a
   PULUMI_API: https://api.pulumi-staging.io
-  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
-  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
-  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
-  TF_APPEND_USER_AGENT: pulumi
   PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }}
 jobs:
   comment-notification:
-    if: github.event_name == 'repository_dispatch'
     runs-on: ubuntu-latest
     name: comment-notification
     steps:
+    - name: Create URL to the run output
+      id: vars
+      run: echo
+        run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID
+        >> "$GITHUB_OUTPUT"
+    - name: Update with Result
+      uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+      with:
+        token: ${{ secrets.PULUMI_BOT_TOKEN }}
+        repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
+        issue-number: ${{ github.event.client_payload.github.payload.issue.number }}
+        body: "Please view the PR build: ${{ steps.vars.outputs.run-url }}"
+    if: github.event_name == 'repository_dispatch'
+  prerequisites:
+    runs-on: ubuntu-latest
+    name: prerequisites
+    steps:
     - name: Checkout Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         lfs: true
         persist-credentials: false
         ref: ${{ env.PR_COMMIT_SHA }}
-    - name: Create URL to the run output
-      id: vars
-      run: echo
-        "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
-        >> "$GITHUB_OUTPUT"
-    - name: Update with Result
-      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
-      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
-        repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
-        issue-number: ${{ github.event.client_payload.github.payload.issue.number }}
-        body: "Please view the PR build: ${{ steps.vars.outputs.run-url }}"
-  prerequisites:
-    runs-on: ubuntu-latest
-    name: prerequisites
-    permissions:
-      id-token: write # For ESC secrets.
-      pull-requests: write # For schema check comment.
-    steps:
-    - name: Checkout Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      with:
-        lfs: true
-        persist-credentials: false
-        ref: ${{ env.PR_COMMIT_SHA }}    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        cache: 'true'
-        github_token: ${{ steps.app-auth.outputs.token }}
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
     - if: github.event_name == 'pull_request'
       name: Install Schema Tools
-      uses: jaxxstorm/action-install-gh-release@25e24d2d23ae098373794ef1d6faecb48ee52da8 # v3.0.0
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
       with:
         repo: pulumi/schema-tools
     - name: Build codegen binaries
@@ -106,15 +105,13 @@ jobs:
     - if: github.event_name == 'pull_request'
       name: Check Schema is Valid
       run: >-
-        {
-          echo 'SCHEMA_CHANGES<<EOF';
+        echo 'SCHEMA_CHANGES<<EOF' >> $GITHUB_ENV
 
-          schema-tools compare -p ${{ env.PROVIDER }} -o ${{ github.event.repository.default_branch }} -n --local-path=provider/cmd/pulumi-resource-${{ env.PROVIDER }}/schema.json;
+        schema-tools compare -p ${{ env.PROVIDER }} -o ${{ github.event.repository.default_branch }} -n --local-path=provider/cmd/pulumi-resource-${{ env.PROVIDER }}/schema.json >> $GITHUB_ENV
 
-          echo 'EOF';
-        } >> "$GITHUB_ENV"
+        echo 'EOF' >> $GITHUB_ENV
       env:
-        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
+        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
     - if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
       name: Comment on PR with Details of Schema Check
       uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
@@ -139,22 +136,18 @@ jobs:
       with:
         allowed-changes: |-
           sdk/**/pulumi-plugin.json
-          sdk/dotnet/*.*.csproj
-          sdk/dotnet/version.txt
+          sdk/dotnet/Pulumi.*.csproj
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
-          sdk/java/build.gradle
-      # This worktree check is a safeguard against someone forgetting to
-      # re-build and commit locally, but we handle that commit automatically in
-      # the case of dependency bumps.
-      continue-on-error: ${{ contains(github.actor, 'renovate') }}
-    - name: Commit SDK changes for Renovate
-      if: steps.worktreeClean.outcome == 'failure' &&
+    - name: Commit ${{ matrix.language }} SDK changes for Renovate
+      if: failure() && steps.worktreeClean.outcome == 'failure' &&
         contains(github.actor, 'renovate') && github.event_name ==
         'pull_request'
       shell: bash
       run: >
+        git diff --quiet -- sdk && echo "no changes to sdk" && exit
+
         git config --global user.email "bot@pulumi.com"
 
         git config --global user.name "pulumi-bot"
@@ -169,27 +162,23 @@ jobs:
 
 
         # Apply and add our changes, but don't commit any files we expect to
+
         # always change due to versioning.
 
         git stash pop
 
-        git add sdk provider/cmd/pulumi-resource-docker-build/schema.json
+        git add sdk
 
-        git reset sdk/python/*/pulumi-plugin.json \
-            sdk/python/pyproject.toml \
-            sdk/dotnet/pulumi-plugin.json \
-            sdk/dotnet/*.*.csproj \
-            sdk/dotnet/version.txt \
-            sdk/go/*/pulumi-plugin.json \
-            sdk/go/*/internal/pulumiUtilities.go \
-            sdk/nodejs/package.json
+        git reset     sdk/python/*/pulumi-plugin.json     sdk/python/pyproject.toml     sdk/dotnet/pulumi-plugin.json     sdk/dotnet/Pulumi.*.csproj     sdk/go/*/pulumi-plugin.json     sdk/go/*/internal/pulumiUtilities.go     sdk/nodejs/package.json
+
+        git commit -m 'Commit ${{ matrix.language }} SDK for Renovate'
 
-        git commit -m 'Commit SDK for Renovate'
 
         # Push with pulumi-bot credentials to trigger a re-run of the
+
         # workflow. https://github.com/orgs/community/discussions/25702
 
-        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
       env:
         HEAD_REF: ${{ github.head_ref }}
     - run: git status --porcelain
@@ -198,27 +187,23 @@ jobs:
         github.workspace}}/bin/ pulumi-resource-${{ env.PROVIDER }}
         pulumi-gen-${{ env.PROVIDER}}
     - name: Upload artifacts
-      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
         path: ${{ github.workspace }}/bin/provider.tar.gz
     - name: Test Provider Library
       run: make test_provider
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: Upload coverage reports to Codecov
-      uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
+      uses: codecov/codecov-action@ad3126e916f78f00edff4ed0317cf185271ccc2d # v5.4.2
       env:
-        CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
+        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure in building provider prerequisites
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
     if: github.event_name == 'repository_dispatch' ||
       github.event.pull_request.head.repo.full_name == github.repository
   build_sdks:
@@ -234,44 +219,54 @@ jobs:
         - go
         - java
     name: build_sdks
-    permissions:
-      contents: read
-      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         lfs: true
         persist-credentials: false
-        ref: ${{ env.PR_COMMIT_SHA }}    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        ref: ${{ env.PR_COMMIT_SHA }}
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Setup Node
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      with:
+        node-version: ${{ env.NODEVERSION }}
+        registry-url: https://registry.npmjs.org
+    - name: Setup DotNet
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      with:
+        dotnet-version: ${{ env.DOTNETVERSION }}
+    - name: Setup Python
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      with:
+        python-version: ${{ env.PYTHONVERSION }}
+    - name: Setup Java
+      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+      with:
+        java-version: ${{ env.JAVAVERSION }}
+        distribution: temurin
+        cache: gradle
+    - name: Setup Gradle
+      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
+      with:
+        gradle-version: "7.6"
     - name: Download provider
-      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
         path: ${{ github.workspace }}/bin
@@ -291,19 +286,18 @@ jobs:
       with:
         allowed-changes: |-
           sdk/**/pulumi-plugin.json
-          sdk/dotnet/*.*.csproj
-          sdk/dotnet/version.txt
+          sdk/dotnet/Pulumi.*.csproj
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
-          sdk/java/build.gradle
-      continue-on-error: ${{ contains(github.actor, 'renovate') }}
-    - name: Commit SDK changes for Renovate
-      if: steps.worktreeClean.outcome == 'failure' &&
+    - name: Commit ${{ matrix.language }} SDK changes for Renovate
+      if: failure() && steps.worktreeClean.outcome == 'failure' &&
         contains(github.actor, 'renovate') && github.event_name ==
         'pull_request'
       shell: bash
       run: >
+        git diff --quiet -- sdk && echo "no changes to sdk" && exit
+
         git config --global user.email "bot@pulumi.com"
 
         git config --global user.name "pulumi-bot"
@@ -316,48 +310,43 @@ jobs:
 
         git checkout "origin/$HEAD_REF"
 
+
         # Apply and add our changes, but don't commit any files we expect to
+
         # always change due to versioning.
 
         git stash pop
 
-        git add sdk provider/cmd/pulumi-resource-docker-build/schema.json
+        git add sdk
 
-        git reset sdk/python/*/pulumi-plugin.json \
-            sdk/python/pyproject.toml \
-            sdk/dotnet/pulumi-plugin.json \
-            sdk/dotnet/*.*.csproj \
-            sdk/dotnet/version.txt \
-            sdk/go/*/pulumi-plugin.json \
-            sdk/go/*/internal/pulumiUtilities.go \
-            sdk/nodejs/package.json
+        git reset     sdk/python/*/pulumi-plugin.json     sdk/python/pyproject.toml     sdk/dotnet/pulumi-plugin.json     sdk/dotnet/Pulumi.*.csproj     sdk/go/*/pulumi-plugin.json     sdk/go/*/internal/pulumiUtilities.go     sdk/nodejs/package.json
+
+        git commit -m 'Commit ${{ matrix.language }} SDK for Renovate'
 
-        git commit -m 'Commit SDK for Renovate'
 
         # Push with pulumi-bot credentials to trigger a re-run of the
+
         # workflow. https://github.com/orgs/community/discussions/25702
 
-        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
       env:
         HEAD_REF: ${{ github.head_ref }}
     - run: git status --porcelain
     - name: Tar SDK folder
       run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} .
     - name: Upload artifacts
-      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
       with:
         name: ${{ matrix.language  }}-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/${{ matrix.language }}.tar.gz
         retention-days: 30
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure while building SDKs
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
     if: github.event_name == 'repository_dispatch' ||
       github.event.pull_request.head.repo.full_name == github.repository
   test:
@@ -380,39 +369,52 @@ jobs:
       id-token: write
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
         lfs: true
         persist-credentials: false
-        ref: ${{ env.PR_COMMIT_SHA }}    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-      id: app-auth
-      with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
+        ref: ${{ env.PR_COMMIT_SHA }}
     - id: version
       name: Set Provider Version
-      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
       with:
         set-env: PROVIDER_VERSION
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Setup Node
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      with:
+        node-version: ${{ env.NODEVERSION }}
+        registry-url: https://registry.npmjs.org
+    - name: Setup DotNet
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      with:
+        dotnet-version: ${{ env.DOTNETVERSION }}
+    - name: Setup Python
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      with:
+        python-version: ${{ env.PYTHONVERSION }}
+    - name: Setup Java
+      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+      with:
+        java-version: ${{ env.JAVAVERSION }}
+        distribution: temurin
+        cache: gradle
+    - name: Setup Gradle
+      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
+      with:
+        gradle-version: "7.6"
     - name: Download provider
-      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
         path: ${{ github.workspace }}/bin
@@ -424,7 +426,7 @@ jobs:
         -exec chmod +x {} \;
     - name: Download SDK
       if: ${{ matrix.language != 'yaml' }}
-      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
       with:
         name: ${{ matrix.language }}-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -433,7 +435,7 @@ jobs:
       run: tar -zxf ${{ github.workspace}}/sdk/${{ matrix.language}}.tar.gz -C ${{
         github.workspace}}/sdk/${{ matrix.language}}
     - name: Update path
-      run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
+      run: echo "${{ github.workspace }}/bin" >> $GITHUB_PATH
     - name: Install Node dependencies
       run: yarn global add typescript
     - run: dotnet nuget add source ${{ github.workspace }}/nuget
@@ -446,19 +448,19 @@ jobs:
       run: make install_${{ matrix.language}}_sdk
     - name: Generate Pulumi Access Token
       id: generate_pulumi_token
-      uses: pulumi/auth-actions@141415910c3beb54e03b48e9057c204c97b956f2 # v2.1.0
+      uses: pulumi/auth-actions@1c89817aab0c66407723cdef72b05266e7376640 # v1.0.1
       with:
         organization: pulumi
         requested-token-type: urn:pulumi:token-type:access_token:organization
         export-environment-variables: false
     - name: Export AWS Credentials
-      uses: pulumi/esc-action@f3cfbabf37488463817366338165b92b5f99117e
+      uses: pulumi/esc-action@41fd832f44f4820124b5350b5f84a00f741f234e # v1.3.0
       env:
         PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
       with:
         environment: logins/pulumi-ci
     - name: Authenticate to Google Cloud
-      uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
+      uses: google-github-actions/auth@71f986410dfbc7added4569d411d040a91dc6935 # v2.1.8
       with:
         workload_identity_provider: projects/${{ env.GOOGLE_PROJECT_NUMBER
           }}/locations/global/workloadIdentityPools/${{
@@ -466,7 +468,7 @@ jobs:
           env.GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER }}
         service_account: ${{ env.GOOGLE_CI_SERVICE_ACCOUNT_EMAIL }}
     - name: Setup gcloud auth
-      uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
+      uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
       with:
         install_components: gke-gcloud-auth-plugin
     - name: Install gotestfmt
@@ -479,40 +481,21 @@ jobs:
         set -euo pipefail
 
         cd examples && go test -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 .
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
-      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
       with:
         author_name: Failure in SDK tests
         fields: repo,commit,author,action
         status: ${{ job.status }}
-      env:
-        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
     if: github.event_name == 'repository_dispatch' ||
       github.event.pull_request.head.repo.full_name == github.repository
   sentinel:
     runs-on: ubuntu-latest
     name: sentinel
     steps:
-    - name: Checkout Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-      with:
-        lfs: true
-        persist-credentials: false
-        ref: ${{ env.PR_COMMIT_SHA }}    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - name: Mark workflow as successful
-      uses: guibranco/github-status-action-v2@77639353504055053524efa7a3719aaf0b731ce9 # v1.2.4
+      uses: guibranco/github-status-action-v2@0849440ec82c5fa69b2377725b9b7852a3977e76 # v1.1.13
       with:
         authToken: ${{ secrets.GITHUB_TOKEN }}
         context: Sentinel
@@ -521,7 +504,6 @@ jobs:
         sha: ${{ github.event.pull_request.head.sha || github.sha }}
     permissions:
       statuses: write
-      id-token: write # For ESC secrets.
     if: github.event_name == 'repository_dispatch' ||
       github.event.pull_request.head.repo.full_name == github.repository
     needs:
@@ -529,8 +511,28 @@ jobs:
     - prerequisites
     - lint
   lint:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        lfs: true
+        persist-credentials: false
+        ref: ${{ env.PR_COMMIT_SHA }}
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
+      with:
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Disarm go:embed directives to enable linters that compile source code
+      run: git grep -l 'go:embed' -- provider | xargs --no-run-if-empty sed -i
+        's/go:embed/ goembed/g'
+    - name: golangci-lint provider pkg
+      uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6.5.2
+      with:
+        version: ${{ env.GOLANGCI_LINT_VERSION }}
+        args: -c ../.golangci.yml
+        working-directory: provider
+    name: lint
     if: github.event_name == 'repository_dispatch' ||
       github.event.pull_request.head.repo.full_name == github.repository
-    name: lint
-    uses: ./.github/workflows/lint.yml
-    secrets: inherit

.github/workflows/shared/plugins/code-review/code-review.md

@@ -1,214 +0,0 @@
----
-description: High-signal PR review for gh-aw workflows using safe outputs
----
-
-Provide a code review for the given pull request.
-
-**Agent assumptions (applies to all agents and subagents):**
-- All tools are functional and will work without error. Do not test tools or make exploratory calls. Make sure this is clear to every subagent that is launched.
-- Only call a tool if it is required to complete the task. Every tool call should have a clear purpose.
-- Use GitHub MCP tools for repository reads. Do not use `gh` CLI commands for repository inspection or for posting review output.
-- Use the workflow PR number as the authoritative target.
-- Review output must be terse and issue-focused. Do not praise the PR, narrate checks that passed, explain why code is correct, or offer "good change" commentary.
-- Use only gh-aw safe outputs for review side effects:
-  - `create-pull-request-review-comment` for actionable inline findings on changed lines
-  - `resolve-pull-request-review-thread` for unresolved bot-authored review threads that are now fixed or clearly acknowledged
-  - `submit-pull-request-review` for the final review decision
-  - `noop` when no action should be taken
-- Use cache-memory only for short-lived continuity and deduplication hints. Treat live PR state and current review threads as the source of truth.
-- Never post free-form issue comments or use any side channel for review output.
-- Respect the workflow safe-output limits. Prioritize the highest-signal unique findings and keep the inline review set within the configured maximum.
-- Consult `.gitattributes` when relevant and treat files matched there as generated by default. Ignore findings that exist only in generated outputs such as `.lock.yml` files unless the corresponding source-of-truth files show a real behavioral problem.
-
-To do this, follow these steps precisely:
-
-1. Create a short todo list for yourself before starting.
-
-2. Launch a fast subagent to check if any of the following are true:
-   - The pull request is closed
-   - The pull request is a draft
-   - The pull request does not need code review (e.g. automated PR, trivial change that is obviously correct)
-   - Required PR context cannot be read from the workflow tools
-
-   If any condition is true, call `noop` with a brief reason and stop.
-
-Note: Do not skip solely because prior automated review comments exist. Use prior comments for deduplication and stale-thread cleanup instead.
-
-3. Read any prior review memory for this PR from cache-memory before you start detailed analysis.
-
-   Use a PR-specific file such as:
-   - `/tmp/gh-aw/cache-memory/pr-${PR_NUMBER}.json`
-
-   If a prior memory file exists, use it only as a hint for:
-   - Previously reported issues
-   - Dedupe patterns
-   - Prior review timestamps
-   - Risk areas worth re-checking
-
-   Do not trust cache-memory over current GitHub state. If memory conflicts with the live PR, changed files, or review threads, trust the live PR and ignore stale memory.
-
-4. Launch a fast subagent to return a list of file paths (not their contents) for all relevant `CLAUDE.md` files including:
-   - The root CLAUDE.md file, if it exists
-   - Any CLAUDE.md files in directories containing files modified by the pull request
-
-5. Launch a subagent to summarize:
-   - The PR title and description
-   - The changed files
-   - The main behavioral changes in the diff
-   - Any obvious risk areas worth checking carefully
-
-6. Fetch existing review comments and review threads on the PR before preparing any new findings. Use them to identify:
-   - Similar issues already flagged
-   - Threads where a human already acknowledged the feedback
-   - Comments on code that has changed since the earlier review and may now be stale
-   - Unresolved bot-authored review threads that may now be fixed or obsolete
-
-7. Launch 4 review subagents in parallel. Each agent should return a list of candidate issues, where each issue includes:
-   - A concise description
-   - The reason it was flagged (for example `CLAUDE.md adherence` or `bug`)
-   - The changed file path
-   - The changed line or closest changed hunk
-   - Why the issue is likely real
-
-   Agents 1 + 2: CLAUDE.md compliance sonnet agents
-   Audit changes for `CLAUDE.md` compliance in parallel. When evaluating a file, only consider `CLAUDE.md` files that share a path scope with that file or its parents.
-
-   Agent 3: bug-focused review agent
-   Scan for obvious bugs. Focus only on the diff itself without reading extra context. Flag only significant bugs; ignore nitpicks and likely false positives. Do not flag issues that you cannot validate without looking at context outside of the git diff.
-
-   Agent 4: behavior-focused review agent
-   Look for problems introduced by the new code, including security issues, incorrect logic, regressions, and missing error handling. Only look for issues that fall within changed code.
-
-   **CRITICAL: We only want HIGH SIGNAL issues.** Flag issues where:
-   - The code will fail to compile or parse (syntax errors, type errors, missing imports, unresolved references)
-   - The code will definitely produce wrong results regardless of inputs (clear logic errors)
-   - The code introduces a clear security or regression bug in changed lines
-   - Clear, unambiguous `CLAUDE.md` violations where you can quote the exact rule being broken
-
-   Do NOT flag:
-   - Code style or quality concerns
-   - Potential issues that depend on specific inputs or state
-   - Subjective suggestions or improvements
-
-   If you are not certain an issue is real, do not flag it. False positives erode trust and waste reviewer time.
-
-   Each review subagent should receive the PR title and description so it can evaluate intent.
-
-8. For each candidate issue, launch validation subagents in parallel. Each validator should receive the PR title, description, issue description, affected file, and affected hunk. The validator must confirm that the issue is real with high confidence.
-
-   For bug and logic issues, verify the changed code actually causes the stated problem.
-
-   For `CLAUDE.md` issues, verify both:
-   - The cited rule exists
-   - The rule applies to that file path and is actually violated
-
-9. Filter out any issue that fails validation.
-
-10. Deduplicate and prune the validated issue list. Remove:
-   - Issues already covered by an existing review comment
-   - Issues in threads where a human has already acknowledged the feedback
-   - Issues that were present in an earlier revision but are fixed in the latest code
-   - Duplicate findings reported by multiple subagents
-   - Findings that are not on changed lines or cannot be tied to a changed hunk
-   - Findings that only came from cache-memory and are not confirmed by the current PR state
-
-   Also create a separate internal list of review threads to resolve. A thread is eligible for resolution only when all of the following are true:
-   - The thread is currently unresolved
-   - The thread was started by this automation or another bot, not by a human reviewer
-   - The underlying issue is fixed in the latest diff, outdated, or explicitly acknowledged by a human as intentionally left as-is
-   - You have high confidence that resolving it will not hide an outstanding real issue
-
-   Never resolve human-authored review threads. When uncertain, leave the thread unresolved.
-
-11. Classify the remaining issues:
-   - `Blocking`: correctness, security, regression, data loss, or clear required-rule violations
-   - `Non-blocking`: actionable but not merge-blocking concerns that are still worth interrupting the author for now
-
-   Drop any candidate that is merely:
-   - praise
-   - reassurance
-   - a follow-up idea
-   - a readability suggestion with no concrete risk
-   - an observation that does not require author action
-
-12. Produce a short internal summary of findings for yourself:
-   - If issues remain, list the highest-signal ones first
-   - If no issues remain, summarize that no actionable high-signal issues were found
-
-13. If no actionable issues remain, submit exactly one final review with `submit-pull-request-review`:
-   - Use `APPROVE`
-   - Use one short sentence only, such as `No actionable issues found.`
-   - Do not create inline comments
-   - Do not include praise, summaries of what was checked, or correctness narration
-   - Before stopping, write a compact review memory file for this PR containing:
-     - review timestamp
-     - PR number
-     - files reviewed
-     - summary of what was checked
-     - `issues_reported: []`
-   - Stop after the final review is submitted and memory is updated
-
-14. If actionable issues remain, choose the highest-signal unique issues up to the safe-output comment limit. Create a list of planned inline comments for yourself before posting anything.
-
-   Prefer zero comments over low-signal comments. Non-blocking comments should be rare.
-
-15. Post one inline comment per chosen issue using `create-pull-request-review-comment`. For each comment:
-   - Provide a brief description of the issue
-   - Explain why it matters
-   - Reference the exact changed line
-   - Cite the relevant `CLAUDE.md` rule when applicable
-   - Keep the comment concise and actionable
-   - Do not post comments that merely suggest optional follow-up cleanup or extra documentation
-   - Do not post comments whose conclusion is that the code is acceptable as-is
-   - Do not post duplicate comments for the same issue
-
-16. Resolve eligible stale review threads using `resolve-pull-request-review-thread` before submitting the final review.
-   - Resolve only threads from your internal resolution list
-   - Resolve only bot-authored threads
-   - Do not add explanatory comments when resolving
-   - If no threads qualify, do nothing
-
-17. Submit exactly one final review using `submit-pull-request-review`:
-   - Use `REQUEST_CHANGES` when at least one blocking issue remains
-   - Use `APPROVE` otherwise, including when only non-blocking inline comments were left
-   - Do not use `COMMENT` as the final review state
-   - Keep the summary to one or two short sentences
-   - Do not restate inline comments in the final review; point readers to the inline comments instead
-   - Do not include praise, correctness checklists, or "overall LGTM" framing unless there are zero inline comments and you are using the exact terse approval style above
-
-18. After the final review is submitted, update the PR-specific cache-memory file with a compact record of this review. Store only short-lived operational state such as:
-   - review timestamp
-   - PR number
-   - files reviewed
-   - issue fingerprints or short summaries
-   - whether the final review was `APPROVE` or `REQUEST_CHANGES`
-
-   Do not store secrets, tokens, personal data, or large blobs. Keep the file concise so future runs can use it for continuity and dedupe.
-
-Use this list when evaluating issues in Steps 4 and 5 (these are false positives, do NOT flag):
-
-- Pre-existing issues
-- Something that appears to be a bug but is actually correct
-- Pedantic nitpicks that a senior engineer would not flag
-- Issues that a linter will catch (do not run the linter to verify)
-- General code quality concerns (e.g., lack of test coverage, general security issues) unless explicitly required in CLAUDE.md
-- Issues mentioned in CLAUDE.md but explicitly silenced in the code (e.g., via a lint ignore comment)
-- Differences that exist only in files classified as generated by `.gitattributes`, unless they expose a real issue in the source workflow, prompt, or other source-of-truth file
-- Explanations that a change is good, correct, well-structured, or acceptable as-is
-- Non-blocking observations that do not require the author to change anything now
-- Requests for extra comments or documentation unless their absence creates a concrete correctness risk
-
-Notes:
-
-- Use GitHub tools for all repository reads. Do not use web fetch.
-- Always operate on the workflow PR target rather than guessing from local git state.
-- Inline comments should only be created for actionable issues on changed lines.
-- If you leave inline comments, the final review should not repeat them.
-- Cache-memory is best-effort and may be missing or stale. Use it to improve continuity, never to override current repository state.
-- When linking to code in an inline comment, use a full GitHub blob URL with a full SHA and a line range, for example: https://github.com/anthropics/claude-code/blob/c21d3c10bc8e898b7ac1a2d745bdc9bc4e423afe/package.json#L10-L15
-  - Requires full git sha
-  - Do not use shell substitution in the URL
-  - Repo name must match the repo you're code reviewing
-  - Use `#L[start]-L[end]`
-  - Provide at least one line of context before and after when possible
-- If context checks fail or the PR is not reviewable, call `noop` with a brief explanation instead of exiting silently.

.github/workflows/shared/review.md

@@ -1,74 +0,0 @@
----
-permissions:
-  contents: read
-  pull-requests: read
-  id-token: write
-engine:
-  id: claude
-  env:
-    ANTHROPIC_API_KEY: ${{ steps.esc-secrets.outputs.ANTHROPIC_API_KEY || '__GH_AW_ACTIVATION_PLACEHOLDER__' }}
-steps:
-  - env:
-      ESC_ACTION_ENVIRONMENT: imports/github-secrets
-      ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-      ESC_ACTION_OIDC_AUTH: "true"
-      ESC_ACTION_OIDC_ORGANIZATION: pulumi
-      ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-    id: esc-secrets
-    name: Fetch secrets from ESC
-    uses: pulumi/esc-action@6cf9520e68354d86f81c455e8d43eabd58f5c9f5  # v1.5.0
-  - name: Validate ESC secret output
-    env:
-      ANTHROPIC_API_KEY_FROM_ESC: ${{ steps.esc-secrets.outputs.ANTHROPIC_API_KEY }}
-    run: |
-      test -n "$ANTHROPIC_API_KEY_FROM_ESC" || {
-        echo "ESC did not return ANTHROPIC_API_KEY";
-        exit 1;
-      }
-tools:
-  cache-memory: true
-  github:
-    toolsets: [pull_requests, repos]
-safe-outputs:
-  threat-detection: false
-  create-pull-request-review-comment:
-    max: 12
-    side: "RIGHT"
-    target: "${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}"
-    target-repo: "${{ github.repository }}"
-  resolve-pull-request-review-thread:
-    max: 12
-    target: "${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}"
-    target-repo: "${{ github.repository }}"
-  submit-pull-request-review:
-    max: 1
-    allowed-events: [APPROVE, REQUEST_CHANGES, COMMENT]
-    target: "${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}"
-  noop:
-    max: 1
-  messages:
-    footer: "> Reviewed by [{workflow_name}]({run_url})"
-    run-started: "Started automated PR review for #${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}."
-    run-success: "Finished automated PR review for #${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}."
-    run-failure: "Automated PR review failed for #${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }} ({status})."
----
-
-
-Review pull request #${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }} in repository `${{ github.repository }}`.
-
-Workflow-specific rules:
-- Use `${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}` as the authoritative PR target.
-- Treat the imported review prompt as the source of the review procedure.
-- Use only gh-aw safe outputs for side effects:
-  - `create-pull-request-review-comment` for actionable inline findings on changed lines
-  - `resolve-pull-request-review-thread` for previously reported bot-authored threads that are now fixed or clearly acknowledged
-  - `submit-pull-request-review` for the final review
-  - `noop` when the PR is not reviewable or required context is missing
-- Submit exactly one final review:
-  - `REQUEST_CHANGES` when at least one blocking issue exists.
-  - `APPROVE` otherwise, including when only non-blocking observations exist.
-  - Do not submit `COMMENT` as the final review state.
-- Do not post free-form issue comments outside safe outputs.
-- Respect the configured inline comment limit and prioritize the highest-signal unique findings.
-- Use cache-memory only as a best-effort continuity aid; live PR state and current review threads are authoritative.
-- Ignore discovery steps intended for runs without PR context.

.github/workflows/weekly-pulumi-update.yml

@@ -8,12 +8,34 @@ on:
 env:
   GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
   PROVIDER: docker-build
+  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
+  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
+  PYPI_USERNAME: __token__
+  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
   TRAVIS_OS_NAME: linux
-  GOVERSION: "1.21.x"
-  NODEVERSION: "20.x"
-  PYTHONVERSION: "3.11.8"
-  DOTNETVERSION: "8.0.x"
+  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
+  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
+  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
+  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
+  GOVERSION: 1.21.x
+  NODEVERSION: 20.x
+  PYTHONVERSION: "3.11"
+  DOTNETVERSION: 8.0.x
   JAVAVERSION: "11"
+  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
+  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
+  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
+  AWS_REGION: us-west-2
+  AZURE_LOCATION: westus
+  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
+  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
   GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
   GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
   GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -22,39 +44,38 @@ env:
   GOOGLE_REGION: us-central1
   GOOGLE_ZONE: us-central1-a
   PULUMI_API: https://api.pulumi-staging.io
-  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
-  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
-  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
-  TF_APPEND_USER_AGENT: pulumi
-
 jobs:
   weekly-pulumi-update:
     runs-on: ubuntu-latest
-    permissions: write-all
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
       with:
-        lfs: true    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
-      id: app-auth
+        lfs: true
+    - name: Install Go
+      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
       with:
-        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
-        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
-        owner: ${{ github.repository_owner }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
+        go-version: ${{ env.GOVERSION }}
+        cache-dependency-path: "**/*.sum"
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
       with:
-        github_token: ${{ steps.app-auth.outputs.token }}
+        repo: pulumi/pulumictl
+    - name: Install Pulumi CLI
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6.2.0
+    - name: Setup DotNet
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      with:
+        dotnet-version: ${{ env.DOTNETVERSION }}
+    - name: Setup Node
+      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      with:
+        node-version: ${{ env.NODEVERSION }}
+        registry-url: https://registry.npmjs.org
+    - name: Setup Python
+      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      with:
+        python-version: ${{ env.PYTHONVERSION }}
     - name: Update Pulumi/Pulumi
       id: gomod
       run: >-
@@ -64,9 +85,9 @@ jobs:
 
         git checkout -b update-pulumi/${{ github.run_id }}-${{ github.run_number }}
 
-        gh repo view pulumi/pulumi --json latestRelease --jq .latestRelease.tagName | sed 's/^v//' > .pulumi.version
+        for MODFILE in $(find . -name go.mod); do pushd $(dirname $MODFILE); go get github.com/pulumi/pulumi/pkg/v3 github.com/pulumi/pulumi/sdk/v3; go mod tidy; popd; done
 
-        VERSION=$(cat .pulumi.version) find . -name go.mod -execdir sh -c 'go get github.com/pulumi/pulumi/pkg/v3@v${VERSION} github.com/pulumi/pulumi/sdk/v3@v${VERSION}; go mod tidy' \;
+        gh repo view pulumi/pulumi --json latestRelease --jq .latestRelease.tagName | sed 's/^v//' > .pulumi.version
 
         git update-index -q --refresh
 
@@ -109,7 +130,9 @@ jobs:
 
         msg="Automated upgrade: bump pulumi/pulumi to ${ver}"
 
-        gh pr create -t "$msg" -b "$msg"
+        # See https://github.com/cli/cli/issues/6485#issuecomment-2560935183 for --head workaround
+
+        gh pr create -t "$msg" -b "$msg" --head $(git branch --show-current)
       env:
-        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
+        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
     name: weekly-pulumi-update

.gitignore

@@ -7,7 +7,6 @@
 **/.ionide
 **/.vscode
 *.swp
-.pulumi
 Pulumi.*.yaml
 yarn.lock
 ci-scripts

.golangci.yml

@@ -1,53 +1,104 @@
-# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
+run:
+  timeout: 10m
 
-version: "2"
 linters:
+  enable-all: false
   enable:
-    - goconst
+    - depguard
+    - errcheck
+    - exhaustive
+    - copyloopvar
+    - gci
+    - gocritic
+    - gofumpt
+    - goheader
     - gosec
+    - govet
+    - importas
+    - ineffassign
     - lll
     - misspell
     - nakedret
+    - nolintlint
+    - paralleltest
+    - perfsprint
+    - prealloc
     - revive
     - unconvert
-  exclusions:
-    generated: lax
-    presets:
-      - comments
-      - common-false-positives
-      - legacy
-      - std-error-handling
-    paths:
-      - schema.go
-      - pulumiManifest.go
-      - pkg/vendored
-      - third_party$
-      - builtin$
-      - examples$
+    - unused
+
+linters-settings:
+  depguard:
     rules:
-      - linters:
-          - revive
-        path: pkg/
-        text: "var-naming" # https://github.com/pulumi/ci-mgmt/issues/2100
-formatters:
-  enable:
-    - gci
-    - gofmt
-  settings:
-    gci:
-      sections:
-        - standard # Standard section: captures all standard library packages.
-        - blank # Blank section: contains all blank imports.
-        - default # Default section: contains all imports that could not be matched to another section type.
-        - prefix(github.com/pulumi/) # Custom section: groups all imports with the github.com/pulumi/ prefix.
-        - prefix(github.com/pulumi/pulumi-docker-build) # Custom section: local imports
-      custom-order: true
-  exclusions:
-    generated: lax
-    paths:
-      - schema.go
-      - pulumiManifest.go
-      - pkg/vendored
-      - third_party$
-      - builtin$
-      - examples$
+      protobuf:
+        deny:
+          - pkg: "github.com/golang/protobuf"
+            desc: Use google.golang.org/protobuf instead
+  gci:
+    sections:
+      - standard # Standard section: captures all standard library packages.
+      - blank # Blank section: contains all blank imports.
+      - default # Default section: contains all imports that could not be matched to another section type.
+      - prefix(github.com/pulumi/) # Custom section: groups all imports with the github.com/pulumi/ prefix.
+      - prefix(github.com/pulumi/pulumi-dockerbuild/) # Custom section: local imports
+    custom-order: true
+  gocritic:
+    enable-all: true
+    disabled-checks:
+      - hugeParam
+      - importShadow
+  goheader:
+    template: |-
+      Copyright 2024, Pulumi Corporation.
+
+      Licensed under the Apache License, Version 2.0 (the "License");
+      you may not use this file except in compliance with the License.
+      You may obtain a copy of the License at
+
+          http://www.apache.org/licenses/LICENSE-2.0
+
+      Unless required by applicable law or agreed to in writing, software
+      distributed under the License is distributed on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+      See the License for the specific language governing permissions and
+      limitations under the License.
+  govet:
+    enable:
+      - nilness
+      # Reject comparisons of reflect.Value with DeepEqual or '=='.
+      - reflectvaluecompare
+      # Reject sort.Slice calls with a non-slice argument.
+      - sortslice
+      # Detect write to struct/arrays by-value that aren't read again.
+      - unusedwrite
+  nakedret:
+    # Make an issue if func has more lines of code than this setting, and it has naked returns.
+    # Default: 30
+    max-func-lines: 60
+  nolintlint:
+    # Some linter exclusions are added to generated or templated files
+    # pre-emptively.
+    # Don't complain about these.
+    allow-unused: true
+
+issues:
+  exclude-use-default: false
+  exclude-rules:
+    # Don't warn on unused parameters.
+    # Parameter names are useful; replacing them with '_' is undesirable.
+    - linters: [revive]
+      text: 'unused-parameter: parameter \S+ seems to be unused, consider removing or renaming it as _'
+
+    # staticcheck already has smarter checks for empty blocks.
+    # revive's empty-block linter has false positives.
+    # For example, as of writing this, the following is not allowed.
+    #   for foo() { }
+    - linters: [revive]
+      text: "empty-block: this block is empty, you can remove it"
+
+    # We *frequently* use the term 'new' in the context of properties
+    # (new and old properties),
+    # and we rarely use the 'new' built-in function.
+    # It's fine to ignore these cases.
+    - linters: [revive]
+      text: "redefines-builtin-id: redefinition of the built-in function new"

.goreleaser.yml

@@ -1,4 +1,5 @@
 # WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
+
 project_name: pulumi-docker-build
 builds:
 - id: build-provider

.pulumi.version

@@ -1 +1 @@
-3.239.0
+3.163.0

CHANGELOG.md

@@ -1,41 +1,5 @@
 ## Unreleased
 
-### Fixed
-
-- Fixes a regression where a 404 status code during deletion wasn't considered deleted. (https://github.com/pulumi/pulumi-docker-build/issues/849)
-
-## 0.0.15 (2025-10-17)
-
-### Changed
-
-- Arguments `CacheFromGitHubActions.URL` and `CacheFromGitHubActions.Token` have been removed. If the previous behaviour is desired, set the `ACTIONS_CACHE_URL` and `ACTIONS_RUNTIME_TOKEN` environment variables. (https://github.com/pulumi/pulumi-docker-build/issues/75)
-
-## 0.0.14 (2025-09-30)
-
-### Fixed
-
-- A warning is no longer emitted for the reserved `__internal` key. (https://github.com/pulumi/pulumi-docker-build/issues/579)
-
-## 0.0.13 (2025-08-27)
-
-### Changed
-
-- Docker Build Cloud and `exec` errors are more helpful. (https://github.com/pulumi/pulumi-docker-build/issues/549)
-
-### Fixed
-
-- The provider is no longer replaced on version changes. (https://github.com/pulumi/pulumi-docker-build/issues/581)
-
-## 0.0.12 (2025-05-16)
-
-### Changed
-
-- Upgraded pulumi-go-provider to v1.0.0-rc2.
-
-### Fixed
-
-- Builds now respect cancellation. (https://github.com/pulumi/pulumi-docker-build/issues/533, https://github.com/pulumi/pulumi-docker-build/pull/522)
-
 ## 0.0.11 (2025-04-11)
 
 ### Changed

Makefile

@@ -17,9 +17,8 @@ WORKING_DIR      := $(shell pwd)
 EXAMPLES_DIR     := ${WORKING_DIR}/examples/yaml
 TESTPARALLELISM  := 4
 
-PULUMI           := pulumi
-GOGLANGCILINT    := golangci-lint
-GOTEST           := go test
+PULUMI           := bin/pulumi
+GOGLANGCILINT    := bin/golangci-lint
 
 # Override during CI using `make [TARGET] PROVIDER_VERSION=""` or by setting a PROVIDER_VERSION environment variable
 # Local & branch builds will just used this fixed default version unless specified
@@ -47,10 +46,10 @@ provider_debug::
 	(cd provider && go build -o $(WORKING_DIR)/bin/${PROVIDER} -gcflags="all=-N -l" -ldflags "-X ${PROJECT}/${VERSION_PATH}=${VERSION_GENERIC}" $(PROJECT)/${PROVIDER_PATH}/cmd/$(PROVIDER))
 
 test_provider:: # Required by CI
-	${GOTEST} -short -v -coverprofile="coverage.txt" -coverpkg=./provider/... -timeout 2h -parallel ${TESTPARALLELISM} ./provider/...
+	go test -short -v -coverprofile="coverage.txt" -coverpkg=./provider/... -timeout 2h -parallel ${TESTPARALLELISM} ./provider/...
 
 test_examples: install_nodejs_sdk install_dotnet_sdk
-	${GOTEST} -short -v -cover -tags=all -timeout 2h -parallel ${TESTPARALLELISM} ./examples/...
+	go test -short -v -cover -tags=all -timeout 2h -parallel ${TESTPARALLELISM} ./examples/...
 
 test_all:: test_provider test_examples
 
@@ -58,34 +57,43 @@ test_all:: test_provider test_examples
 gen_examples:
 
 examples: $(shell mkdir -p examples)
-examples: sdk examples/yaml examples/go examples/nodejs examples/python examples/dotnet examples/java examples/hcl
+examples: sdk examples/yaml examples/go examples/nodejs examples/python examples/dotnet examples/java
 
 examples/yaml:
 	rm -rf ${WORKING_DIR}/examples/yaml/app
 	cp -r ${WORKING_DIR}/examples/app ${WORKING_DIR}/examples/yaml/app
 
-examples/go: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/go: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,go)
 	@git checkout examples/go/go.mod
 
-examples/nodejs: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/nodejs: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,nodejs)
 	@git checkout examples/nodejs/package.json
 
-examples/python: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/python: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,python)
 	@git checkout examples/python/requirements.txt
 
-examples/dotnet: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/dotnet: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,dotnet)
 	@git checkout examples/dotnet/provider-docker-build.csproj
 
-examples/java: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/java: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,java)
 	@git checkout examples/java/pom.xml
 
-examples/hcl: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
-	$(call example,hcl)
+${PULUMI}: go.sum
+	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi/pkg/v3/cmd/pulumi
+	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi/sdk/go/pulumi-language-go/v3
+	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi/sdk/nodejs/cmd/pulumi-language-nodejs/v3
+	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi/sdk/python/cmd/pulumi-language-python/v3
+	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi-java/pkg/cmd/pulumi-language-java
+	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet
+	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi-yaml/cmd/pulumi-converter-yaml
+
+${GOGLANGCILINT}: go.sum
+	GOBIN=${WORKING_DIR}/bin go install github.com/golangci/golangci-lint/cmd/golangci-lint@8b37f14
 
 define pulumi_login
     export PULUMI_CONFIG_PASSPHRASE=asdfqwerty1234; \
@@ -94,7 +102,7 @@ endef
 
 define example
 	rm -rf ${WORKING_DIR}/examples/$(1)
-	pulumi convert \
+	$(PULUMI) convert \
 		--cwd ${WORKING_DIR}/examples/yaml \
 		--logtostderr \
 		--generate-only \
@@ -132,7 +140,7 @@ build:: provider sdk/dotnet sdk/go sdk/nodejs sdk/python sdk/java ${SCHEMA_PATH}
 only_build:: build
 
 .PHONY: lint
-lint:
+lint: ${GOGLANGCILINT}
 	${GOGLANGCILINT} run --fix -c .golangci.yml
 
 install:: install_nodejs_sdk install_dotnet_sdk
@@ -179,13 +187,12 @@ generate_dotnet: sdk/dotnet # Required by CI
 build_dotnet: # Required by CI
 
 ${SCHEMA_PATH}: bin/${PROVIDER}
-	pulumi package get-schema ./bin/${PROVIDER} | jq 'del(.version)' > $(SCHEMA_PATH)
+	pulumi package get-schema bin/${PROVIDER} | jq 'del(.version)' > $(SCHEMA_PATH)
 
 bin/${PROVIDER}: $(shell find ./provider -name '*.go') go.mod
 	(cd provider && go build -o ../bin/${PROVIDER} -ldflags "-X ${PROJECT}/${VERSION_PATH}=${VERSION_GENERIC}" $(PROJECT)/${PROVIDER_PATH}/cmd/$(PROVIDER))
 
 bin/pulumi-gen-${PACK}: # Required by CI
-	@mkdir -p bin
 	touch bin/pulumi-gen-${PACK}
 
 go.mod: $(shell find . -name '*.go')
@@ -198,9 +205,9 @@ sdk: sdk/python sdk/nodejs sdk/java sdk/python sdk/go sdk/dotnet
 .PHONY: sdk/*
 
 sdk/python: TMPDIR := $(shell mktemp -d)
-sdk/python: bin/${PROVIDER}
+sdk/python: $(PULUMI) bin/${PROVIDER}
 	rm -rf sdk/python
-	$(PULUMI) package gen-sdk ./bin/$(PROVIDER) --language python -o ${TMPDIR}
+	$(PULUMI) package gen-sdk bin/$(PROVIDER) --language python -o ${TMPDIR}
 	cp README.md ${TMPDIR}/python/
 	cd ${TMPDIR}/python/ && \
 		rm -rf ./bin/ ../python.bin/ && cp -R . ../python.bin && mv ../python.bin ./bin && \
@@ -211,9 +218,9 @@ sdk/python: bin/${PROVIDER}
 	mv -f ${TMPDIR}/python ${WORKING_DIR}/sdk/.
 
 sdk/nodejs: TMPDIR := $(shell mktemp -d)
-sdk/nodejs: bin/${PROVIDER}
+sdk/nodejs: $(PULUMI) bin/${PROVIDER}
 	rm -rf sdk/nodejs
-	$(PULUMI) package gen-sdk ./bin/$(PROVIDER) --language nodejs -o ${TMPDIR}
+	$(PULUMI) package gen-sdk bin/$(PROVIDER) --language nodejs -o ${TMPDIR}
 	cp README.md LICENSE ${TMPDIR}/nodejs
 	cd ${TMPDIR}/nodejs/ && \
 		yarn install && \
@@ -223,9 +230,9 @@ sdk/nodejs: bin/${PROVIDER}
 
 sdk/go: TMPDIR := $(shell mktemp -d)
 sdk/go: PATH := "$(WORKING_DIR)/bin:$(PATH)"
-sdk/go: bin/${PROVIDER}
+sdk/go: $(PULUMI) bin/${PROVIDER}
 	rm -rf sdk/go
-	PATH=$(PATH) $(PULUMI) package gen-sdk ./bin/$(PROVIDER) --language go -o ${TMPDIR}
+	PATH=$(PATH) $(PULUMI) package gen-sdk bin/$(PROVIDER) --language go -o ${TMPDIR}
 	cp go.mod ${TMPDIR}/go/dockerbuild/go.mod
 	cd ${TMPDIR}/go/dockerbuild && \
 		go mod edit -module=github.com/pulumi/pulumi-${PACK}/${PACKDIR}/go/dockerbuild && \
@@ -233,9 +240,9 @@ sdk/go: bin/${PROVIDER}
 	mv -f ${TMPDIR}/go ${WORKING_DIR}/sdk/go
 
 sdk/dotnet: TMPDIR := $(shell mktemp -d)
-sdk/dotnet: bin/${PROVIDER}
+sdk/dotnet: $(PULUMI) bin/${PROVIDER}
 	rm -rf sdk/dotnet
-	$(PULUMI) package gen-sdk ./bin/${PROVIDER} --language dotnet -o ${TMPDIR}
+	$(PULUMI) package gen-sdk bin/${PROVIDER} --language dotnet -o ${TMPDIR}
 	cd ${TMPDIR}/dotnet/ && \
 		echo "$(VERSION_GENERIC)" > version.txt && \
 		dotnet build
@@ -243,9 +250,9 @@ sdk/dotnet: bin/${PROVIDER}
 
 sdk/java: PACKAGE_VERSION := $(shell pulumictl convert-version --language generic -v "$(VERSION_GENERIC)")
 sdk/java: TMPDIR := $(shell mktemp -d)
-sdk/java: bin/${PROVIDER}
+sdk/java: $(PULUMI) bin/${PROVIDER}
 	rm -rf sdk/java
-	$(PULUMI) package gen-sdk --language java ./bin/${PROVIDER} -o ${TMPDIR}
+	$(PULUMI) package gen-sdk --language java bin/${PROVIDER} -o ${TMPDIR}
 	cd ${TMPDIR}/java/ && gradle --console=plain build
 	mv -f ${TMPDIR}/java ${WORKING_DIR}/sdk/.
 
@@ -253,32 +260,29 @@ docs: $(shell find docs/yaml -type f) $(shell find ./provider/internal/embed -na
 	go generate docs/generate.go
 	@touch docs
 
-# Set these variables to enable signing of the windows binary with Azure Trusted Signing.
+# Set these variables to enable signing of the windows binary
 AZURE_SIGNING_CLIENT_ID ?=
 AZURE_SIGNING_CLIENT_SECRET ?=
 AZURE_SIGNING_TENANT_ID ?=
-AZURE_SIGNING_ACCOUNT_ENDPOINT ?=
-AZURE_SIGNING_ACCOUNT_NAME ?=
-AZURE_SIGNING_CERT_PROFILE_NAME ?=
+AZURE_SIGNING_KEY_VAULT_URI ?=
 SKIP_SIGNING ?=
 
-bin/jsign-7.4.jar:
-	@mkdir -p bin
-	wget https://github.com/ebourg/jsign/releases/download/7.4/jsign-7.4.jar --output-document=bin/jsign-7.4.jar
+bin/jsign-6.0.jar:
+	wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar --output-document=bin/jsign-6.0.jar
 
 sign-goreleaser-exe-amd64: GORELEASER_ARCH := amd64_v1
 sign-goreleaser-exe-arm64: GORELEASER_ARCH := arm64
 
 # Set the shell to bash to allow for the use of bash syntax.
 sign-goreleaser-exe-%: SHELL:=/bin/bash
-sign-goreleaser-exe-%: bin/jsign-7.4.jar
+sign-goreleaser-exe-%: bin/jsign-6.0.jar
 	@# Only sign windows binary if fully configured.
 	@# Test variables set by joining with | between and looking for || showing at least one variable is empty.
 	@# Move the binary to a temporary location and sign it there to avoid the target being up-to-date if signing fails.
 	@set -e; \
 	if [[ "${SKIP_SIGNING}" != "true" ]]; then \
-		if [[ "|${AZURE_SIGNING_CLIENT_ID}|${AZURE_SIGNING_CLIENT_SECRET}|${AZURE_SIGNING_TENANT_ID}|${AZURE_SIGNING_ACCOUNT_ENDPOINT}|${AZURE_SIGNING_ACCOUNT_NAME}|${AZURE_SIGNING_CERT_PROFILE_NAME}|" == *"||"* ]]; then \
-			echo "Can't sign windows binaries as required configuration not set: AZURE_SIGNING_CLIENT_ID, AZURE_SIGNING_CLIENT_SECRET, AZURE_SIGNING_TENANT_ID, AZURE_SIGNING_ACCOUNT_ENDPOINT, AZURE_SIGNING_ACCOUNT_NAME, AZURE_SIGNING_CERT_PROFILE_NAME"; \
+		if [[ "|${AZURE_SIGNING_CLIENT_ID}|${AZURE_SIGNING_CLIENT_SECRET}|${AZURE_SIGNING_TENANT_ID}|${AZURE_SIGNING_KEY_VAULT_URI}|" == *"||"* ]]; then \
+			echo "Can't sign windows binaries as required configuration not set: AZURE_SIGNING_CLIENT_ID, AZURE_SIGNING_CLIENT_SECRET, AZURE_SIGNING_TENANT_ID, AZURE_SIGNING_KEY_VAULT_URI"; \
 			echo "To rebuild with signing delete the unsigned windows exe file and rebuild with the fixed configuration"; \
 			if [[ "${CI}" == "true" ]]; then exit 1; fi; \
 		else \
@@ -289,15 +293,12 @@ sign-goreleaser-exe-%: bin/jsign-7.4.jar
 				--password "${AZURE_SIGNING_CLIENT_SECRET}" \
 				--tenant "${AZURE_SIGNING_TENANT_ID}" \
 				--output none; \
-			ACCESS_TOKEN=$$(az account get-access-token --resource "https://codesigning.azure.net" | jq -r .accessToken); \
-			ENDPOINT_HOST="$${AZURE_SIGNING_ACCOUNT_ENDPOINT#https://}"; \
-			ENDPOINT_HOST="$${ENDPOINT_HOST#http://}"; \
-			ENDPOINT_HOST="$${ENDPOINT_HOST%/}"; \
-			java -jar bin/jsign-7.4.jar \
-				--storetype TRUSTEDSIGNING \
-				--keystore "$${ENDPOINT_HOST}" \
+			ACCESS_TOKEN=$$(az account get-access-token --resource "https://vault.azure.net" | jq -r .accessToken); \
+			java -jar bin/jsign-6.0.jar \
+				--storetype AZUREKEYVAULT \
+				--keystore "PulumiCodeSigning" \
+				--url "${AZURE_SIGNING_KEY_VAULT_URI}" \
 				--storepass "$${ACCESS_TOKEN}" \
-				--alias "${AZURE_SIGNING_ACCOUNT_NAME}/${AZURE_SIGNING_CERT_PROFILE_NAME}" \
 				$${file}.unsigned; \
 			mv $${file}.unsigned $${file}; \
 			az logout; \

bin/pulumi-language-python-exec

@@ -0,0 +1,204 @@
+#!/usr/bin/env python
+# Copyright 2016-2018, Pulumi Corporation.  All rights reserved.
+
+import argparse
+import asyncio
+from typing import Optional
+import logging
+import os
+import sys
+import traceback
+import runpy
+from concurrent.futures import ThreadPoolExecutor
+
+# The user might not have installed Pulumi yet in their environment - provide a high-quality error message in that case.
+try:
+    import pulumi
+    import pulumi.runtime
+except ImportError:
+    # For whatever reason, sys.stderr.write is not picked up by the engine as a message, but 'print' is. The Python
+    # langhost automatically flushes stdout and stderr on shutdown, so we don't need to do it here - just trust that
+    # Python does the sane thing when printing to stderr.
+    print(traceback.format_exc(), file=sys.stderr)
+    print("""
+It looks like the Pulumi SDK has not been installed. Have you run pip install?
+If you are running in a virtualenv, you must run pip install -r requirements.txt from inside the virtualenv.""", file=sys.stderr)
+    sys.exit(1)
+
+# use exit code 32 to signal to the language host that an error message was displayed to the user
+PYTHON_PROCESS_EXITED_AFTER_SHOWING_USER_ACTIONABLE_MESSAGE_CODE = 32
+
+def get_abs_module_path(mod_path):
+    path, ext = os.path.splitext(mod_path)
+    if not ext:
+        path = os.path.join(path, '__main__')
+    return os.path.abspath(path)
+
+
+def _get_user_stacktrace(user_program_abspath: str) -> str:
+    '''grabs the current stacktrace and truncates it to show the only stacks pertaining to a user's program'''
+    tb = traceback.extract_tb(sys.exc_info()[2])
+
+    for frame_index, frame in enumerate(tb):
+        # loop over stack frames until we reach the main program
+        # then return the traceback truncated to the user's code
+        cur_module = frame[0]
+        if get_abs_module_path(user_program_abspath) == get_abs_module_path(cur_module):
+            # we have detected the start of a user's stack trace
+            remaining_frames = len(tb)-frame_index
+
+            # include remaining frames from the bottom by negating
+            return traceback.format_exc(limit=-remaining_frames)
+
+    # we did not detect a __main__ program, return normal traceback
+    return traceback.format_exc()
+
+def _set_default_executor(loop, parallelism: Optional[int]):
+    '''configure this event loop to respect the settings provided.'''
+    if parallelism is None:
+        return
+    parallelism = max(parallelism, 1)
+    exec = ThreadPoolExecutor(max_workers=parallelism)
+    loop.set_default_executor(exec)
+
+if __name__ == "__main__":
+    # Parse the arguments, program name, and optional arguments.
+    ap = argparse.ArgumentParser(description='Execute a Pulumi Python program')
+    ap.add_argument('--project', help='Set the project name')
+    ap.add_argument('--stack', help='Set the stack name')
+    ap.add_argument('--parallel', help='Run P resource operations in parallel (default=none)')
+    ap.add_argument('--dry_run', help='Simulate resource changes, but without making them')
+    ap.add_argument('--pwd', help='Change the working directory before running the program')
+    ap.add_argument('--monitor', help='An RPC address for the resource monitor to connect to')
+    ap.add_argument('--engine', help='An RPC address for the engine to connect to')
+    ap.add_argument('--tracing', help='A Zipkin-compatible endpoint to send tracing data to')
+    ap.add_argument('--organization', help='Set the organization name')
+    ap.add_argument('PROGRAM', help='The Python program to run')
+    ap.add_argument('ARGS', help='Arguments to pass to the program', nargs='*')
+    args = ap.parse_args()
+
+    # If any config variables are present, parse and set them, so subsequent accesses are fast.
+    config_env = pulumi.runtime.get_config_env()
+    if hasattr(pulumi.runtime, "get_config_secret_keys_env") and hasattr(pulumi.runtime, "set_all_config"):
+        # If the pulumi SDK has `get_config_secret_keys_env` and `set_all_config`, use them
+        # to set the config and secret keys.
+        config_secret_keys_env = pulumi.runtime.get_config_secret_keys_env()
+        pulumi.runtime.set_all_config(config_env, config_secret_keys_env)
+    else:
+        # Otherwise, fallback to setting individual config values.
+        for k, v in config_env.items():
+            pulumi.runtime.set_config(k, v)
+
+    # Configure the runtime so that the user program hooks up to Pulumi as appropriate.
+    # New versions of pulumi python support setting organization, old versions do not
+    try:
+        settings = pulumi.runtime.Settings(
+            monitor=args.monitor,
+            engine=args.engine,
+            project=args.project,
+            stack=args.stack,
+            parallel=int(args.parallel),
+            dry_run=args.dry_run == "true",
+            organization=args.organization,
+        )
+    except TypeError:
+        settings = pulumi.runtime.Settings(
+            monitor=args.monitor,
+            engine=args.engine,
+            project=args.project,
+            stack=args.stack,
+            parallel=int(args.parallel),
+            dry_run=args.dry_run == "true"
+        )
+
+    pulumi.runtime.configure(settings)
+
+    # Finally, swap in the args, chdir if needed, and run the program as if it had been executed directly.
+    sys.argv = [args.PROGRAM] + args.ARGS
+    if args.pwd is not None:
+        os.chdir(args.pwd)
+
+    successful = False
+
+    try:
+        # The docs for get_running_loop are somewhat misleading because they state:
+        # This function can only be called from a coroutine or a callback. However, if the function is
+        # called from outside a coroutine or callback (the standard case when running `pulumi up`), the function
+        # raises a RuntimeError as expected and falls through to the exception clause below.
+        loop = asyncio.get_running_loop()
+    except RuntimeError:
+        loop = asyncio.new_event_loop()
+        asyncio.set_event_loop(loop)
+    
+    # Configure the event loop to respect the parallelism value provided as input.
+    _set_default_executor(loop, settings.parallel)
+
+    # We are (unfortunately) suppressing the log output of asyncio to avoid showing to users some of the bad things we
+    # do in our programming model.
+    #
+    # Fundamentally, Pulumi is a way for users to build asynchronous dataflow graphs that, as their deployments
+    # progress, resolve naturally and eventually result in the complete resolution of the graph. If one node in the
+    # graph fails (i.e. a resource fails to create, there's an exception in an apply, etc.), part of the graph remains
+    # unevaluated at the time that we exit.
+    #
+    # asyncio abhors this. It gets very upset if the process terminates without having observed every future that we
+    # have resolved. If we are terminating abnormally, it is highly likely that we are not going to observe every single
+    # future that we have created. Furthermore, it's *harmless* to do this - asyncio logs errors because it thinks it
+    # needs to tell users that they're doing bad things (which, to their credit, they are), but we are doing this
+    # deliberately.
+    #
+    # In order to paper over this for our users, we simply turn off the logger for asyncio. Users won't see any asyncio
+    # error messages, but if they stick to the Pulumi programming model, they wouldn't be seeing any anyway.
+    logging.getLogger("asyncio").setLevel(logging.CRITICAL)
+    exit_code = 1
+    try:
+        # record the location of the user's program to return user tracebacks
+        user_program_abspath = os.path.abspath(args.PROGRAM)
+        def run():
+            try:
+                runpy.run_path(args.PROGRAM, run_name='__main__')
+            except ImportError as e:
+                def fix_module_file(m: str) -> str:
+                    # Work around python 11 reporting "<frozen runpy>" rather
+                    # than runpy.__file__ in the traceback.
+                    return runpy.__file__ if m == "<frozen runpy>" else m
+
+                # detect if the main pulumi python program does not exist
+                stack_modules = [fix_module_file(f.filename) for f in traceback.extract_tb(e.__traceback__)]
+                unique_modules = set(module for module in stack_modules)
+                last_module_name = stack_modules[-1]
+
+                # we identify a missing program error if
+                # 1. the only modules in the stack trace are
+                #   - `pulumi-language-python-exec`
+                #   - `runpy`
+                # 2. the last function in the stack trace is in the `runpy` module
+                if unique_modules == {
+                            __file__, # the language runtime itself
+                            runpy.__file__,
+                        } and last_module_name == runpy.__file__ :
+                    # this error will only be hit when the user provides a directory
+                    # the engine has a check to determine if the `main` file exists and will fail early
+
+                    # if a language runtime receives a directory, it's the language's responsibility to determine
+                    # whether the provided directory has a pulumi program
+                    pulumi.log.error(f"unable to find main python program `__main__.py` in `{user_program_abspath}`")
+                    sys.exit(PYTHON_PROCESS_EXITED_AFTER_SHOWING_USER_ACTIONABLE_MESSAGE_CODE)
+                else:
+                    raise e
+
+        coro = pulumi.runtime.run_in_stack(run)
+        loop.run_until_complete(coro)
+        exit_code = 0
+    except pulumi.RunError as e:
+        pulumi.log.error(str(e))
+    except Exception:
+        error_msg = "Program failed with an unhandled exception:\n" + _get_user_stacktrace(user_program_abspath)
+        pulumi.log.error(error_msg)
+        exit_code = PYTHON_PROCESS_EXITED_AFTER_SHOWING_USER_ACTIONABLE_MESSAGE_CODE
+    finally:
+        loop.close()
+        sys.stdout.flush()
+        sys.stderr.flush()
+
+    sys.exit(exit_code)

docs/_index.md

@@ -1,428 +0,0 @@
----
-title: Docker Build
-meta_desc: Provides an overview of the Docker Build Provider for Pulumi.
-layout: package
----
-
-The Docker Build provider leverages [buildx and BuildKit](https://docs.docker.com/build/architecture/) to build modern Docker images with Pulumi.
-
-Not to be confused with the earlier
-[Docker](../docker) provider, which is still
-appropriate for managing resources unrelated to building images.
-
-| Provider               | Use cases                                                               |
-| ----------------       | ----------------------------------------------------------------------- |
-| `@pulumi/docker-build` | Anything related to building images with `docker build`.                |
-| `@pulumi/docker`       | Everything else -- including running containers and creating networks.  |
-
-## Example
-
-If your Pulumi program has a directory called `app` alongside it, containing a
-file named "Dockerfile" (which can be as simple as `FROM alpine` for the
-purpose of example), then the code below shows how to build a multi-platform
-image, publish it to a remote AWS ECR registry, and use an [inline
-cache](https://docs.docker.com/build/cache/backends/inline/) to speed up
-subsequent builds.
-
-{{< chooser language "typescript,python,csharp,go,yaml,java" >}}
-
-{{% choosable language typescript %}}
-
-```typescript
-import * as aws from "@pulumi/aws";
-import * as docker_build from "@pulumi/docker-build";
-
-// Create an ECR repository for pushing.
-const ecrRepository = new aws.ecr.Repository("ecr-repository", {});
-
-// Grab auth credentials for ECR.
-const authToken = aws.ecr.getAuthorizationTokenOutput({
-    registryId: ecrRepository.registryId,
-});
-
-// Build and push an image to ECR with inline caching.
-const myImage = new docker_build.Image("my-image", {
-    // Tag our image with our ECR repository's address.
-    tags: [pulumi.interpolate`${ecrRepository.repositoryUrl}:latest`],
-    context: {
-        location: "./app",
-    },
-    // Use the pushed image as a cache source.
-    cacheFrom: [{
-        registry: {
-            ref: pulumi.interpolate`${ecrRepository.repositoryUrl}:latest`,
-        },
-    }],
-    // Include an inline cache with our pushed image.
-    cacheTo: [{
-        inline: {},
-    }],
-    // Build a multi-platform image manifest for ARM and AMD.
-    platforms: [
-        "linux/amd64",
-        "linux/arm64",
-    ],
-    // Push the final result to ECR.
-    push: true,
-    // Provide our ECR credentials.
-    registries: [{
-        address: ecrRepository.repositoryUrl,
-        password: authToken.password,
-        username: authToken.userName,
-    }],
-});
-
-// Export a ref for the pushed images so we can deploy it.
-export const ref = myImage.ref;
-```
-
-{{% /choosable %}}
-
-{{% choosable language python %}}
-
-```python
-import pulumi
-import pulumi_aws as aws
-import pulumi_docker_build as docker_build
-
-# Create an ECR repository for pushing.
-ecr_repository = aws.ecr.Repository("ecr-repository")
-
-# Grab auth credentials for ECR.
-auth_token = aws.ecr.get_authorization_token_output(registry_id=ecr_repository.registry_id)
-
-# Build and push an image to ECR with inline caching.
-my_image = docker_build.Image("my-image",
-    # Tag our image with our ECR repository's address.
-    tags=[ecr_repository.repository_url.apply(lambda repository_url: f"{repository_url}:latest")],
-    context=docker_build.BuildContextArgs(
-        location="./app",
-    ),
-    # Use the pushed image as a cache source.
-    cache_from=[docker_build.CacheFromArgs(
-        registry=docker_build.CacheFromRegistryArgs(
-            ref=ecr_repository.repository_url.apply(lambda repository_url: f"{repository_url}:latest"),
-        ),
-    )],
-    # Include an inline cache with our pushed image.
-    cache_to=[docker_build.CacheToArgs(
-        inline=docker_build.CacheToInlineArgs(),
-    )],
-    # Build a multi-platform image manifest for ARM and AMD.
-    platforms=[
-        docker_build.Platform.LINUX_AMD64,
-        docker_build.Platform.LINUX_ARM64,
-    ],
-    # Push the final result to ECR.
-    push=True,
-    # Provide our ECR credentials.
-    registries=[docker_build.RegistryArgs(
-        address=ecr_repository.repository_url,
-        password=auth_token.password,
-        username=auth_token.user_name,
-    )],
-)
-
-# Export a ref for the pushed images so we can deploy it.
-pulumi.export("ref", my_image.ref)
-```
-
-{{% /choosable %}}
-
-{{% choosable language csharp %}}
-
-```csharp
-using System.Collections.Generic;
-using System.Linq;
-using Pulumi;
-using Aws = Pulumi.Aws;
-using DockerBuild = Pulumi.DockerBuild;
-
-return await Deployment.RunAsync(() =>
-{
-    // Create an ECR repository for pushing.
-    var ecrRepository = new Aws.Ecr.Repository("ecr-repository");
-
-    // Grab auth credentials for ECR.
-    var authToken = Aws.Ecr.GetAuthorizationToken.Invoke(new()
-    {
-        RegistryId = ecrRepository.RegistryId,
-    });
-
-    // Build and push an image to ECR with inline caching.
-    var myImage = new DockerBuild.Image("my-image", new()
-    {
-        // Tag our image with our ECR repository's address.
-        Tags = new[]
-        {
-            ecrRepository.RepositoryUrl.Apply(repositoryUrl => $"{repositoryUrl}:latest"),
-        },
-        Context = new DockerBuild.Inputs.BuildContextArgs
-        {
-            Location = "./app",
-        },
-        // Use the pushed image as a cache source.
-        CacheFrom = new[]
-        {
-            new DockerBuild.Inputs.CacheFromArgs
-            {
-                Registry = new DockerBuild.Inputs.CacheFromRegistryArgs
-                {
-                    Ref = ecrRepository.RepositoryUrl.Apply(repositoryUrl => $"{repositoryUrl}:latest"),
-                },
-            },
-        },
-        // Include an inline cache with our pushed image.
-        CacheTo = new[]
-        {
-            new DockerBuild.Inputs.CacheToArgs
-            {
-                Inline = null,
-            },
-        },
-        // Build a multi-platform image manifest for ARM and AMD.
-        Platforms = new[]
-        {
-            DockerBuild.Platform.Linux_amd64,
-            DockerBuild.Platform.Linux_arm64,
-        },
-        // Push the final result to ECR.
-        Push = true,
-        // Provide our ECR credentials.
-        Registries = new[]
-        {
-            new DockerBuild.Inputs.RegistryArgs
-            {
-                Address = ecrRepository.RepositoryUrl,
-                Password = authToken.Apply(getAuthorizationTokenResult => getAuthorizationTokenResult.Password),
-                Username = authToken.Apply(getAuthorizationTokenResult => getAuthorizationTokenResult.UserName),
-            },
-        },
-    });
-
-    // Export a ref for the pushed images so we can deploy it.
-    return new Dictionary<string, object?>
-    {
-        ["ref"] = myImage.Ref,
-    };
-});
-
-```
-
-{{% /choosable %}}
-
-{{% choosable language go %}}
-
-```go
-package main
-
-import (
-    "fmt"
-
-    "github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ecr"
-    "github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild"
-    "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
-)
-
-func main() {
-    pulumi.Run(func(ctx *pulumi.Context) error {
-        // Create an ECR repository for pushing.
-        ecrRepository, err := ecr.NewRepository(ctx, "ecr-repository", nil)
-        if err != nil {
-            return err
-        }
-
-        // Grab auth credentials for ECR.
-        authToken := ecr.GetAuthorizationTokenOutput(ctx, ecr.GetAuthorizationTokenOutputArgs{
-            RegistryId: ecrRepository.RegistryId,
-        }, nil)
-
-        // Build and push an image to ECR with inline caching.
-        myImage, err := dockerbuild.NewImage(ctx, "my-image", &dockerbuild.ImageArgs{
-            // Tag our image with our ECR repository's address.
-            Tags: pulumi.StringArray{
-                ecrRepository.RepositoryUrl.ApplyT(func(repositoryUrl string) (string, error) {
-                    return fmt.Sprintf("%v:latest", repositoryUrl), nil
-                }).(pulumi.StringOutput),
-            },
-            Context: &dockerbuild.BuildContextArgs{
-                Location: pulumi.String("./app"),
-            },
-            // Use the pushed image as a cache source.
-            CacheFrom: dockerbuild.CacheFromArray{
-                &dockerbuild.CacheFromArgs{
-                    Registry: &dockerbuild.CacheFromRegistryArgs{
-                        Ref: ecrRepository.RepositoryUrl.ApplyT(func(repositoryUrl string) (string, error) {
-                            return fmt.Sprintf("%v:latest", repositoryUrl), nil
-                        }).(pulumi.StringOutput),
-                    },
-                },
-            },
-            // Include an inline cache with our pushed image.
-            CacheTo: dockerbuild.CacheToArray{
-                &dockerbuild.CacheToArgs{
-                    Inline: nil,
-                },
-            },
-            // Build a multi-platform image manifest for ARM and AMD.
-            Platforms: dockerbuild.PlatformArray{
-                dockerbuild.Platform_Linux_amd64,
-                dockerbuild.Platform_Linux_arm64,
-            },
-            // Push the final result to ECR.
-            Push: pulumi.Bool(true),
-            // Provide our ECR credentials.
-            Registries: dockerbuild.RegistryArray{
-                &dockerbuild.RegistryArgs{
-                    Address: ecrRepository.RepositoryUrl,
-                    Password: authToken.ApplyT(func(authToken ecr.GetAuthorizationTokenResult) (*string, error) {
-                        return &authToken.Password, nil
-                    }).(pulumi.StringPtrOutput),
-                    Username: authToken.ApplyT(func(authToken ecr.GetAuthorizationTokenResult) (*string, error) {
-                        return &authToken.UserName, nil
-                    }).(pulumi.StringPtrOutput),
-                },
-            },
-        })
-        if err != nil {
-            return err
-        }
-
-        // Export a ref for the pushed images so we can deploy it.
-        ctx.Export("ref", myImage.Ref)
-        return nil
-    })
-}
-```
-
-{{% /choosable %}}
-
-{{% choosable language yaml %}}
-
-```yaml
-description: Push to AWS ECR with caching
-name: ecr
-outputs:
-    ref: ${my-image.ref}
-resources:
-    # Create an ECR repository for pushing.
-    ecr-repository:
-        type: aws:ecr:Repository
-
-    # Build and push an image to ECR with inline caching.
-    my-image:
-        type: docker-build:Image
-        properties:
-            # Tag our image with our ECR repository's address.
-            tags:
-                - ${ecr-repository.repositoryUrl}:latest
-            context:
-                location: ./app
-            # Use the pushed image as a cache source.
-            cacheFrom:
-                - registry:
-                    ref: ${ecr-repository.repositoryUrl}:latest
-            # Include an inline cache with our pushed image.
-            cacheTo:
-                - inline: {}
-            # Build a multi-platform image manifest for ARM and AMD.
-            platforms:
-                - linux/amd64
-                - linux/arm64
-            # Push the final result to ECR.
-            push: true
-            # Provide our ECR credentials.
-            registries:
-                - address: ${ecr-repository.repositoryUrl}
-                  password: ${auth-token.password}
-                  username: ${auth-token.userName}
-
-runtime: yaml
-variables:
-    auth-token:
-        # Grab auth credentials for ECR.
-        fn::aws:ecr:getAuthorizationToken:
-            registryId: ${ecr-repository.registryId}
-```
-
-{{% /choosable %}}
-
-{{% choosable language java %}}
-
-```java
-package myapp;
-
-import com.pulumi.Context;
-import com.pulumi.Pulumi;
-import com.pulumi.core.Output;
-import com.pulumi.aws.ecr.Repository;
-import com.pulumi.aws.ecr.EcrFunctions;
-import com.pulumi.aws.ecr.inputs.GetAuthorizationTokenArgs;
-import com.pulumi.dockerbuild.Image;
-import com.pulumi.dockerbuild.ImageArgs;
-import com.pulumi.dockerbuild.inputs.CacheFromArgs;
-import com.pulumi.dockerbuild.inputs.CacheFromRegistryArgs;
-import com.pulumi.dockerbuild.inputs.CacheToArgs;
-import com.pulumi.dockerbuild.inputs.CacheToInlineArgs;
-import com.pulumi.dockerbuild.inputs.BuildContextArgs;
-import com.pulumi.dockerbuild.inputs.RegistryArgs;
-import java.util.List;
-import java.util.ArrayList;
-import java.util.Map;
-import java.io.File;
-import java.nio.file.Files;
-import java.nio.file.Paths;
-
-public class App {
-    public static void main(String[] args) {
-        Pulumi.run(App::stack);
-    }
-
-    public static void stack(Context ctx) {
-        // Create an ECR repository for pushing.
-        var ecrRepository = new Repository("ecrRepository");
-
-        // Grab auth credentials for ECR.
-        final var authToken = EcrFunctions.getAuthorizationToken(GetAuthorizationTokenArgs.builder()
-            .registryId(ecrRepository.registryId())
-            .build());
-
-        // Build and push an image to ECR with inline caching.
-        var myImage = new Image("myImage", ImageArgs.builder()
-            // Tag our image with our ECR repository's address.
-            .tags(ecrRepository.repositoryUrl().applyValue(repositoryUrl -> String.format("%s:latest", repositoryUrl)))
-            .context(BuildContextArgs.builder()
-                .location("./app")
-                .build())
-            // Use the pushed image as a cache source.
-            .cacheFrom(CacheFromArgs.builder()
-                .registry(CacheFromRegistryArgs.builder()
-                    .ref(ecrRepository.repositoryUrl().applyValue(repositoryUrl -> String.format("%s:latest", repositoryUrl)))
-                    .build())
-                .build())
-            // Include an inline cache with our pushed image.
-            .cacheTo(CacheToArgs.builder()
-                .inline()
-                .build())
-            // Build a multi-platform image manifest for ARM and AMD.
-            .platforms(
-                "linux/amd64",
-                "linux/arm64")
-            // Push the final result to ECR.
-            .push(true)
-            // Provide our ECR credentials.
-            .registries(RegistryArgs.builder()
-                .address(ecrRepository.repositoryUrl())
-                .password(authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult).applyValue(authToken -> authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult.password())))
-                .username(authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult).applyValue(authToken -> authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult.userName())))
-                .build())
-            .build());
-
-        ctx.export("ref", myImage.ref());
-    }
-}
-```
-
-{{% /choosable %}}
-
-{{< /chooser >}}

docs/generate.go

@@ -81,7 +81,6 @@ func markdownExample(description string,
 	csharp string,
 	golang string,
 	yaml string,
-	hcl string,
 	java string,
 ) string {
 	return fmt.Sprintf("{{%% example %%}}\n### %s\n\n"+
@@ -90,10 +89,9 @@ func markdownExample(description string,
 		"```csharp\n%s```\n"+
 		"```go\n%s```\n"+
 		"```yaml\n%s```\n"+
-		"```hcl\n%s```\n"+
 		"```java\n%s```\n"+
 		"{{%% /example %%}}\n",
-		description, typescript, python, csharp, golang, yaml, hcl, java)
+		description, typescript, python, csharp, golang, yaml, java)
 }
 
 func convert(language, tempDir, programFile string) (string, error) {
@@ -188,10 +186,6 @@ func processYaml(path, mdDir string) error {
 			if err != nil {
 				return false, err
 			}
-			hcl, err := convert("hcl", dir, "program.hcl")
-			if err != nil {
-				return false, err
-			}
 
 			yamlContent, err := os.ReadFile(filepath.Clean(filepath.Join(dir, "Pulumi.yaml")))
 			if err != nil {
@@ -199,9 +193,7 @@ func processYaml(path, mdDir string) error {
 			}
 			yaml := string(yamlContent)
 
-			exampleStrings = append(exampleStrings, markdownExample(
-				description, typescript, python, csharp, golang, yaml, hcl, java,
-			))
+			exampleStrings = append(exampleStrings, markdownExample(description, typescript, python, csharp, golang, yaml, java))
 
 			return true, nil
 		}()

docs/installation-configuration.md

@@ -1,33 +0,0 @@
----
-title: Docker-Build Installation & Configuration
-meta_desc: Provides an overview on how to configure the Pulumi Docker-Build Provider.
-layout: package
----
-
-The Pulumi Docker-build provider builds modern Docker images with [buildx](https://docs.docker.com/reference/cli/docker/buildx/) and [BuildKit](https://docs.docker.com/build/buildkit/).
-
-## Installation
-
-The Docker-Build provider is available as a package in all Pulumi languages:
-
-* JavaScript/TypeScript: [`@pulumi/docker-build`](https://www.npmjs.com/package/@pulumi/docker-build)
-* Python: [`pulumi-docker-build`](https://pypi.org/project/pulumi-docker-build/)
-* Go: [`github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild`](https://github.com/pulumi/pulumi-docker-build)
-* .NET: [`Pulumi.DockerBuild`](https://www.nuget.org/packages/Pulumi.DockerBuild)
-* Java: [`com.pulumi/docker-build`](https://central.sonatype.com/artifact/com.pulumi/docker-build)
-
-## Configuring The Provider
-
-### Host
-
-The `DOCKER_HOST` environment variable can be used to specify a custom build daemon's location.
-
-```bash
-$ export DOCKER_HOST=tcp://127.0.0.1:2376/
-```
-
-This can also be specified in your stack's configuration:
-
-```bash
-$ pulumi config set docker-build:host tcp://127.0.0.1:2376/
-```

docs/yaml/image-examples.yaml

@@ -62,7 +62,7 @@ resources:
           username: pulumibot
           password: ${dockerHubPassword}
 outputs:
-  ref: ${image.ref}
+  ref: ${my-image.ref}
 ---
 name: caching
 runtime: yaml

examples/dotnet_test.go

@@ -10,9 +10,8 @@ import (
 	"path/filepath"
 	"testing"
 
-	"github.com/stretchr/testify/require"
-
 	"github.com/pulumi/pulumi/pkg/v3/testing/integration"
+	"github.com/stretchr/testify/require"
 )
 
 func TestDotNetExample(t *testing.T) {

examples/go/go.mod

@@ -1,118 +1,96 @@
 module provider-docker-build
 
-go 1.25.8
+go 1.23.1
+
+toolchain go1.24.2
 
 require (
-	github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild v0.0.18
-	github.com/pulumi/pulumi/sdk/v3 v3.242.0
+	github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild v0.0.11
+	github.com/pulumi/pulumi/sdk/v3 v3.165.0
 )
 
 require (
 	dario.cat/mergo v1.0.1 // indirect
+	github.com/BurntSushi/toml v1.4.0 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
-	github.com/ProtonMail/go-crypto v1.2.0 // indirect
+	github.com/ProtonMail/go-crypto v1.1.6 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/atotto/clipboard v0.1.4 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
 	github.com/blang/semver v3.5.1+incompatible // indirect
-	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
-	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/charmbracelet/bubbles v1.0.0 // indirect
-	github.com/charmbracelet/bubbletea v1.3.10 // indirect
-	github.com/charmbracelet/colorprofile v0.4.3 // indirect
+	github.com/charmbracelet/bubbles v0.20.0 // indirect
+	github.com/charmbracelet/bubbletea v1.3.4 // indirect
+	github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc // indirect
 	github.com/charmbracelet/lipgloss v1.1.0 // indirect
-	github.com/charmbracelet/x/ansi v0.11.7 // indirect
-	github.com/charmbracelet/x/cellbuf v0.0.15 // indirect
-	github.com/charmbracelet/x/term v0.2.2 // indirect
+	github.com/charmbracelet/x/ansi v0.8.0 // indirect
+	github.com/charmbracelet/x/cellbuf v0.0.13 // indirect
+	github.com/charmbracelet/x/term v0.2.1 // indirect
 	github.com/cheggaaa/pb v1.0.29 // indirect
-	github.com/clipperhouse/displaywidth v0.11.0 // indirect
-	github.com/clipperhouse/uax29/v2 v2.7.0 // indirect
-	github.com/cloudflare/circl v1.6.3 // indirect
-	github.com/cyphar/filepath-securejoin v0.6.1 // indirect
+	github.com/cloudflare/circl v1.6.0 // indirect
+	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
 	github.com/djherbis/times v1.6.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
-	github.com/go-git/go-billy/v5 v5.9.0 // indirect
-	github.com/go-git/go-git/v5 v5.19.0 // indirect
-	github.com/go-logr/logr v1.4.3 // indirect
-	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-git/go-billy/v5 v5.6.2 // indirect
+	github.com/go-git/go-git/v5 v5.14.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
-	github.com/golang/glog v1.2.5 // indirect
+	github.com/golang/glog v1.2.4 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/google/uuid v1.6.0 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.29.0 // indirect
 	github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
-	github.com/hashicorp/go-version v1.9.0 // indirect
-	github.com/hashicorp/hcl/v2 v2.24.0 // indirect
+	github.com/hashicorp/hcl/v2 v2.23.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
-	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/klauspost/compress v1.18.0 // indirect
-	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
-	github.com/lucasb-eyer/go-colorful v1.4.0 // indirect
-	github.com/mattn/go-isatty v0.0.22 // indirect
+	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-localereader v0.0.1 // indirect
-	github.com/mattn/go-runewidth v0.0.23 // indirect
+	github.com/mattn/go-runewidth v0.0.16 // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
 	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
-	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
 	github.com/muesli/cancelreader v0.2.2 // indirect
 	github.com/muesli/termenv v0.16.0 // indirect
 	github.com/opentracing/basictracer-go v1.1.0 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pgavlin/fx v0.1.6 // indirect
-	github.com/pgavlin/fx/v2 v2.0.12 // indirect
-	github.com/pjbgf/sha1cd v0.6.0 // indirect
+	github.com/pjbgf/sha1cd v0.3.2 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pkg/term v1.1.0 // indirect
 	github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 // indirect
-	github.com/pulumi/esc v0.24.0 // indirect
+	github.com/pulumi/esc v0.13.0 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rogpeppe/go-internal v1.14.1 // indirect
+	github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 // indirect
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect
-	github.com/sergi/go-diff v1.4.0 // indirect
+	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
 	github.com/skeema/knownhosts v1.3.1 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
-	github.com/spf13/cobra v1.10.2 // indirect
-	github.com/spf13/pflag v1.0.10 // indirect
+	github.com/spf13/cobra v1.9.1 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
 	github.com/texttheater/golang-levenshtein v1.0.1 // indirect
 	github.com/uber/jaeger-client-go v2.30.0+incompatible // indirect
 	github.com/uber/jaeger-lib v2.4.1+incompatible // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
-	github.com/zclconf/go-cty v1.17.0 // indirect
-	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-	go.opentelemetry.io/collector/featuregate v1.58.0 // indirect
-	go.opentelemetry.io/collector/pdata v1.58.0 // indirect
-	go.opentelemetry.io/otel v1.43.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0 // indirect
-	go.opentelemetry.io/otel/metric v1.43.0 // indirect
-	go.opentelemetry.io/otel/sdk v1.43.0 // indirect
-	go.opentelemetry.io/otel/trace v1.43.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.10.0 // indirect
+	github.com/zclconf/go-cty v1.16.2 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
-	go.uber.org/multierr v1.11.0 // indirect
-	golang.org/x/crypto v0.51.0 // indirect
-	golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f // indirect
-	golang.org/x/mod v0.35.0 // indirect
-	golang.org/x/net v0.54.0 // indirect
-	golang.org/x/sync v0.20.0 // indirect
-	golang.org/x/sys v0.44.0 // indirect
-	golang.org/x/term v0.43.0 // indirect
-	golang.org/x/text v0.37.0 // indirect
-	golang.org/x/tools v0.44.0 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20260519071638-aa98bba5eb94 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260519071638-aa98bba5eb94 // indirect
-	google.golang.org/grpc v1.81.1 // indirect
-	google.golang.org/protobuf v1.36.11 // indirect
+	golang.org/x/crypto v0.36.0 // indirect
+	golang.org/x/exp v0.0.0-20250305212735-054e65f0b394 // indirect
+	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/net v0.37.0 // indirect
+	golang.org/x/sync v0.12.0 // indirect
+	golang.org/x/sys v0.31.0 // indirect
+	golang.org/x/term v0.30.0 // indirect
+	golang.org/x/text v0.23.0 // indirect
+	golang.org/x/tools v0.31.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4 // indirect
+	google.golang.org/grpc v1.71.0 // indirect
+	google.golang.org/protobuf v1.36.5 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 	lukechampine.com/frand v1.5.1 // indirect

examples/go/go.sum

@@ -1,12 +1,14 @@
 dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
 dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
+github.com/BurntSushi/toml v1.4.0 h1:kuoIxZQy2WRRk1pttg9asf+WVv6tWQuBNVmK8+nqPr0=
+github.com/BurntSushi/toml v1.4.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
 github.com/HdrHistogram/hdrhistogram-go v1.1.2 h1:5IcZpTvzydCQeHzK4Ef/D5rrSqwxob0t8PQPMybUNFM=
 github.com/HdrHistogram/hdrhistogram-go v1.1.2/go.mod h1:yDgFjdqOqDEKOvasDdhWNXYg9BVp4O+o5f6V/ehm6Oo=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
-github.com/ProtonMail/go-crypto v1.2.0 h1:+PhXXn4SPGd+qk76TlEePBfOfivE0zkWFenhGhFLzWs=
-github.com/ProtonMail/go-crypto v1.2.0/go.mod h1:9whxjD8Rbs29b4XWbB8irEcE8KHMqaR2e7GWU1R+/PE=
+github.com/ProtonMail/go-crypto v1.1.6 h1:ZcV+Ropw6Qn0AX9brlQLAUXfqLBc7Bl+f/DmNxpLfdw=
+github.com/ProtonMail/go-crypto v1.1.6/go.mod h1:rA3QumHc/FZ8pAHreoekgiAbzpNsfQAosU5td4SnOrE=
 github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo=
 github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
 github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
@@ -21,35 +23,27 @@ github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiE
 github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
 github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ=
 github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
-github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
-github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
-github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
-github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
-github.com/charmbracelet/bubbles v1.0.0 h1:12J8/ak/uCZEMQ6KU7pcfwceyjLlWsDLAxB5fXonfvc=
-github.com/charmbracelet/bubbles v1.0.0/go.mod h1:9d/Zd5GdnauMI5ivUIVisuEm3ave1XwXtD1ckyV6r3E=
-github.com/charmbracelet/bubbletea v1.3.10 h1:otUDHWMMzQSB0Pkc87rm691KZ3SWa4KUlvF9nRvCICw=
-github.com/charmbracelet/bubbletea v1.3.10/go.mod h1:ORQfo0fk8U+po9VaNvnV95UPWA1BitP1E0N6xJPlHr4=
-github.com/charmbracelet/colorprofile v0.4.3 h1:QPa1IWkYI+AOB+fE+mg/5/4HRMZcaXex9t5KX76i20Q=
-github.com/charmbracelet/colorprofile v0.4.3/go.mod h1:/zT4BhpD5aGFpqQQqw7a+VtHCzu+zrQtt1zhMt9mR4Q=
+github.com/charmbracelet/bubbles v0.20.0 h1:jSZu6qD8cRQ6k9OMfR1WlM+ruM8fkPWkHvQWD9LIutE=
+github.com/charmbracelet/bubbles v0.20.0/go.mod h1:39slydyswPy+uVOHZ5x/GjwVAFkCsV8IIVy+4MhzwwU=
+github.com/charmbracelet/bubbletea v1.3.4 h1:kCg7B+jSCFPLYRA52SDZjr51kG/fMUEoPoZrkaDHyoI=
+github.com/charmbracelet/bubbletea v1.3.4/go.mod h1:dtcUCyCGEX3g9tosuYiut3MXgY/Jsv9nKVdibKKRRXo=
+github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc h1:4pZI35227imm7yK2bGPcfpFEmuY1gc2YSTShr4iJBfs=
+github.com/charmbracelet/colorprofile v0.2.3-0.20250311203215-f60798e515dc/go.mod h1:X4/0JoqgTIPSFcRA/P6INZzIuyqdFY5rm8tb41s9okk=
 github.com/charmbracelet/lipgloss v1.1.0 h1:vYXsiLHVkK7fp74RkV7b2kq9+zDLoEU4MZoFqR/noCY=
 github.com/charmbracelet/lipgloss v1.1.0/go.mod h1:/6Q8FR2o+kj8rz4Dq0zQc3vYf7X+B0binUUBwA0aL30=
-github.com/charmbracelet/x/ansi v0.11.7 h1:kzv1kJvjg2S3r9KHo8hDdHFQLEqn4RBCb39dAYC84jI=
-github.com/charmbracelet/x/ansi v0.11.7/go.mod h1:9qGpnAVYz+8ACONkZBUWPtL7lulP9No6p1epAihUZwQ=
-github.com/charmbracelet/x/cellbuf v0.0.15 h1:ur3pZy0o6z/R7EylET877CBxaiE1Sp1GMxoFPAIztPI=
-github.com/charmbracelet/x/cellbuf v0.0.15/go.mod h1:J1YVbR7MUuEGIFPCaaZ96KDl5NoS0DAWkskup+mOY+Q=
-github.com/charmbracelet/x/term v0.2.2 h1:xVRT/S2ZcKdhhOuSP4t5cLi5o+JxklsoEObBSgfgZRk=
-github.com/charmbracelet/x/term v0.2.2/go.mod h1:kF8CY5RddLWrsgVwpw4kAa6TESp6EB5y3uxGLeCqzAI=
+github.com/charmbracelet/x/ansi v0.8.0 h1:9GTq3xq9caJW8ZrBTe0LIe2fvfLR/bYXKTx2llXn7xE=
+github.com/charmbracelet/x/ansi v0.8.0/go.mod h1:wdYl/ONOLHLIVmQaxbIYEC/cRKOQyjTkowiI4blgS9Q=
+github.com/charmbracelet/x/cellbuf v0.0.13 h1:/KBBKHuVRbq1lYx5BzEHBAFBP8VcQzJejZ/IA3iR28k=
+github.com/charmbracelet/x/cellbuf v0.0.13/go.mod h1:xe0nKWGd3eJgtqZRaN9RjMtK7xUYchjzPr7q6kcvCCs=
+github.com/charmbracelet/x/term v0.2.1 h1:AQeHeLZ1OqSXhrAWpYUtZyX1T3zVxfpZuEQMIQaGIAQ=
+github.com/charmbracelet/x/term v0.2.1/go.mod h1:oQ4enTYFV7QN4m0i9mzHrViD7TQKvNEEkHUMCmsxdUg=
 github.com/cheggaaa/pb v1.0.29 h1:FckUN5ngEk2LpvuG0fw1GEFx6LtyY2pWI/Z2QgCnEYo=
 github.com/cheggaaa/pb v1.0.29/go.mod h1:W40334L7FMC5JKWldsTWbdGjLo0RxUKK73K+TuPxX30=
-github.com/clipperhouse/displaywidth v0.11.0 h1:lBc6kY44VFw+TDx4I8opi/EtL9m20WSEFgwIwO+UVM8=
-github.com/clipperhouse/displaywidth v0.11.0/go.mod h1:bkrFNkf81G8HyVqmKGxsPufD3JhNl3dSqnGhOoSD/o0=
-github.com/clipperhouse/uax29/v2 v2.7.0 h1:+gs4oBZ2gPfVrKPthwbMzWZDaAFPGYK72F0NJv2v7Vk=
-github.com/clipperhouse/uax29/v2 v2.7.0/go.mod h1:EFJ2TJMRUaplDxHKj1qAEhCtQPW2tJSwu5BF98AuoVM=
-github.com/cloudflare/circl v1.6.3 h1:9GPOhQGF9MCYUeXyMYlqTR6a5gTrgR/fBLXvUgtVcg8=
-github.com/cloudflare/circl v1.6.3/go.mod h1:2eXP6Qfat4O/Yhh8BznvKnJ+uzEoTQ6jVKJRn81BiS4=
+github.com/cloudflare/circl v1.6.0 h1:cr5JKic4HI+LkINy2lg3W2jF8sHCVTBncJr5gIIq7qk=
+github.com/cloudflare/circl v1.6.0/go.mod h1:uddAzsPgqdMAYatqJ0lsjX1oECcQLIlRpzZh3pJrofs=
 github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
-github.com/cyphar/filepath-securejoin v0.6.1 h1:5CeZ1jPXEiYt3+Z6zqprSAgSWiggmpVyciv8syjIpVE=
-github.com/cyphar/filepath-securejoin v0.6.1/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=
+github.com/cyphar/filepath-securejoin v0.4.1 h1:JyxxyPEaktOD+GAnqIqTf9A8tHyAG22rowi7HkoSU1s=
+github.com/cyphar/filepath-securejoin v0.4.1/go.mod h1:Sdj7gXlvMcPZsbhwhQ33GguGLDGQL7h7bg04C/+u9jI=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
@@ -63,41 +57,37 @@ github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FM
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f h1:Y/CXytFA4m6baUTXGLOoWe4PQhGxaX0KpnayAqC48p4=
 github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f/go.mod h1:vw97MGsxSvLiUE2X8qFplwetxpGLQrlU1Q9AUEIzCaM=
 github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
-github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
-github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
-github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE=
-github.com/frankban/quicktest v1.14.3/go.mod h1:mgiwOwqx65TmIk1wJ6Q7wvnVMocbUorkibMOrVTHZps=
+github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4=
+github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI=
+github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
+github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
 github.com/gliderlabs/ssh v0.3.8/go.mod h1:xYoytBv1sV0aL3CavoDuJIQNURXkkfPA/wxQ1pL1fAU=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
 github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
-github.com/go-git/go-billy/v5 v5.9.0 h1:jItGXszUDRtR/AlferWPTMN4j38BQ88XnXKbilmmBPA=
-github.com/go-git/go-billy/v5 v5.9.0/go.mod h1:jCnQMLj9eUgGU7+ludSTYoZL/GGmii14RxKFj7ROgHw=
+github.com/go-git/go-billy/v5 v5.6.2 h1:6Q86EsPXMa7c3YZ3aLAQsMA0VlWmy43r6FHqa/UNbRM=
+github.com/go-git/go-billy/v5 v5.6.2/go.mod h1:rcFC2rAsp/erv7CMz9GczHcuD0D32fWzH+MJAU+jaUU=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
-github.com/go-git/go-git/v5 v5.19.0 h1:+WkVUQZSy/F1Gb13udrMKjIM2PrzsNfDKFSfo5tkMtc=
-github.com/go-git/go-git/v5 v5.19.0/go.mod h1:Pb1v0c7/g8aGQJwx9Us09W85yGoyvSwuhEGMH7zjDKQ=
-github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
-github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
-github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-git/go-git/v5 v5.14.0 h1:/MD3lCrGjCen5WfEAzKg00MJJffKhC8gzS80ycmCi60=
+github.com/go-git/go-git/v5 v5.14.0/go.mod h1:Z5Xhoia5PcWA3NF8vRLURn9E5FRhSl7dGj9ItW3Wk5k=
+github.com/go-logr/logr v1.4.2 h1:6pFjapn8bFcIbiKo3XT4j/BhANplGihG6tvd+8rYgrY=
+github.com/go-logr/logr v1.4.2/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang/glog v1.2.5 h1:DrW6hGnjIhtvhOIiAKT6Psh/Kd/ldepEa81DKeiRJ5I=
-github.com/golang/glog v1.2.5/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
+github.com/golang/glog v1.2.4 h1:CNNw5U8lSiiBk7druxtSHHTsRWcxKoac6kZKm2peBBc=
+github.com/golang/glog v1.2.4/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw=
 github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
 github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
-github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
 github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.29.0 h1:5VipnvEpbqr2gA2VbM+nYVbkIF28c5ZQfqCBQ5g2xfk=
-github.com/grpc-ecosystem/grpc-gateway/v2 v2.29.0/go.mod h1:Hyl3n6Twe1hvtd9XUXDec4pTvgMSEixRuQKPTMH2bNs=
 github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645 h1:MJG/KsmcqMwFAkh8mTnAwhyKoB+sTAnY4CACC110tbU=
 github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645/go.mod h1:6iZfnjpejD4L/4DwD7NryNaJyCQdzwWwH2MWhCA90Kw=
 github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -105,25 +95,17 @@ github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY
 github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
 github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
-github.com/hashicorp/go-version v1.9.0 h1:CeOIz6k+LoN3qX9Z0tyQrPtiB1DFYRPfCIBtaXPSCnA=
-github.com/hashicorp/go-version v1.9.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
-github.com/hashicorp/hcl/v2 v2.24.0 h1:2QJdZ454DSsYGoaE6QheQZjtKZSUs9Nh2izTWiwQxvE=
-github.com/hashicorp/hcl/v2 v2.24.0/go.mod h1:oGoO1FIQYfn/AgyOhlg9qLC6/nOJPX3qGbkZpYAcqfM=
+github.com/hashicorp/hcl/v2 v2.23.0 h1:Fphj1/gCylPxHutVSEOf2fBOh1VE4AuLV7+kbJf3qos=
+github.com/hashicorp/hcl/v2 v2.23.0/go.mod h1:62ZYHrXgPoX8xBnzl8QzbWq4dyDsDtfCRgIq1rbJEvA=
 github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
 github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
 github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
-github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
-github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
 github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
 github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
 github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
 github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
-github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
-github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
-github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
-github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
@@ -131,30 +113,24 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/lucasb-eyer/go-colorful v1.4.0 h1:UtrWVfLdarDgc44HcS7pYloGHJUjHV/4FwW4TvVgFr4=
-github.com/lucasb-eyer/go-colorful v1.4.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
+github.com/lucasb-eyer/go-colorful v1.2.0 h1:1nnpGOrhyZZuNyfu1QjKiUICQ74+3FNCN69Aj6K7nkY=
+github.com/lucasb-eyer/go-colorful v1.2.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
 github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
-github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
-github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
+github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA=
+github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg=
 github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
 github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE=
-github.com/mattn/go-isatty v0.0.22 h1:j8l17JJ9i6VGPUFUYoTUKPSgKe/83EYU2zBC7YNKMw4=
-github.com/mattn/go-isatty v0.0.22/go.mod h1:ZXfXG4SQHsB/w3ZeOYbR0PrPwLy+n6xiMrJlRFqopa4=
+github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
+github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
 github.com/mattn/go-localereader v0.0.1 h1:ygSAOl7ZXTx4RdPYinUpg6W99U8jWvWi9Ye2JC/oIi4=
 github.com/mattn/go-localereader v0.0.1/go.mod h1:8fBrzywKY7BI3czFoHkuzRoWE9C+EiG4R1k4Cjx5p88=
 github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
-github.com/mattn/go-runewidth v0.0.23 h1:7ykA0T0jkPpzSvMS5i9uoNn2Xy3R383f9HDx3RybWcw=
-github.com/mattn/go-runewidth v0.0.23/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
+github.com/mattn/go-runewidth v0.0.16 h1:E5ScNMtiwvlvB5paMFdw9p4kSQzbXFikJ5SQO6TULQc=
+github.com/mattn/go-runewidth v0.0.16/go.mod h1:Jdepj2loyihRzMpdS35Xk/zdY8IAYHsh153qUoGf23w=
 github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc=
 github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg=
 github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
 github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=
-github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
-github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
-github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
-github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8=
-github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 h1:ZK8zHtRHOkbHy6Mmr5D264iyp3TiX5OmNcI5cIARiQI=
 github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6/go.mod h1:CJlz5H+gyd6CUWT45Oy4q24RdLyn7Md9Vj2/ldJBSIo=
 github.com/muesli/cancelreader v0.2.2 h1:3I4Kt4BQjOR54NavqnDogx/MIoWBFa0StPA8ELUXHmA=
@@ -170,10 +146,8 @@ github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
 github.com/pgavlin/fx v0.1.6 h1:r9jEg69DhNoCd3Xh0+5mIbdbS3PqWrVWujkY76MFRTU=
 github.com/pgavlin/fx v0.1.6/go.mod h1:KWZJ6fqBBSh8GxHYqwYCf3rYE7Gp2p0N8tJp8xv9u9M=
-github.com/pgavlin/fx/v2 v2.0.12 h1:SjjaJ68Dt8Z4zHwOpY/RPijd7lShs6xYupJbF9ra00M=
-github.com/pgavlin/fx/v2 v2.0.12/go.mod h1:M/nF/ooAOy+NUBooYYXl2REARzJ/giPJxfMs8fINfKc=
-github.com/pjbgf/sha1cd v0.6.0 h1:3WJ8Wz8gvDz29quX1OcEmkAlUg9diU4GxJHqs0/XiwU=
-github.com/pjbgf/sha1cd v0.6.0/go.mod h1:lhpGlyHLpQZoxMv8HcgXvZEhcGs0PG/vsZnEJ7H0iCM=
+github.com/pjbgf/sha1cd v0.3.2 h1:a9wb0bp1oC2TGwStyn0Umc/IGKQnEgF0vVaZ8QF8eo4=
+github.com/pjbgf/sha1cd v0.3.2/go.mod h1:zQWigSxVmsHEZow5qaLtPYxpcKMMQpa09ixqBxuCS6A=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/term v1.1.0 h1:xIAAdCMh3QIAy+5FrE8Ad8XoDhEU4ufwbaSozViP9kk=
@@ -183,31 +157,33 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRI
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 h1:vkHw5I/plNdTr435cARxCW6q9gc0S/Yxz7Mkd38pOb0=
 github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231/go.mod h1:murToZ2N9hNJzewjHBgfFdXhZKjY3z5cYC1VXk+lbFE=
-github.com/pulumi/esc v0.24.0 h1:sCtiB0qbyrlU1ZNzJn4dTLYiChl8xeCBFbHWl1YoXJg=
-github.com/pulumi/esc v0.24.0/go.mod h1:eCOOkcDJS6eooGwdE4/E0+pOsvUWG254+KBmPCFwJpA=
-github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild v0.0.18 h1:emkSEfjXfz7i2vNDi43WTqABhP9TY2mQnO2zdL683hw=
-github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild v0.0.18/go.mod h1:BriBqoV2I/58/AZy4/4oJfoiJYX7Nf/NxsAmGXDgvgo=
-github.com/pulumi/pulumi/sdk/v3 v3.242.0 h1:gQIZ1ALbT5gCMuRoBscGzk7Rdbx9mbOc+YwDFxvRyss=
-github.com/pulumi/pulumi/sdk/v3 v3.242.0/go.mod h1:P9VS6pQws3YBu67uszFRHn24n5AwzeMlyC2hIiHGWHg=
+github.com/pulumi/esc v0.13.0 h1:O2MPR2koScaQ2fXwyer8Q3Dd7z+DCnaDfsgNl5mVNMk=
+github.com/pulumi/esc v0.13.0/go.mod h1:IIQo6W6Uzajt6f1RW4QvNxIRDlbK3TNQysnrwBHNo3U=
+github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild v0.0.11 h1:16T7aYBGcMs7oMGcRHzRO9ETHit0xVYgPRBkaFu6T3M=
+github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild v0.0.11/go.mod h1:Uxxd/MM83Wys2lfpbfqvY8KUmnbU9mePbxbwEda/+SM=
+github.com/pulumi/pulumi/sdk/v3 v3.165.0 h1:cglplKZOJDpqH8wa/2J250G9az/sE9eKp9fS2bC+vi8=
+github.com/pulumi/pulumi/sdk/v3 v3.165.0/go.mod h1:GAaHrdv3kWJHbzkFFFflGbTBQXUYu6SF1ZCo+O9jo44=
+github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
 github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
 github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 h1:OkMGxebDjyw0ULyrTYWeN0UNCCkmCWfjPnIA2W6oviI=
+github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06/go.mod h1:+ePHsJ1keEjQtpvf9HHw0f4ZeJ0TLRsxhunSI2hYJSs=
 github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6NgVqpn3+iol9aGu4=
 github.com/santhosh-tekuri/jsonschema/v5 v5.3.1/go.mod h1:uToXkOrWAZ6/Oc07xWQrPOhJotwFIyu2bBVN41fcDUY=
-github.com/sergi/go-diff v1.4.0 h1:n/SP9D5ad1fORl+llWyN+D6qoUETXNZARKjyY2/KVCw=
-github.com/sergi/go-diff v1.4.0/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
+github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 h1:n661drycOFuPLCN3Uc8sB6B/s6Z4t2xvBgU1htSHuq8=
+github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
 github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/skeema/knownhosts v1.3.1 h1:X2osQ+RAjK76shCbvhHHHVl3ZlgDm8apHEHFqRjnBY8=
 github.com/skeema/knownhosts v1.3.1/go.mod h1:r7KTdC8l4uxWRyK2TpQZ/1o5HaSzh06ePQNxPwTcfiY=
 github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w=
 github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU=
-github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
-github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4=
-github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
-github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
-github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
+github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0=
+github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o=
+github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
@@ -215,8 +191,9 @@ github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXf
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
-github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA=
+github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY=
 github.com/texttheater/golang-levenshtein v1.0.1 h1:+cRNoVrfiwufQPhoMzB6N0Yf/Mqajr6t1lOv8GyGE2U=
 github.com/texttheater/golang-levenshtein v1.0.1/go.mod h1:PYAKrbF5sAiq9wd+H82hs7gNaen0CplQ9uvm6+enD/8=
 github.com/uber/jaeger-client-go v2.30.0+incompatible h1:D6wyKGCecFaSRUpo8lCVbaOOb6ThwMmTEbhRwtKR97o=
@@ -229,72 +206,49 @@ github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavM
 github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
 github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
-github.com/zclconf/go-cty v1.17.0 h1:seZvECve6XX4tmnvRzWtJNHdscMtYEx5R7bnnVyd/d0=
-github.com/zclconf/go-cty v1.17.0/go.mod h1:wqFzcImaLTI6A5HfsRwB0nj5n0MRZFwmey8YoFPPs3U=
-go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
-go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
-go.opentelemetry.io/collector/featuregate v1.58.0 h1:Kh6Dpgbxywv/Q3D6qPehaSxNCxvr/U/ki7CL4y3udCo=
-go.opentelemetry.io/collector/featuregate v1.58.0/go.mod h1:4ga1QBMPEejXXmpyJS8lmaRpknJ3Lb9Bvk6e420bUFU=
-go.opentelemetry.io/collector/internal/testutil v0.152.0 h1:8LGwekR7mLcUDhT1ofLmdnrHRFuUa3U7PBd95ZvJEjQ=
-go.opentelemetry.io/collector/internal/testutil v0.152.0/go.mod h1:Jkjs6rkqs973LqgZ0Fe3zrokQRKULYXPIf4HuqStiEE=
-go.opentelemetry.io/collector/pdata v1.58.0 h1:5Lxut3NxKp87066Pzt+3q7+JUuFI5B3teCyLZIF8wIs=
-go.opentelemetry.io/collector/pdata v1.58.0/go.mod h1:4vZtODINbC/JF3eGocnatdImzbRHseOywIcr+aULjCg=
-go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I=
-go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 h1:88Y4s2C8oTui1LGM6bTWkw0ICGcOLCAI5l6zsD1j20k=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0/go.mod h1:Vl1/iaggsuRlrHf/hfPJPvVag77kKyvrLeD10kpMl+A=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0 h1:RAE+JPfvEmvy+0LzyUA25/SGawPwIUbZ6u0Wug54sLc=
-go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0/go.mod h1:AGmbycVGEsRx9mXMZ75CsOyhSP6MFIcj/6dnG+vhVjk=
-go.opentelemetry.io/otel/metric v1.43.0 h1:d7638QeInOnuwOONPp4JAOGfbCEpYb+K6DVWvdxGzgM=
-go.opentelemetry.io/otel/metric v1.43.0/go.mod h1:RDnPtIxvqlgO8GRW18W6Z/4P462ldprJtfxHxyKd2PY=
-go.opentelemetry.io/otel/sdk v1.43.0 h1:pi5mE86i5rTeLXqoF/hhiBtUNcrAGHLKQdhg4h4V9Dg=
-go.opentelemetry.io/otel/sdk v1.43.0/go.mod h1:P+IkVU3iWukmiit/Yf9AWvpyRDlUeBaRg6Y+C58QHzg=
-go.opentelemetry.io/otel/sdk/metric v1.43.0 h1:S88dyqXjJkuBNLeMcVPRFXpRw2fuwdvfCGLEo89fDkw=
-go.opentelemetry.io/otel/sdk/metric v1.43.0/go.mod h1:C/RJtwSEJ5hzTiUz5pXF1kILHStzb9zFlIEe85bhj6A=
-go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09nk+3A=
-go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0=
-go.opentelemetry.io/proto/otlp v1.10.0 h1:IQRWgT5srOCYfiWnpqUYz9CVmbO8bFmKcwYxpuCSL2g=
-go.opentelemetry.io/proto/otlp v1.10.0/go.mod h1:/CV4QoCR/S9yaPj8utp3lvQPoqMtxXdzn7ozvvozVqk=
-go.opentelemetry.io/proto/slim/otlp v1.10.0 h1:iR97Vs/ZDR+y9TfuP9b1XBtdPWeC+OMslIBmhcLU7jM=
-go.opentelemetry.io/proto/slim/otlp v1.10.0/go.mod h1:lV9250stpjYLPNA5viFabIgP2QlUGRT1GdTgAf8SIUk=
-go.opentelemetry.io/proto/slim/otlp/collector/profiles/v1development v0.3.0 h1:RUF5rO0hAlgiJt1fzQVzcVs3vZVNHIcMLgOgG4rWNcQ=
-go.opentelemetry.io/proto/slim/otlp/collector/profiles/v1development v0.3.0/go.mod h1:I89cynRj8y+383o7tEQVg2SVA6SRgDVIouWPUVXjx0U=
-go.opentelemetry.io/proto/slim/otlp/profiles/v1development v0.3.0 h1:CQvJSldHRUN6Z8jsUeYv8J0lXRvygALXIzsmAeCcZE0=
-go.opentelemetry.io/proto/slim/otlp/profiles/v1development v0.3.0/go.mod h1:xSQ+mEfJe/GjK1LXEyVOoSI1N9JV9ZI923X5kup43W4=
+github.com/zclconf/go-cty v1.16.2 h1:LAJSwc3v81IRBZyUVQDUdZ7hs3SYs9jv0eZJDWHD/70=
+github.com/zclconf/go-cty v1.16.2/go.mod h1:VvMs5i0vgZdhYawQNq5kePSpLAoz8u1xvZgrPIxfnZE=
+go.opentelemetry.io/auto/sdk v1.1.0 h1:cH53jehLUN6UFLY71z+NDOiNJqDdPRaXzTel0sJySYA=
+go.opentelemetry.io/auto/sdk v1.1.0/go.mod h1:3wSPjt5PWp2RhlCcmmOial7AvC4DQqZb7a7wCow3W8A=
+go.opentelemetry.io/otel v1.35.0 h1:xKWKPxrxB6OtMCbmMY021CqC45J+3Onta9MqjhnusiQ=
+go.opentelemetry.io/otel v1.35.0/go.mod h1:UEqy8Zp11hpkUrL73gSlELM0DupHoiq72dR+Zqel/+Y=
+go.opentelemetry.io/otel/metric v1.34.0 h1:+eTR3U0MyfWjRDhmFMxe2SsW64QrZ84AOhvqS7Y+PoQ=
+go.opentelemetry.io/otel/metric v1.34.0/go.mod h1:CEDrp0fy2D0MvkXE+dPV7cMi8tWZwX3dmaIhwPOaqHE=
+go.opentelemetry.io/otel/sdk v1.35.0 h1:iPctf8iprVySXSKJffSS79eOjl9pvxV9ZqOWT0QejKY=
+go.opentelemetry.io/otel/sdk v1.35.0/go.mod h1:+ga1bZliga3DxJ3CQGg3updiaAJoNECOgJREo9KHGQg=
+go.opentelemetry.io/otel/sdk/metric v1.34.0 h1:5CeK9ujjbFVL5c1PhLuStg1wxA7vQv7ce1EK0Gyvahk=
+go.opentelemetry.io/otel/sdk/metric v1.34.0/go.mod h1:jQ/r8Ze28zRKoNRdkjCZxfs6YvBTG1+YIqyFVFYec5w=
+go.opentelemetry.io/otel/trace v1.34.0 h1:+ouXS2V8Rd4hp4580a8q23bg0azF2nI8cqLYnC8mh/k=
+go.opentelemetry.io/otel/trace v1.34.0/go.mod h1:Svm7lSjQD7kG7KJ/MUHPVXSDGz2OX4h0M2jHBhmSfRE=
 go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
 go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
-go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
-go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
-go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
-go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.51.0 h1:IBPXwPfKxY7cWQZ38ZCIRPI50YLeevDLlLnyC5wRGTI=
-golang.org/x/crypto v0.51.0/go.mod h1:8AdwkbraGNABw2kOX6YFPs3WM22XqI4EXEd8g+x7Oc8=
-golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f h1:W3F4c+6OLc6H2lb//N1q4WpJkhzJCK5J6kUi1NTVXfM=
-golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f/go.mod h1:J1xhfL/vlindoeF/aINzNzt2Bket5bjo9sdOYzOsU80=
+golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34=
+golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc=
+golang.org/x/exp v0.0.0-20250305212735-054e65f0b394 h1:nDVHiLt8aIbd/VzvPWN6kSOPE7+F/fNFDSXLVYkE/Iw=
+golang.org/x/exp v0.0.0-20250305212735-054e65f0b394/go.mod h1:sIifuuw/Yco/y6yb6+bDNfyeQ/MdPUy/hKEMYQV17cM=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
-golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
+golang.org/x/mod v0.24.0 h1:ZfthKaKaT4NrhGVZHO1/WDTwGES4De8KtWO0SIbNJMU=
+golang.org/x/mod v0.24.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200421231249-e086a090c8fd/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.54.0 h1:2zJIZAxAHV/OHCDTCOHAYehQzLfSXuf/5SoL/Dv6w/w=
-golang.org/x/net v0.54.0/go.mod h1:Sj4oj8jK6XmHpBZU/zWHw3BV3abl4Kvi+Ut7cQcY+cQ=
+golang.org/x/net v0.37.0 h1:1zLorHbz+LYj7MQlSf1+2tPIIgibq2eL5xkrGk6f+2c=
+golang.org/x/net v0.37.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
-golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
+golang.org/x/sync v0.12.0 h1:MHc5BpPuC30uJk597Ri8TV3CNZcTLu6B6z4lJy+g6Jw=
+golang.org/x/sync v0.12.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -309,38 +263,35 @@ golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
-golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik=
+golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4=
-golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
+golang.org/x/term v0.30.0 h1:PQ39fJZ+mfadBm0y5WlL4vlM7Sx1Hgf13sMIY2+QS9Y=
+golang.org/x/term v0.30.0/go.mod h1:NYYFdzHoI5wRh/h5tDMdMqCqPJZEuNqVR5xJLd/n67g=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
-golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
+golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY=
+golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
-golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
+golang.org/x/tools v0.31.0 h1:0EedkvKDbh+qistFTd0Bcwe/YLh4vHwWEkiI0toFIBU=
+golang.org/x/tools v0.31.0/go.mod h1:naFTU+Cev749tSJRXJlna0T3WxKvb1kWEx15xA4SdmQ=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4=
-gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E=
-google.golang.org/genproto/googleapis/api v0.0.0-20260519071638-aa98bba5eb94 h1:DddG61lE5LkX6144z22i0gma9BMBs5aZ9B8lZLobxyw=
-google.golang.org/genproto/googleapis/api v0.0.0-20260519071638-aa98bba5eb94/go.mod h1:1dCETSCY2YKZNXQE3h4fun3TYwF5p8jejRKZgfWAgAY=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260519071638-aa98bba5eb94 h1:eZCjr/aAF8c5ccm5pb6T4EXgIei5MlAAPWPJk+5ArfY=
-google.golang.org/genproto/googleapis/rpc v0.0.0-20260519071638-aa98bba5eb94/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
-google.golang.org/grpc v1.81.1 h1:VnnIIZ88UzOOKLukQi+ImGz8O1Wdp8nAGGnvOfEIWQQ=
-google.golang.org/grpc v1.81.1/go.mod h1:xGH9GfzOyMTGIOXBJmXt+BX/V0kcdQbdcuwQ/zNw42I=
-google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
-google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4 h1:iK2jbkWL86DXjEx0qiHcRE9dE4/Ahua5k6V8OWFb//c=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20250313205543-e70fdf4c4cb4/go.mod h1:LuRYeWDFV6WOn90g357N17oMCaxpgCnbi/44qJvDn2I=
+google.golang.org/grpc v1.71.0 h1:kF77BGdPTQ4/JZWMlb9VpJ5pa25aqvVqogsxNHHdeBg=
+google.golang.org/grpc v1.71.0/go.mod h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec=
+google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
+google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
@@ -350,9 +301,10 @@ gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRN
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 lukechampine.com/frand v1.5.1 h1:fg0eRtdmGFIxhP5zQJzM1lFDbD6CUfu/f+7WgAZd5/w=
 lukechampine.com/frand v1.5.1/go.mod h1:4VstaWc2plN4Mjr10chUD46RAVGWhpkZ5Nja8+Azp0Q=
-pgregory.net/rapid v1.2.0 h1:keKAYRcjm+e1F0oAuU5F5+YPAWcyxNNRK2wud503Gnk=
-pgregory.net/rapid v1.2.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04=
+pgregory.net/rapid v1.1.0 h1:CMa0sjHSru3puNx+J0MIAuiiEV4N0qj8/cMWGBBCsjw=
+pgregory.net/rapid v1.1.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04=

examples/go/main.go

@@ -1,10 +1,9 @@
 package main
 
 import (
+	"github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild"
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
-
-	"github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild"
 )
 
 func main() {

examples/go_test.go

@@ -8,9 +8,8 @@ import (
 	"path"
 	"testing"
 
-	"github.com/stretchr/testify/require"
-
 	"github.com/pulumi/pulumi/pkg/v3/testing/integration"
+	"github.com/stretchr/testify/require"
 )
 
 func TestGoExample(t *testing.T) {

examples/hcl/.dockerignore

@@ -1,2 +0,0 @@
-command-output
-tmp

examples/hcl/Pulumi.yaml

@@ -1,10 +0,0 @@
-name: provider-docker-build
-runtime: hcl
-config:
-  dockerHubPassword:
-    type: string
-    secret: true
-plugins:
-  providers:
-    - name: docker-build
-      path: ../../bin

examples/hcl/app/Dockerfile

@@ -1,2 +0,0 @@
-FROM alpine
-RUN echo 👍

examples/hcl/app/Dockerfile.buildArgs

@@ -1,5 +0,0 @@
-FROM alpine
-
-ARG SET_ME_TO_TRUE
-RUN [ "$SET_ME_TO_TRUE" = "true" ]
-RUN echo "That's the correct build arg, thanks! 👍"

examples/hcl/app/Dockerfile.emptyContext

@@ -1,2 +0,0 @@
-FROM alpine
-RUN echo "This image doesn't use any local files, so it doesn't need a context parameter 👍"

examples/hcl/app/Dockerfile.extraHosts

@@ -1,3 +0,0 @@
-FROM bash AS base
-
-RUN getent hosts metadata.google.internal

examples/hcl/app/Dockerfile.multiPlatform

@@ -1,7 +0,0 @@
-FROM --platform=$BUILDPLATFORM alpine as build
-RUN echo ${BUILDPLATFORM} > buildplatform
-RUN echo ${TARGETPLATFORM} > targetplatform
-
-FROM build
-RUN cat buildplatform
-RUN cat targetplatform

examples/hcl/app/Dockerfile.namedContexts

@@ -1,5 +0,0 @@
-# syntax=docker/dockerfile:1.4
-FROM golang:latest
-
-RUN version="$(go version)" && echo $version && [ "$version" = "go version go1.21.7 linux/amd64" ]
-RUN echo "This image uses named contexts to pin golang:latest to a specific SHA 👍"

examples/hcl/app/Dockerfile.secrets

@@ -1,4 +0,0 @@
-FROM alpine
-
-RUN --mount=type=secret,id=password [ "$(cat /run/secrets/password)" = "hunter2" ]
-

examples/hcl/app/Dockerfile.sshMount

@@ -1,5 +0,0 @@
-FROM alpine
-
-RUN apk add openssh-client
-
-RUN --mount=type=ssh ssh-add -l

examples/hcl/app/Dockerfile.target

@@ -1,8 +0,0 @@
-FROM alpine as build-me
-RUN echo 👍
-
-FROM build-me as also-build-me
-RUN echo 🤙
-
-FROM build-me as dont-build-me
-RUN [ "true" = "false" ]

examples/hcl/program.hcl

@@ -1,171 +0,0 @@
-pulumi {
-  required_providers {
-    docker-build = {
-      source  = "pulumi/docker-build"
-      version = "0.1.0-alpha.0+dev"
-    }
-  }
-}
-
-resource "docker-build_image" "multiPlatform" {
-  push = false
-  dockerfile = {
-    location = "./app/Dockerfile.multiPlatform"
-  }
-  context = {
-    location = "./app"
-  }
-  platforms = ["plan9/amd64", "plan9/386"]
-}
-resource "docker-build_image" "registryPush" {
-  push = false
-  context = {
-    location = "./app"
-  }
-  tags = ["docker.io/pulumibot/buildkit-e2e:example"]
-  exports {
-    registry = {
-      oci_media_types = true
-      push            = false
-    }
-  }
-  registries {
-    address  = "docker.io"
-    username = "pulumibot"
-    password = var.dockerHubPassword
-  }
-}
-resource "docker-build_image" "cached" {
-  push = false
-  context = {
-    location = "./app"
-  }
-  cache_to {
-    local = {
-      dest = "tmp/cache"
-      mode = "max"
-    }
-  }
-  cache_from {
-    local = {
-      src = "tmp/cache"
-    }
-  }
-}
-resource "docker-build_image" "buildArgs" {
-  push = false
-  dockerfile = {
-    location = "./app/Dockerfile.buildArgs"
-  }
-  context = {
-    location = "./app"
-  }
-  build_args = {
-    "SET_ME_TO_TRUE" = "true"
-  }
-}
-resource "docker-build_image" "extraHosts" {
-  push = false
-  dockerfile = {
-    location = "./app/Dockerfile.extraHosts"
-  }
-  context = {
-    location = "./app"
-  }
-  add_hosts = ["metadata.google.internal:169.254.169.254"]
-}
-resource "docker-build_image" "sshMount" {
-  push = false
-  dockerfile = {
-    location = "./app/Dockerfile.sshMount"
-  }
-  context = {
-    location = "./app"
-  }
-  ssh {
-    id = "default"
-  }
-}
-resource "docker-build_image" "secrets" {
-  push = false
-  dockerfile = {
-    location = "./app/Dockerfile.secrets"
-  }
-  context = {
-    location = "./app"
-  }
-  secrets = {
-    "password" = "hunter2"
-  }
-}
-resource "docker-build_image" "labels" {
-  push = false
-  context = {
-    location = "./app"
-  }
-  labels = {
-    "description" = "This image will get a descriptive label 👍"
-  }
-}
-resource "docker-build_image" "target" {
-  push = false
-  dockerfile = {
-    location = "./app/Dockerfile.target"
-  }
-  context = {
-    location = "./app"
-  }
-  target = "build-me"
-}
-resource "docker-build_image" "namedContexts" {
-  push = false
-  dockerfile = {
-    location = "./app/Dockerfile.namedContexts"
-  }
-  context = {
-    location = "./app"
-    named = {
-      "golang:latest" = {
-        location = "docker-image://golang@sha256:b8e62cf593cdaff36efd90aa3a37de268e6781a2e68c6610940c48f7cdf36984"
-      }
-    }
-  }
-}
-resource "docker-build_image" "remoteContext" {
-  push = false
-  context = {
-    location = "https://raw.githubusercontent.com/pulumi/pulumi-docker/api-types/provider/testdata/Dockerfile"
-  }
-}
-resource "docker-build_image" "remoteContextWithInline" {
-  push = false
-  dockerfile = {
-    inline = "FROM busybox\nCOPY hello.c ./\n"
-  }
-  context = {
-    location = "https://github.com/docker-library/hello-world.git"
-  }
-}
-resource "docker-build_image" "inline" {
-  push = false
-  dockerfile = {
-    inline = "FROM alpine\nRUN echo \"This uses an inline Dockerfile! 👍\"\n"
-  }
-}
-resource "docker-build_image" "dockerLoad" {
-  push = false
-  context = {
-    location = "./app"
-  }
-  exports {
-    docker = {
-      tar = true
-    }
-  }
-}
-variable "dockerHubPassword" {
-  type = string
-}
-output "platforms" {
-  value = docker-build_image.multiPlatform.platforms
-}

examples/java_test.go

@@ -8,9 +8,8 @@ import (
 	"path"
 	"testing"
 
-	"github.com/stretchr/testify/require"
-
 	"github.com/pulumi/pulumi/pkg/v3/testing/integration"
+	"github.com/stretchr/testify/require"
 )
 
 func TestJavaExample(t *testing.T) {

examples/nodejs/package.json

@@ -5,6 +5,6 @@
   },
   "dependencies": {
     "typescript": "^4.0.0",
-    "@pulumi/pulumi": "3.244.0"
+    "@pulumi/pulumi": "3.165.0"
   }
 }

examples/nodejs_test.go

@@ -16,15 +16,14 @@ import (
 	"github.com/aws/aws-sdk-go/aws"
 	"github.com/aws/aws-sdk-go/aws/session"
 	"github.com/aws/aws-sdk-go/service/ecr"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
 	"github.com/pulumi/providertest"
 	"github.com/pulumi/providertest/optproviderupgrade"
 	"github.com/pulumi/providertest/pulumitest"
 	"github.com/pulumi/providertest/pulumitest/assertpreview"
 	"github.com/pulumi/providertest/pulumitest/opttest"
 	"github.com/pulumi/pulumi/pkg/v3/testing/integration"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
 )
 
 func TestNodeExample(t *testing.T) {
@@ -182,9 +181,8 @@ func TestConfig(t *testing.T) {
 	require.NoError(t, err)
 
 	test := integration.ProgramTestOptions{
-		Dir:                    path.Join(cwd, "tests", "config"),
-		Dependencies:           []string{"@pulumi/docker-build"},
-		SkipEmptyPreviewUpdate: true,
+		Dir:          path.Join(cwd, "tests", "config"),
+		Dependencies: []string{"@pulumi/docker-build"},
 	}
 
 	integration.ProgramTest(t, &test)

examples/python/__main__.py

@@ -5,151 +5,151 @@ config = pulumi.Config()
 docker_hub_password = config.require("dockerHubPassword")
 multi_platform = docker_build.Image("multiPlatform",
     push=False,
-    dockerfile={
-        "location": "./app/Dockerfile.multiPlatform",
-    },
-    context={
-        "location": "./app",
-    },
+    dockerfile=docker_build.DockerfileArgs(
+        location="./app/Dockerfile.multiPlatform",
+    ),
+    context=docker_build.BuildContextArgs(
+        location="./app",
+    ),
     platforms=[
         docker_build.Platform.PLAN9_AMD64,
         docker_build.Platform.PLAN9_386,
     ])
 registry_push = docker_build.Image("registryPush",
     push=False,
-    context={
-        "location": "./app",
-    },
+    context=docker_build.BuildContextArgs(
+        location="./app",
+    ),
     tags=["docker.io/pulumibot/buildkit-e2e:example"],
-    exports=[{
-        "registry": {
-            "oci_media_types": True,
-            "push": False,
-        },
-    }],
-    registries=[{
-        "address": "docker.io",
-        "username": "pulumibot",
-        "password": docker_hub_password,
-    }])
+    exports=[docker_build.ExportArgs(
+        registry=docker_build.ExportRegistryArgs(
+            oci_media_types=True,
+            push=False,
+        ),
+    )],
+    registries=[docker_build.RegistryArgs(
+        address="docker.io",
+        username="pulumibot",
+        password=docker_hub_password,
+    )])
 cached = docker_build.Image("cached",
     push=False,
-    context={
-        "location": "./app",
-    },
-    cache_to=[{
-        "local": {
-            "dest": "tmp/cache",
-            "mode": docker_build.CacheMode.MAX,
-        },
-    }],
-    cache_from=[{
-        "local": {
-            "src": "tmp/cache",
-        },
-    }])
+    context=docker_build.BuildContextArgs(
+        location="./app",
+    ),
+    cache_to=[docker_build.CacheToArgs(
+        local=docker_build.CacheToLocalArgs(
+            dest="tmp/cache",
+            mode=docker_build.CacheMode.MAX,
+        ),
+    )],
+    cache_from=[docker_build.CacheFromArgs(
+        local=docker_build.CacheFromLocalArgs(
+            src="tmp/cache",
+        ),
+    )])
 build_args = docker_build.Image("buildArgs",
     push=False,
-    dockerfile={
-        "location": "./app/Dockerfile.buildArgs",
-    },
-    context={
-        "location": "./app",
-    },
+    dockerfile=docker_build.DockerfileArgs(
+        location="./app/Dockerfile.buildArgs",
+    ),
+    context=docker_build.BuildContextArgs(
+        location="./app",
+    ),
     build_args={
         "SET_ME_TO_TRUE": "true",
     })
 extra_hosts = docker_build.Image("extraHosts",
     push=False,
-    dockerfile={
-        "location": "./app/Dockerfile.extraHosts",
-    },
-    context={
-        "location": "./app",
-    },
+    dockerfile=docker_build.DockerfileArgs(
+        location="./app/Dockerfile.extraHosts",
+    ),
+    context=docker_build.BuildContextArgs(
+        location="./app",
+    ),
     add_hosts=["metadata.google.internal:169.254.169.254"])
 ssh_mount = docker_build.Image("sshMount",
     push=False,
-    dockerfile={
-        "location": "./app/Dockerfile.sshMount",
-    },
-    context={
-        "location": "./app",
-    },
-    ssh=[{
-        "id": "default",
-    }])
+    dockerfile=docker_build.DockerfileArgs(
+        location="./app/Dockerfile.sshMount",
+    ),
+    context=docker_build.BuildContextArgs(
+        location="./app",
+    ),
+    ssh=[docker_build.SSHArgs(
+        id="default",
+    )])
 secrets = docker_build.Image("secrets",
     push=False,
-    dockerfile={
-        "location": "./app/Dockerfile.secrets",
-    },
-    context={
-        "location": "./app",
-    },
+    dockerfile=docker_build.DockerfileArgs(
+        location="./app/Dockerfile.secrets",
+    ),
+    context=docker_build.BuildContextArgs(
+        location="./app",
+    ),
     secrets={
         "password": "hunter2",
     })
 labels = docker_build.Image("labels",
     push=False,
-    context={
-        "location": "./app",
-    },
+    context=docker_build.BuildContextArgs(
+        location="./app",
+    ),
     labels={
         "description": "This image will get a descriptive label 👍",
     })
 target = docker_build.Image("target",
     push=False,
-    dockerfile={
-        "location": "./app/Dockerfile.target",
-    },
-    context={
-        "location": "./app",
-    },
+    dockerfile=docker_build.DockerfileArgs(
+        location="./app/Dockerfile.target",
+    ),
+    context=docker_build.BuildContextArgs(
+        location="./app",
+    ),
     target="build-me")
 named_contexts = docker_build.Image("namedContexts",
     push=False,
-    dockerfile={
-        "location": "./app/Dockerfile.namedContexts",
-    },
-    context={
-        "location": "./app",
-        "named": {
-            "golang:latest": {
-                "location": "docker-image://golang@sha256:b8e62cf593cdaff36efd90aa3a37de268e6781a2e68c6610940c48f7cdf36984",
-            },
+    dockerfile=docker_build.DockerfileArgs(
+        location="./app/Dockerfile.namedContexts",
+    ),
+    context=docker_build.BuildContextArgs(
+        location="./app",
+        named={
+            "golang:latest": docker_build.ContextArgs(
+                location="docker-image://golang@sha256:b8e62cf593cdaff36efd90aa3a37de268e6781a2e68c6610940c48f7cdf36984",
+            ),
         },
-    })
+    ))
 remote_context = docker_build.Image("remoteContext",
     push=False,
-    context={
-        "location": "https://raw.githubusercontent.com/pulumi/pulumi-docker/api-types/provider/testdata/Dockerfile",
-    })
+    context=docker_build.BuildContextArgs(
+        location="https://raw.githubusercontent.com/pulumi/pulumi-docker/api-types/provider/testdata/Dockerfile",
+    ))
 remote_context_with_inline = docker_build.Image("remoteContextWithInline",
     push=False,
-    dockerfile={
-        "inline": """FROM busybox
+    dockerfile=docker_build.DockerfileArgs(
+        inline="""FROM busybox
 COPY hello.c ./
 """,
-    },
-    context={
-        "location": "https://github.com/docker-library/hello-world.git",
-    })
+    ),
+    context=docker_build.BuildContextArgs(
+        location="https://github.com/docker-library/hello-world.git",
+    ))
 inline = docker_build.Image("inline",
     push=False,
-    dockerfile={
-        "inline": """FROM alpine
+    dockerfile=docker_build.DockerfileArgs(
+        inline="""FROM alpine
 RUN echo "This uses an inline Dockerfile! 👍"
 """,
-    })
+    ))
 docker_load = docker_build.Image("dockerLoad",
     push=False,
-    context={
-        "location": "./app",
-    },
-    exports=[{
-        "docker": {
-            "tar": True,
-        },
-    }])
+    context=docker_build.BuildContextArgs(
+        location="./app",
+    ),
+    exports=[docker_build.ExportArgs(
+        docker=docker_build.ExportDockerArgs(
+            tar=True,
+        ),
+    )])
 pulumi.export("platforms", multi_platform.platforms)

examples/python_test.go

@@ -8,9 +8,8 @@ import (
 	"path"
 	"testing"
 
-	"github.com/stretchr/testify/require"
-
 	"github.com/pulumi/pulumi/pkg/v3/testing/integration"
+	"github.com/stretchr/testify/require"
 )
 
 func TestPythonExample(t *testing.T) {

examples/tests/caching/package.json

@@ -4,6 +4,6 @@
     "@types/node": "^20.0.0"
   },
   "dependencies": {
-    "@pulumi/pulumi": "3.244.0"
+    "@pulumi/pulumi": "3.165.0"
   }
 }

examples/tests/config/package.json

@@ -4,6 +4,6 @@
     "@types/node": "^20.0.0"
   },
   "dependencies": {
-    "@pulumi/pulumi": "3.244.0"
+    "@pulumi/pulumi": "3.165.0"
   }
 }

examples/tests/ecr/Pulumi.yaml

@@ -38,5 +38,3 @@ variables:
   auth-token:
     fn::aws:ecr:getAuthorizationToken:
       registryId: ${ecr-repository.registryId}
-config:
-  aws:region: us-west-2

examples/upgrade-node/package.json

@@ -5,6 +5,6 @@
   },
   "dependencies": {
     "typescript": "^4.0.0",
-    "@pulumi/pulumi": "3.244.0"
+    "@pulumi/pulumi": "3.165.0"
   }
 }

examples/yaml_test.go

@@ -8,17 +8,15 @@ import (
 	"path"
 	"testing"
 
-	"github.com/stretchr/testify/require"
-
 	"github.com/pulumi/providertest"
 	"github.com/pulumi/providertest/providers"
 	"github.com/pulumi/providertest/pulumitest"
 	"github.com/pulumi/providertest/pulumitest/assertpreview"
 	"github.com/pulumi/providertest/pulumitest/opttest"
+	"github.com/pulumi/pulumi-docker-build/provider"
 	"github.com/pulumi/pulumi/pkg/v3/testing/integration"
 	pulumirpc "github.com/pulumi/pulumi/sdk/v3/proto/go"
-
-	"github.com/pulumi/pulumi-docker-build/provider"
+	"github.com/stretchr/testify/require"
 )
 
 func TestYAMLExample(t *testing.T) {
@@ -35,20 +33,6 @@ func TestYAMLExample(t *testing.T) {
 	integration.ProgramTest(t, &test)
 }
 
-func TestHCLExample(t *testing.T) {
-	cwd, err := os.Getwd()
-	require.NoError(t, err)
-
-	test := integration.ProgramTestOptions{
-		Dir: path.Join(cwd, "hcl"),
-		Secrets: map[string]string{
-			"dockerHubPassword": os.Getenv("DOCKER_HUB_PASSWORD"),
-		},
-	}
-
-	integration.ProgramTest(t, &test)
-}
-
 func TestYAMLExampleUpgrade(t *testing.T) {
 	pt := pulumitest.NewPulumiTest(t, "upgrade",
 		opttest.AttachProviderServer("docker-build", providerServerFactory))

go.mod

@@ -1,161 +1,242 @@
 module github.com/pulumi/pulumi-docker-build
 
-go 1.25.8
+go 1.24.1
 
 require (
 	github.com/aws/aws-sdk-go v1.55.5
 	github.com/blang/semver v3.5.1+incompatible
-	github.com/containerd/errdefs v1.0.0
 	github.com/distribution/reference v0.6.0
 	github.com/docker/buildx v0.22.0
 	github.com/docker/cli v28.0.4+incompatible
 	github.com/docker/docker v28.0.1+incompatible
+	github.com/golangci/golangci-lint v1.59.1
 	github.com/moby/buildkit v0.20.1
 	github.com/moby/patternmatcher v0.6.0
 	github.com/muesli/reflow v0.3.0
 	github.com/otiai10/copy v1.14.0
-	github.com/pulumi/providertest v0.7.0
-	github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3 v3.106.2
-	github.com/pulumi/pulumi-go-provider v1.3.2
-	github.com/pulumi/pulumi-java v1.28.0
-	github.com/pulumi/pulumi/pkg/v3 v3.243.0
-	github.com/pulumi/pulumi/sdk/v3 v3.243.0
+	github.com/pulumi/providertest v0.3.1
+	github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet v3.79.0
+	github.com/pulumi/pulumi-go-provider v0.26.0
+	github.com/pulumi/pulumi-java/pkg v1.10.0
+	github.com/pulumi/pulumi-yaml v1.17.0
+	github.com/pulumi/pulumi/pkg/v3 v3.165.0
+	github.com/pulumi/pulumi/sdk/go/pulumi-language-go/v3 v3.165.0
+	github.com/pulumi/pulumi/sdk/nodejs/cmd/pulumi-language-nodejs/v3 v3.165.0
+	github.com/pulumi/pulumi/sdk/python/cmd/pulumi-language-python/v3 v3.165.0
+	github.com/pulumi/pulumi/sdk/v3 v3.165.0
 	github.com/regclient/regclient v0.7.1
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/afero v1.14.0
-	github.com/stretchr/testify v1.11.1
+	github.com/stretchr/testify v1.10.0
+	github.com/theupdateframework/notary v0.7.0
 	github.com/tonistiigi/fsutil v0.0.0-20250113203817-b14e27f4135a
 	github.com/tonistiigi/go-csvvalue v0.0.0-20240710180619-ddb21b71c0b4
-	go.opentelemetry.io/otel/metric v1.43.0
-	go.opentelemetry.io/otel/sdk v1.43.0
-	go.opentelemetry.io/otel/trace v1.43.0
-	go.uber.org/mock v0.6.0
-	golang.org/x/crypto v0.51.0
-	golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f
-	google.golang.org/protobuf v1.36.11
+	go.opentelemetry.io/otel/metric v1.35.0
+	go.opentelemetry.io/otel/sdk v1.35.0
+	go.opentelemetry.io/otel/trace v1.35.0
+	go.uber.org/mock v0.5.0
+	golang.org/x/crypto v0.37.0
+	golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0
+	google.golang.org/protobuf v1.36.6
 	gopkg.in/yaml.v3 v3.0.1
 )
 
 require (
+	4d63.com/gocheckcompilerdirectives v1.2.1 // indirect
+	4d63.com/gochecknoglobals v0.2.1 // indirect
 	cloud.google.com/go v0.112.1 // indirect
-	cloud.google.com/go/compute/metadata v0.9.0 // indirect
+	cloud.google.com/go/compute/metadata v0.6.0 // indirect
 	cloud.google.com/go/iam v1.1.6 // indirect
 	cloud.google.com/go/kms v1.15.7 // indirect
 	cloud.google.com/go/logging v1.9.0 // indirect
 	cloud.google.com/go/longrunning v0.5.5 // indirect
 	cloud.google.com/go/storage v1.39.1 // indirect
 	dario.cat/mergo v1.0.1 // indirect
+	github.com/4meepo/tagalign v1.3.4 // indirect
+	github.com/Abirdcfly/dupword v0.0.14 // indirect
 	github.com/AdaLogics/go-fuzz-headers v0.0.0-20240806141605-e8a1dd7889d6 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.17.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.2 // indirect
+	github.com/AlecAivazis/survey/v2 v2.3.7 // indirect
+	github.com/Antonboom/errname v0.1.13 // indirect
+	github.com/Antonboom/nilnil v0.1.9 // indirect
+	github.com/Antonboom/testifylint v1.3.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.16.0 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.8.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/internal v1.10.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/azkeys v0.10.0 // indirect
 	github.com/Azure/azure-sdk-for-go/sdk/keyvault/internal v0.7.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.5.0 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20250102033503-faa5f7b0171c // indirect
-	github.com/AzureAD/microsoft-authentication-library-for-go v1.3.3 // indirect
-	github.com/BurntSushi/toml v1.6.0 // indirect
+	github.com/Azure/go-autorest v14.2.0+incompatible // indirect
+	github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect
+	github.com/AzureAD/microsoft-authentication-library-for-go v1.3.2 // indirect
+	github.com/BurntSushi/toml v1.5.0 // indirect
+	github.com/Crocmagnon/fatcontext v0.2.2 // indirect
+	github.com/Djarvur/go-err113 v0.0.0-20210108212216-aea10b59be24 // indirect
+	github.com/GaijinEntertainment/go-exhaustruct/v3 v3.2.0 // indirect
+	github.com/Masterminds/semver/v3 v3.2.1 // indirect
 	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/OpenPeeDeeP/depguard/v2 v2.2.0 // indirect
 	github.com/ProtonMail/go-crypto v1.2.0 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
+	github.com/alecthomas/chroma v0.10.0 // indirect
+	github.com/alecthomas/chroma/v2 v2.13.0 // indirect
+	github.com/alecthomas/go-check-sumtype v0.1.4 // indirect
+	github.com/alexkohler/nakedret/v2 v2.0.4 // indirect
+	github.com/alexkohler/prealloc v1.0.0 // indirect
+	github.com/alingse/asasalint v0.0.11 // indirect
 	github.com/apparentlymart/go-cidr v1.0.1 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
+	github.com/ashanbrown/forbidigo v1.6.0 // indirect
+	github.com/ashanbrown/makezero v1.1.1 // indirect
 	github.com/atotto/clipboard v0.1.4 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.41.5 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.30.3 // indirect
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.6.3 // indirect
 	github.com/aws/aws-sdk-go-v2/config v1.27.27 // indirect
 	github.com/aws/aws-sdk-go-v2/credentials v1.17.27 // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.16.11 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.17.8 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.15 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.15 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.0 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.3.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.3 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.3.17 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.17 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.17.15 // indirect
 	github.com/aws/aws-sdk-go-v2/service/kms v1.30.1 // indirect
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.58.2 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sso v1.22.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.26.4 // indirect
 	github.com/aws/aws-sdk-go-v2/service/sts v1.30.3 // indirect
-	github.com/aws/smithy-go v1.24.2 // indirect
+	github.com/aws/smithy-go v1.20.3 // indirect
 	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
-	github.com/bazelbuild/buildtools v0.0.0-20260211083412-859bfffeef82 // indirect
+	github.com/aymerick/douceur v0.2.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/bkielbasa/cyclop v1.2.1 // indirect
+	github.com/blizzy78/varnamelen v0.8.0 // indirect
+	github.com/bombsimon/wsl/v4 v4.2.1 // indirect
+	github.com/breml/bidichk v0.2.7 // indirect
+	github.com/breml/errchkjson v0.3.6 // indirect
+	github.com/butuzov/ireturn v0.3.0 // indirect
+	github.com/butuzov/mirror v1.2.0 // indirect
+	github.com/catenacyber/perfsprint v0.7.1 // indirect
+	github.com/ccojocar/zxcvbn-go v1.0.2 // indirect
 	github.com/cenkalti/backoff/v3 v3.2.2 // indirect
 	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
-	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
-	github.com/charmbracelet/bubbles v1.0.0 // indirect
-	github.com/charmbracelet/bubbletea v1.3.10 // indirect
-	github.com/charmbracelet/colorprofile v0.4.3 // indirect
+	github.com/charithe/durationcheck v0.0.10 // indirect
+	github.com/charmbracelet/bubbles v0.21.0 // indirect
+	github.com/charmbracelet/bubbletea v1.3.4 // indirect
+	github.com/charmbracelet/colorprofile v0.3.0 // indirect
+	github.com/charmbracelet/glamour v0.6.0 // indirect
 	github.com/charmbracelet/lipgloss v1.1.0 // indirect
-	github.com/charmbracelet/x/ansi v0.11.7 // indirect
-	github.com/charmbracelet/x/cellbuf v0.0.15 // indirect
-	github.com/charmbracelet/x/term v0.2.2 // indirect
+	github.com/charmbracelet/x/ansi v0.8.0 // indirect
+	github.com/charmbracelet/x/cellbuf v0.0.13 // indirect
+	github.com/charmbracelet/x/term v0.2.1 // indirect
+	github.com/chavacava/garif v0.1.0 // indirect
 	github.com/cheggaaa/pb v1.0.29 // indirect
-	github.com/clipperhouse/displaywidth v0.11.0 // indirect
-	github.com/clipperhouse/uax29/v2 v2.7.0 // indirect
-	github.com/cloudflare/circl v1.6.3 // indirect
+	github.com/ckaznocha/intrange v0.1.2 // indirect
+	github.com/cloudflare/circl v1.6.1 // indirect
 	github.com/compose-spec/compose-go/v2 v2.4.8 // indirect
 	github.com/containerd/console v1.0.4 // indirect
 	github.com/containerd/containerd/api v1.8.0 // indirect
-	github.com/containerd/containerd/v2 v2.0.7 // indirect
+	github.com/containerd/containerd/v2 v2.0.3 // indirect
 	github.com/containerd/continuity v0.4.5 // indirect
+	github.com/containerd/errdefs v1.0.0 // indirect
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/containerd/log v0.1.0 // indirect
 	github.com/containerd/platforms v1.0.0-rc.1 // indirect
 	github.com/containerd/ttrpc v1.2.7 // indirect
 	github.com/containerd/typeurl/v2 v2.2.3 // indirect
-	github.com/cyphar/filepath-securejoin v0.6.1 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
+	github.com/curioswitch/go-reassign v0.2.0 // indirect
+	github.com/cyphar/filepath-securejoin v0.4.1 // indirect
+	github.com/daixiang0/gci v0.13.4 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/deckarep/golang-set/v2 v2.5.0 // indirect
+	github.com/denis-tingaikin/go-header v0.5.0 // indirect
 	github.com/djherbis/times v1.6.0 // indirect
+	github.com/dlclark/regexp2 v1.11.0 // indirect
 	github.com/docker/cli-docs-tool v0.9.0 // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.8.2 // indirect
+	github.com/docker/go v1.5.1-1.0.20160303222718-d30aec9fd63c // indirect
 	github.com/docker/go-connections v0.5.0 // indirect
 	github.com/docker/go-metrics v0.0.1 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/docker/libtrust v0.0.0-20160708172513-aabc10ec26b7 // indirect
+	github.com/dustin/go-humanize v1.0.1 // indirect
 	github.com/edsrzf/mmap-go v1.2.0 // indirect
 	github.com/emicklei/go-restful/v3 v3.11.0 // indirect
 	github.com/emirpasic/gods v1.18.1 // indirect
 	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
+	github.com/erikgeiser/promptkit v0.9.0 // indirect
+	github.com/ettle/strcase v0.2.0 // indirect
+	github.com/fatih/color v1.17.0 // indirect
+	github.com/fatih/structtag v1.2.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
+	github.com/firefart/nonamedreturns v1.0.5 // indirect
 	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/fvbommel/sortorder v1.0.1 // indirect
 	github.com/fxamacker/cbor/v2 v2.7.0 // indirect
-	github.com/git-pkgs/manifests v0.4.1 // indirect
-	github.com/git-pkgs/packageurl-go v0.3.1 // indirect
-	github.com/git-pkgs/purl v0.1.10 // indirect
-	github.com/git-pkgs/vers v0.2.4 // indirect
+	github.com/fzipp/gocyclo v0.6.0 // indirect
+	github.com/ghostiam/protogetter v0.3.6 // indirect
+	github.com/go-critic/go-critic v0.11.4 // indirect
 	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
-	github.com/go-git/go-billy/v5 v5.9.0 // indirect
-	github.com/go-git/go-git/v5 v5.19.1 // indirect
-	github.com/go-jose/go-jose/v3 v3.0.5 // indirect
-	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-git/go-billy/v5 v5.6.2 // indirect
+	github.com/go-git/go-git/v5 v5.16.0 // indirect
+	github.com/go-jose/go-jose/v3 v3.0.4 // indirect
+	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/go-ole/go-ole v1.2.6 // indirect
 	github.com/go-openapi/jsonpointer v0.19.6 // indirect
 	github.com/go-openapi/jsonreference v0.20.2 // indirect
 	github.com/go-openapi/swag v0.22.4 // indirect
-	github.com/go-test/deep v1.1.1 // indirect
-	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
+	github.com/go-toolsmith/astcast v1.1.0 // indirect
+	github.com/go-toolsmith/astcopy v1.1.0 // indirect
+	github.com/go-toolsmith/astequal v1.2.0 // indirect
+	github.com/go-toolsmith/astfmt v1.1.0 // indirect
+	github.com/go-toolsmith/astp v1.1.0 // indirect
+	github.com/go-toolsmith/strparse v1.1.0 // indirect
+	github.com/go-toolsmith/typep v1.1.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.0.0 // indirect
+	github.com/go-xmlfmt/xmlfmt v1.1.2 // indirect
+	github.com/gobwas/glob v0.2.3 // indirect
+	github.com/godbus/dbus/v5 v5.1.0 // indirect
 	github.com/gofrs/flock v0.12.1 // indirect
 	github.com/gofrs/uuid v4.2.0+incompatible // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang-jwt/jwt/v5 v5.2.2 // indirect
-	github.com/golang/glog v1.2.5 // indirect
+	github.com/golang/glog v1.2.4 // indirect
 	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/golangci/dupl v0.0.0-20180902072040-3e9179ac440a // indirect
+	github.com/golangci/gofmt v0.0.0-20231018234816-f50ced29576e // indirect
+	github.com/golangci/misspell v0.6.0 // indirect
+	github.com/golangci/modinfo v0.3.4 // indirect
+	github.com/golangci/plugin-module-register v0.1.1 // indirect
+	github.com/golangci/revgrep v0.5.3 // indirect
+	github.com/golangci/unconvert v0.0.0-20240309020433-c5143eacb3ed // indirect
 	github.com/google/gnostic-models v0.6.8 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/go-querystring v1.1.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
+	github.com/google/pprof v0.0.0-20240525223248-4bfdf5a9a2af // indirect
 	github.com/google/s2a-go v0.1.7 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/google/uuid v1.6.0 // indirect
 	github.com/google/wire v0.6.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.2 // indirect
 	github.com/googleapis/gax-go/v2 v2.12.2 // indirect
+	github.com/gordonklaus/ineffassign v0.1.0 // indirect
+	github.com/gorilla/css v1.0.0 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/gorilla/websocket v1.5.0 // indirect
-	github.com/grpc-ecosystem/grpc-gateway/v2 v2.29.0 // indirect
+	github.com/gostaticanalysis/analysisutil v0.7.1 // indirect
+	github.com/gostaticanalysis/comment v1.4.2 // indirect
+	github.com/gostaticanalysis/forcetypeassert v0.1.0 // indirect
+	github.com/gostaticanalysis/nilerr v0.1.1 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.25.1 // indirect
 	github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645 // indirect
 	github.com/hashicorp/errwrap v1.1.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
@@ -166,29 +247,59 @@ require (
 	github.com/hashicorp/go-secure-stdlib/parseutil v0.1.8 // indirect
 	github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect
 	github.com/hashicorp/go-sockaddr v1.0.6 // indirect
-	github.com/hashicorp/go-version v1.9.0 // indirect
+	github.com/hashicorp/go-version v1.7.0 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/hashicorp/hcl/v2 v2.24.0 // indirect
+	github.com/hashicorp/hcl/v2 v2.23.0 // indirect
 	github.com/hashicorp/vault/api v1.12.0 // indirect
+	github.com/hexops/gotextdiff v1.0.3 // indirect
 	github.com/iancoleman/strcase v0.3.0 // indirect
+	github.com/ijc/Gotty v0.0.0-20170406111628-a8b993ba6abd // indirect
 	github.com/imdario/mergo v0.3.16 // indirect
 	github.com/in-toto/in-toto-golang v0.5.0 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/iwdgo/sigintwindows v0.2.2 // indirect
 	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/jgautheron/goconst v1.7.1 // indirect
+	github.com/jingyugao/rowserrcheck v1.1.1 // indirect
+	github.com/jirfag/go-printf-func-name v0.0.0-20200119135958-7558a9eaa5af // indirect
+	github.com/jjti/go-spancheck v0.6.1 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
+	github.com/jonboulle/clockwork v0.4.0 // indirect
 	github.com/josharian/intern v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/julz/importas v0.1.0 // indirect
+	github.com/karamaru-alpha/copyloopvar v1.1.0 // indirect
+	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
 	github.com/kevinburke/ssh_config v1.2.0 // indirect
-	github.com/klauspost/compress v1.18.0 // indirect
-	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
+	github.com/kisielk/errcheck v1.7.0 // indirect
+	github.com/kkHAIKE/contextcheck v1.1.5 // indirect
+	github.com/klauspost/compress v1.17.11 // indirect
+	github.com/kulti/thelper v0.6.3 // indirect
+	github.com/kunwardeep/paralleltest v1.0.10 // indirect
 	github.com/kylelemons/godebug v1.1.0 // indirect
-	github.com/lucasb-eyer/go-colorful v1.4.0 // indirect
+	github.com/kyoh86/exportloopref v0.1.11 // indirect
+	github.com/lasiar/canonicalheader v1.1.1 // indirect
+	github.com/ldez/gomoddirectives v0.2.4 // indirect
+	github.com/ldez/tagliatelle v0.5.0 // indirect
+	github.com/leonklingele/grouper v1.1.2 // indirect
+	github.com/lucasb-eyer/go-colorful v1.2.0 // indirect
+	github.com/lufeee/execinquery v1.2.1 // indirect
+	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
+	github.com/macabu/inamedparam v0.1.3 // indirect
+	github.com/magiconair/properties v1.8.6 // indirect
 	github.com/mailru/easyjson v0.7.7 // indirect
-	github.com/mattn/go-isatty v0.0.22 // indirect
+	github.com/maratori/testableexamples v1.0.0 // indirect
+	github.com/maratori/testpackage v1.1.1 // indirect
+	github.com/matoous/godox v0.0.0-20230222163458-006bad1f9d26 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mattn/go-localereader v0.0.1 // indirect
-	github.com/mattn/go-runewidth v0.0.23 // indirect
+	github.com/mattn/go-runewidth v0.0.16 // indirect
 	github.com/mattn/go-shellwords v1.0.12 // indirect
+	github.com/mgechev/revive v1.3.7 // indirect
+	github.com/mgutz/ansi v0.0.0-20170206155736-9520e82c474b // indirect
+	github.com/microcosm-cc/bluemonday v1.0.21 // indirect
+	github.com/miekg/pkcs11 v1.1.1 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-ps v1.0.0 // indirect
@@ -198,6 +309,7 @@ require (
 	github.com/mitchellh/reflectwalk v1.0.2 // indirect
 	github.com/moby/docker-image-spec v1.3.1 // indirect
 	github.com/moby/locker v1.0.1 // indirect
+	github.com/moby/moby v26.1.5+incompatible // indirect
 	github.com/moby/spdystream v0.4.0 // indirect
 	github.com/moby/sys/mountinfo v0.7.2 // indirect
 	github.com/moby/sys/sequential v0.6.0 // indirect
@@ -206,105 +318,170 @@ require (
 	github.com/moby/sys/userns v0.1.0 // indirect
 	github.com/moby/term v0.5.2 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
+	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/moricho/tparallel v0.3.1 // indirect
 	github.com/morikuni/aec v1.0.0 // indirect
 	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
 	github.com/muesli/cancelreader v0.2.2 // indirect
 	github.com/muesli/termenv v0.16.0 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
 	github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect
+	github.com/nakabonne/nestif v0.3.1 // indirect
 	github.com/natefinch/atomic v1.0.1 // indirect
+	github.com/nbutton23/zxcvbn-go v0.0.0-20180912185939-ae427f1e4c1d // indirect
+	github.com/nishanths/exhaustive v0.12.0 // indirect
+	github.com/nishanths/predeclared v0.2.2 // indirect
+	github.com/nunnatsa/ginkgolinter v0.16.2 // indirect
 	github.com/nxadm/tail v1.4.11 // indirect
+	github.com/olekukonko/tablewriter v0.0.5 // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0 // indirect
 	github.com/opentracing/basictracer-go v1.1.0 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.3 // indirect
+	github.com/petar-dambovaliev/aho-corasick v0.0.0-20230725210150-fb29fc3c913e // indirect
+	github.com/pgavlin/diff v0.0.0-20230503175810-113847418e2e // indirect
 	github.com/pgavlin/fx v0.1.6 // indirect
-	github.com/pgavlin/fx/v2 v2.0.12 // indirect
 	github.com/pgavlin/goldmark v1.1.33-0.20200616210433-b5eb04559386 // indirect
-	github.com/pjbgf/sha1cd v0.6.0 // indirect
+	github.com/pgavlin/text v0.0.0-20240821195002-b51d0990e284 // indirect
+	github.com/pjbgf/sha1cd v0.3.2 // indirect
 	github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pkg/term v1.1.0 // indirect
 	github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/polyfloyd/go-errorlint v1.5.2 // indirect
+	github.com/power-devops/perfstat v0.0.0-20210106213030-5aafc221ea8c // indirect
 	github.com/prometheus/client_golang v1.20.5 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
 	github.com/prometheus/common v0.55.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 // indirect
-	github.com/pulumi/esc v0.24.0 // indirect
+	github.com/pulumi/esc v0.13.0 // indirect
 	github.com/pulumi/inflector v0.2.1 // indirect
+	github.com/quasilyte/go-ruleguard v0.4.2 // indirect
+	github.com/quasilyte/go-ruleguard/dsl v0.3.22 // indirect
+	github.com/quasilyte/gogrep v0.5.0 // indirect
+	github.com/quasilyte/regex/syntax v0.0.0-20210819130434-b3f0c404a727 // indirect
+	github.com/quasilyte/stdinfo v0.0.0-20220114132959-f7386bf02567 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rogpeppe/go-internal v1.14.1 // indirect
+	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/ryancurrah/gomodguard v1.3.2 // indirect
+	github.com/ryanrolds/sqlclosecheck v0.5.1 // indirect
 	github.com/ryanuber/go-glob v1.0.0 // indirect
 	github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 // indirect
+	github.com/sanposhiho/wastedassign/v2 v2.0.7 // indirect
 	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect
+	github.com/sashamelentyev/interfacebloat v1.1.0 // indirect
+	github.com/sashamelentyev/usestdlibvars v1.26.0 // indirect
 	github.com/secure-systems-lab/go-securesystemslib v0.4.0 // indirect
+	github.com/securego/gosec/v2 v2.20.1-0.20240525090044-5f0084eb01a9 // indirect
 	github.com/segmentio/asm v1.2.0 // indirect
 	github.com/segmentio/encoding v0.4.1 // indirect
-	github.com/sergi/go-diff v1.4.0 // indirect
+	github.com/sergi/go-diff v1.3.2-0.20230802210424-5b0b94c5c0d3 // indirect
 	github.com/serialx/hashring v0.0.0-20200727003509-22c0c7ab6b1b // indirect
+	github.com/shazow/go-diff v0.0.0-20160112020656-b6b7b6733b8c // indirect
 	github.com/shibumi/go-pathspec v1.3.0 // indirect
+	github.com/shirou/gopsutil/v3 v3.24.5 // indirect
+	github.com/shoenig/go-m1cpu v0.1.6 // indirect
+	github.com/shurcooL/httpfs v0.0.0-20190707220628-8d4bc4ba7749 // indirect
+	github.com/shurcooL/vfsgen v0.0.0-20200824052919-0d455de96546 // indirect
+	github.com/sivchari/containedctx v1.0.3 // indirect
+	github.com/sivchari/tenv v1.7.1 // indirect
 	github.com/skeema/knownhosts v1.3.1 // indirect
+	github.com/sonatard/noctx v0.0.2 // indirect
+	github.com/sourcegraph/appdash-data v0.0.0-20151005221446-73f23eafcf67 // indirect
+	github.com/sourcegraph/go-diff v0.7.0 // indirect
 	github.com/spf13/cast v1.5.0 // indirect
-	github.com/spf13/cobra v1.10.2 // indirect
-	github.com/spf13/pflag v1.0.10 // indirect
+	github.com/spf13/cobra v1.9.1 // indirect
+	github.com/spf13/jwalterweatherman v1.1.0 // indirect
+	github.com/spf13/pflag v1.0.6 // indirect
+	github.com/spf13/viper v1.12.0 // indirect
+	github.com/ssgreg/nlreturn/v2 v2.2.1 // indirect
+	github.com/stbenjam/no-sprintf-host-port v0.1.1 // indirect
+	github.com/stretchr/objx v0.5.2 // indirect
+	github.com/subosito/gotenv v1.4.1 // indirect
+	github.com/t-yuki/gocover-cobertura v0.0.0-20180217150009-aaee18c8195c // indirect
+	github.com/tdakkota/asciicheck v0.2.0 // indirect
+	github.com/tetafro/godot v1.4.16 // indirect
 	github.com/texttheater/golang-levenshtein v1.0.1 // indirect
+	github.com/timakin/bodyclose v0.0.0-20230421092635-574207250966 // indirect
+	github.com/timonwong/loggercheck v0.9.4 // indirect
+	github.com/tklauser/go-sysconf v0.3.12 // indirect
+	github.com/tklauser/numcpus v0.6.1 // indirect
+	github.com/tomarrell/wrapcheck/v2 v2.8.3 // indirect
+	github.com/tommy-muehle/go-mnd/v2 v2.5.1 // indirect
 	github.com/tonistiigi/dchapes-mode v0.0.0-20241001053921-ca0759fec205 // indirect
 	github.com/tonistiigi/jaeger-ui-rest v0.0.0-20250211190051-7d4944a45bb6 // indirect
 	github.com/tonistiigi/units v0.0.0-20180711220420-6950e57a87ea // indirect
 	github.com/tonistiigi/vt100 v0.0.0-20240514184818-90bafcd6abab // indirect
 	github.com/uber/jaeger-client-go v2.30.0+incompatible // indirect
 	github.com/uber/jaeger-lib v2.4.1+incompatible // indirect
-	github.com/ulikunitz/xz v0.5.15 // indirect
+	github.com/ulikunitz/xz v0.5.12 // indirect
+	github.com/ultraware/funlen v0.1.0 // indirect
+	github.com/ultraware/whitespace v0.1.1 // indirect
+	github.com/uudashr/gocognit v1.1.2 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
+	github.com/xen0n/gosmopolitan v1.2.2 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
-	github.com/zclconf/go-cty v1.17.0 // indirect
+	github.com/yagipy/maintidx v1.0.0 // indirect
+	github.com/yeya24/promlinter v0.3.0 // indirect
+	github.com/ykadowak/zerologlint v0.1.5 // indirect
+	github.com/yuin/goldmark v1.5.2 // indirect
+	github.com/yuin/goldmark-emoji v1.0.1 // indirect
+	github.com/yusufpapurcu/wmi v1.2.4 // indirect
+	github.com/zclconf/go-cty v1.16.2 // indirect
+	gitlab.com/bosi/decorder v0.4.2 // indirect
+	go-simpler.org/musttag v0.12.2 // indirect
+	go-simpler.org/sloglint v0.7.1 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
-	go.opentelemetry.io/collector/featuregate v1.58.0 // indirect
-	go.opentelemetry.io/collector/pdata v1.58.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.1.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.56.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/httptrace/otelhttptrace v0.56.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0 // indirect
-	go.opentelemetry.io/otel v1.43.0 // indirect
-	go.opentelemetry.io/otel/bridge/opentracing v1.33.0 // indirect
+	go.opentelemetry.io/otel v1.35.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetricgrpc v1.31.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlpmetric/otlpmetrichttp v1.31.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 // indirect
-	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.35.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.31.0 // indirect
 	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.31.0 // indirect
-	go.opentelemetry.io/otel/sdk/metric v1.43.0 // indirect
-	go.opentelemetry.io/proto/otlp v1.10.0 // indirect
+	go.opentelemetry.io/otel/sdk/metric v1.34.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.5.0 // indirect
+	go.pennock.tech/tabular v1.1.3 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
+	go.uber.org/automaxprocs v1.6.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.27.0 // indirect
 	gocloud.dev v0.37.0 // indirect
 	gocloud.dev/secrets/hashivault v0.37.0 // indirect
-	golang.org/x/mod v0.35.0 // indirect
-	golang.org/x/net v0.55.0 // indirect
-	golang.org/x/oauth2 v0.36.0 // indirect
-	golang.org/x/sync v0.20.0 // indirect
-	golang.org/x/sys v0.45.0 // indirect
-	golang.org/x/term v0.43.0 // indirect
-	golang.org/x/text v0.37.0 // indirect
-	golang.org/x/time v0.12.0 // indirect
-	golang.org/x/tools v0.44.0 // indirect
+	golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f // indirect
+	golang.org/x/mod v0.24.0 // indirect
+	golang.org/x/net v0.39.0 // indirect
+	golang.org/x/oauth2 v0.25.0 // indirect
+	golang.org/x/sync v0.13.0 // indirect
+	golang.org/x/sys v0.32.0 // indirect
+	golang.org/x/term v0.31.0 // indirect
+	golang.org/x/text v0.24.0 // indirect
+	golang.org/x/time v0.6.0 // indirect
+	golang.org/x/tools v0.32.0 // indirect
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
 	google.golang.org/api v0.169.0 // indirect
 	google.golang.org/genproto v0.0.0-20240311173647-c811ad7063a7 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20260522204824-7f3bc5b78da9 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20260522204824-7f3bc5b78da9 // indirect
-	google.golang.org/grpc v1.81.1 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250106144421-5f5ef82da422 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250414145226-207652e42e2e // indirect
+	google.golang.org/grpc v1.71.1 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
+	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
+	honnef.co/go/tools v0.4.7 // indirect
 	k8s.io/api v0.31.2 // indirect
 	k8s.io/apimachinery v0.31.2 // indirect
 	k8s.io/client-go v0.31.2 // indirect
@@ -312,6 +489,8 @@ require (
 	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
 	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect
 	lukechampine.com/frand v1.5.1 // indirect
+	mvdan.cc/gofumpt v0.6.0 // indirect
+	mvdan.cc/unparam v0.0.0-20240528143540-8a5130ca722f // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect
 	sigs.k8s.io/yaml v1.4.0 // indirect

provider/cmd/pulumi-resource-docker-build/main.go

@@ -16,9 +16,8 @@
 package main
 
 import (
-	"github.com/pulumi/pulumi/sdk/v3/go/common/util/cmdutil"
-
 	"github.com/pulumi/pulumi-docker-build/provider"
+	"github.com/pulumi/pulumi/sdk/v3/go/common/util/cmdutil"
 )
 
 func main() {

provider/internal/cache.go

@@ -17,7 +17,6 @@ package internal
 import (
 	"errors"
 	"fmt"
-	"os"
 	"strings"
 
 	controllerapi "github.com/docker/buildx/controller/pb"
@@ -149,20 +148,33 @@ func (c CacheWithOCI) String() string {
 
 // CacheFromGitHubActions pulls cache manifests from the GitHub actions cache.
 type CacheFromGitHubActions struct {
+	URL   string `pulumi:"url,optional"`
+	Token string `pulumi:"token,optional" provider:"secret"`
 	Scope string `pulumi:"scope,optional"`
 }
 
 // Annotate sets docstrings on CacheFromGitHubActions.
 func (c *CacheFromGitHubActions) Annotate(a infer.Annotator) {
-	a.Describe(&c, dedent(`
-		Recommended for use with GitHub Actions workflows.
-
-		An action like "crazy-max/ghaction-github-runtime" is recommended to expose
-		appropriate credentials to your GitHub workflow.
-	`))
-
+	a.SetDefault(&c.URL, "", "ACTIONS_CACHE_URL")
+	a.SetDefault(&c.Token, "", "ACTIONS_RUNTIME_TOKEN")
 	a.SetDefault(&c.Scope, "buildkit")
 
+	a.Describe(&c.URL, dedent(`
+		The cache server URL to use for artifacts.
+
+		Defaults to "$ACTIONS_CACHE_URL", although a separate action like
+		"crazy-max/ghaction-github-runtime" is recommended to expose this
+		environment variable to your jobs.
+	`))
+	a.Describe(&c.Token, dedent(`
+		The GitHub Actions token to use. This is not a personal access tokens
+		and is typically generated automatically as part of each job.
+
+		Defaults to "$ACTIONS_RUNTIME_TOKEN", although a separate action like
+		"crazy-max/ghaction-github-runtime" is recommended to expose this
+		environment variable to your jobs.
+
+	`))
 	a.Describe(&c.Scope, dedent(`
 		The scope to use for cache keys. Defaults to "buildkit".
 
@@ -179,12 +191,11 @@ func (c *CacheFromGitHubActions) String() string {
 	if c.Scope != "" {
 		parts = append(parts, "scope="+c.Scope)
 	}
-	// Preserving backwards compatibility with the old behaviour.
-	if token := os.Getenv("ACTIONS_RUNTIME_TOKEN"); token != "" {
-		parts = append(parts, "token="+token)
+	if c.Token != "" {
+		parts = append(parts, "token="+c.Token)
 	}
-	if url := os.Getenv("ACTIONS_CACHE_URL"); url != "" {
-		parts = append(parts, "url="+url)
+	if c.URL != "" {
+		parts = append(parts, "url="+c.URL)
 	}
 	return strings.Join(parts, ",")
 }
@@ -448,7 +459,7 @@ func (c CacheFrom) String() string {
 	return join(c.Local, c.Registry, c.GHA, c.AZBlob, c.S3, c.Raw)
 }
 
-func (c CacheFrom) validate(_ bool) (*controllerapi.CacheOptionsEntry, error) {
+func (c CacheFrom) validate(preview bool) (*controllerapi.CacheOptionsEntry, error) {
 	if strings.Count(c.String(), "type=") > 1 {
 		return nil, errors.New("cacheFrom should only specify one cache type")
 	}
@@ -672,7 +683,7 @@ func (c CacheTo) String() string {
 	return join(c.Inline, c.Local, c.Registry, c.GHA, c.AZBlob, c.S3, c.Raw)
 }
 
-func (c CacheTo) validate(_ bool) (*controllerapi.CacheOptionsEntry, error) {
+func (c CacheTo) validate(preview bool) (*controllerapi.CacheOptionsEntry, error) {
 	if strings.Count(c.String(), "type=") > 1 {
 		return nil, errors.New("cacheTo should only specify one cache type")
 	}

provider/internal/cache_test.go

@@ -24,15 +24,14 @@ import (
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 )
 
-//nolint:paralleltest // We don't call t.Parallel here to prevent environment corruption.
 func TestCacheString(t *testing.T) {
+	t.Parallel()
 	gzip := Gzip
 
 	tests := []struct {
-		name    string
-		arrange func(t *testing.T)
-		given   fmt.Stringer
-		want    string
+		name  string
+		given fmt.Stringer
+		want  string
 	}{
 		{
 			name: "s3",
@@ -56,37 +55,7 @@ func TestCacheString(t *testing.T) {
 		{
 			name:  "gha",
 			given: CacheTo{GHA: &CacheToGitHubActions{}},
-			arrange: func(t *testing.T) {
-				t.Setenv("ACTIONS_CACHE_URL", "")
-				t.Setenv("ACTIONS_RUNTIME_TOKEN", "")
-			},
-			want: "type=gha",
-		},
-		{
-			name: "gha-default-envs",
-			arrange: func(t *testing.T) {
-				t.Setenv("ACTIONS_CACHE_URL", "https://example.com")
-				t.Setenv("ACTIONS_RUNTIME_TOKEN", "token")
-			},
-			given: CacheTo{GHA: &CacheToGitHubActions{
-				CacheFromGitHubActions: CacheFromGitHubActions{
-					Scope: "scope",
-				},
-			}},
-			want: "type=gha,scope=scope,token=token,url=https://example.com",
-		},
-		{
-			name: "gha-with-scope",
-			arrange: func(t *testing.T) {
-				t.Setenv("ACTIONS_CACHE_URL", "")
-				t.Setenv("ACTIONS_RUNTIME_TOKEN", "")
-			},
-			given: CacheTo{GHA: &CacheToGitHubActions{
-				CacheFromGitHubActions: CacheFromGitHubActions{
-					Scope: "scope",
-				},
-			}},
-			want: "type=gha,scope=scope",
+			want:  "type=gha",
 		},
 		{
 			name:  "from-local",
@@ -152,12 +121,9 @@ func TestCacheString(t *testing.T) {
 		},
 	}
 
-	//nolint:paralleltest // We don't call t.Parallel here to prevent environment corruption.
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if tt.arrange != nil {
-				tt.arrange(t)
-			}
+			t.Parallel()
 
 			actual := tt.given.String()
 			assert.Equal(t, tt.want, actual)

provider/internal/cli.go

@@ -25,7 +25,6 @@ import (
 	"fmt"
 	"io"
 	"os"
-	"os/exec"
 	"path/filepath"
 	"strings"
 
@@ -57,11 +56,11 @@ type cli struct {
 	auths map[string]cfgtypes.AuthConfig
 	host  *host
 
-	in       string       // stdin
-	r, w     *os.File     // stdout
-	err      bytes.Buffer // stderr
-	dumplogs bool         // if true then tail() will re-log status messages
-	builder  Builder      // for mocking build daemon responses
+	in       string        // stdin
+	r, w     *os.File      // stdout
+	err      bytes.Buffer  // stderr
+	dumplogs bool          // if true then tail() will re-log status messages
+	done     chan struct{} // signaled when all logs have been forwarded to the engine.
 }
 
 // Cli wraps the Docker interface for mock generation.
@@ -120,12 +119,11 @@ func wrap(host *host, registries ...Registry) (*cli, error) {
 	}
 
 	wrapped := &cli{
-		Cli:     docker,
-		host:    host,
-		auths:   auths,
-		r:       r,
-		w:       w,
-		builder: defaultBuilder{},
+		Cli:   docker,
+		host:  host,
+		auths: auths,
+		r:     r,
+		w:     w,
 	}
 
 	return wrapped, nil
@@ -164,6 +162,14 @@ func (c *cli) rc() *regclient.RegClient {
 // tail is meant to be called as a goroutine and will pipe output from the CLI
 // back to the Pulumi engine. Requires a corresponding call to close.
 func (c *cli) tail(ctx context.Context) {
+	c.done = make(chan struct{}, 1)
+	defer func() {
+		c.done <- struct{}{}
+		if err := recover(); err != nil {
+			fmt.Fprintf(os.Stderr, "recovered: %s\n", err)
+		}
+	}()
+
 	b := bytes.Buffer{}
 
 	s := bufio.NewScanner(c.r)
@@ -187,13 +193,17 @@ func (c *cli) tail(ctx context.Context) {
 
 // close flushes any outstanding logs and cleans up resources.
 func (c *cli) Close() error {
-	return errors.Join(c.w.Close(), c.r.Close())
+	err := errors.Join(c.w.Close(), c.r.Close())
+	if c.done != nil {
+		<-c.done
+	}
+	return err
 }
 
 // execBuild performs a build by os.Exec'ing the docker-buildx binary.
 // Credentials are communicated to docker-buildx via a temporary directory.
 // Secrets are communicated via dynamic environment variables.
-func (c *cli) execBuild(ctx context.Context, b Build) (*client.SolveResponse, error) {
+func (c *cli) execBuild(b Build) (*client.SolveResponse, error) {
 	// Setup a temporary directory for auth, and clean it up when we're done.
 	tmp, err := os.MkdirTemp("", "pulumi-docker-")
 	if err != nil {
@@ -203,7 +213,7 @@ func (c *cli) execBuild(ctx context.Context, b Build) (*client.SolveResponse, er
 
 	opts := b.BuildOptions()
 
-	builder, err := c.host.builderFor(ctx, b)
+	builder, err := c.host.builderFor(b)
 	if err != nil {
 		return nil, err
 	}
@@ -329,7 +339,7 @@ func (c *cli) execBuild(ctx context.Context, b Build) (*client.SolveResponse, er
 	}
 
 	// Invoke docker-buildx.
-	err = c.exec(ctx, args, env)
+	err = c.exec(args, env)
 	if err != nil {
 		return nil, err
 	}
@@ -368,7 +378,7 @@ func (c *cli) execBuild(ctx context.Context, b Build) (*client.SolveResponse, er
 
 // exec invokes a Docker plugin binary. The first argument should be the name
 // of the plugin's subcommand, e.g. "buildx".
-func (c *cli) exec(ctx context.Context, args, extraEnv []string) error {
+func (c *cli) exec(args, extraEnv []string) error {
 	if len(args) == 0 {
 		return errors.New("args must be non-empty")
 	}
@@ -385,18 +395,16 @@ func (c *cli) exec(ctx context.Context, args, extraEnv []string) error {
 
 	defer contract.IgnoreClose(c.w)
 
-	runCmd, err := manager.PluginRunCommand(c, name, root)
+	cmd, err := manager.PluginRunCommand(c, name, root)
 	if err != nil {
 		return err
 	}
-	// Create a new command that inherits from ctx.
-	cmd := exec.CommandContext(ctx, //nolint:gosec // We take the first argument and binary from runCmd.
-		runCmd.Path, append([]string{runCmd.Args[1]}, args...)...,
-	)
+	cmd.Args = append([]string{cmd.Args[0]}, args...)
 	cmd.Stderr = c.Err()
 	cmd.Stdout = c.Out()
 	cmd.Stdin = c.In()
-	cmd.Env = append(runCmd.Env, extraEnv...) //nolint:gocritic // We are intentionally assigning from runCmd to cmd
+
+	cmd.Env = append(cmd.Env, extraEnv...)
 
 	return cmd.Run()
 }

provider/internal/cli_test.go

@@ -28,12 +28,12 @@ import (
 func TestExec(t *testing.T) {
 	t.Parallel()
 
-	h, err := newHost(t.Context(), nil)
+	h, err := newHost(context.Background(), nil)
 	require.NoError(t, err)
 	cli, err := wrap(h)
 	require.NoError(t, err)
 
-	err = cli.exec(t.Context(), []string{"buildx", "version"}, nil)
+	err = cli.exec([]string{"buildx", "version"}, nil)
 	assert.NoError(t, err)
 
 	out, err := io.ReadAll(cli.r)

provider/internal/client.go

@@ -12,7 +12,7 @@
 // See the License for the specific language governing permissions and
 // limitations under the License.
 
-//go:generate go run go.uber.org/mock/mockgen -typed -package internal -source client.go -destination mockclient_test.go --self_package github.com/pulumi/pulumi-docker-build/provider/internal -imports buildx=github.com/docker/buildx/build
+//go:generate go run go.uber.org/mock/mockgen -typed -package internal -source client.go -destination mockclient_test.go --self_package github.com/pulumi/pulumi-docker-build/provider/internal
 
 package internal
 
@@ -24,10 +24,8 @@ import (
 	"os"
 	"strings"
 
-	"github.com/containerd/errdefs"
 	"github.com/distribution/reference"
 	buildx "github.com/docker/buildx/build"
-	"github.com/docker/buildx/builder"
 	"github.com/docker/buildx/commands"
 	controllerapi "github.com/docker/buildx/controller/pb"
 	"github.com/docker/buildx/util/confutil"
@@ -64,36 +62,6 @@ type Client interface {
 	SupportsMultipleExports() bool
 }
 
-// registryGetter is something that can return a list of [Registry].
-type registryGetter interface {
-	GetRegistries() []Registry
-}
-
-// clientF builds a Docker client. The order of registryGetters is significant.
-// We typically prefer credentials from args, then provider config, then the
-// host. Provide them to this function in order of increasing priority: host,
-// config, args.
-//
-// We ignore state because if its creds differ from those in args then they are
-// likely volatile and also likely expired.
-type clientF func(context.Context, *host, ...registryGetter) (Client, error)
-
-// RealClientF builds a real Docker client with auth layered on top of the
-// host's latent credentials.
-func RealClientF(_ context.Context, host *host, getters ...registryGetter) (Client, error) {
-	auths := []Registry{}
-	for _, rg := range getters {
-		auths = append(auths, rg.GetRegistries()...)
-	}
-	return wrap(host, auths...)
-}
-
-func mockClientF(c Client) clientF {
-	return func(context.Context, *host, ...registryGetter) (Client, error) {
-		return c, nil
-	}
-}
-
 // Build encapsulates all of the user-provider build parameters and options.
 type Build interface {
 	BuildOptions() controllerapi.BuildOptions
@@ -138,10 +106,10 @@ func (c *cli) Build(
 	defer contract.IgnoreClose(c)
 
 	if build.ShouldExec() {
-		return c.execBuild(ctx, build)
+		return c.execBuild(build)
 	}
 
-	b, err := c.host.builderFor(ctx, build)
+	b, err := c.host.builderFor(build)
 	if err != nil {
 		return nil, err
 	}
@@ -155,15 +123,9 @@ func (c *cli) Build(
 	if err != nil {
 		return nil, fmt.Errorf("creating printer: %w", err)
 	}
-
 	defer func() {
-		// Wait for logs to flush if the build finished, but not if we're
-		// exiting early.
-		if ctx.Err() == nil {
-			_ = printer.Wait()
-		}
-
-		// Log any warnings we got, separated by newlines.
+		// Log any warnings when we're done.
+		_ = printer.Wait()
 		for _, w := range printer.Warnings() {
 			b := &bytes.Buffer{}
 			_, _ = b.Write(w.Short)
@@ -262,40 +224,21 @@ func (c *cli) Build(
 		},
 	}
 
-	resultC := make(chan map[string]*client.SolveResponse)
-	errC := make(chan error)
-
-	// buildx.Build doesn't handle context cancellation, so we monitor it in a
-	// goroutine. cli.Close cleans up our file descriptors, so if we do exit
-	// early the remote build should terminate as soon as it sees the pipe has
-	// broken.
-	go func() {
-		defer close(resultC)
-		defer close(errC)
-		results, err := c.builder.Build(
-			ctx,
-			b.nodes,
-			payload,
-			dockerutil.NewClient(c),
-			confutil.NewConfig(c),
-			printer,
-		)
-		if err != nil {
-			errC <- err
-			return
-		}
-		resultC <- results
-	}()
-
-	select {
-	case results := <-resultC:
-		return results[target], nil
-	case err := <-errC:
+	// Perform the build.
+	results, err := buildx.Build(
+		ctx,
+		b.nodes,
+		payload,
+		dockerutil.NewClient(c),
+		confutil.NewConfig(c),
+		printer,
+	)
+	if err != nil {
 		c.dumplogs = true
 		return nil, err
-	case <-ctx.Done():
-		return nil, ctx.Err()
 	}
+
+	return results[target], err
 }
 
 // BuildKitEnabled returns true if the client supports buildkit.
@@ -340,9 +283,6 @@ func (c *cli) ManifestInspect(ctx context.Context, target string) (string, error
 	}
 
 	m, err := rc.ManifestHead(ctx, ref)
-	if errors.Is(err, errs.ErrNotFound) {
-		return "", fmt.Errorf("fetching %q: %w", ref, errdefs.ErrNotFound)
-	}
 	if err != nil {
 		return "", fmt.Errorf("fetching %q: %w", ref, err)
 	}
@@ -363,9 +303,6 @@ func (c *cli) ManifestDelete(ctx context.Context, target string) error {
 		provider.GetLogger(ctx).Warning("this registry does not support deletions")
 		return nil
 	}
-	if errors.Is(err, errs.ErrNotFound) {
-		return nil
-	}
 	if err != nil {
 		return err
 	}
@@ -417,31 +354,6 @@ func (c *cli) Delete(ctx context.Context, r string) error {
 	return nil
 }
 
-// Builder allows injecting mock responses from the build daemon.
-type Builder interface {
-	Build(
-		ctx context.Context,
-		nodes []builder.Node,
-		opts map[string]buildx.Options,
-		docker *dockerutil.Client,
-		cfg *confutil.Config,
-		w progress.Writer,
-	) (resp map[string]*client.SolveResponse, err error)
-}
-
-type defaultBuilder struct{}
-
-func (defaultBuilder) Build(
-	ctx context.Context,
-	nodes []builder.Node,
-	opts map[string]buildx.Options,
-	docker *dockerutil.Client,
-	cfg *confutil.Config,
-	w progress.Writer,
-) (resp map[string]*client.SolveResponse, err error) {
-	return buildx.Build(ctx, nodes, opts, docker, cfg, w)
-}
-
 func normalizeReference(ref string) (reference.Named, error) {
 	namedRef, err := reference.ParseNormalizedNamed(ref)
 	if err != nil {

provider/internal/client_test.go

@@ -17,23 +17,15 @@ package internal
 import (
 	"bytes"
 	"context"
-	"errors"
 	"io"
 	"log/slog"
 	"os"
 	"path/filepath"
 	"testing"
 
-	buildx "github.com/docker/buildx/build"
-	"github.com/docker/buildx/builder"
-	"github.com/docker/buildx/util/confutil"
-	"github.com/docker/buildx/util/dockerutil"
-	"github.com/docker/buildx/util/progress"
 	"github.com/docker/docker/api/types/registry"
-	"github.com/moby/buildkit/client"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	"go.uber.org/mock/gomock"
 )
 
 func TestAuth(t *testing.T) {
@@ -440,35 +432,6 @@ func TestBuildExecError(t *testing.T) {
 	}
 }
 
-func TestBuildCancelation(t *testing.T) {
-	t.Parallel()
-	cli := testcli(t, true)
-
-	ctrl := gomock.NewController(t)
-
-	ctx, cancel := context.WithCancel(context.Background())
-
-	b := NewMockBuilder(ctrl)
-	b.EXPECT().Build(
-		gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(), gomock.Any(),
-	).DoAndReturn(func(
-		_ context.Context,
-		_ []builder.Node,
-		_ map[string]buildx.Options,
-		_ *dockerutil.Client,
-		_ *confutil.Config,
-		_ progress.Writer,
-	) (map[string]*client.SolveResponse, error) {
-		cancel()
-		return nil, errors.New("cancel wasn't respected")
-	})
-	cli.builder = b
-
-	resp, err := cli.Build(ctx, &build{})
-	assert.ErrorIs(t, err, context.Canceled)
-	assert.Nil(t, resp)
-}
-
 // testcli returns a new standalone CLI instance. Set ping to true if a live
 // daemon is required -- the test will be skipped if the daemon is not available.
 func testcli(t *testing.T, ping bool, auths ...Registry) *cli {

provider/internal/context.go

@@ -170,7 +170,7 @@ func hashFile(
 	if fileMode.IsDir() {
 		return nil
 	}
-	if !fileMode.IsRegular() && fileMode.Type() != os.ModeSymlink {
+	if !(fileMode.IsRegular() || fileMode.Type() == os.ModeSymlink) {
 		return nil
 	}
 

provider/internal/deprecated/configencoding.go

@@ -0,0 +1,191 @@
+// Copyright 2024, Pulumi Corporation.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package deprecated
+
+import (
+	"encoding/json"
+	"fmt"
+
+	"github.com/pulumi/pulumi/pkg/v3/codegen/schema"
+	"github.com/pulumi/pulumi/sdk/v3/go/common/resource"
+	"github.com/pulumi/pulumi/sdk/v3/go/common/resource/plugin"
+)
+
+// ConfigEncoding handles unmarshaling legacy JSON provider config.
+type ConfigEncoding struct {
+	schema schema.ConfigSpec
+}
+
+// New constructs a new config encoder for the provided spec.
+func New(s schema.ConfigSpec) *ConfigEncoding {
+	return &ConfigEncoding{schema: s}
+}
+
+func (*ConfigEncoding) tryUnwrapSecret(encoded any) (any, bool) {
+	m, ok := encoded.(map[string]any)
+	if !ok {
+		return nil, false
+	}
+	sig, ok := m["4dabf18193072939515e22adb298388d"]
+	if !ok {
+		return nil, false
+	}
+	ss, ok := sig.(string)
+	if !ok {
+		return nil, false
+	}
+	if ss != "1b47061264138c4ac30d75fd1eb44270" {
+		return nil, false
+	}
+	value, ok := m["value"]
+	return value, ok
+}
+
+func (enc *ConfigEncoding) convertStringToPropertyValue(s string, prop schema.PropertySpec) (
+	resource.PropertyValue, error,
+) {
+	// If the schema expects a string, we can just return this as-is.
+	if prop.Type == "string" {
+		return resource.NewStringProperty(s), nil
+	}
+
+	// Otherwise, we will attempt to deserialize the input string as JSON and convert the result into a Pulumi
+	// property. If the input string is empty, we will return an appropriate zero value.
+	if s == "" {
+		return enc.zeroValue(prop.Type), nil
+	}
+
+	var jsonValue interface{}
+	if err := json.Unmarshal([]byte(s), &jsonValue); err != nil {
+		return resource.PropertyValue{}, err
+	}
+
+	opts := enc.unmarshalOpts()
+
+	// Instead of using resource.NewPropertyValue, specialize it to detect nested json-encoded secrets.
+	var replv func(encoded any) (resource.PropertyValue, bool)
+	replv = func(encoded any) (resource.PropertyValue, bool) {
+		encodedSecret, isSecret := enc.tryUnwrapSecret(encoded)
+		if !isSecret {
+			return resource.NewNullProperty(), false
+		}
+
+		v := resource.NewPropertyValueRepl(encodedSecret, nil, replv)
+		if opts.KeepSecrets {
+			v = resource.MakeSecret(v)
+		}
+
+		return v, true
+	}
+
+	return resource.NewPropertyValueRepl(jsonValue, nil, replv), nil
+}
+
+func (*ConfigEncoding) zeroValue(typ string) resource.PropertyValue {
+	switch typ {
+	case "boolean":
+		return resource.NewPropertyValue(false)
+	case "integer", "number":
+		return resource.NewPropertyValue(0)
+	case "array":
+		return resource.NewPropertyValue([]interface{}{})
+	default:
+		return resource.NewPropertyValue(map[string]interface{}{})
+	}
+}
+
+func (enc *ConfigEncoding) unmarshalOpts() plugin.MarshalOptions {
+	return plugin.MarshalOptions{
+		Label:        "config",
+		KeepUnknowns: true,
+		KeepSecrets:  true,
+		SkipNulls:    true,
+		RejectAssets: true,
+	}
+}
+
+// Like plugin.UnmarshalPropertyValue but overrides string parsing with convertStringToPropertyValue.
+func (enc *ConfigEncoding) unmarshalPropertyValue(key resource.PropertyKey,
+	pv resource.PropertyValue,
+) (resource.PropertyValue, error) {
+	opts := enc.unmarshalOpts()
+
+	prop, ok := enc.schema.Variables[string(key)]
+
+	// Only apply JSON-encoded recognition for known fields.
+	if !ok {
+		return pv, nil
+	}
+
+	var (
+		jsonString                           string
+		jsonStringDetected, jsonStringSecret bool
+	)
+
+	if pv.IsString() {
+		jsonString = pv.StringValue()
+		jsonStringDetected = true
+	}
+
+	if opts.KeepSecrets && pv.IsSecret() && pv.SecretValue().Element.IsString() {
+		jsonString = pv.SecretValue().Element.StringValue()
+		jsonStringDetected = true
+		jsonStringSecret = true
+	}
+
+	if jsonStringDetected {
+		v, err := enc.convertStringToPropertyValue(jsonString, prop)
+		if err != nil {
+			return resource.PropertyValue{}, fmt.Errorf("error unmarshalling property %q: %w", key, err)
+		}
+		if jsonStringSecret {
+			return resource.MakeSecret(v), nil
+		}
+		return v, nil
+	}
+
+	// Computed sentinels are coming in as always having an empty string, but the encoding coerces them to a zero
+	// value of the appropriate type.
+	if pv.IsComputed() {
+		el := pv.V.(resource.Computed).Element
+		if el.IsString() && el.StringValue() == "" {
+			res := resource.MakeComputed(enc.zeroValue(prop.Type))
+			return res, nil
+		}
+	}
+
+	return pv, nil
+}
+
+// UnmarshalProperties is copied from plugin.UnmarshalProperties substituting plugin.UnmarshalPropertyValue.
+func (enc *ConfigEncoding) UnmarshalProperties(
+	props resource.PropertyMap,
+) (resource.PropertyMap, error) {
+	result := make(resource.PropertyMap)
+
+	// First sort the keys so we enumerate them in order (in case errors happen, we want determinism).
+	keys := props.StableKeys()
+
+	// And now unmarshal every field it into the map.
+	for _, key := range keys {
+		v, err := enc.unmarshalPropertyValue(key, props[key])
+		if err != nil {
+			return resource.PropertyMap{}, err
+		}
+		result[key] = v
+	}
+
+	return result, nil
+}

provider/internal/deprecated/configencoding_test.go

@@ -0,0 +1,265 @@
+// Copyright 2024, Pulumi Corporation.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package deprecated
+
+import (
+	"fmt"
+	"strconv"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/pulumi/pulumi/pkg/v3/codegen/schema"
+	"github.com/pulumi/pulumi/sdk/v3/go/common/resource"
+)
+
+func TestConfigEncoding(t *testing.T) {
+	t.Parallel()
+
+	type testCase struct {
+		ty    schema.TypeSpec
+		given resource.PropertyValue
+		want  resource.PropertyValue
+	}
+
+	knownKey := "mykey"
+
+	makeEnc := func(typ schema.TypeSpec) *ConfigEncoding {
+		return New(
+			schema.ConfigSpec{
+				Variables: map[string]schema.PropertySpec{
+					knownKey: {
+						TypeSpec: typ,
+					},
+				},
+			},
+		)
+	}
+
+	checkUnmarshal := func(t *testing.T, tc testCase) {
+		enc := makeEnc(tc.ty)
+		key := resource.PropertyKey(knownKey)
+
+		actual, err := enc.unmarshalPropertyValue(key, tc.given)
+		require.NoError(t, err)
+		assert.Equal(t, tc.want, actual)
+	}
+
+	turnaroundTestCases := []testCase{
+		{
+			schema.TypeSpec{Type: "boolean"},
+			resource.NewPropertyValue(`true`),
+			resource.NewBoolProperty(true),
+		},
+		{
+			schema.TypeSpec{Type: "boolean"},
+			resource.NewPropertyValue(`false`),
+			resource.NewBoolProperty(false),
+		},
+		{
+			schema.TypeSpec{Type: "integer"},
+			resource.NewPropertyValue(`0`),
+			resource.NewNumberProperty(0),
+		},
+		{
+			schema.TypeSpec{Type: "integer"},
+			resource.NewPropertyValue(`42`),
+			resource.NewNumberProperty(42),
+		},
+		{
+			schema.TypeSpec{Type: "number"},
+			resource.NewPropertyValue(`0`),
+			resource.NewNumberProperty(0.0),
+		},
+		{
+			schema.TypeSpec{Type: "number"},
+			resource.NewPropertyValue(`42.5`),
+			resource.NewNumberProperty(42.5),
+		},
+		{
+			schema.TypeSpec{Type: "string"},
+			resource.NewStringProperty(""),
+			resource.NewStringProperty(""),
+		},
+		{
+			schema.TypeSpec{Type: "string"},
+			resource.NewStringProperty("hello"),
+			resource.NewStringProperty("hello"),
+		},
+		{
+			schema.TypeSpec{Type: "array"},
+			resource.NewPropertyValue(`[]`),
+			resource.NewArrayProperty([]resource.PropertyValue{}),
+		},
+		{
+			schema.TypeSpec{Type: "array"},
+			resource.NewPropertyValue(`["hello","there"]`),
+			resource.NewArrayProperty([]resource.PropertyValue{
+				resource.NewStringProperty("hello"),
+				resource.NewStringProperty("there"),
+			}),
+		},
+		{
+			schema.TypeSpec{Type: "object"},
+			resource.NewPropertyValue(`{}`),
+			resource.NewObjectProperty(resource.PropertyMap{}),
+		},
+		{
+			schema.TypeSpec{Type: "object"},
+			resource.NewPropertyValue(`{"key":"value"}`),
+			resource.NewObjectProperty(resource.PropertyMap{
+				"key": resource.NewStringProperty("value"),
+			}),
+		},
+	}
+
+	t.Run("turnaround", func(t *testing.T) {
+		for i, tc := range turnaroundTestCases {
+			t.Run(strconv.Itoa(i), func(t *testing.T) {
+				t.Parallel()
+				checkUnmarshal(t, tc)
+			})
+		}
+	})
+
+	t.Run("zero_values", func(t *testing.T) {
+		// Historically the encoding was able to convert empty strings into type-appropriate zero values.
+		cases := []testCase{
+			{
+				schema.TypeSpec{Type: "boolean"},
+				resource.NewPropertyValue(""),
+				resource.NewBoolProperty(false),
+			},
+			{
+				schema.TypeSpec{Type: "number"},
+				resource.NewPropertyValue(""),
+				resource.NewNumberProperty(0.),
+			},
+			{
+				schema.TypeSpec{Type: "integer"},
+				resource.NewPropertyValue(""),
+				resource.NewNumberProperty(0),
+			},
+			{
+				schema.TypeSpec{Type: "string"},
+				resource.NewPropertyValue(""),
+				resource.NewStringProperty(""),
+			},
+			{
+				schema.TypeSpec{Type: "object"},
+				resource.NewPropertyValue(""),
+				resource.NewObjectProperty(make(resource.PropertyMap)),
+			},
+			{
+				schema.TypeSpec{Type: "array"},
+				resource.NewPropertyValue(""),
+				resource.NewArrayProperty([]resource.PropertyValue{}),
+			},
+		}
+		for _, tc := range cases {
+			t.Run(fmt.Sprintf("%v", tc.ty), func(t *testing.T) {
+				t.Parallel()
+				checkUnmarshal(t, tc)
+			})
+		}
+	})
+
+	t.Run("computed", func(t *testing.T) {
+		unk := resource.MakeComputed(resource.NewStringProperty(""))
+
+		for i, tc := range turnaroundTestCases {
+			t.Run(strconv.Itoa(i), func(t *testing.T) {
+				t.Parallel()
+				// Unknown sentinel unmarshals to a Computed with a type-appropriate zero value.
+				checkUnmarshal(t, testCase{
+					ty:    tc.ty,
+					given: unk,
+					want:  resource.MakeComputed(makeEnc(tc.ty).zeroValue(tc.ty.Type)),
+				})
+			})
+		}
+	})
+
+	t.Run("secret", func(t *testing.T) {
+		// Unmarshalling happens with KeepSecrets=false, replacing them with the underlying values. This case
+		// does not need to be tested.
+		//
+		// Marhalling however supports sending secrets back to the engine, intending to mark values as secret
+		// that happen on paths that are declared as secret in the schema. Due to the limitation of the
+		// JSON-in-proto-encoding, secrets are communicated imprecisely as an approximation: if any nested
+		// element of a property is secret, the entire property is marshalled as secret.
+
+		var secretCases []testCase
+
+		for _, tc := range turnaroundTestCases {
+			secretCases = append(secretCases, testCase{
+				ty:    tc.ty,
+				given: resource.MakeSecret(tc.given),
+				want:  resource.MakeSecret(tc.want),
+			})
+		}
+
+		for i, tc := range secretCases {
+			t.Run(strconv.Itoa(i), func(t *testing.T) {
+				t.Parallel()
+				checkUnmarshal(t, tc)
+			})
+		}
+
+		t.Run("nested secrets", func(t *testing.T) {
+			checkUnmarshal(t, testCase{
+				schema.TypeSpec{Type: "object"},
+				resource.MakeSecret(resource.NewPropertyValue(`{"key":"val"}`)),
+				resource.MakeSecret(resource.NewObjectProperty(resource.PropertyMap{
+					"key": resource.NewStringProperty("val"),
+				})),
+			})
+		})
+	})
+
+	regressUnmarshalTestCases := []testCase{
+		{
+			schema.TypeSpec{Type: "array"},
+			resource.NewPropertyValue(`
+			[
+			  {
+			    "address": "somewhere.org",
+			    "password": {
+			      "4dabf18193072939515e22adb298388d": "1b47061264138c4ac30d75fd1eb44270",
+			      "value": "some-password"
+			    },
+			    "username": "some-user"
+			  }
+			]`),
+			resource.NewArrayProperty([]resource.PropertyValue{
+				resource.NewObjectProperty(resource.PropertyMap{
+					"address":  resource.NewStringProperty("somewhere.org"),
+					"password": resource.MakeSecret(resource.NewStringProperty("some-password")),
+					"username": resource.NewStringProperty("some-user"),
+				}),
+			}),
+		},
+	}
+
+	t.Run("regress-unmarshal", func(t *testing.T) {
+		for i, tc := range regressUnmarshalTestCases {
+			t.Run(strconv.Itoa(i), func(t *testing.T) {
+				t.Parallel()
+				checkUnmarshal(t, tc)
+			})
+		}
+	})
+}

provider/internal/deprecated/doc.go

@@ -0,0 +1,19 @@
+// Copyright 2024, Pulumi Corporation.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package deprecated vendors config parsing from pulumi-terraform-bridge.
+//
+// Originally taken from here:
+// https://github.com/pulumi/pulumi-terraform-bridge/blob/90733a0c7/pkg/tfbridge/config_encoding.go
+package deprecated

provider/internal/embed/image-examples.md

@@ -143,7 +143,7 @@ package main
 import (
 	"fmt"
 
-	"github.com/pulumi/pulumi-aws/sdk/v7/go/aws/ecr"
+	"github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ecr"
 	"github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild"
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 )
@@ -241,54 +241,6 @@ variables:
         fn::aws:ecr:getAuthorizationToken:
             registryId: ${ecr-repository.registryId}
 ```
-```hcl
-pulumi {
-  required_providers {
-    aws = {
-      source  = "pulumi/aws"
-      version = "7.29.0"
-    }
-    docker-build = {
-      source  = "pulumi/docker-build"
-      version = "0.0.15"
-    }
-  }
-}
-
-data "aws_ecr_getauthorizationtoken" "authToken" {
-  registry_id = aws_ecr_repository.ecr-repository.registry_id
-}
-
-resource "aws_ecr_repository" "ecr-repository" {
-}
-resource "docker-build_image" "my-image" {
-  cache_from {
-    registry = {
-      ref ="${aws_ecr_repository.ecr-repository.repository_url}:cache"
-    }
-  }
-  cache_to {
-    registry = {
-      image_manifest  = true
-      oci_media_types = true
-      ref             ="${aws_ecr_repository.ecr-repository.repository_url}:cache"
-    }
-  }
-  context = {
-    location = "./app"
-  }
-  push = true
-  registries {
-    address  = aws_ecr_repository.ecr-repository.repository_url
-    password = data.aws_ecr_getauthorizationtoken.authToken.password
-    username = data.aws_ecr_getauthorizationtoken.authToken.user_name
-  }
-  tags = ["${aws_ecr_repository.ecr-repository.repository_url}:latest"]
-}
-output "ref" {
-  value = docker-build_image.my-image.ref
-}
-```
 ```java
 package generated_program;
 
@@ -306,8 +258,8 @@ import com.pulumi.dockerbuild.inputs.CacheToArgs;
 import com.pulumi.dockerbuild.inputs.CacheToRegistryArgs;
 import com.pulumi.dockerbuild.inputs.BuildContextArgs;
 import com.pulumi.dockerbuild.inputs.RegistryArgs;
+import java.util.List;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Map;
 import java.io.File;
 import java.nio.file.Files;
@@ -328,14 +280,14 @@ public class App {
         var myImage = new Image("myImage", ImageArgs.builder()
             .cacheFrom(CacheFromArgs.builder()
                 .registry(CacheFromRegistryArgs.builder()
-                    .ref(ecrRepository.repositoryUrl().applyValue(_repositoryUrl -> String.format("%s:cache", _repositoryUrl)))
+                    .ref(ecrRepository.repositoryUrl().applyValue(repositoryUrl -> String.format("%s:cache", repositoryUrl)))
                     .build())
                 .build())
             .cacheTo(CacheToArgs.builder()
                 .registry(CacheToRegistryArgs.builder()
                     .imageManifest(true)
                     .ociMediaTypes(true)
-                    .ref(ecrRepository.repositoryUrl().applyValue(_repositoryUrl -> String.format("%s:cache", _repositoryUrl)))
+                    .ref(ecrRepository.repositoryUrl().applyValue(repositoryUrl -> String.format("%s:cache", repositoryUrl)))
                     .build())
                 .build())
             .context(BuildContextArgs.builder()
@@ -344,10 +296,10 @@ public class App {
             .push(true)
             .registries(RegistryArgs.builder()
                 .address(ecrRepository.repositoryUrl())
-                .password(authToken.applyValue(_authToken -> _authToken.password()))
-                .username(authToken.applyValue(_authToken -> _authToken.userName()))
+                .password(authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult).applyValue(authToken -> authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult.password())))
+                .username(authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult).applyValue(authToken -> authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult.userName())))
                 .build())
-            .tags(ecrRepository.repositoryUrl().applyValue(_repositoryUrl -> String.format("%s:latest", _repositoryUrl)))
+            .tags(ecrRepository.repositoryUrl().applyValue(repositoryUrl -> String.format("%s:latest", repositoryUrl)))
             .build());
 
         ctx.export("ref", myImage.ref());
@@ -454,24 +406,6 @@ resources:
         type: docker-build:Image
 runtime: yaml
 ```
-```hcl
-pulumi {
-  required_providers {
-    docker-build = {
-      source  = "pulumi/docker-build"
-      version = "0.0.15"
-    }
-  }
-}
-
-resource "docker-build_image" "image" {
-  context = {
-    location = "app"
-  }
-  platforms = ["plan9/amd64", "plan9/386"]
-  push      = false
-}
-```
 ```java
 package generated_program;
 
@@ -481,8 +415,8 @@ import com.pulumi.core.Output;
 import com.pulumi.dockerbuild.Image;
 import com.pulumi.dockerbuild.ImageArgs;
 import com.pulumi.dockerbuild.inputs.BuildContextArgs;
+import java.util.List;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Map;
 import java.io.File;
 import java.nio.file.Files;
@@ -527,7 +461,7 @@ const image = new docker_build.Image("image", {
     }],
     tags: ["docker.io/pulumi/pulumi:3.107.0"],
 });
-export const ref = image.ref;
+export const ref = myImage.ref;
 ```
 ```python
 import pulumi
@@ -544,7 +478,7 @@ image = docker_build.Image("image",
         "username": "pulumibot",
     }],
     tags=["docker.io/pulumi/pulumi:3.107.0"])
-pulumi.export("ref", image.ref)
+pulumi.export("ref", my_image["ref"])
 ```
 ```csharp
 using System.Collections.Generic;
@@ -578,7 +512,7 @@ return await Deployment.RunAsync(() =>
 
     return new Dictionary<string, object?>
     {
-        ["ref"] = image.Ref,
+        ["ref"] = myImage.Ref,
     };
 });
 
@@ -593,7 +527,7 @@ import (
 
 func main() {
 	pulumi.Run(func(ctx *pulumi.Context) error {
-		image, err := dockerbuild.NewImage(ctx, "image", &dockerbuild.ImageArgs{
+		_, err := dockerbuild.NewImage(ctx, "image", &dockerbuild.ImageArgs{
 			Context: &dockerbuild.BuildContextArgs{
 				Location: pulumi.String("app"),
 			},
@@ -612,7 +546,7 @@ func main() {
 		if err != nil {
 			return err
 		}
-		ctx.Export("ref", image.Ref)
+		ctx.Export("ref", myImage.Ref)
 		return nil
 	})
 }
@@ -621,7 +555,7 @@ func main() {
 description: Registry export
 name: registry
 outputs:
-    ref: ${image.ref}
+    ref: ${my-image.ref}
 resources:
     image:
         properties:
@@ -637,32 +571,6 @@ resources:
         type: docker-build:Image
 runtime: yaml
 ```
-```hcl
-pulumi {
-  required_providers {
-    docker-build = {
-      source  = "pulumi/docker-build"
-      version = "0.0.15"
-    }
-  }
-}
-
-resource "docker-build_image" "image" {
-  context = {
-    location = "app"
-  }
-  push = true
-  registries {
-    address  = "docker.io"
-    password = dockerHubPassword
-    username = "pulumibot"
-  }
-  tags = ["docker.io/pulumi/pulumi:3.107.0"]
-}
-output "ref" {
-  value = docker-build_image.image.ref
-}
-```
 ```java
 package generated_program;
 
@@ -673,8 +581,8 @@ import com.pulumi.dockerbuild.Image;
 import com.pulumi.dockerbuild.ImageArgs;
 import com.pulumi.dockerbuild.inputs.BuildContextArgs;
 import com.pulumi.dockerbuild.inputs.RegistryArgs;
+import java.util.List;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Map;
 import java.io.File;
 import java.nio.file.Files;
@@ -699,7 +607,7 @@ public class App {
             .tags("docker.io/pulumi/pulumi:3.107.0")
             .build());
 
-        ctx.export("ref", image.ref());
+        ctx.export("ref", myImage.ref());
     }
 }
 ```
@@ -848,34 +756,6 @@ resources:
         type: docker-build:Image
 runtime: yaml
 ```
-```hcl
-pulumi {
-  required_providers {
-    docker-build = {
-      source  = "pulumi/docker-build"
-      version = "0.0.15"
-    }
-  }
-}
-
-resource "docker-build_image" "image" {
-  cache_from {
-    local = {
-      src = "tmp/cache"
-    }
-  }
-  cache_to {
-    local = {
-      dest = "tmp/cache"
-      mode = "max"
-    }
-  }
-  context = {
-    location = "app"
-  }
-  push = false
-}
-```
 ```java
 package generated_program;
 
@@ -889,8 +769,8 @@ import com.pulumi.dockerbuild.inputs.CacheFromLocalArgs;
 import com.pulumi.dockerbuild.inputs.CacheToArgs;
 import com.pulumi.dockerbuild.inputs.CacheToLocalArgs;
 import com.pulumi.dockerbuild.inputs.BuildContextArgs;
+import java.util.List;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Map;
 import java.io.File;
 import java.nio.file.Files;
@@ -1023,27 +903,6 @@ resources:
         type: docker-build:Image
 runtime: yaml
 ```
-```hcl
-pulumi {
-  required_providers {
-    docker-build = {
-      source  = "pulumi/docker-build"
-      version = "0.0.15"
-    }
-  }
-}
-
-resource "docker-build_image" "image" {
-  builder = {
-    name = "cloud-builder-name"
-  }
-  context = {
-    location = "app"
-  }
-  exec = true
-  push = false
-}
-```
 ```java
 package generated_program;
 
@@ -1054,8 +913,8 @@ import com.pulumi.dockerbuild.Image;
 import com.pulumi.dockerbuild.ImageArgs;
 import com.pulumi.dockerbuild.inputs.BuilderConfigArgs;
 import com.pulumi.dockerbuild.inputs.BuildContextArgs;
+import java.util.List;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Map;
 import java.io.File;
 import java.nio.file.Files;
@@ -1176,26 +1035,6 @@ resources:
         type: docker-build:Image
 runtime: yaml
 ```
-```hcl
-pulumi {
-  required_providers {
-    docker-build = {
-      source  = "pulumi/docker-build"
-      version = "0.0.15"
-    }
-  }
-}
-
-resource "docker-build_image" "image" {
-  build_args = {
-    "SET_ME_TO_TRUE" = "true"
-  }
-  context = {
-    location = "app"
-  }
-  push = false
-}
-```
 ```java
 package generated_program;
 
@@ -1205,8 +1044,8 @@ import com.pulumi.core.Output;
 import com.pulumi.dockerbuild.Image;
 import com.pulumi.dockerbuild.ImageArgs;
 import com.pulumi.dockerbuild.inputs.BuildContextArgs;
+import java.util.List;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Map;
 import java.io.File;
 import java.nio.file.Files;
@@ -1314,24 +1153,6 @@ resources:
         type: docker-build:Image
 runtime: yaml
 ```
-```hcl
-pulumi {
-  required_providers {
-    docker-build = {
-      source  = "pulumi/docker-build"
-      version = "0.0.15"
-    }
-  }
-}
-
-resource "docker-build_image" "image" {
-  context = {
-    location = "app"
-  }
-  push   = false
-  target = "build-me"
-}
-```
 ```java
 package generated_program;
 
@@ -1341,8 +1162,8 @@ import com.pulumi.core.Output;
 import com.pulumi.dockerbuild.Image;
 import com.pulumi.dockerbuild.ImageArgs;
 import com.pulumi.dockerbuild.inputs.BuildContextArgs;
+import java.util.List;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Map;
 import java.io.File;
 import java.nio.file.Files;
@@ -1470,28 +1291,6 @@ resources:
         type: docker-build:Image
 runtime: yaml
 ```
-```hcl
-pulumi {
-  required_providers {
-    docker-build = {
-      source  = "pulumi/docker-build"
-      version = "0.0.15"
-    }
-  }
-}
-
-resource "docker-build_image" "image" {
-  context = {
-    location = "app"
-    named = {
-      "golang:latest" = {
-        location = "docker-image://golang@sha256:b8e62cf593cdaff36efd90aa3a37de268e6781a2e68c6610940c48f7cdf36984"
-      }
-    }
-  }
-  push = false
-}
-```
 ```java
 package generated_program;
 
@@ -1501,8 +1300,8 @@ import com.pulumi.core.Output;
 import com.pulumi.dockerbuild.Image;
 import com.pulumi.dockerbuild.ImageArgs;
 import com.pulumi.dockerbuild.inputs.BuildContextArgs;
+import java.util.List;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Map;
 import java.io.File;
 import java.nio.file.Files;
@@ -1517,13 +1316,12 @@ public class App {
         var image = new Image("image", ImageArgs.builder()
             .context(BuildContextArgs.builder()
                 .location("app")
-                .named(Map.of("golang:latest", ContextArgs.builder()
-%!v(PANIC=Format method: interface conversion: model.Expression is *model.TemplateExpression, not *model.LiteralValueExpression)))
-                    .build())
-                .push(false)
-                .build());
+                .named(Map.of("golang:latest", Map.of("location", "docker-image://golang@sha256:b8e62cf593cdaff36efd90aa3a37de268e6781a2e68c6610940c48f7cdf36984")))
+                .build())
+            .push(false)
+            .build());
 
-        }
+    }
 }
 ```
 {{% /example %}}
@@ -1606,23 +1404,6 @@ resources:
         type: docker-build:Image
 runtime: yaml
 ```
-```hcl
-pulumi {
-  required_providers {
-    docker-build = {
-      source  = "pulumi/docker-build"
-      version = "0.0.15"
-    }
-  }
-}
-
-resource "docker-build_image" "image" {
-  context = {
-    location = "https://raw.githubusercontent.com/pulumi/pulumi-docker/api-types/provider/testdata/Dockerfile"
-  }
-  push = false
-}
-```
 ```java
 package generated_program;
 
@@ -1632,8 +1413,8 @@ import com.pulumi.core.Output;
 import com.pulumi.dockerbuild.Image;
 import com.pulumi.dockerbuild.ImageArgs;
 import com.pulumi.dockerbuild.inputs.BuildContextArgs;
+import java.util.List;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Map;
 import java.io.File;
 import java.nio.file.Files;
@@ -1758,26 +1539,6 @@ resources:
         type: docker-build:Image
 runtime: yaml
 ```
-```hcl
-pulumi {
-  required_providers {
-    docker-build = {
-      source  = "pulumi/docker-build"
-      version = "0.0.15"
-    }
-  }
-}
-
-resource "docker-build_image" "image" {
-  context = {
-    location = "app"
-  }
-  dockerfile = {
-    inline = "FROM busybox\nCOPY hello.c ./\n"
-  }
-  push = false
-}
-```
 ```java
 package generated_program;
 
@@ -1788,8 +1549,8 @@ import com.pulumi.dockerbuild.Image;
 import com.pulumi.dockerbuild.ImageArgs;
 import com.pulumi.dockerbuild.inputs.BuildContextArgs;
 import com.pulumi.dockerbuild.inputs.DockerfileArgs;
+import java.util.List;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Map;
 import java.io.File;
 import java.nio.file.Files;
@@ -1912,26 +1673,6 @@ resources:
         type: docker-build:Image
 runtime: yaml
 ```
-```hcl
-pulumi {
-  required_providers {
-    docker-build = {
-      source  = "pulumi/docker-build"
-      version = "0.0.15"
-    }
-  }
-}
-
-resource "docker-build_image" "image" {
-  context = {
-    location = "https://github.com/docker-library/hello-world.git"
-  }
-  dockerfile = {
-    location = "app/Dockerfile"
-  }
-  push = false
-}
-```
 ```java
 package generated_program;
 
@@ -1942,8 +1683,8 @@ import com.pulumi.dockerbuild.Image;
 import com.pulumi.dockerbuild.ImageArgs;
 import com.pulumi.dockerbuild.inputs.BuildContextArgs;
 import com.pulumi.dockerbuild.inputs.DockerfileArgs;
+import java.util.List;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Map;
 import java.io.File;
 import java.nio.file.Files;
@@ -2078,28 +1819,6 @@ resources:
         type: docker-build:Image
 runtime: yaml
 ```
-```hcl
-pulumi {
-  required_providers {
-    docker-build = {
-      source  = "pulumi/docker-build"
-      version = "0.0.15"
-    }
-  }
-}
-
-resource "docker-build_image" "image" {
-  context = {
-    location = "app"
-  }
-  exports {
-    docker = {
-      tar = true
-    }
-  }
-  push = false
-}
-```
 ```java
 package generated_program;
 
@@ -2111,8 +1830,8 @@ import com.pulumi.dockerbuild.ImageArgs;
 import com.pulumi.dockerbuild.inputs.BuildContextArgs;
 import com.pulumi.dockerbuild.inputs.ExportArgs;
 import com.pulumi.dockerbuild.inputs.ExportDockerArgs;
+import java.util.List;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Map;
 import java.io.File;
 import java.nio.file.Files;

provider/internal/embed/index-examples.md

@@ -327,60 +327,6 @@ resources:
         type: docker-build:Index
 runtime: yaml
 ```
-```hcl
-pulumi {
-  required_providers {
-    docker-build = {
-      source  = "pulumi/docker-build"
-      version = "0.0.15"
-    }
-  }
-}
-
-resource "docker-build_image" "amd64" {
-  cache_from {
-    registry = {
-      ref = "docker.io/pulumi/pulumi:cache-amd64"
-    }
-  }
-  cache_to {
-    registry = {
-      mode = "max"
-      ref  = "docker.io/pulumi/pulumi:cache-amd64"
-    }
-  }
-  context = {
-    location = "app"
-  }
-  platforms = ["linux/amd64"]
-  tags      = ["docker.io/pulumi/pulumi:3.107.0-amd64"]
-}
-resource "docker-build_image" "arm64" {
-  cache_from {
-    registry = {
-      ref = "docker.io/pulumi/pulumi:cache-arm64"
-    }
-  }
-  cache_to {
-    registry = {
-      mode = "max"
-      ref  = "docker.io/pulumi/pulumi:cache-arm64"
-    }
-  }
-  context = {
-    location = "app"
-  }
-  platforms = ["linux/arm64"]
-  tags      = ["docker.io/pulumi/pulumi:3.107.0-arm64"]
-}
-resource "docker-build_index" "index" {
-  sources = [docker-build_image.amd64.ref, docker-build_image.arm64.ref]
-  tag     = "docker.io/pulumi/pulumi:3.107.0"
-}
-output "ref" {
-  value = docker-build_index.index.ref
-}
-```
 ```java
 package generated_program;
 
@@ -396,8 +342,8 @@ import com.pulumi.dockerbuild.inputs.CacheToRegistryArgs;
 import com.pulumi.dockerbuild.inputs.BuildContextArgs;
 import com.pulumi.dockerbuild.Index;
 import com.pulumi.dockerbuild.IndexArgs;
+import java.util.List;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.Map;
 import java.io.File;
 import java.nio.file.Files;

provider/internal/export.go

@@ -28,10 +28,6 @@ import (
 	"github.com/pulumi/pulumi-go-provider/infer"
 )
 
-const (
-	trueLiteral = "true"
-)
-
 var (
 	_ fmt.Stringer    = (*Export)(nil)
 	_ fmt.Stringer    = (*ExportDocker)(nil)
@@ -118,7 +114,7 @@ func (e Export) pushed() bool {
 		if err != nil {
 			return false
 		}
-		return exp[0].Attrs["push"] == trueLiteral
+		return exp[0].Attrs["push"] == "true"
 	}
 	if e.Registry != nil {
 		return e.Registry.Push == nil || *e.Registry.Push
@@ -186,7 +182,7 @@ func parseExports(inp []string) ([]*controllerapi.ExportEntry, error) {
 		if out.Type == "registry" {
 			out.Type = client.ExporterImage
 			if _, ok := out.Attrs["push"]; !ok {
-				out.Attrs["push"] = trueLiteral
+				out.Attrs["push"] = "true"
 			}
 		}
 

provider/internal/host.go

@@ -16,10 +16,8 @@ package internal
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"path/filepath"
-	"strings"
 	"sync"
 	"time"
 
@@ -43,7 +41,7 @@ type host struct {
 	supportsMultipleExports bool
 }
 
-func newHost(_ context.Context, config *Config) (*host, error) {
+func newHost(ctx context.Context, config *Config) (*host, error) {
 	docker, err := newDockerCLI(config)
 	if err != nil {
 		return nil, err
@@ -70,7 +68,7 @@ func newHost(_ context.Context, config *Config) (*host, error) {
 //
 // If the build doesn't specify a builder by name, we will iterate through all
 // available builders until we find one that we can connect to.
-func (h *host) builderFor(ctx context.Context, build Build) (*cachedBuilder, error) {
+func (h *host) builderFor(build Build) (*cachedBuilder, error) {
 	h.mu.Lock()
 	defer h.mu.Unlock()
 
@@ -95,19 +93,6 @@ func (h *host) builderFor(ctx context.Context, build Build) (*cachedBuilder, err
 		builder.WithContextPathHash(contextPathHash),
 		builder.WithStore(txn),
 	)
-	if err != nil && build.ShouldExec() && strings.HasPrefix(opts.Builder, "cloud-") {
-		//nolint:revive // Human-readable.
-		err = errors.Join(err,
-			errors.New("Make sure you're logged in to Docker (`docker login`) if you're trying to use a cloud builder"),     //nolint:lll,staticcheck
-			errors.New("Make sure you have the correct buildx plugin installed (https://github.com/docker/buildx-desktop)"), //nolint:lll,staticcheck
-		)
-	}
-	if err != nil && build.ShouldExec() {
-		//nolint:revive // Human-readable.
-		err = errors.Join(err, errors.New( //nolint:staticcheck
-			"Make sure your buildx plugin is executable (`docker buildx version`)"),
-		)
-	}
 	if err != nil {
 		return nil, fmt.Errorf("new builder: %w", err)
 	}
@@ -131,7 +116,7 @@ func (h *host) builderFor(ctx context.Context, build Build) (*cachedBuilder, err
 			if bb.Err() != nil {
 				continue
 			}
-			nodes, err := bb.LoadNodes(ctx)
+			nodes, err := bb.LoadNodes(context.Background())
 			if err != nil {
 				continue
 			}
@@ -140,7 +125,7 @@ func (h *host) builderFor(ctx context.Context, build Build) (*cachedBuilder, err
 				if n.Driver == nil {
 					continue nextbuilder
 				}
-				if _, err := n.Driver.Dial(ctx); err != nil {
+				if _, err := n.Driver.Dial(context.Background()); err != nil {
 					continue nextbuilder
 				}
 				// TODO: Confirm the builder supports the requested platforms.
@@ -154,7 +139,7 @@ func (h *host) builderFor(ctx context.Context, build Build) (*cachedBuilder, err
 
 		// If we STILL don't have a builder, create a docker-container instance.
 		b, err = builder.Create(
-			ctx,
+			context.Background(),
 			txn,
 			h.cli,
 			builder.CreateOpts{Driver: "docker-container"},
@@ -162,7 +147,7 @@ func (h *host) builderFor(ctx context.Context, build Build) (*cachedBuilder, err
 		if err != nil {
 			return nil, fmt.Errorf("creating builder: %w", err)
 		}
-		ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
+		ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 		defer cancel()
 		if _, err := b.Boot(ctx); err != nil {
 			return nil, fmt.Errorf("booting builder: %w", err)
@@ -172,14 +157,8 @@ func (h *host) builderFor(ctx context.Context, build Build) (*cachedBuilder, err
 	// Attempt to load nodes in order to determine the builder's driver. Ignore
 	// errors for "exec" builds because it's possible to request builders with
 	// drivers that are unknown to us.
-	nodes, err := b.LoadNodes(ctx, builder.WithData())
+	nodes, err := b.LoadNodes(context.Background(), builder.WithData())
 	if err != nil && !build.ShouldExec() {
-		if strings.Contains(err.Error(), "failed to find driver") {
-			//nolint:revive // Human-readable.
-			err = errors.Join(err, errors.New( //nolint:staticcheck
-				"Use `exec: true` if you're trying to use Docker Build Cloud or other custom drivers",
-			))
-		}
 		return nil, fmt.Errorf("loading nodes: %w", err)
 	}
 	// Attempt to determine our builder's buildkit version.

provider/internal/image.go

@@ -28,9 +28,9 @@ import (
 	_ "github.com/docker/buildx/driver/kubernetes"
 	_ "github.com/docker/buildx/driver/remote"
 
-	"github.com/containerd/errdefs"
 	"github.com/distribution/reference"
 	controllerapi "github.com/docker/buildx/controller/pb"
+	"github.com/docker/docker/errdefs"
 	"github.com/moby/buildkit/exporter/containerimage/exptypes"
 	"github.com/moby/buildkit/session"
 	"github.com/moby/buildkit/session/secrets/secretsprovider"
@@ -38,7 +38,7 @@ import (
 
 	provider "github.com/pulumi/pulumi-go-provider"
 	"github.com/pulumi/pulumi-go-provider/infer"
-	"github.com/pulumi/pulumi/sdk/v3/go/property"
+	"github.com/pulumi/pulumi/sdk/v3/go/common/resource"
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 )
 
@@ -61,10 +61,7 @@ var _imageExamples string
 var _migration string
 
 // Image is a Docker image build using buildkit.
-type Image struct {
-	clientF clientF
-	config  *Config
-}
+type Image struct{}
 
 // Annotate provides a description of the Image resource.
 func (i *Image) Annotate(a infer.Annotator) {
@@ -284,11 +281,6 @@ func (ia *ImageArgs) Annotate(a infer.Annotator) {
 	a.SetDefault(&ia.Network, Default)
 }
 
-// GetRegistries returns the image's registries, if any.
-func (ia ImageArgs) GetRegistries() []Registry {
-	return ia.Registries
-}
-
 // ImageState is serialized to the program's state file.
 type ImageState struct {
 	ImageArgs
@@ -337,25 +329,38 @@ func (is *ImageState) Annotate(a infer.Annotator) {
 
 // client produces a CLI client scoped to this resource and layered on top of
 // any host-level credentials.
-func (i *Image) client(ctx context.Context, args ImageArgs) (Client, error) {
-	return i.clientF(ctx, i.config.getHost(), i.config, args)
+func (i *Image) client(ctx context.Context, state ImageState, args ImageArgs) (Client, error) {
+	cfg := infer.GetConfig[Config](ctx)
+
+	if cli, ok := ctx.Value(_mockClientKey).(Client); ok {
+		return cli, nil
+	}
+
+	// We prefer auth from args, the provider, and state in that order. We
+	// build a slice in reverse order because wrap() will overwrite earlier
+	// entries with later ones.
+	auths := []Registry{}
+	auths = append(auths, cfg.Registries...)
+	auths = append(auths, args.Registries...)
+
+	return wrap(cfg.host, auths...)
 }
 
 // Check validates ImageArgs, sets defaults, and ensures our client is
 // authenticated.
 func (i *Image) Check(
 	ctx context.Context,
-	req infer.CheckRequest,
-) (infer.CheckResponse[ImageArgs], error) {
-	args, failures, err := infer.DefaultCheck[ImageArgs](ctx, req.NewInputs)
+	_ string,
+	_ resource.PropertyMap,
+	news resource.PropertyMap,
+) (ImageArgs, []provider.CheckFailure, error) {
+	args, failures, err := infer.DefaultCheck[ImageArgs](ctx, news)
 	if err != nil || len(failures) != 0 {
-		return infer.CheckResponse[ImageArgs]{Failures: failures, Inputs: args}, err
+		return args, failures, err
 	}
 
-	// If the inputs aren't fully resolved we perform a weaker validation, for
-	// example we might not be able to check the Dockerfile for syntactic
-	// correctness.
-	preview := property.New(req.NewInputs).HasComputed()
+	// :(
+	preview := news.ContainsUnknowns()
 
 	cfg := infer.GetConfig[Config](ctx)
 	supportsMultipleExports := true
@@ -371,7 +376,7 @@ func (i *Image) Check(
 		}
 	}
 
-	return infer.CheckResponse[ImageArgs]{Failures: failures, Inputs: args}, err
+	return args, failures, err
 }
 
 type checkFailure struct {
@@ -678,11 +683,12 @@ func (ia *ImageArgs) validate(supportsMultipleExports, preview bool) (controller
 // Create builds an image using buildkit.
 func (i *Image) Create(
 	ctx context.Context,
-	req infer.CreateRequest[ImageArgs],
-) (infer.CreateResponse[ImageState], error) {
-	input := req.Inputs
+	name string,
+	input ImageArgs,
+	preview bool,
+) (string, ImageState, error) {
 	state := ImageState{ImageArgs: input}
-	id := req.Name
+	id := name
 
 	// Default our ref to one of our tags.
 	for _, tag := range state.Tags {
@@ -693,31 +699,22 @@ func (i *Image) Create(
 		break
 	}
 
-	cli, err := i.client(ctx, input)
+	cli, err := i.client(ctx, state, input)
 	if err != nil {
-		return infer.CreateResponse[ImageState]{ID: id, Output: state}, err
+		return id, state, err
 	}
 
 	ok, err := cli.BuildKitEnabled()
 	if err != nil {
-		return infer.CreateResponse[ImageState]{
-			ID:     id,
-			Output: state,
-		}, fmt.Errorf("checking buildkit compatibility: %w", err)
+		return id, state, fmt.Errorf("checking buildkit compatibility: %w", err)
 	}
 	if !ok {
-		return infer.CreateResponse[ImageState]{
-			ID:     id,
-			Output: state,
-		}, errors.New("buildkit is not supported on this host")
+		return id, state, errors.New("buildkit is not supported on this host")
 	}
 
-	build, err := input.toBuild(ctx, cli.SupportsMultipleExports(), req.DryRun)
+	build, err := input.toBuild(ctx, cli.SupportsMultipleExports(), preview)
 	if err != nil {
-		return infer.CreateResponse[ImageState]{
-			ID:     id,
-			Output: state,
-		}, fmt.Errorf("preparing: %w", err)
+		return id, state, fmt.Errorf("preparing: %w", err)
 	}
 
 	hash, err := hashBuildContext(
@@ -726,24 +723,21 @@ func (i *Image) Create(
 		input.Context.Named.Map(),
 	)
 	if err != nil {
-		return infer.CreateResponse[ImageState]{
-			ID:     id,
-			Output: state,
-		}, fmt.Errorf("hashing build context: %w", err)
+		return id, state, fmt.Errorf("hashing build context: %w", err)
 	}
 	state.ContextHash = hash
 
-	if req.DryRun && !input.shouldBuildOnPreview() {
-		return infer.CreateResponse[ImageState]{ID: id, Output: state}, nil
+	if preview && !input.shouldBuildOnPreview() {
+		return id, state, nil
 	}
-	if req.DryRun && !input.buildable() {
+	if preview && !input.buildable() {
 		provider.GetLogger(ctx).Warning("Skipping preview build because some inputs are unknown.")
-		return infer.CreateResponse[ImageState]{ID: id, Output: state}, nil
+		return id, state, nil
 	}
 
 	result, err := cli.Build(ctx, build)
 	if err != nil {
-		return infer.CreateResponse[ImageState]{ID: id, Output: state}, err
+		return id, state, err
 	}
 
 	if d, ok := result.ExporterResponse[exptypes.ExporterImageDigestKey]; ok {
@@ -753,7 +747,7 @@ func (i *Image) Create(
 
 	if state.Digest == "" {
 		// Can't construct a ref, nothing else to do.
-		return infer.CreateResponse[ImageState]{ID: id, Output: state}, nil
+		return id, state, nil
 	}
 
 	// Take the first registry tag we find and add a digest to it. That becomes
@@ -768,7 +762,7 @@ func (i *Image) Create(
 		break
 	}
 
-	return infer.CreateResponse[ImageState]{ID: id, Output: state}, nil
+	return id, state, nil
 }
 
 // Update builds a new image. Normally we create-replace resources, but for
@@ -776,41 +770,36 @@ func (i *Image) Create(
 // updates and simply re-build the image without deleting anything.
 func (i *Image) Update(
 	ctx context.Context,
-	req infer.UpdateRequest[ImageArgs, ImageState],
-) (infer.UpdateResponse[ImageState], error) {
-	resp, err := i.Create(ctx,
-		infer.CreateRequest[ImageArgs]{Name: req.ID, Inputs: req.Inputs, DryRun: req.DryRun},
-	)
-	return infer.UpdateResponse[ImageState]{Output: resp.Output}, err
+	name string,
+	_ ImageState,
+	input ImageArgs,
+	preview bool,
+) (ImageState, error) {
+	_, state, err := i.Create(ctx, name, input, preview)
+	return state, err
 }
 
 // Read attempts to read manifests from an image's exports. An image without
 // exports will have no manifests.
 func (i *Image) Read(
 	ctx context.Context,
-	req infer.ReadRequest[ImageArgs, ImageState],
+	name string,
+	input ImageArgs,
+	state ImageState,
 ) (
-	infer.ReadResponse[ImageArgs, ImageState],
+	string, // id
+	ImageArgs, // normalized inputs
+	ImageState, // normalized state
 	error,
 ) {
-	state, input := req.State, req.Inputs
-
-	cli, err := i.client(ctx, input)
+	cli, err := i.client(ctx, state, input)
 	if err != nil {
-		return infer.ReadResponse[ImageArgs, ImageState]{
-			ID:     req.ID,
-			Inputs: input,
-			State:  state,
-		}, err
+		return name, input, state, err
 	}
 
 	if !state.isExported() {
 		// Nothing was pushed -- all done.
-		return infer.ReadResponse[ImageArgs, ImageState]{
-			ID:     req.ID,
-			Inputs: input,
-			State:  state,
-		}, nil
+		return name, input, state, nil
 	}
 
 	tagsToKeep := []string{}
@@ -846,29 +835,29 @@ func (i *Image) Read(
 	// If we couldn't find the tags we expected then return an empty ID to
 	// delete the resource.
 	if len(input.Tags) > 0 && len(tagsToKeep) == 0 {
-		return infer.ReadResponse[ImageArgs, ImageState]{ID: "", Inputs: input, State: state}, nil
+		return "", input, state, nil
 	}
 
 	state.Tags = tagsToKeep
 
-	return infer.ReadResponse[ImageArgs, ImageState]{ID: req.ID, Inputs: input, State: state}, nil
+	return name, input, state, nil
 }
 
 // Delete deletes an Image. If the Image was already deleted out-of-band it is
 // treated as a success.
 func (i *Image) Delete(
 	ctx context.Context,
-	req infer.DeleteRequest[ImageState],
-) (infer.DeleteResponse, error) {
-	state := req.State
-	cli, err := i.client(ctx, state.ImageArgs)
+	_ string,
+	state ImageState,
+) error {
+	cli, err := i.client(ctx, state, state.ImageArgs)
 	if err != nil {
-		return infer.DeleteResponse{}, err
+		return err
 	}
 
 	if state.Digest == "" {
 		// Nothing was exported. Just try to delete the local image.
-		return infer.DeleteResponse{}, cli.Delete(ctx, state.Ref)
+		return cli.Delete(ctx, state.Ref)
 	}
 
 	digests := []string{}
@@ -896,17 +885,17 @@ func (i *Image) Delete(
 		multierr = errors.Join(multierr, err)
 	}
 
-	return infer.DeleteResponse{}, multierr
+	return multierr
 }
 
 // Diff re-implements most of the default diff behavior, with the exception of
 // ignoring "password" changes on registry inputs.
 func (*Image) Diff(
 	_ context.Context,
-	req infer.DiffRequest[ImageArgs, ImageState],
+	_ string,
+	olds ImageState,
+	news ImageArgs,
 ) (provider.DiffResponse, error) {
-	olds, news := req.State, req.Inputs
-
 	diff := map[string]provider.PropertyDiff{}
 	update := provider.PropertyDiff{Kind: provider.Update}
 

provider/internal/image_test.go

@@ -35,11 +35,9 @@ import (
 	"go.uber.org/mock/gomock"
 
 	provider "github.com/pulumi/pulumi-go-provider"
-	"github.com/pulumi/pulumi-go-provider/infer"
 	"github.com/pulumi/pulumi-go-provider/integration"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/resource"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/util/mapper"
-	"github.com/pulumi/pulumi/sdk/v3/go/property"
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 )
 
@@ -84,68 +82,70 @@ func TestImageLifecycle(t *testing.T) {
 					Return(nil)
 				return c
 			},
-			op: func(_ *testing.T) integration.Operation {
+			op: func(t *testing.T) integration.Operation {
 				return integration.Operation{
-					Inputs: property.NewMap(map[string]property.Value{
-						"push": property.New(false),
-						"tags": property.New(
-							[]property.Value{
-								property.New("docker.io/pulumibot/buildkit-e2e"),
-								property.New("docker.io/pulumibot/buildkit-e2e:main"),
+					Inputs: resource.PropertyMap{
+						"push": resource.NewBoolProperty(false),
+						"tags": resource.NewArrayProperty(
+							[]resource.PropertyValue{
+								resource.NewStringProperty("docker.io/pulumibot/buildkit-e2e"),
+								resource.NewStringProperty("docker.io/pulumibot/buildkit-e2e:main"),
 							},
 						),
-						"platforms": property.New(
-							[]property.Value{
-								property.New("linux/arm64"),
-								property.New("linux/amd64"),
+						"platforms": resource.NewArrayProperty(
+							[]resource.PropertyValue{
+								resource.NewStringProperty("linux/arm64"),
+								resource.NewStringProperty("linux/amd64"),
 							},
 						),
-						"context": property.New(map[string]property.Value{
-							"location": property.New("testdata/noop"),
+						"context": resource.NewObjectProperty(resource.PropertyMap{
+							"location": resource.NewStringProperty("testdata/noop"),
 						}),
-						"dockerfile": property.New(map[string]property.Value{
-							"location": property.New("testdata/noop/Dockerfile"),
+						"dockerfile": resource.NewObjectProperty(resource.PropertyMap{
+							"location": resource.NewStringProperty("testdata/noop/Dockerfile"),
 						}),
-						"exports": property.New(
-							[]property.Value{
-								property.New(map[string]property.Value{
-									"raw": property.New("type=registry"),
+						"exports": resource.NewArrayProperty(
+							[]resource.PropertyValue{
+								resource.NewObjectProperty(resource.PropertyMap{
+									"raw": resource.NewStringProperty("type=registry"),
 								},
 								),
 							},
 						),
-						"registries": property.New(
-							[]property.Value{
-								property.New(map[string]property.Value{
-									"address":  property.New("fakeaddress"),
-									"username": property.New("fakeuser"),
-									"password": property.New("password").WithSecret(true),
+						"registries": resource.NewArrayProperty(
+							[]resource.PropertyValue{
+								resource.NewObjectProperty(resource.PropertyMap{
+									"address":  resource.NewStringProperty("fakeaddress"),
+									"username": resource.NewStringProperty("fakeuser"),
+									"password": resource.MakeSecret(
+										resource.NewStringProperty("password"),
+									),
 								}),
 							},
 						),
-					}),
+					},
 				}
 			},
 		},
 		{
 			name:   "tags are required when pushing",
 			client: noClient,
-			op: func(_ *testing.T) integration.Operation {
+			op: func(t *testing.T) integration.Operation {
 				return integration.Operation{
-					Inputs: property.NewMap(map[string]property.Value{
-						"push": property.New(false),
-						"tags": property.New([]property.Value{}),
-						"context": property.New(map[string]property.Value{
-							"location": property.New("testdata/noop"),
+					Inputs: resource.PropertyMap{
+						"push": resource.NewBoolProperty(false),
+						"tags": resource.NewArrayProperty([]resource.PropertyValue{}),
+						"context": resource.NewObjectProperty(resource.PropertyMap{
+							"location": resource.NewStringProperty("testdata/noop"),
 						}),
-						"exports": property.New(
-							[]property.Value{
-								property.New(map[string]property.Value{
-									"raw": property.New("type=registry"),
+						"exports": resource.NewArrayProperty(
+							[]resource.PropertyValue{
+								resource.NewObjectProperty(resource.PropertyMap{
+									"raw": resource.NewStringProperty("type=registry"),
 								}),
 							},
 						),
-					}),
+					},
 					ExpectFailure: true,
 					CheckFailures: []provider.CheckFailure{
 						{
@@ -159,21 +159,21 @@ func TestImageLifecycle(t *testing.T) {
 		{
 			name:   "invalid exports",
 			client: noClient,
-			op: func(_ *testing.T) integration.Operation {
+			op: func(t *testing.T) integration.Operation {
 				return integration.Operation{
-					Inputs: property.NewMap(map[string]property.Value{
-						"push": property.New(false),
-						"tags": property.New(
-							[]property.Value{property.New("invalid-exports")},
+					Inputs: resource.PropertyMap{
+						"push": resource.NewBoolProperty(false),
+						"tags": resource.NewArrayProperty(
+							[]resource.PropertyValue{resource.NewStringProperty("invalid-exports")},
 						),
-						"exports": property.New(
-							[]property.Value{
-								property.New(map[string]property.Value{
-									"raw": property.New("type="),
+						"exports": resource.NewArrayProperty(
+							[]resource.PropertyValue{
+								resource.NewObjectProperty(resource.PropertyMap{
+									"raw": resource.NewStringProperty("type="),
 								}),
 							},
 						),
-					}),
+					},
 					ExpectFailure: true,
 					CheckFailures: []provider.CheckFailure{{
 						Property: "exports[0]",
@@ -192,17 +192,17 @@ func TestImageLifecycle(t *testing.T) {
 				)
 				return c
 			},
-			op: func(_ *testing.T) integration.Operation {
+			op: func(t *testing.T) integration.Operation {
 				return integration.Operation{
-					Inputs: property.NewMap(map[string]property.Value{
-						"push": property.New(false),
-						"tags": property.New(
-							[]property.Value{property.New("foo")},
+					Inputs: resource.PropertyMap{
+						"push": resource.NewBoolProperty(false),
+						"tags": resource.NewArrayProperty(
+							[]resource.PropertyValue{resource.NewStringProperty("foo")},
 						),
-						"context": property.New(map[string]property.Value{
-							"location": property.New("testdata/noop"),
+						"context": resource.NewObjectProperty(resource.PropertyMap{
+							"location": resource.NewStringProperty("testdata/noop"),
 						}),
-					}),
+					},
 					ExpectFailure: true,
 				}
 			},
@@ -219,17 +219,17 @@ func TestImageLifecycle(t *testing.T) {
 				)
 				return c
 			},
-			op: func(_ *testing.T) integration.Operation {
+			op: func(t *testing.T) integration.Operation {
 				return integration.Operation{
-					Inputs: property.NewMap(map[string]property.Value{
-						"push": property.New(false),
-						"tags": property.New(
-							[]property.Value{property.New("foo")},
+					Inputs: resource.PropertyMap{
+						"push": resource.NewBoolProperty(false),
+						"tags": resource.NewArrayProperty(
+							[]resource.PropertyValue{resource.NewStringProperty("foo")},
 						),
-						"context": property.New(map[string]property.Value{
-							"location": property.New("testdata/noop"),
+						"context": resource.NewObjectProperty(resource.PropertyMap{
+							"location": resource.NewStringProperty("testdata/noop"),
 						}),
-					}),
+					},
 					ExpectFailure: true,
 				}
 			},
@@ -252,26 +252,26 @@ func TestImageLifecycle(t *testing.T) {
 				c.EXPECT().Delete(gomock.Any(), "default-dockerfile").Return(nil)
 				return c
 			},
-			op: func(_ *testing.T) integration.Operation {
+			op: func(t *testing.T) integration.Operation {
 				return integration.Operation{
-					Inputs: property.NewMap(map[string]property.Value{
-						"push": property.New(false),
-						"tags": property.New(
-							[]property.Value{
-								property.New("default-dockerfile"),
+					Inputs: resource.PropertyMap{
+						"push": resource.NewBoolProperty(false),
+						"tags": resource.NewArrayProperty(
+							[]resource.PropertyValue{
+								resource.NewStringProperty("default-dockerfile"),
 							},
 						),
-						"context": property.New(map[string]property.Value{
-							"location": property.New("testdata/noop"),
+						"context": resource.NewObjectProperty(resource.PropertyMap{
+							"location": resource.NewStringProperty("testdata/noop"),
 						}),
-					}),
-					Hook: func(_, output property.Map) {
-						dockerfile := output.Get("dockerfile")
+					},
+					Hook: func(_, output resource.PropertyMap) {
+						dockerfile := output["dockerfile"]
 						require.NotNil(t, dockerfile)
-						require.True(t, dockerfile.IsMap())
-						location := dockerfile.AsMap().Get("location")
+						require.True(t, dockerfile.IsObject())
+						location := dockerfile.ObjectValue()["location"]
 						require.True(t, location.IsString())
-						assert.Equal(t, "testdata/noop/Dockerfile", location.AsString())
+						assert.Equal(t, "testdata/noop/Dockerfile", location.StringValue())
 					},
 				}
 			},
@@ -294,27 +294,27 @@ func TestImageLifecycle(t *testing.T) {
 				c.EXPECT().Delete(gomock.Any(), "inline-dockerfile").Return(nil)
 				return c
 			},
-			op: func(_ *testing.T) integration.Operation {
+			op: func(t *testing.T) integration.Operation {
 				return integration.Operation{
-					Inputs: property.NewMap(map[string]property.Value{
-						"push": property.New(false),
-						"tags": property.New(
-							[]property.Value{
-								property.New("inline-dockerfile"),
+					Inputs: resource.PropertyMap{
+						"push": resource.NewBoolProperty(false),
+						"tags": resource.NewArrayProperty(
+							[]resource.PropertyValue{
+								resource.NewStringProperty("inline-dockerfile"),
 							},
 						),
-						"buildOnPreview": property.New(true),
-						"dockerfile": property.New(map[string]property.Value{
-							"inline": property.New("FROM alpine:latest"),
+						"buildOnPreview": resource.NewBoolProperty(true),
+						"dockerfile": resource.NewObjectProperty(resource.PropertyMap{
+							"inline": resource.NewStringProperty("FROM alpine:latest"),
 						}),
-					}),
-					Hook: func(_, output property.Map) {
-						context := output.Get("context")
+					},
+					Hook: func(_, output resource.PropertyMap) {
+						context := output["context"]
 						require.NotNil(t, context)
-						require.True(t, context.IsMap())
-						location := context.AsMap().Get("location")
+						require.True(t, context.IsObject())
+						location := context.ObjectValue()["location"]
 						require.True(t, location.IsString())
-						assert.Equal(t, ".", location.AsString())
+						assert.Equal(t, ".", location.StringValue())
 					},
 				}
 			},
@@ -328,7 +328,7 @@ func TestImageLifecycle(t *testing.T) {
 				Resource: "docker-build:index:Image",
 				Create:   tt.op(t),
 			}
-			s := newServer(t.Context(), t, mockClientF(tt.client(t)))
+			s := newServer(tt.client(t))
 
 			err := s.Configure(provider.ConfigureRequest{})
 			require.NoError(t, err)
@@ -353,16 +353,21 @@ func TestDelete(t *testing.T) {
 			Delete(gomock.Any(), "docker.io/pulumi/test@sha256:foo").
 			Return(errNotFound{})
 
-		i := &Image{clientF: mockClientF(client)}
+		s := newServer(client)
+		err := s.Configure(provider.ConfigureRequest{})
+		require.NoError(t, err)
 
-		_, err := i.Delete(t.Context(), infer.DeleteRequest[ImageState]{
-			ID: "foo,bar",
-			State: ImageState{
-				ImageArgs: ImageArgs{
-					Tags: []string{"docker.io/pulumi/test:foo"},
-					Push: true,
-				},
-				Digest: "sha256:foo",
+		err = s.Delete(provider.DeleteRequest{
+			ID:  "foo,bar",
+			Urn: _fakeURN,
+			Properties: resource.PropertyMap{
+				"tags": resource.NewArrayProperty([]resource.PropertyValue{
+					resource.NewStringProperty("docker.io/pulumi/test:foo"),
+				}),
+				"push":        resource.NewBoolProperty(true),
+				"digest":      resource.NewStringProperty("sha256:foo"),
+				"contextHash": resource.NewStringProperty(""),
+				"ref":         resource.NewStringProperty(""),
 			},
 		})
 		assert.NoError(t, err)
@@ -386,21 +391,27 @@ func TestRead(t *testing.T) {
 			},
 		}, nil)
 
-	i := &Image{clientF: mockClientF(client)}
+	s := newServer(client)
+	err := s.Configure(provider.ConfigureRequest{})
+	require.NoError(t, err)
 
-	resp, err := i.Read(t.Context(), infer.ReadRequest[ImageArgs, ImageState]{
-		ID: "my-image",
-		State: ImageState{
-			ImageArgs: ImageArgs{
-				Exports: []Export{{Raw: "type=registry"}},
-				Tags:    []string{tag},
-			},
-			Digest: digest,
+	resp, err := s.Read(provider.ReadRequest{
+		ID:  "my-image",
+		Urn: _fakeURN,
+		Properties: resource.PropertyMap{
+			"exports": resource.NewArrayProperty([]resource.PropertyValue{
+				resource.NewObjectProperty(resource.PropertyMap{
+					"raw": resource.NewStringProperty("type=registry"),
+				}),
+			}),
+			"tags": resource.NewArrayProperty([]resource.PropertyValue{
+				resource.NewStringProperty(tag),
+			}),
+			"digest": resource.NewStringProperty(digest),
 		},
 	})
-
 	require.NoError(t, err)
-	assert.Equal(t, []string{tag}, resp.State.Tags)
+	assert.NotNil(t, resp.Properties["exports"].ArrayValue()[0].ObjectValue()["manifest"])
 }
 
 func TestImageDiff(t *testing.T) {
@@ -421,21 +432,21 @@ func TestImageDiff(t *testing.T) {
 	}
 
 	tests := []struct {
-		name   string
-		state  func(*testing.T, ImageState) ImageState
-		inputs func(*testing.T, ImageArgs) ImageArgs
+		name string
+		olds func(*testing.T, ImageState) ImageState
+		news func(*testing.T, ImageArgs) ImageArgs
 
 		wantChanges bool
 	}{
 		{
 			name:        "no diff if build context is unchanged",
-			state:       func(*testing.T, ImageState) ImageState { return baseState },
-			inputs:      func(*testing.T, ImageArgs) ImageArgs { return baseArgs },
+			olds:        func(*testing.T, ImageState) ImageState { return baseState },
+			news:        func(*testing.T, ImageArgs) ImageArgs { return baseArgs },
 			wantChanges: false,
 		},
 		{
 			name: "no diff if registry password changes",
-			state: func(_ *testing.T, s ImageState) ImageState {
+			olds: func(_ *testing.T, s ImageState) ImageState {
 				s.Registries = []Registry{{
 					Address:  "foo",
 					Username: "foo",
@@ -443,7 +454,7 @@ func TestImageDiff(t *testing.T) {
 				}}
 				return s
 			},
-			inputs: func(_ *testing.T, a ImageArgs) ImageArgs {
+			news: func(_ *testing.T, a ImageArgs) ImageArgs {
 				a.Registries = []Registry{{
 					Address:  "foo",
 					Username: "foo",
@@ -455,11 +466,11 @@ func TestImageDiff(t *testing.T) {
 		},
 		{
 			name: "no diff if pull=true but no exports",
-			state: func(_ *testing.T, is ImageState) ImageState {
+			olds: func(_ *testing.T, is ImageState) ImageState {
 				is.Pull = true
 				return is
 			},
-			inputs: func(_ *testing.T, ia ImageArgs) ImageArgs {
+			news: func(t *testing.T, ia ImageArgs) ImageArgs {
 				ia.Pull = true
 				return ia
 			},
@@ -467,12 +478,12 @@ func TestImageDiff(t *testing.T) {
 		},
 		{
 			name: "diff if pull=true with exports",
-			state: func(_ *testing.T, is ImageState) ImageState {
+			olds: func(_ *testing.T, is ImageState) ImageState {
 				is.Pull = true
 				is.Load = true
 				return is
 			},
-			inputs: func(_ *testing.T, ia ImageArgs) ImageArgs {
+			news: func(t *testing.T, ia ImageArgs) ImageArgs {
 				ia.Pull = true
 				ia.Load = true
 				return ia
@@ -480,9 +491,9 @@ func TestImageDiff(t *testing.T) {
 			wantChanges: true,
 		},
 		{
-			name:  "diff if build context changes",
-			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(t *testing.T, a ImageArgs) ImageArgs {
+			name: "diff if build context changes",
+			olds: func(*testing.T, ImageState) ImageState { return baseState },
+			news: func(t *testing.T, a ImageArgs) ImageArgs {
 				tmp := filepath.Join(a.Context.Location, "tmp")
 				err := os.WriteFile(tmp, []byte{}, 0o600)
 				require.NoError(t, err)
@@ -492,9 +503,9 @@ func TestImageDiff(t *testing.T) {
 			wantChanges: true,
 		},
 		{
-			name:  "diff if registry added",
-			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(_ *testing.T, a ImageArgs) ImageArgs {
+			name: "diff if registry added",
+			olds: func(*testing.T, ImageState) ImageState { return baseState },
+			news: func(_ *testing.T, a ImageArgs) ImageArgs {
 				a.Registries = []Registry{{}}
 				return a
 			},
@@ -502,7 +513,7 @@ func TestImageDiff(t *testing.T) {
 		},
 		{
 			name: "diff if registry user changes",
-			state: func(_ *testing.T, s ImageState) ImageState {
+			olds: func(_ *testing.T, s ImageState) ImageState {
 				s.Registries = []Registry{{
 					Address:  "foo",
 					Username: "foo",
@@ -510,7 +521,7 @@ func TestImageDiff(t *testing.T) {
 				}}
 				return s
 			},
-			inputs: func(_ *testing.T, a ImageArgs) ImageArgs {
+			news: func(_ *testing.T, a ImageArgs) ImageArgs {
 				a.Registries = []Registry{{
 					Address:  "DIFFERENT USER",
 					Username: "foo",
@@ -521,9 +532,9 @@ func TestImageDiff(t *testing.T) {
 			wantChanges: true,
 		},
 		{
-			name:  "diff if buildArgs changes",
-			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(_ *testing.T, a ImageArgs) ImageArgs {
+			name: "diff if buildArgs changes",
+			olds: func(*testing.T, ImageState) ImageState { return baseState },
+			news: func(_ *testing.T, a ImageArgs) ImageArgs {
 				a.BuildArgs = map[string]string{
 					"foo": "bar",
 				}
@@ -532,36 +543,36 @@ func TestImageDiff(t *testing.T) {
 			wantChanges: true,
 		},
 		{
-			name:  "diff if pull changes",
-			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(_ *testing.T, ia ImageArgs) ImageArgs {
+			name: "diff if pull changes",
+			olds: func(*testing.T, ImageState) ImageState { return baseState },
+			news: func(t *testing.T, ia ImageArgs) ImageArgs {
 				ia.Pull = true
 				return ia
 			},
 			wantChanges: true,
 		},
 		{
-			name:  "diff if load changes",
-			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(_ *testing.T, ia ImageArgs) ImageArgs {
+			name: "diff if load changes",
+			olds: func(*testing.T, ImageState) ImageState { return baseState },
+			news: func(t *testing.T, ia ImageArgs) ImageArgs {
 				ia.Load = true
 				return ia
 			},
 			wantChanges: true,
 		},
 		{
-			name:  "diff if push changes",
-			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(_ *testing.T, ia ImageArgs) ImageArgs {
+			name: "diff if push changes",
+			olds: func(*testing.T, ImageState) ImageState { return baseState },
+			news: func(t *testing.T, ia ImageArgs) ImageArgs {
 				ia.Push = true
 				return ia
 			},
 			wantChanges: true,
 		},
 		{
-			name:  "diff if buildOnPreview doesn't change",
-			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(_ *testing.T, ia ImageArgs) ImageArgs {
+			name: "diff if buildOnPreview doesn't change",
+			olds: func(*testing.T, ImageState) ImageState { return baseState },
+			news: func(t *testing.T, ia ImageArgs) ImageArgs {
 				val := true
 				ia.BuildOnPreview = &val
 				return ia
@@ -569,9 +580,9 @@ func TestImageDiff(t *testing.T) {
 			wantChanges: true,
 		},
 		{
-			name:  "diff if buildOnPreview changes",
-			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(_ *testing.T, ia ImageArgs) ImageArgs {
+			name: "diff if buildOnPreview changes",
+			olds: func(*testing.T, ImageState) ImageState { return baseState },
+			news: func(t *testing.T, ia ImageArgs) ImageArgs {
 				val := false
 				ia.BuildOnPreview = &val
 				return ia
@@ -579,171 +590,171 @@ func TestImageDiff(t *testing.T) {
 			wantChanges: true,
 		},
 		{
-			name:  "diff if ssh changes",
-			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(_ *testing.T, ia ImageArgs) ImageArgs {
+			name: "diff if ssh changes",
+			olds: func(*testing.T, ImageState) ImageState { return baseState },
+			news: func(t *testing.T, ia ImageArgs) ImageArgs {
 				ia.SSH = []SSH{{ID: "default"}}
 				return ia
 			},
 			wantChanges: true,
 		},
 		{
-			name:  "diff if hosts change",
-			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(_ *testing.T, ia ImageArgs) ImageArgs {
+			name: "diff if hosts change",
+			olds: func(*testing.T, ImageState) ImageState { return baseState },
+			news: func(t *testing.T, ia ImageArgs) ImageArgs {
 				ia.AddHosts = []string{"localhost"}
 				return ia
 			},
 			wantChanges: true,
 		},
 		{
-			name:  "diff if cacheFrom changes",
-			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(_ *testing.T, a ImageArgs) ImageArgs {
+			name: "diff if cacheFrom changes",
+			olds: func(*testing.T, ImageState) ImageState { return baseState },
+			news: func(_ *testing.T, a ImageArgs) ImageArgs {
 				a.CacheFrom = []CacheFrom{{Raw: "a"}}
 				return a
 			},
 			wantChanges: true,
 		},
 		{
-			name:  "diff if cacheTo changes",
-			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(_ *testing.T, a ImageArgs) ImageArgs {
+			name: "diff if cacheTo changes",
+			olds: func(*testing.T, ImageState) ImageState { return baseState },
+			news: func(_ *testing.T, a ImageArgs) ImageArgs {
 				a.CacheTo = []CacheTo{{Raw: "a"}}
 				return a
 			},
 			wantChanges: true,
 		},
 		{
-			name:  "diff if context changes",
-			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(_ *testing.T, a ImageArgs) ImageArgs {
+			name: "diff if context changes",
+			olds: func(*testing.T, ImageState) ImageState { return baseState },
+			news: func(_ *testing.T, a ImageArgs) ImageArgs {
 				a.Context = &BuildContext{Context: Context{Location: "testdata/ignores"}}
 				return a
 			},
 			wantChanges: true,
 		},
 		{
-			name:  "diff if named context changes",
-			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(_ *testing.T, a ImageArgs) ImageArgs {
+			name: "diff if named context changes",
+			olds: func(*testing.T, ImageState) ImageState { return baseState },
+			news: func(_ *testing.T, a ImageArgs) ImageArgs {
 				a.Context = &BuildContext{Named: NamedContexts{"foo": Context{Location: "bar"}}}
 				return a
 			},
 			wantChanges: true,
 		},
 		{
-			name:  "diff if network changes",
-			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(_ *testing.T, a ImageArgs) ImageArgs {
+			name: "diff if network changes",
+			olds: func(*testing.T, ImageState) ImageState { return baseState },
+			news: func(_ *testing.T, a ImageArgs) ImageArgs {
 				a.Network = &host
 				return a
 			},
 			wantChanges: true,
 		},
 		{
-			name:  "diff if dockerfile location changes",
-			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(_ *testing.T, a ImageArgs) ImageArgs {
+			name: "diff if dockerfile location changes",
+			olds: func(*testing.T, ImageState) ImageState { return baseState },
+			news: func(_ *testing.T, a ImageArgs) ImageArgs {
 				a.Dockerfile = &Dockerfile{Location: "testdata/ignores/basedir/Dockerfile"}
 				return a
 			},
 			wantChanges: true,
 		},
 		{
-			name:  "diff if dockerfile inline changes",
-			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(_ *testing.T, a ImageArgs) ImageArgs {
+			name: "diff if dockerfile inline changes",
+			olds: func(*testing.T, ImageState) ImageState { return baseState },
+			news: func(_ *testing.T, a ImageArgs) ImageArgs {
 				a.Dockerfile = &Dockerfile{Inline: "FROM scratch"}
 				return a
 			},
 			wantChanges: true,
 		},
 		{
-			name:  "diff if platforms change",
-			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(_ *testing.T, a ImageArgs) ImageArgs {
+			name: "diff if platforms change",
+			olds: func(*testing.T, ImageState) ImageState { return baseState },
+			news: func(_ *testing.T, a ImageArgs) ImageArgs {
 				a.Platforms = []Platform{"linux/amd64"}
 				return a
 			},
 			wantChanges: true,
 		},
 		{
-			name:  "diff if pull changes",
-			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(_ *testing.T, a ImageArgs) ImageArgs {
+			name: "diff if pull changes",
+			olds: func(*testing.T, ImageState) ImageState { return baseState },
+			news: func(_ *testing.T, a ImageArgs) ImageArgs {
 				a.Pull = true
 				return a
 			},
 			wantChanges: true,
 		},
 		{
-			name:  "diff if builder changes",
-			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(_ *testing.T, a ImageArgs) ImageArgs {
+			name: "diff if builder changes",
+			olds: func(*testing.T, ImageState) ImageState { return baseState },
+			news: func(_ *testing.T, a ImageArgs) ImageArgs {
 				a.Builder = &BuilderConfig{Name: "foo"}
 				return a
 			},
 			wantChanges: true,
 		},
 		{
-			name:  "diff if tags change",
-			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(_ *testing.T, a ImageArgs) ImageArgs {
+			name: "diff if tags change",
+			olds: func(*testing.T, ImageState) ImageState { return baseState },
+			news: func(_ *testing.T, a ImageArgs) ImageArgs {
 				a.Tags = []string{"foo"}
 				return a
 			},
 			wantChanges: true,
 		},
 		{
-			name:  "diff if exports change",
-			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(_ *testing.T, a ImageArgs) ImageArgs {
+			name: "diff if exports change",
+			olds: func(*testing.T, ImageState) ImageState { return baseState },
+			news: func(_ *testing.T, a ImageArgs) ImageArgs {
 				a.Exports = []Export{{Raw: "foo"}}
 				return a
 			},
 			wantChanges: true,
 		},
 		{
-			name:  "diff if target changes",
-			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(_ *testing.T, a ImageArgs) ImageArgs {
+			name: "diff if target changes",
+			olds: func(*testing.T, ImageState) ImageState { return baseState },
+			news: func(_ *testing.T, a ImageArgs) ImageArgs {
 				a.Target = "foo"
 				return a
 			},
 			wantChanges: true,
 		},
 		{
-			name:  "diff if pulling",
-			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(_ *testing.T, a ImageArgs) ImageArgs {
+			name: "diff if pulling",
+			olds: func(*testing.T, ImageState) ImageState { return baseState },
+			news: func(_ *testing.T, a ImageArgs) ImageArgs {
 				a.Pull = true
 				return a
 			},
 			wantChanges: true,
 		},
 		{
-			name:  "diff if noCache changes",
-			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(_ *testing.T, a ImageArgs) ImageArgs {
+			name: "diff if noCache changes",
+			olds: func(*testing.T, ImageState) ImageState { return baseState },
+			news: func(_ *testing.T, a ImageArgs) ImageArgs {
 				a.NoCache = true
 				return a
 			},
 			wantChanges: true,
 		},
 		{
-			name:  "diff if labels change",
-			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(_ *testing.T, a ImageArgs) ImageArgs {
+			name: "diff if labels change",
+			olds: func(*testing.T, ImageState) ImageState { return baseState },
+			news: func(_ *testing.T, a ImageArgs) ImageArgs {
 				a.Labels = map[string]string{"foo": "bar"}
 				return a
 			},
 			wantChanges: true,
 		},
 		{
-			name:  "diff if secrets change",
-			state: func(*testing.T, ImageState) ImageState { return baseState },
-			inputs: func(_ *testing.T, a ImageArgs) ImageArgs {
+			name: "diff if secrets change",
+			olds: func(*testing.T, ImageState) ImageState { return baseState },
+			news: func(_ *testing.T, a ImageArgs) ImageArgs {
 				a.Secrets = map[string]string{"foo": "bar"}
 				return a
 			},
@@ -751,13 +762,13 @@ func TestImageDiff(t *testing.T) {
 		},
 		{
 			name: "diff if local export doesn't exist",
-			state: func(_ *testing.T, state ImageState) ImageState {
+			olds: func(t *testing.T, state ImageState) ImageState {
 				state.Exports = []Export{
 					{Local: &ExportLocal{Dest: "not-real"}},
 				}
 				return state
 			},
-			inputs: func(_ *testing.T, args ImageArgs) ImageArgs {
+			news: func(_ *testing.T, args ImageArgs) ImageArgs {
 				args.Exports = []Export{
 					{Local: &ExportLocal{Dest: "not-real"}},
 				}
@@ -767,13 +778,13 @@ func TestImageDiff(t *testing.T) {
 		},
 		{
 			name: "diff if tar export doesn't exist",
-			state: func(_ *testing.T, state ImageState) ImageState {
+			olds: func(t *testing.T, state ImageState) ImageState {
 				state.Exports = []Export{
 					{Tar: &ExportTar{ExportLocal: ExportLocal{Dest: "not-real"}}},
 				}
 				return state
 			},
-			inputs: func(_ *testing.T, args ImageArgs) ImageArgs {
+			news: func(_ *testing.T, args ImageArgs) ImageArgs {
 				args.Exports = []Export{
 					{Tar: &ExportTar{ExportLocal: ExportLocal{Dest: "not-real"}}},
 				}
@@ -783,12 +794,12 @@ func TestImageDiff(t *testing.T) {
 		},
 	}
 
-	s := newServer(t.Context(), t, nil)
+	s := newServer(nil)
 
-	encode := func(t *testing.T, x any) property.Map {
+	encode := func(t *testing.T, x any) resource.PropertyMap {
 		raw, err := mapper.New(&mapper.Opts{IgnoreMissing: true}).Encode(x)
 		require.NoError(t, err)
-		return resource.FromResourcePropertyMap(resource.NewPropertyMapFromMap(raw))
+		return resource.NewPropertyMapFromMap(raw)
 	}
 
 	for _, tt := range tests {
@@ -797,9 +808,9 @@ func TestImageDiff(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 			resp, err := s.Diff(provider.DiffRequest{
-				Urn:    _fakeURN,
-				State:  encode(t, tt.state(t, baseState)),
-				Inputs: encode(t, tt.inputs(t, baseArgs)),
+				Urn:  _fakeURN,
+				Olds: encode(t, tt.olds(t, baseState)),
+				News: encode(t, tt.news(t, baseArgs)),
 			})
 			assert.NoError(t, err)
 			assert.Equal(t, tt.wantChanges, resp.HasChanges, resp.DetailedDiff)
@@ -917,10 +928,8 @@ func TestValidateImageArgs(t *testing.T) {
 			{
 				name: "gha environment",
 				envs: map[string]string{
-					"ACTIONS_CACHE_URL":        "test-cache-url",
-					"ACTIONS_RUNTIME_TOKEN":    "test-runtime-token",
-					"ACTIONS_RESULTS_URL":      "test-results-url",
-					"ACTIONS_CACHE_SERVICE_V2": "true",
+					"ACTIONS_CACHE_URL":     "test-cache-url",
+					"ACTIONS_RUNTIME_TOKEN": "test-runtime-token",
 				},
 				args: ImageArgs{
 					Context:   &BuildContext{Context: Context{Location: "testdata/noop"}},
@@ -932,17 +941,15 @@ func TestValidateImageArgs(t *testing.T) {
 				wantCacheFrom: &pb.CacheOptionsEntry{
 					Type: "gha",
 					Attrs: map[string]string{
-						"token":  "test-runtime-token",
-						"url":    "test-cache-url",
-						"url_v2": "test-results-url",
+						"token": "test-runtime-token",
+						"url":   "test-cache-url",
 					},
 				},
 				wantCacheTo: &pb.CacheOptionsEntry{
 					Type: "gha",
 					Attrs: map[string]string{
-						"token":  "test-runtime-token",
-						"url":    "test-cache-url",
-						"url_v2": "test-results-url",
+						"token": "test-runtime-token",
+						"url":   "test-cache-url",
 					},
 				},
 			},

provider/internal/index.go

@@ -19,15 +19,16 @@ import (
 	"errors"
 	"fmt"
 	"reflect"
+	"strings"
 
 	// For examples/docs.
 	_ "embed"
 
-	"github.com/containerd/errdefs"
 	"github.com/regclient/regclient/types/errs"
 
 	provider "github.com/pulumi/pulumi-go-provider"
 	"github.com/pulumi/pulumi-go-provider/infer"
+	"github.com/pulumi/pulumi/sdk/v3/go/common/resource"
 )
 
 var (
@@ -46,10 +47,7 @@ var (
 var _indexExamples string
 
 // Index is an OCI index or manifest list on a remote registry.
-type Index struct {
-	clientF clientF
-	config  *Config
-}
+type Index struct{}
 
 // IndexArgs instantiate an Index.
 type IndexArgs struct {
@@ -66,14 +64,6 @@ func (i IndexArgs) isPushed() bool {
 	return *i.Push
 }
 
-// GetRegistries returns the index's registry.
-func (i IndexArgs) GetRegistries() []Registry {
-	if i.Registry == nil {
-		return nil
-	}
-	return []Registry{*i.Registry}
-}
-
 // IndexState captures the state of an Index.
 type IndexState struct {
 	IndexArgs
@@ -142,112 +132,88 @@ func (i *IndexState) Annotate(a infer.Annotator) {
 // Create is a passthrough to Update.
 func (i *Index) Create(
 	ctx context.Context,
-	req infer.CreateRequest[IndexArgs],
-) (infer.CreateResponse[IndexState], error) {
-	resp, err := i.Update(ctx,
-		infer.UpdateRequest[IndexArgs, IndexState]{
-			ID:     req.Name,
-			State:  IndexState{},
-			Inputs: req.Inputs,
-			DryRun: req.DryRun,
-		},
-	)
-	return infer.CreateResponse[IndexState]{ID: req.Name, Output: resp.Output}, err
+	name string,
+	input IndexArgs,
+	preview bool,
+) (string, IndexState, error) {
+	state, err := i.Update(ctx, name, IndexState{}, input, preview)
+	return name, state, err
 }
 
 // Update performs `buildx imagetools create` to create a new OCI index /
 // manifest list.
 func (i *Index) Update(
 	ctx context.Context,
-	req infer.UpdateRequest[IndexArgs, IndexState],
-) (infer.UpdateResponse[IndexState], error) {
-	state, input := req.State, req.Inputs
-
+	name string,
+	state IndexState,
+	input IndexArgs,
+	preview bool,
+) (IndexState, error) {
 	state.IndexArgs = input
 	state.Ref = input.Tag
 
-	cli, err := i.client(ctx, input)
+	cli, err := i.client(ctx, state, input)
 	if err != nil {
-		return infer.UpdateResponse[IndexState]{Output: state}, err
+		return state, err
 	}
 
-	if req.DryRun {
-		return infer.UpdateResponse[IndexState]{Output: state}, nil
+	if preview {
+		return state, nil
 	}
 
-	provider.GetLogger(ctx).
-		Debugf("creating index with tag %s and sources %s", input.Tag, input.Sources)
+	provider.GetLogger(ctx).Debugf("creating index with tag %s and sources %s", input.Tag, input.Sources)
 
 	err = cli.ManifestCreate(ctx, input.isPushed(), input.Tag, input.Sources...)
 	if err != nil {
-		return infer.UpdateResponse[IndexState]{Output: state}, fmt.Errorf("creating: %w", err)
+		return state, fmt.Errorf("creating: %w", err)
 	}
 
-	// Read remote manifest information, if it exists.
-	live, err := i.Read(ctx,
-		infer.ReadRequest[IndexArgs, IndexState]{ID: req.ID, Inputs: input, State: state},
-	)
+	_, _, state, err = i.Read(ctx, name, input, state)
 	if err != nil {
-		return infer.UpdateResponse[IndexState]{Output: state}, fmt.Errorf("reading: %w", err)
+		return state, fmt.Errorf("reading: %w", err)
 	}
-	return infer.UpdateResponse[IndexState]{Output: live.State}, nil
+	return state, nil
 }
 
 func (i *Index) Read(
 	ctx context.Context,
-	req infer.ReadRequest[IndexArgs, IndexState],
-) (infer.ReadResponse[IndexArgs, IndexState], error) {
-	state, input := req.State, req.Inputs
-
+	name string,
+	input IndexArgs,
+	state IndexState,
+) (string, IndexArgs, IndexState, error) {
 	state.IndexArgs = input
 	state.Ref = input.Tag
 
 	if !input.isPushed() {
 		provider.GetLogger(ctx).Debug("skipping read because index was not pushed")
-		return infer.ReadResponse[IndexArgs, IndexState]{
-			ID:     req.ID,
-			Inputs: input,
-			State:  state,
-		}, nil // Nothing to read.
+		return name, input, state, nil // Nothing to read.
 	}
 
-	cli, err := i.client(ctx, input)
+	cli, err := i.client(ctx, state, input)
 	if err != nil {
-		return infer.ReadResponse[IndexArgs, IndexState]{
-			ID:     req.ID,
-			Inputs: input,
-			State:  state,
-		}, err
+		return name, input, state, err
 	}
 
 	provider.GetLogger(ctx).Debug("reading index with tag " + input.Tag)
 
 	digest, err := cli.ManifestInspect(ctx, input.Tag)
-	if errdefs.IsNotFound(err) {
+	if errors.Is(err, errs.ErrNotFound) {
 		// A remote tag was expected but isn't there -- delete the resource.
-		return infer.ReadResponse[IndexArgs, IndexState]{ID: "", Inputs: input, State: state}, nil
+		return "", input, state, nil
 	}
 	if errors.Is(err, errs.ErrHTTPUnauthorized) {
 		provider.GetLogger(ctx).Warning("invalid credentials, skipping")
-		return infer.ReadResponse[IndexArgs, IndexState]{
-			ID:     req.ID,
-			Inputs: input,
-			State:  state,
-		}, nil
+		return name, input, state, nil
 	}
 	if err != nil {
-		return infer.ReadResponse[IndexArgs, IndexState]{
-			ID:     req.ID,
-			Inputs: input,
-			State:  state,
-		}, err
+		return name, input, state, err
 	}
 
 	if ref, ok := addDigest(input.Tag, digest); ok {
 		state.Ref = ref
 	}
 
-	return infer.ReadResponse[IndexArgs, IndexState]{ID: req.ID, Inputs: input, State: state}, nil
+	return name, input, state, nil
 }
 
 // Check confirms the Index's tag and source refs are all valid. This doesn't
@@ -256,11 +222,13 @@ func (i *Index) Read(
 // cases for now.
 func (i *Index) Check(
 	ctx context.Context,
-	req infer.CheckRequest,
-) (infer.CheckResponse[IndexArgs], error) {
-	args, failures, err := infer.DefaultCheck[IndexArgs](ctx, req.NewInputs)
+	_ string,
+	_ resource.PropertyMap,
+	news resource.PropertyMap,
+) (IndexArgs, []provider.CheckFailure, error) {
+	args, failures, err := infer.DefaultCheck[IndexArgs](ctx, news)
 	if err != nil {
-		return infer.CheckResponse[IndexArgs]{Failures: failures, Inputs: args}, err
+		return args, failures, err
 	}
 
 	if _, err := normalizeReference(args.Tag); args.Tag != "" && err != nil {
@@ -285,29 +253,27 @@ func (i *Index) Check(
 		}
 	}
 
-	return infer.CheckResponse[IndexArgs]{Failures: failures, Inputs: args}, nil
+	return args, failures, nil
 }
 
 // Delete attempts to delete the remote manifest.
-func (i *Index) Delete(
-	ctx context.Context,
-	req infer.DeleteRequest[IndexState],
-) (infer.DeleteResponse, error) {
-	state := req.State
+func (i *Index) Delete(ctx context.Context, _ string, state IndexState) error {
 	if !state.isPushed() {
-		return infer.DeleteResponse{}, nil // Nothing to delete.
+		return nil // Nothing to delete.
 	}
 
-	cli, err := i.client(ctx, state.IndexArgs)
+	cli, err := i.client(ctx, state, state.IndexArgs)
 	if err != nil {
-		return infer.DeleteResponse{}, err
+		return err
 	}
 
 	err = cli.ManifestDelete(ctx, state.Ref)
-	if errdefs.IsNotFound(err) {
-		return infer.DeleteResponse{}, nil
+	// TODO: Upstream buildx swallows the error types we'd like to test for
+	// here.
+	if err != nil && strings.Contains(err.Error(), "No such manifest:") {
+		return nil
 	}
-	return infer.DeleteResponse{}, err
+	return err
 }
 
 // Diff returns a diff of proposed changes against current state. Ideally we
@@ -316,10 +282,10 @@ func (i *Index) Delete(
 // change all the time due to short-lived AWS credentials).
 func (i *Index) Diff(
 	_ context.Context,
-	req infer.DiffRequest[IndexArgs, IndexState],
+	_ string,
+	olds IndexState,
+	news IndexArgs,
 ) (provider.DiffResponse, error) {
-	olds, news := req.State, req.Inputs
-
 	diff := map[string]provider.PropertyDiff{}
 	update := provider.PropertyDiff{Kind: provider.Update}
 	replace := provider.PropertyDiff{Kind: provider.UpdateReplace}
@@ -357,7 +323,23 @@ func (i *Index) Diff(
 // any host-level credentials.
 func (i *Index) client(
 	ctx context.Context,
+	_ IndexState,
 	args IndexArgs,
 ) (Client, error) {
-	return i.clientF(ctx, i.config.getHost(), i.config, args)
+	cfg := infer.GetConfig[Config](ctx)
+
+	if cli, ok := ctx.Value(_mockClientKey).(Client); ok {
+		return cli, nil
+	}
+
+	// We prefer auth from args, the provider, and state in that order. We
+	// build a slice in reverse order because wrap() will overwrite earlier
+	// entries with later ones.
+	auths := []Registry{}
+	auths = append(auths, cfg.Registries...)
+	if args.Registry != nil {
+		auths = append(auths, *args.Registry)
+	}
+
+	return wrap(cfg.host, auths...)
 }

provider/internal/index_test.go

@@ -24,39 +24,37 @@ import (
 	"go.uber.org/mock/gomock"
 
 	provider "github.com/pulumi/pulumi-go-provider"
-	"github.com/pulumi/pulumi-go-provider/infer"
 	"github.com/pulumi/pulumi-go-provider/integration"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/resource"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/util/mapper"
-	"github.com/pulumi/pulumi/sdk/v3/go/property"
 )
 
 func TestIndexLifecycle(t *testing.T) {
 	t.Parallel()
-	realClient := func(_ *testing.T) clientF { return RealClientF }
+	realClient := func(t *testing.T) Client { return nil }
 
 	tests := []struct {
 		name string
 		skip bool
 
 		op     func(t *testing.T) integration.Operation
-		client func(t *testing.T) clientF
+		client func(t *testing.T) Client
 	}{
 		{
 			name:   "not pushed",
 			client: realClient,
-			op: func(_ *testing.T) integration.Operation {
+			op: func(t *testing.T) integration.Operation {
 				return integration.Operation{
-					Inputs: property.NewMap(map[string]property.Value{
-						"tag": property.New(
+					Inputs: resource.PropertyMap{
+						"tag": resource.NewStringProperty(
 							"docker.io/pulumibot/buildkit-e2e:manifest-unit",
 						),
-						"sources": property.New([]property.Value{
-							property.New("docker.io/pulumibot/buildkit-e2e:arm64"),
-							property.New("docker.io/pulumibot/buildkit-e2e:amd64"),
+						"sources": resource.NewArrayProperty([]resource.PropertyValue{
+							resource.NewStringProperty("docker.io/pulumibot/buildkit-e2e:arm64"),
+							resource.NewStringProperty("docker.io/pulumibot/buildkit-e2e:amd64"),
 						}),
-						"push": property.New(false),
-					}),
+						"push": resource.NewBoolProperty(false),
+					},
 				}
 			},
 		},
@@ -64,53 +62,61 @@ func TestIndexLifecycle(t *testing.T) {
 			name:   "pushed",
 			skip:   os.Getenv("DOCKER_HUB_PASSWORD") == "",
 			client: realClient,
-			op: func(_ *testing.T) integration.Operation {
+			op: func(t *testing.T) integration.Operation {
 				return integration.Operation{
-					Inputs: property.NewMap(map[string]property.Value{
-						"tag": property.New(
+					Inputs: resource.PropertyMap{
+						"tag": resource.NewStringProperty(
 							"docker.io/pulumibot/buildkit-e2e:manifest",
 						),
-						"sources": property.New([]property.Value{
-							property.New("docker.io/pulumibot/buildkit-e2e:arm64"),
-							property.New("docker.io/pulumibot/buildkit-e2e:amd64"),
+						"sources": resource.NewArrayProperty([]resource.PropertyValue{
+							resource.NewStringProperty("docker.io/pulumibot/buildkit-e2e:arm64"),
+							resource.NewStringProperty("docker.io/pulumibot/buildkit-e2e:amd64"),
 						}),
-						"push": property.New(true),
-						"registry": property.New(map[string]property.Value{
-							"address":  property.New("docker.io"),
-							"username": property.New("pulumibot"),
-							"password": property.New(os.Getenv("DOCKER_HUB_PASSWORD")).WithSecret(true),
+						"push": resource.NewBoolProperty(true),
+						"registry": resource.NewObjectProperty(resource.PropertyMap{
+							"address":  resource.NewStringProperty("docker.io"),
+							"username": resource.NewStringProperty("pulumibot"),
+							"password": resource.NewSecretProperty(&resource.Secret{
+								Element: resource.NewStringProperty(
+									os.Getenv("DOCKER_HUB_PASSWORD"),
+								),
+							}),
 						}),
-					}),
+					},
 				}
 			},
 		},
 		{
 			name: "expired credentials",
-			client: func(_ *testing.T) clientF {
+			client: func(t *testing.T) Client {
 				ctrl := gomock.NewController(t)
 				c := NewMockClient(ctrl)
 				c.EXPECT().ManifestCreate(gomock.Any(), true, gomock.Any(), gomock.Any())
 				c.EXPECT().ManifestInspect(gomock.Any(), gomock.Any()).Return("", errs.ErrHTTPUnauthorized)
 				c.EXPECT().ManifestDelete(gomock.Any(), gomock.Any()).Return(nil)
-				return mockClientF(c)
+				return c
 			},
-			op: func(_ *testing.T) integration.Operation {
+			op: func(t *testing.T) integration.Operation {
 				return integration.Operation{
-					Inputs: property.NewMap(map[string]property.Value{
-						"tag": property.New(
+					Inputs: resource.PropertyMap{
+						"tag": resource.NewStringProperty(
 							"docker.io/pulumibot/buildkit-e2e:manifest",
 						),
-						"sources": property.New([]property.Value{
-							property.New("docker.io/pulumibot/buildkit-e2e:arm64"),
-							property.New("docker.io/pulumibot/buildkit-e2e:amd64"),
+						"sources": resource.NewArrayProperty([]resource.PropertyValue{
+							resource.NewStringProperty("docker.io/pulumibot/buildkit-e2e:arm64"),
+							resource.NewStringProperty("docker.io/pulumibot/buildkit-e2e:amd64"),
 						}),
-						"push": property.New(true),
-						"registry": property.New(map[string]property.Value{
-							"address":  property.New("docker.io"),
-							"username": property.New("pulumibot"),
-							"password": property.New(os.Getenv("DOCKER_HUB_PASSWORD")).WithSecret(true),
+						"push": resource.NewBoolProperty(true),
+						"registry": resource.NewObjectProperty(resource.PropertyMap{
+							"address":  resource.NewStringProperty("docker.io"),
+							"username": resource.NewStringProperty("pulumibot"),
+							"password": resource.NewSecretProperty(&resource.Secret{
+								Element: resource.NewStringProperty(
+									os.Getenv("DOCKER_HUB_PASSWORD"),
+								),
+							}),
 						}),
-					}),
+					},
 				}
 			},
 		},
@@ -126,7 +132,7 @@ func TestIndexLifecycle(t *testing.T) {
 				Resource: "docker-build:index:Index",
 				Create:   tt.op(t),
 			}
-			s := newServer(t.Context(), t, tt.client(t))
+			s := newServer(tt.client(t))
 
 			err := s.Configure(provider.ConfigureRequest{})
 			require.NoError(t, err)
@@ -143,22 +149,22 @@ func TestIndexDiff(t *testing.T) {
 	baseState := IndexState{IndexArgs: baseArgs}
 
 	tests := []struct {
-		name   string
-		state  func(*testing.T, IndexState) IndexState
-		inputs func(*testing.T, IndexArgs) IndexArgs
+		name string
+		olds func(*testing.T, IndexState) IndexState
+		news func(*testing.T, IndexArgs) IndexArgs
 
 		wantChanges bool
 	}{
 		{
 			name:        "no diff if no changes",
-			state:       func(*testing.T, IndexState) IndexState { return baseState },
-			inputs:      func(*testing.T, IndexArgs) IndexArgs { return baseArgs },
+			olds:        func(*testing.T, IndexState) IndexState { return baseState },
+			news:        func(*testing.T, IndexArgs) IndexArgs { return baseArgs },
 			wantChanges: false,
 		},
 		{
-			name:  "diff if tag changes",
-			state: func(*testing.T, IndexState) IndexState { return baseState },
-			inputs: func(_ *testing.T, a IndexArgs) IndexArgs {
+			name: "diff if tag changes",
+			olds: func(*testing.T, IndexState) IndexState { return baseState },
+			news: func(t *testing.T, a IndexArgs) IndexArgs {
 				a.Tag = "new-tag"
 				return a
 			},
@@ -166,7 +172,7 @@ func TestIndexDiff(t *testing.T) {
 		},
 		{
 			name: "no diff if registry password changes",
-			state: func(_ *testing.T, s IndexState) IndexState {
+			olds: func(_ *testing.T, s IndexState) IndexState {
 				s.Registry = &Registry{
 					Address:  "foo",
 					Username: "foo",
@@ -174,7 +180,7 @@ func TestIndexDiff(t *testing.T) {
 				}
 				return s
 			},
-			inputs: func(_ *testing.T, a IndexArgs) IndexArgs {
+			news: func(_ *testing.T, a IndexArgs) IndexArgs {
 				a.Registry = &Registry{
 					Address:  "foo",
 					Username: "foo",
@@ -185,9 +191,9 @@ func TestIndexDiff(t *testing.T) {
 			wantChanges: false,
 		},
 		{
-			name:  "diff if registry added",
-			state: func(*testing.T, IndexState) IndexState { return baseState },
-			inputs: func(_ *testing.T, a IndexArgs) IndexArgs {
+			name: "diff if registry added",
+			olds: func(*testing.T, IndexState) IndexState { return baseState },
+			news: func(_ *testing.T, a IndexArgs) IndexArgs {
 				a.Registry = &Registry{Address: "foo.com", Username: "foo", Password: "foo"}
 				return a
 			},
@@ -195,7 +201,7 @@ func TestIndexDiff(t *testing.T) {
 		},
 		{
 			name: "diff if registry user changes",
-			state: func(_ *testing.T, s IndexState) IndexState {
+			olds: func(_ *testing.T, s IndexState) IndexState {
 				s.Registry = &Registry{
 					Address:  "foo",
 					Username: "foo",
@@ -203,7 +209,7 @@ func TestIndexDiff(t *testing.T) {
 				}
 				return s
 			},
-			inputs: func(_ *testing.T, a IndexArgs) IndexArgs {
+			news: func(_ *testing.T, a IndexArgs) IndexArgs {
 				a.Registry = &Registry{
 					Address:  "DIFFERENT USER",
 					Username: "foo",
@@ -215,47 +221,24 @@ func TestIndexDiff(t *testing.T) {
 		},
 	}
 
-	s := newServer(t.Context(), t, nil)
+	s := newServer(nil)
 
-	encode := func(t *testing.T, x any) property.Map {
+	encode := func(t *testing.T, x any) resource.PropertyMap {
 		raw, err := mapper.New(&mapper.Opts{IgnoreMissing: true}).Encode(x)
 		require.NoError(t, err)
-		return resource.FromResourcePropertyMap(resource.NewPropertyMapFromMap(raw))
+		return resource.NewPropertyMapFromMap(raw)
 	}
 
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
 			resp, err := s.Diff(provider.DiffRequest{
-				Urn:    urn,
-				State:  encode(t, tt.state(t, baseState)),
-				Inputs: encode(t, tt.inputs(t, baseArgs)),
+				Urn:  urn,
+				Olds: encode(t, tt.olds(t, baseState)),
+				News: encode(t, tt.news(t, baseArgs)),
 			})
 			assert.NoError(t, err)
 			assert.Equal(t, tt.wantChanges, resp.HasChanges, resp.DetailedDiff)
 		})
 	}
 }
-
-func TestIndexDelete(t *testing.T) {
-	t.Parallel()
-	t.Run("manifest already deleted (404)", func(t *testing.T) {
-		t.Parallel()
-		ctrl := gomock.NewController(t)
-		client := NewMockClient(ctrl)
-		client.EXPECT().
-			ManifestDelete(gomock.Any(), "docker.io/pulumi/test:manifest").
-			Return(errNotFound{})
-
-		i := &Index{clientF: mockClientF(client)}
-
-		_, err := i.Delete(t.Context(), infer.DeleteRequest[IndexState]{
-			ID: "foo",
-			State: IndexState{
-				IndexArgs: IndexArgs{Tag: "docker.io/pulumi/test:manifest"},
-				Ref:       "docker.io/pulumi/test:manifest",
-			},
-		})
-		assert.NoError(t, err)
-	})
-}

provider/internal/mockcli_test.go

@@ -16,8 +16,12 @@ import (
 	configfile "github.com/docker/cli/cli/config/configfile"
 	docker "github.com/docker/cli/cli/context/docker"
 	store "github.com/docker/cli/cli/context/store"
+	store0 "github.com/docker/cli/cli/manifest/store"
+	client "github.com/docker/cli/cli/registry/client"
 	streams "github.com/docker/cli/cli/streams"
-	client "github.com/docker/docker/client"
+	trust "github.com/docker/cli/cli/trust"
+	client0 "github.com/docker/docker/client"
+	client1 "github.com/theupdateframework/notary/client"
 	metric "go.opentelemetry.io/otel/metric"
 	resource "go.opentelemetry.io/otel/sdk/resource"
 	trace "go.opentelemetry.io/otel/trace"
@@ -130,10 +134,10 @@ func (c *MockCliBuildKitEnabledCall) DoAndReturn(f func() (bool, error)) *MockCl
 }
 
 // Client mocks base method.
-func (m *MockCli) Client() client.APIClient {
+func (m *MockCli) Client() client0.APIClient {
 	m.ctrl.T.Helper()
 	ret := m.ctrl.Call(m, "Client")
-	ret0, _ := ret[0].(client.APIClient)
+	ret0, _ := ret[0].(client0.APIClient)
 	return ret0
 }
 
@@ -150,19 +154,19 @@ type MockCliClientCall struct {
 }
 
 // Return rewrite *gomock.Call.Return
-func (c *MockCliClientCall) Return(arg0 client.APIClient) *MockCliClientCall {
+func (c *MockCliClientCall) Return(arg0 client0.APIClient) *MockCliClientCall {
 	c.Call = c.Call.Return(arg0)
 	return c
 }
 
 // Do rewrite *gomock.Call.Do
-func (c *MockCliClientCall) Do(f func() client.APIClient) *MockCliClientCall {
+func (c *MockCliClientCall) Do(f func() client0.APIClient) *MockCliClientCall {
 	c.Call = c.Call.Do(f)
 	return c
 }
 
 // DoAndReturn rewrite *gomock.Call.DoAndReturn
-func (c *MockCliClientCall) DoAndReturn(f func() client.APIClient) *MockCliClientCall {
+func (c *MockCliClientCall) DoAndReturn(f func() client0.APIClient) *MockCliClientCall {
 	c.Call = c.Call.DoAndReturn(f)
 	return c
 }
@@ -509,6 +513,44 @@ func (c *MockCliInCall) DoAndReturn(f func() *streams.In) *MockCliInCall {
 	return c
 }
 
+// ManifestStore mocks base method.
+func (m *MockCli) ManifestStore() store0.Store {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "ManifestStore")
+	ret0, _ := ret[0].(store0.Store)
+	return ret0
+}
+
+// ManifestStore indicates an expected call of ManifestStore.
+func (mr *MockCliMockRecorder) ManifestStore() *MockCliManifestStoreCall {
+	mr.mock.ctrl.T.Helper()
+	call := mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "ManifestStore", reflect.TypeOf((*MockCli)(nil).ManifestStore))
+	return &MockCliManifestStoreCall{Call: call}
+}
+
+// MockCliManifestStoreCall wrap *gomock.Call
+type MockCliManifestStoreCall struct {
+	*gomock.Call
+}
+
+// Return rewrite *gomock.Call.Return
+func (c *MockCliManifestStoreCall) Return(arg0 store0.Store) *MockCliManifestStoreCall {
+	c.Call = c.Call.Return(arg0)
+	return c
+}
+
+// Do rewrite *gomock.Call.Do
+func (c *MockCliManifestStoreCall) Do(f func() store0.Store) *MockCliManifestStoreCall {
+	c.Call = c.Call.Do(f)
+	return c
+}
+
+// DoAndReturn rewrite *gomock.Call.DoAndReturn
+func (c *MockCliManifestStoreCall) DoAndReturn(f func() store0.Store) *MockCliManifestStoreCall {
+	c.Call = c.Call.DoAndReturn(f)
+	return c
+}
+
 // MeterProvider mocks base method.
 func (m *MockCli) MeterProvider() metric.MeterProvider {
 	m.ctrl.T.Helper()
@@ -547,6 +589,45 @@ func (c *MockCliMeterProviderCall) DoAndReturn(f func() metric.MeterProvider) *M
 	return c
 }
 
+// NotaryClient mocks base method.
+func (m *MockCli) NotaryClient(imgRefAndAuth trust.ImageRefAndAuth, actions []string) (client1.Repository, error) {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "NotaryClient", imgRefAndAuth, actions)
+	ret0, _ := ret[0].(client1.Repository)
+	ret1, _ := ret[1].(error)
+	return ret0, ret1
+}
+
+// NotaryClient indicates an expected call of NotaryClient.
+func (mr *MockCliMockRecorder) NotaryClient(imgRefAndAuth, actions any) *MockCliNotaryClientCall {
+	mr.mock.ctrl.T.Helper()
+	call := mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "NotaryClient", reflect.TypeOf((*MockCli)(nil).NotaryClient), imgRefAndAuth, actions)
+	return &MockCliNotaryClientCall{Call: call}
+}
+
+// MockCliNotaryClientCall wrap *gomock.Call
+type MockCliNotaryClientCall struct {
+	*gomock.Call
+}
+
+// Return rewrite *gomock.Call.Return
+func (c *MockCliNotaryClientCall) Return(arg0 client1.Repository, arg1 error) *MockCliNotaryClientCall {
+	c.Call = c.Call.Return(arg0, arg1)
+	return c
+}
+
+// Do rewrite *gomock.Call.Do
+func (c *MockCliNotaryClientCall) Do(f func(trust.ImageRefAndAuth, []string) (client1.Repository, error)) *MockCliNotaryClientCall {
+	c.Call = c.Call.Do(f)
+	return c
+}
+
+// DoAndReturn rewrite *gomock.Call.DoAndReturn
+func (c *MockCliNotaryClientCall) DoAndReturn(f func(trust.ImageRefAndAuth, []string) (client1.Repository, error)) *MockCliNotaryClientCall {
+	c.Call = c.Call.DoAndReturn(f)
+	return c
+}
+
 // Out mocks base method.
 func (m *MockCli) Out() *streams.Out {
 	m.ctrl.T.Helper()
@@ -585,6 +666,44 @@ func (c *MockCliOutCall) DoAndReturn(f func() *streams.Out) *MockCliOutCall {
 	return c
 }
 
+// RegistryClient mocks base method.
+func (m *MockCli) RegistryClient(arg0 bool) client.RegistryClient {
+	m.ctrl.T.Helper()
+	ret := m.ctrl.Call(m, "RegistryClient", arg0)
+	ret0, _ := ret[0].(client.RegistryClient)
+	return ret0
+}
+
+// RegistryClient indicates an expected call of RegistryClient.
+func (mr *MockCliMockRecorder) RegistryClient(arg0 any) *MockCliRegistryClientCall {
+	mr.mock.ctrl.T.Helper()
+	call := mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "RegistryClient", reflect.TypeOf((*MockCli)(nil).RegistryClient), arg0)
+	return &MockCliRegistryClientCall{Call: call}
+}
+
+// MockCliRegistryClientCall wrap *gomock.Call
+type MockCliRegistryClientCall struct {
+	*gomock.Call
+}
+
+// Return rewrite *gomock.Call.Return
+func (c *MockCliRegistryClientCall) Return(arg0 client.RegistryClient) *MockCliRegistryClientCall {
+	c.Call = c.Call.Return(arg0)
+	return c
+}
+
+// Do rewrite *gomock.Call.Do
+func (c *MockCliRegistryClientCall) Do(f func(bool) client.RegistryClient) *MockCliRegistryClientCall {
+	c.Call = c.Call.Do(f)
+	return c
+}
+
+// DoAndReturn rewrite *gomock.Call.DoAndReturn
+func (c *MockCliRegistryClientCall) DoAndReturn(f func(bool) client.RegistryClient) *MockCliRegistryClientCall {
+	c.Call = c.Call.DoAndReturn(f)
+	return c
+}
+
 // Resource mocks base method.
 func (m *MockCli) Resource() *resource.Resource {
 	m.ctrl.T.Helper()

provider/internal/mockclient_test.go

@@ -3,7 +3,7 @@
 //
 // Generated by this command:
 //
-//	mockgen -typed -package internal -source client.go -destination mockclient_test.go --self_package github.com/pulumi/pulumi-docker-build/provider/internal -imports buildx=github.com/docker/buildx/build
+//	mockgen -typed -package internal -source client.go -destination mockclient_test.go --self_package github.com/pulumi/pulumi-docker-build/provider/internal
 //
 
 // Package internal is a generated GoMock package.
@@ -13,12 +13,7 @@ import (
 	context "context"
 	reflect "reflect"
 
-	buildx "github.com/docker/buildx/build"
-	builder "github.com/docker/buildx/builder"
 	pb "github.com/docker/buildx/controller/pb"
-	confutil "github.com/docker/buildx/util/confutil"
-	dockerutil "github.com/docker/buildx/util/dockerutil"
-	progress "github.com/docker/buildx/util/progress"
 	client "github.com/moby/buildkit/client"
 	session "github.com/moby/buildkit/session"
 	descriptor "github.com/regclient/regclient/types/descriptor"
@@ -537,66 +532,3 @@ func (c *MockBuildShouldExecCall) DoAndReturn(f func() bool) *MockBuildShouldExe
 	c.Call = c.Call.DoAndReturn(f)
 	return c
 }
-
-// MockBuilder is a mock of Builder interface.
-type MockBuilder struct {
-	ctrl     *gomock.Controller
-	recorder *MockBuilderMockRecorder
-	isgomock struct{}
-}
-
-// MockBuilderMockRecorder is the mock recorder for MockBuilder.
-type MockBuilderMockRecorder struct {
-	mock *MockBuilder
-}
-
-// NewMockBuilder creates a new mock instance.
-func NewMockBuilder(ctrl *gomock.Controller) *MockBuilder {
-	mock := &MockBuilder{ctrl: ctrl}
-	mock.recorder = &MockBuilderMockRecorder{mock}
-	return mock
-}
-
-// EXPECT returns an object that allows the caller to indicate expected use.
-func (m *MockBuilder) EXPECT() *MockBuilderMockRecorder {
-	return m.recorder
-}
-
-// Build mocks base method.
-func (m *MockBuilder) Build(ctx context.Context, nodes []builder.Node, opts map[string]buildx.Options, docker *dockerutil.Client, cfg *confutil.Config, w progress.Writer) (map[string]*client.SolveResponse, error) {
-	m.ctrl.T.Helper()
-	ret := m.ctrl.Call(m, "Build", ctx, nodes, opts, docker, cfg, w)
-	ret0, _ := ret[0].(map[string]*client.SolveResponse)
-	ret1, _ := ret[1].(error)
-	return ret0, ret1
-}
-
-// Build indicates an expected call of Build.
-func (mr *MockBuilderMockRecorder) Build(ctx, nodes, opts, docker, cfg, w any) *MockBuilderBuildCall {
-	mr.mock.ctrl.T.Helper()
-	call := mr.mock.ctrl.RecordCallWithMethodType(mr.mock, "Build", reflect.TypeOf((*MockBuilder)(nil).Build), ctx, nodes, opts, docker, cfg, w)
-	return &MockBuilderBuildCall{Call: call}
-}
-
-// MockBuilderBuildCall wrap *gomock.Call
-type MockBuilderBuildCall struct {
-	*gomock.Call
-}
-
-// Return rewrite *gomock.Call.Return
-func (c *MockBuilderBuildCall) Return(resp map[string]*client.SolveResponse, err error) *MockBuilderBuildCall {
-	c.Call = c.Call.Return(resp, err)
-	return c
-}
-
-// Do rewrite *gomock.Call.Do
-func (c *MockBuilderBuildCall) Do(f func(context.Context, []builder.Node, map[string]buildx.Options, *dockerutil.Client, *confutil.Config, progress.Writer) (map[string]*client.SolveResponse, error)) *MockBuilderBuildCall {
-	c.Call = c.Call.Do(f)
-	return c
-}
-
-// DoAndReturn rewrite *gomock.Call.DoAndReturn
-func (c *MockBuilderBuildCall) DoAndReturn(f func(context.Context, []builder.Node, map[string]buildx.Options, *dockerutil.Client, *confutil.Config, progress.Writer) (map[string]*client.SolveResponse, error)) *MockBuilderBuildCall {
-	c.Call = c.Call.DoAndReturn(f)
-	return c
-}

provider/internal/provider.go

@@ -18,11 +18,11 @@ import (
 	"context"
 	"fmt"
 
-	csgen "github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3/codegen"
 	provider "github.com/pulumi/pulumi-go-provider"
 	"github.com/pulumi/pulumi-go-provider/infer"
 	pschema "github.com/pulumi/pulumi-go-provider/middleware/schema"
 	"github.com/pulumi/pulumi-java/pkg/codegen/java"
+	csgen "github.com/pulumi/pulumi/pkg/v3/codegen/dotnet"
 	gogen "github.com/pulumi/pulumi/pkg/v3/codegen/go"
 	tsgen "github.com/pulumi/pulumi/pkg/v3/codegen/nodejs"
 	pygen "github.com/pulumi/pulumi/pkg/v3/codegen/python"
@@ -45,6 +45,9 @@ type Config struct {
 	host *host
 }
 
+// _mockClientKey is used by tests to inject a mock Docker client.
+var _mockClientKey any = "mock-client"
+
 // Annotate provides user-facing descriptions and defaults for Config's fields.
 func (c *Config) Annotate(a infer.Annotator) {
 	a.Describe(&c.Host, "The build daemon's address.")
@@ -61,23 +64,8 @@ func (c *Config) Configure(ctx context.Context) error {
 	return nil
 }
 
-// GetRegistries returns the config's registries, if any.
-func (c Config) GetRegistries() []Registry {
-	return c.Registries
-}
-
-// getHost returns the config's host, or nil if the config is also nil.
-func (c *Config) getHost() *host {
-	if c == nil {
-		return nil
-	}
-	return c.host
-}
-
 // NewBuildxProvider returns a new buildx provider.
-func NewBuildxProvider(clientF clientF) provider.Provider {
-	config := &Config{}
-
+func NewBuildxProvider() provider.Provider {
 	prov := infer.Provider(
 		infer.Options{
 			Metadata: pschema.Metadata{
@@ -125,22 +113,41 @@ func NewBuildxProvider(clientF clientF) provider.Provider {
 				},
 			},
 			Resources: []infer.InferredResource{
-				infer.Resource(&Image{clientF: clientF, config: config}),
-				infer.Resource(&Index{clientF: clientF, config: config}),
+				infer.Resource[*Image](),
+				infer.Resource[*Index](),
 			},
 			ModuleMap: map[tokens.ModuleName]tokens.ModuleName{
 				"internal": "index",
 			},
-			Config: infer.Config(config),
+			Config: infer.Config[*Config](),
 		},
 	)
 
+	prov.DiffConfig = diffConfigIgnoreInternal(prov.DiffConfig)
+
 	return prov
 }
 
+// TODO(pulumi/pulumi-docker-build#404): Remove this function once the bug is fixed in either
+// upstream pu/pu or pulumi-go-provider.
+
+// diffConfigInternalIgnore is a custom DiffConfig implementation for the buildx provider. This is required to
+// circumvent the bug identified in https://github.com/pulumi/pulumi-docker-build/issues/404.
+// Since `__internal` is currently populated in new inputs, but stripped in old state, we need to
+// ignore this field in the diff. There is no easy way to override DiffConfig to compare inputs only.
+func diffConfigIgnoreInternal(
+	diffConfig func(ctx context.Context, req provider.DiffRequest) (provider.DiffResponse, error),
+) func(ctx context.Context, req provider.DiffRequest) (provider.DiffResponse, error) {
+	return func(ctx context.Context, req provider.DiffRequest) (provider.DiffResponse, error) {
+		delete(req.News, "__internal")
+
+		return diffConfig(ctx, req)
+	}
+}
+
 // Schema returns our package specification.
 func Schema(ctx context.Context, version string) schema.PackageSpec {
-	p := NewBuildxProvider(nil)
+	p := NewBuildxProvider()
 	spec, err := provider.GetSchema(ctx, "docker-build", version, p)
 	contract.AssertNoErrorf(err, "missing schema")
 	return spec

provider/internal/provider_test.go

@@ -20,18 +20,18 @@ import (
 
 	"github.com/blang/semver"
 	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
 
 	provider "github.com/pulumi/pulumi-go-provider"
 	"github.com/pulumi/pulumi-go-provider/infer"
 	"github.com/pulumi/pulumi-go-provider/integration"
+	mwcontext "github.com/pulumi/pulumi-go-provider/middleware/context"
 	"github.com/pulumi/pulumi/sdk/v3/go/common/tokens"
 )
 
 func TestConfigure(t *testing.T) {
 	t.Parallel()
 
-	s := newServer(t.Context(), t, nil)
+	s := newServer(nil)
 
 	err := s.Configure(
 		provider.ConfigureRequest{},
@@ -60,7 +60,7 @@ func TestAnnotate(t *testing.T) {
 func TestSchema(t *testing.T) {
 	t.Parallel()
 
-	s := newServer(t.Context(), t, nil)
+	s := newServer(nil)
 
 	_, err := s.GetSchema(provider.GetSchemaRequest{Version: 0})
 	assert.NoError(t, err)
@@ -68,27 +68,21 @@ func TestSchema(t *testing.T) {
 
 type annotator struct{}
 
-func (annotator) Deprecate(_ any, _ string)                   {}
 func (annotator) Describe(_ any, _ string)                    {}
 func (annotator) SetDefault(_, _ any, _ ...string)            {}
 func (annotator) SetToken(tokens.ModuleName, tokens.TypeName) {}
 func (annotator) AddAlias(tokens.ModuleName, tokens.TypeName) {}
 func (annotator) SetResourceDeprecationMessage(_ string)      {}
 
-func newServer(ctx context.Context, t *testing.T, clientF clientF) integration.Server {
-	t.Helper()
+func newServer(client Client) integration.Server {
+	p := NewBuildxProvider()
 
-	if clientF == nil {
-		clientF = RealClientF
+	// Inject a mock client if provided.
+	if client != nil {
+		p = mwcontext.Wrap(p, func(ctx context.Context) context.Context {
+			return context.WithValue(ctx, _mockClientKey, client)
+		})
 	}
 
-	p := NewBuildxProvider(clientF)
-
-	s, err := integration.NewServer(
-		ctx,
-		"docker-build", semver.Version{Major: 0},
-		integration.WithProvider(p),
-	)
-	require.NoError(t, err)
-	return s
+	return integration.NewServer("docker-build", semver.Version{Major: 0}, p)
 }

provider/provider.go

@@ -15,11 +15,15 @@
 package provider
 
 import (
-	gp "github.com/pulumi/pulumi-go-provider"
-	"github.com/pulumi/pulumi/pkg/v3/resource/provider"
-	rpc "github.com/pulumi/pulumi/sdk/v3/proto/go"
+	"context"
+	"encoding/json"
 
 	"github.com/pulumi/pulumi-docker-build/provider/internal"
+	"github.com/pulumi/pulumi-docker-build/provider/internal/deprecated"
+	gp "github.com/pulumi/pulumi-go-provider"
+	"github.com/pulumi/pulumi/pkg/v3/codegen/schema"
+	"github.com/pulumi/pulumi/pkg/v3/resource/provider"
+	rpc "github.com/pulumi/pulumi/sdk/v3/proto/go"
 )
 
 // Version is initialized by the Go linker to contain the semver of this build.
@@ -35,5 +39,37 @@ func Serve() error {
 
 // New creates a new provider.
 func New(host *provider.HostClient) (rpc.ResourceProviderServer, error) {
-	return gp.RawServer(Name, Version, internal.NewBuildxProvider(internal.RealClientF))(host)
+	return gp.RawServer(Name, Version, configurableProvider(internal.NewBuildxProvider()))(host)
+}
+
+// configurableProvider is a workaround for
+// https://github.com/pulumi/pulumi-go-provider/issues/171 and
+// In short, our SDKs send provider Configure requests as simple strings
+// instead of rich objects. We don't want to preserve this behavior in
+// pulumi-go-provider, but we also haven't updated SDKs yet to send rich types.
+//
+// If you find yourself in a position where you need to copy this -- STOP!
+// https://github.com/pulumi/pulumi/pull/15032 should be merged with this fix.
+func configurableProvider(p gp.Provider) gp.Provider {
+	configure := p.Configure
+
+	p.Configure = func(ctx context.Context, req gp.ConfigureRequest) error {
+		r, err := p.GetSchema(ctx, gp.GetSchemaRequest{Version: 0})
+		if err != nil {
+			return err
+		}
+		spec := schema.PackageSpec{}
+		err = json.Unmarshal([]byte(r.Schema), &spec)
+		if err != nil {
+			return err
+		}
+
+		ce := deprecated.New(spec.Config)
+		if props, err := ce.UnmarshalProperties(req.Args); err == nil {
+			req.Args = props
+		}
+		return configure(ctx, req)
+	}
+
+	return p
 }

provider/provider_test.go

@@ -22,8 +22,37 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	emptypb "google.golang.org/protobuf/types/known/emptypb"
+	"google.golang.org/protobuf/types/known/structpb"
+
+	"github.com/pulumi/pulumi-docker-build/provider/internal"
+	provider "github.com/pulumi/pulumi-go-provider"
+	"github.com/pulumi/pulumi-go-provider/integration"
+	"github.com/pulumi/pulumi/sdk/v3/go/common/resource/plugin"
 )
 
+// TestConfigure checks backwards-compatibility with SDKs that still send
+// provider config as JSON-encoded strings. This test can be removed once we
+// upgrade to a version of pulumi that no longer generates SDKs with that
+// behavior.
+func TestConfigure(t *testing.T) {
+	t.Parallel()
+
+	p := configurableProvider(internal.NewBuildxProvider())
+
+	args, err := structpb.NewStruct(map[string]any{
+		"registries": `[{"address": "docker.io"}]`,
+	})
+	require.NoError(t, err)
+	argsMap, err := plugin.UnmarshalProperties(args, plugin.MarshalOptions{})
+	require.NoError(t, err)
+
+	s := integration.NewServer("docker-build", semver.Version{Major: 0}, p)
+	err = s.Configure(provider.ConfigureRequest{
+		Args: argsMap,
+	})
+	assert.NoError(t, err)
+}
+
 func TestVersion(t *testing.T) {
 	t.Parallel()
 

renovate.json5

@@ -1,23 +0,0 @@
-{
-  $schema: 'https://docs.renovatebot.com/renovate-schema.json',
-  extends: [
-    'github>pulumi/renovate-config//default.json5',
-  ],
-  packageRules: [
-    {
-      matchDatasources: [
-        'go',
-      ],
-      matchPackageNames: [
-        'github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3',
-        'github.com/pulumi/pulumi/sdk/go/pulumi-language-go/v3',
-        'github.com/pulumi/pulumi/sdk/nodejs/cmd/pulumi-language-nodejs/v3',
-        'github.com/pulumi/pulumi/sdk/python/cmd/pulumi-language-python/v3',
-      ],
-      matchUpdateTypes: [
-        'pin',
-        'digest',
-      ],
-    },
-  ],
-}