Update GitHub Actions workflows. (#878)

This PR was triggered by @t0yv0 generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit
[b888a93605aab0d973777521a03763e13948d127](b888a93605).

Co-authored-by: Pulumi Bot <bot@pulumi.com>

.ci-mgmt.yaml

@@ -0,0 +1,20 @@
+template: native
+provider: docker-build
+major-version: 0
+providerDefaultBranch: main
+providerVersion: github.com/pulumi/pulumi-docker-build/provider.Version
+aws: true
+modulePath: .
+gcp: true
+sdkModuleDir: sdk/go/dockerbuild
+parallel: 3
+esc:
+  enabled: true
+envOverride:
+  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
+  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
+  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
+  GOOGLE_PROJECT: pulumi-ci-gcp-provider
+  GOOGLE_PROJECT_NUMBER: "895284651812"
+  GOOGLE_REGION: us-central1
+  GOOGLE_ZONE: us-central1-a

.config/mise.test.toml

@@ -0,0 +1,4 @@
+# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
+
+[tools]
+"aqua:gotestyourself/gotestsum" = "1.12.0"

.config/mise.toml

@@ -0,0 +1,35 @@
+# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
+# You can create your own root-level mise.toml file to override/augment this. See https://mise.jdx.dev/configuration.html
+
+[env]
+_.vfox-pulumi = { module_path = "." } # Sets GO_VERSION_MISE and PULUMI_VERSION_MISE
+PULUMI_HOME = "{{config_root}}/.pulumi"
+
+[tools]
+
+# Runtimes
+go = "{{ env.GO_VERSION_MISE }}"
+node = '20.19.5'
+python = '3.11.8'
+"vfox:version-fox/vfox-dotnet" = "8.0.20" # vfox backend doesn't work on Windows, gives "error converting Lua table to PreInstall (no version returned from vfox plugin)" https://github.com/jdx/mise/discussions/5876 https://github.com/jdx/mise/discussions/5550
+# Corretto version used as Java SE/OpenJDK version no longer offered
+java = 'corretto-11'
+
+# Executable tools
+"github:pulumi/pulumi" = "{{ env.PULUMI_VERSION_MISE }}"
+"github:pulumi/pulumictl" = '0.0.50'
+"github:pulumi/schema-tools" = "0.6.0"
+"go:github.com/pulumi/upgrade-provider" = "main"
+"aqua:gradle/gradle-distributions" = '7.6.6'
+golangci-lint = "2.9.0" # See note about about overrides if you need to customize this.
+"npm:yarn" = "1.22.22"
+
+[settings]
+experimental = true # Required for Go binaries (e.g. pulumictl).
+lockfile = false
+http_retries = 3
+pin = true # `mise use` should pin versions instead of defaulting to latest.
+fetch_remote_versions_cache = "24h" # Mise queries versions even if they're pinned to confirm they exist. Reduce GitHub API calls by doing that less often.
+
+[plugins]
+vfox-pulumi = "https://github.com/pulumi/vfox-pulumi"

.devcontainer.json

@@ -0,0 +1,68 @@
+// Reference:
+// - https://containers.dev/features
+// - https://containers.dev/implementors/features
+// - https://code.visualstudio.com/docs/getstarted/settings
+{
+  "name": "pulumi",
+  "image": "ghcr.io/pulumi/devcontainer",
+  "customizations": {
+    "vscode": {
+      "settings": [
+        "go.testTags", "all",
+        "go.buildTags", "all",
+        "editor.minimap.enabled", false,
+        "explorer.openEditors.visible", 1,
+        "editor.quickSuggestionsDelay", 0,
+        "editor.suggestSelection", "first",
+        "editor.snippetSuggestions", "top",
+        "editor.gotoLocation.multipleReferences", "goto",
+        "editor.gotoLocation.multipleDefinitions", "goto",
+        "editor.gotoLocation.multipleDeclarations", "goto",
+        "editor.gotoLocation.multipleImplementations", "goto",
+        "editor.gotoLocation.multipleTypeDefinitions", "goto",
+        "editor.terminal.integrated.shell.linux", "/usr/bin/zsh",
+        "files.trimTrailingWhitespace", true,
+        "files.trimFinalNewlines", true
+      ],
+      "extensions": [
+        "golang.go",
+        "vscodevim.vim",
+        "github.copilot",
+        "ms-python.python",
+        "jetpack-io.devbox",
+        "redhat.vscode-yaml",
+        "esbenp.prettier-vscode",
+        "ms-vscode.makefile-tools",
+        "ms-azuretools.vscode-docker",
+        "github.vscode-pull-request-github",
+        "ms-vscode-remote.remote-containers",
+        "visualstudioexptteam.vscodeintellicode",
+        "bierner.markdown-preview-github-styles"
+      ]
+    }
+  },
+  "features": {
+    "ghcr.io/devcontainers/features/common-utils:2": {
+        "installZsh": true,
+        "configureZshAsDefaultShell": true,
+        "installOhMyZsh": true,
+        "installOhMyZshConfig": true,
+        "upgradePackages": true,
+        "nonFreePackages": true,
+        "username": "vscode",
+        "userUid": "automatic",
+        "userGid": "automatic"
+    },
+    "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {
+        "moby": false,
+        "installDockerBuildx": true,
+        "version": "latest",
+        "dockerDashComposeVersion": "v2"
+    }
+  },
+  "postCreateCommand": "git submodule update --init --recursive",
+  "remoteUser": "vscode",
+  "forwardPorts": [1313],
+  "runArgs": ["--network=host"]
+}
+

.gitattributes

@@ -0,0 +1,2 @@
+sdk/**/* linguist-generated=true
+.github/workflows/*.lock.yml linguist-generated=true merge=ours

.github/ISSUE_TEMPLATE/bug.yaml

@@ -0,0 +1,69 @@
+name: Bug Report
+description: Report something that's not working correctly
+labels: ["kind/bug", "needs-triage"]
+body:
+  - type: markdown
+    attributes:
+      value: |
+        Thanks for taking the time to fill out this bug report! 
+        You can also ask questions on our [Community Slack](https://slack.pulumi.com/).
+  - type: textarea
+    id: what-happened
+    attributes:
+      label: Describe what happened
+      description: Please summarize what happened, including what Pulumi commands you ran, as well as
+        an inline snippet of any relevant error or console output.
+    validations:
+      required: true
+  - type: textarea
+    id: sample-program
+    attributes:
+      label: Sample program
+      description: |
+        <details><summary>Provide a reproducible sample program</summary>
+        If this is a bug you encountered while running a Pulumi command, please provide us with a minimal, 
+        self-contained Pulumi program that reproduces this behavior so that we can investigate on our end. 
+        Without a functional reproduction, we will not be able to prioritize this bug.
+        **Note:** If the program output is more than a few lines, please send us a Gist or a link to a file.
+        </details>
+    validations:
+      required: true
+  - type: textarea
+    id: log-output
+    attributes:
+      label: Log output
+      description: |
+        <details><summary>How to Submit Logs</summary>
+        If this is something that is dependent on your environment, please also provide us with the output of
+        `pulumi up --logtostderr --logflow -v=10` from the root of your project.
+        We may also ask you to supply us with debug output following [these steps](https://www.pulumi.com/docs/using-pulumi/pulumi-packages/debugging-provider-packages/).
+        **Note:** If the log output is more than a few lines, please send us a Gist or a link to a file.
+        </details>
+  - type: textarea
+    id: resources
+    attributes:
+      label: Affected Resource(s)
+      description: Please list the affected Pulumi Resource(s) or Function(s).
+    validations:
+      required: false
+  - type: textarea
+    id: versions
+    attributes:
+      label: Output of `pulumi about`
+      description: Provide the output of `pulumi about` from the root of your project.
+    validations:
+      required: true
+  - type: textarea
+    id: ctx
+    attributes:
+      label: Additional context
+      description: Anything else you would like to add?
+    validations:
+      required: false
+  - type: textarea
+    id: voting
+    attributes:
+      label: Contributing
+      value: |
+        Vote on this issue by adding a 👍 reaction. 
+        To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

.github/ISSUE_TEMPLATE/epic.md

@@ -0,0 +1,35 @@
+---
+name: Epic
+about: Tracks a shippable unit of work
+title: '[Epic] {your-title-here}'
+labels: kind/epic
+projects: ['pulumi/32']
+assignees: ''
+type: Epic
+---
+
+## Overview
+<!-- Start with a one- to three-sentence summary that should be understandable by any Pulumian or community member, even those without any context on the work. -->
+
+## Key KPIs
+<!-- What KPIs should this Epic will move; what could we measure to observe that this project was successful? -->
+
+## Key Stakeholders
+- Product and Engineering: <!-- Teams and individuals involved in the design and implementation -->
+- Documentation: <!-- Representative from the docs team -->
+- Marketing/Partnerships: <!-- Representative from the Marketing team -->
+- Customers: <!-- [Tracking Issue](add-link-and-uncomment) -->
+
+## Key Deliverables
+<!-- List any discrete chunks of work or milestones that are planned in the epic (eg. subcomponent A, dogfood release, beta, etc.) -->
+
+### References 📔
+
+<!-- Any project that is more than one iteration should have a Project Board using this [template](https://github.com/orgs/pulumi/projects/131).  -->
+- [ ] Project View <!-- [Link](add-link-and-uncomment) -->
+- [ ] PR/FAQ <!-- [Link](add-link-and-uncomment) -->
+- [ ] Design Doc <!-- [Link](add-link-and-uncomment) -->
+- [ ] UX Designs <!-- [Link](add-link-and-uncomment) -->
+- [ ] Decision Log <!-- [Link](add-link-and-uncomment) -->
+
+<!-- Work items should be added to the project board linked above  -->

.github/actions/download-provider/action.yml

@@ -0,0 +1,19 @@
+name: Download Provider Binary
+description: Downloads the provider binary artifact and restores executable permissions
+
+runs:
+  using: "composite"
+  steps:
+    - name: Download provider
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      with:
+        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
+        path: ${{ github.workspace }}/bin
+
+    - name: UnTar provider binaries
+      shell: bash
+      run: tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{ github.workspace}}/bin
+
+    - name: Restore Binary Permissions
+      shell: bash
+      run: find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print -exec chmod +x {} \;

.github/actions/download-sdk/action.yml

@@ -0,0 +1,20 @@
+name: Download SDK
+description: Downloads and extracts SDK artifacts for a specific language
+
+inputs:
+  language:
+    description: 'The SDK language to download (nodejs, python, dotnet, java)'
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Download SDK
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      with:
+        name: ${{ inputs.language }}-sdk.tar.gz
+        path: ${{ github.workspace }}/sdk/
+
+    - name: UnTar SDK folder
+      shell: bash
+      run: tar -zxf ${{ github.workspace }}/sdk/${{ inputs.language }}.tar.gz -C ${{ github.workspace }}/sdk/${{ inputs.language }}

.github/actions/esc-action/action.yaml

@@ -0,0 +1,12 @@
+name: "Load secrets"
+description: |
+  This is a temporary action which assists with our migration to ESC. Instead
+  of surrounding every step that references secrets with an "if ESC" block, we
+  instead modify those steps to consume their secrets from this step's outputs.
+  Then, later, we can replace this action with esc-action to actually load
+  secrets from ESC.
+inputs: {}
+outputs: {}
+runs:
+  using: "node20"
+  main: "index.js"

.github/actions/esc-action/index.js

@@ -0,0 +1,14 @@
+const fs = require("fs");
+
+const file = process.env["GITHUB_OUTPUT"];
+var stream = fs.createWriteStream(file, { flags: "a" });
+
+for (const [name, value] of Object.entries(process.env)) {
+  try {
+    stream.write(`${name}<<EEEOOOFFF\n${value}\nEEEOOOFFF\n`); // << syntax accommodates multiline strings.
+  } catch (err) {
+    console.log(`error: failed to set output for ${name}: ${err.message}`);
+  }
+}
+
+stream.end();

.github/actions/setup-tools/action.yml

@@ -0,0 +1,41 @@
+name: Setup Tools
+description: Installs all tools (Go, Node, Python, .NET, Java, Pulumi, etc.) using mise
+
+inputs:
+  cache:
+    description: Enable caching
+    required: false
+    default: "false"
+  github_token:
+    description: GitHub token
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Setup mise
+      uses: jdx/mise-action@8d3b0ba20a9cea7b883d922ea958553c941ab082
+      env:
+        MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
+      with:
+        version: 2026.3.7
+        cache_save: ${{ inputs.cache }}
+        github_token: ${{ inputs.github_token }}
+
+    - name: Setup Go Cache
+      uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
+      with:
+        cache: ${{ inputs.cache }}
+        cache-dependency-path: |
+          provider/*.sum
+          upstream/*.sum
+          sdk/go/*.sum
+          sdk/*.sum
+          *.sum
+
+    - name: Setup Node
+      uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
+      with:
+        # we don't set node-version because we install with mise.
+        # this step is needed to setup npm auth
+        registry-url: https://registry.npmjs.org

.github/agents/agentic-workflows.agent.md

@@ -0,0 +1,177 @@
+---
+description: GitHub Agentic Workflows (gh-aw) - Create, debug, and upgrade AI-powered workflows with intelligent prompt routing
+disable-model-invocation: true
+---
+
+# GitHub Agentic Workflows Agent
+
+This agent helps you work with **GitHub Agentic Workflows (gh-aw)**, a CLI extension for creating AI-powered workflows in natural language using markdown files.
+
+## What This Agent Does
+
+This is a **dispatcher agent** that routes your request to the appropriate specialized prompt based on your task:
+
+- **Creating new workflows**: Routes to `create` prompt
+- **Updating existing workflows**: Routes to `update` prompt
+- **Debugging workflows**: Routes to `debug` prompt  
+- **Upgrading workflows**: Routes to `upgrade-agentic-workflows` prompt
+- **Creating report-generating workflows**: Routes to `report` prompt — consult this whenever the workflow posts status updates, audits, analyses, or any structured output as issues, discussions, or comments
+- **Creating shared components**: Routes to `create-shared-agentic-workflow` prompt
+- **Fixing Dependabot PRs**: Routes to `dependabot` prompt — use this when Dependabot opens PRs that modify generated manifest files (`.github/workflows/package.json`, `.github/workflows/requirements.txt`, `.github/workflows/go.mod`). Never merge those PRs directly; instead update the source `.md` files and rerun `gh aw compile --dependabot` to bundle all fixes
+- **Analyzing test coverage**: Routes to `test-coverage` prompt — consult this whenever the workflow reads, analyzes, or reports on test coverage data from PRs or CI runs
+
+Workflows may optionally include:
+
+- **Project tracking / monitoring** (GitHub Projects updates, status reporting)
+- **Orchestration / coordination** (one workflow assigning agents or dispatching and coordinating other workflows)
+
+## Files This Applies To
+
+- Workflow files: `.github/workflows/*.md` and `.github/workflows/**/*.md`
+- Workflow lock files: `.github/workflows/*.lock.yml`
+- Shared components: `.github/workflows/shared/*.md`
+- Configuration: https://github.com/github/gh-aw/blob/v0.56.2/.github/aw/github-agentic-workflows.md
+
+## Problems This Solves
+
+- **Workflow Creation**: Design secure, validated agentic workflows with proper triggers, tools, and permissions
+- **Workflow Debugging**: Analyze logs, identify missing tools, investigate failures, and fix configuration issues
+- **Version Upgrades**: Migrate workflows to new gh-aw versions, apply codemods, fix breaking changes
+- **Component Design**: Create reusable shared workflow components that wrap MCP servers
+
+## How to Use
+
+When you interact with this agent, it will:
+
+1. **Understand your intent** - Determine what kind of task you're trying to accomplish
+2. **Route to the right prompt** - Load the specialized prompt file for your task
+3. **Execute the task** - Follow the detailed instructions in the loaded prompt
+
+## Available Prompts
+
+### Create New Workflow
+**Load when**: User wants to create a new workflow from scratch, add automation, or design a workflow that doesn't exist yet
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.56.2/.github/aw/create-agentic-workflow.md
+
+**Use cases**:
+- "Create a workflow that triages issues"
+- "I need a workflow to label pull requests"
+- "Design a weekly research automation"
+
+### Update Existing Workflow  
+**Load when**: User wants to modify, improve, or refactor an existing workflow
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.56.2/.github/aw/update-agentic-workflow.md
+
+**Use cases**:
+- "Add web-fetch tool to the issue-classifier workflow"
+- "Update the PR reviewer to use discussions instead of issues"
+- "Improve the prompt for the weekly-research workflow"
+
+### Debug Workflow  
+**Load when**: User needs to investigate, audit, debug, or understand a workflow, troubleshoot issues, analyze logs, or fix errors
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.56.2/.github/aw/debug-agentic-workflow.md
+
+**Use cases**:
+- "Why is this workflow failing?"
+- "Analyze the logs for workflow X"
+- "Investigate missing tool calls in run #12345"
+
+### Upgrade Agentic Workflows
+**Load when**: User wants to upgrade workflows to a new gh-aw version or fix deprecations
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.56.2/.github/aw/upgrade-agentic-workflows.md
+
+**Use cases**:
+- "Upgrade all workflows to the latest version"
+- "Fix deprecated fields in workflows"
+- "Apply breaking changes from the new release"
+
+### Create a Report-Generating Workflow
+**Load when**: The workflow being created or updated produces reports — recurring status updates, audit summaries, analyses, or any structured output posted as a GitHub issue, discussion, or comment
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.56.2/.github/aw/report.md
+
+**Use cases**:
+- "Create a weekly CI health report"
+- "Post a daily security audit to Discussions"
+- "Add a status update comment to open PRs"
+
+### Create Shared Agentic Workflow
+**Load when**: User wants to create a reusable workflow component or wrap an MCP server
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.56.2/.github/aw/create-shared-agentic-workflow.md
+
+**Use cases**:
+- "Create a shared component for Notion integration"
+- "Wrap the Slack MCP server as a reusable component"
+- "Design a shared workflow for database queries"
+
+### Fix Dependabot PRs
+**Load when**: User needs to close or fix open Dependabot PRs that update dependencies in generated manifest files (`.github/workflows/package.json`, `.github/workflows/requirements.txt`, `.github/workflows/go.mod`)
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.56.2/.github/aw/dependabot.md
+
+**Use cases**:
+- "Fix the open Dependabot PRs for npm dependencies"
+- "Bundle and close the Dependabot PRs for workflow dependencies"
+- "Update @playwright/test to fix the Dependabot PR"
+
+### Analyze Test Coverage
+**Load when**: The workflow reads, analyzes, or reports test coverage — whether triggered by a PR, a schedule, or a slash command. Always consult this prompt before designing the coverage data strategy.
+
+**Prompt file**: https://github.com/github/gh-aw/blob/v0.56.2/.github/aw/test-coverage.md
+
+**Use cases**:
+- "Create a workflow that comments coverage on PRs"
+- "Analyze coverage trends over time"
+- "Add a coverage gate that blocks PRs below a threshold"
+
+## Instructions
+
+When a user interacts with you:
+
+1. **Identify the task type** from the user's request
+2. **Load the appropriate prompt** from the GitHub repository URLs listed above
+3. **Follow the loaded prompt's instructions** exactly
+4. **If uncertain**, ask clarifying questions to determine the right prompt
+
+## Quick Reference
+
+```bash
+# Initialize repository for agentic workflows
+gh aw init
+
+# Generate the lock file for a workflow
+gh aw compile [workflow-name]
+
+# Debug workflow runs
+gh aw logs [workflow-name]
+gh aw audit <run-id>
+
+# Upgrade workflows
+gh aw fix --write
+gh aw compile --validate
+```
+
+## Key Features of gh-aw
+
+- **Natural Language Workflows**: Write workflows in markdown with YAML frontmatter
+- **AI Engine Support**: Copilot, Claude, Codex, or custom engines
+- **MCP Server Integration**: Connect to Model Context Protocol servers for tools
+- **Safe Outputs**: Structured communication between AI and GitHub API
+- **Strict Mode**: Security-first validation and sandboxing
+- **Shared Components**: Reusable workflow building blocks
+- **Repo Memory**: Persistent git-backed storage for agents
+- **Sandboxed Execution**: All workflows run in the Agent Workflow Firewall (AWF) sandbox, enabling full `bash` and `edit` tools by default
+
+## Important Notes
+
+- Always reference the instructions file at https://github.com/github/gh-aw/blob/v0.56.2/.github/aw/github-agentic-workflows.md for complete documentation
+- Use the MCP tool `agentic-workflows` when running in GitHub Copilot Cloud
+- Workflows must be compiled to `.lock.yml` files before running in GitHub Actions
+- **Bash tools are enabled by default** - Don't restrict bash commands unnecessarily since workflows are sandboxed by the AWF
+- Follow security best practices: minimal permissions, explicit network access, no template injection
+- **Single-file output**: When creating a workflow, produce exactly **one** workflow `.md` file. Do not create separate documentation files (architecture docs, runbooks, usage guides, etc.). If documentation is needed, add a brief `## Usage` section inside the workflow file itself.

.github/aw/actions-lock.json

@@ -0,0 +1,41 @@
+{
+  "entries": {
+    "actions/github-script@v9.0.0": {
+      "repo": "actions/github-script",
+      "version": "v9.0.0",
+      "sha": "3a2844b7e9c422d3c10d287c895573f7108da1b3"
+    },
+    "github/gh-aw-actions/setup@v0.76.1": {
+      "repo": "github/gh-aw-actions/setup",
+      "version": "v0.76.1",
+      "sha": "46d564922b082d0db93244972e8005ea6904ee5f"
+    },
+    "github/gh-aw/actions/setup@v0.76.1": {
+      "repo": "github/gh-aw/actions/setup",
+      "version": "v0.76.1",
+      "sha": "58d1bedbb7200f59c2d224151339e38fd8687d05"
+    }
+  },
+  "containers": {
+    "ghcr.io/github/gh-aw-firewall/agent:0.25.55": {
+      "image": "ghcr.io/github/gh-aw-firewall/agent:0.25.55",
+      "digest": "sha256:138c363411decc9a61a5af9b95e8d64c76648b00add0ba06fc7ba786f0e72731",
+      "pinned_image": "ghcr.io/github/gh-aw-firewall/agent:0.25.55@sha256:138c363411decc9a61a5af9b95e8d64c76648b00add0ba06fc7ba786f0e72731"
+    },
+    "ghcr.io/github/gh-aw-firewall/api-proxy:0.25.55": {
+      "image": "ghcr.io/github/gh-aw-firewall/api-proxy:0.25.55",
+      "digest": "sha256:4142b873b678cd3279b98dcbe464857d56ea2f2348719b00379cdf35dd843ff3",
+      "pinned_image": "ghcr.io/github/gh-aw-firewall/api-proxy:0.25.55@sha256:4142b873b678cd3279b98dcbe464857d56ea2f2348719b00379cdf35dd843ff3"
+    },
+    "ghcr.io/github/gh-aw-firewall/squid:0.25.55": {
+      "image": "ghcr.io/github/gh-aw-firewall/squid:0.25.55",
+      "digest": "sha256:74084b704d8d3664a363655986664d70bd9cdb4830532d0b35cd784d867aabca",
+      "pinned_image": "ghcr.io/github/gh-aw-firewall/squid:0.25.55@sha256:74084b704d8d3664a363655986664d70bd9cdb4830532d0b35cd784d867aabca"
+    },
+    "ghcr.io/github/gh-aw-mcpg:v0.3.19": {
+      "image": "ghcr.io/github/gh-aw-mcpg:v0.3.19",
+      "digest": "sha256:a6c890d7c24d7190c9ef97b9c954cc4cffaae6b01c371ced1f959f1370b1f68f",
+      "pinned_image": "ghcr.io/github/gh-aw-mcpg:v0.3.19@sha256:a6c890d7c24d7190c9ef97b9c954cc4cffaae6b01c371ced1f959f1370b1f68f"
+    }
+  }
+}

.github/workflows/build.yml

@@ -0,0 +1,562 @@
+# WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
+
+name: main # For consistency with bridged providers.
+on:
+  push:
+    branches:
+    - master
+    - main
+    - feature-**
+    paths-ignore:
+    - CHANGELOG.md
+    tags-ignore:
+    - v*
+    - sdk/*
+    - "**"
+  workflow_dispatch: {}
+env:
+  PROVIDER: docker-build
+  TRAVIS_OS_NAME: linux
+  GOVERSION: "1.21.x"
+  NODEVERSION: "20.x"
+  PYTHONVERSION: "3.11.8"
+  DOTNETVERSION: "8.0.x"
+  JAVAVERSION: "11"
+  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
+  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
+  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
+  GOOGLE_PROJECT: pulumi-ci-gcp-provider
+  GOOGLE_PROJECT_NUMBER: "895284651812"
+  GOOGLE_REGION: us-central1
+  GOOGLE_ZONE: us-central1-a
+  PULUMI_API: https://api.pulumi-staging.io
+  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
+  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  TF_APPEND_USER_AGENT: pulumi
+
+jobs:
+  prerequisites:
+    runs-on: ubuntu-latest
+    name: prerequisites
+    permissions:
+      id-token: write # For ESC secrets.
+      pull-requests: write # For schema check comment.
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
+    - id: version
+      name: Set Provider Version
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      with:
+        set-env: PROVIDER_VERSION
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
+      with:
+        cache: 'true'
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+    - if: github.event_name == 'pull_request'
+      name: Install Schema Tools
+      uses: jaxxstorm/action-install-gh-release@25e24d2d23ae098373794ef1d6faecb48ee52da8 # v3.0.0
+      with:
+        repo: pulumi/schema-tools
+    - name: Build codegen binaries
+      run: make codegen
+    - name: Build Schema
+      run: make generate_schema
+    - if: github.event_name == 'pull_request'
+      name: Check Schema is Valid
+      run: >-
+        {
+          echo 'SCHEMA_CHANGES<<EOF';
+
+          schema-tools compare -p ${{ env.PROVIDER }} -o ${{ github.event.repository.default_branch }} -n --local-path=provider/cmd/pulumi-resource-${{ env.PROVIDER }}/schema.json;
+
+          echo 'EOF';
+        } >> "$GITHUB_ENV"
+      env:
+        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
+    - if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
+      name: Comment on PR with Details of Schema Check
+      uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
+      with:
+        message: |
+          ${{ env.SCHEMA_CHANGES }}
+        comment-tag: schemaCheck
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+    - if: contains(env.SCHEMA_CHANGES, 'Looking good! No breaking changes found.') &&
+        github.actor == 'pulumi-bot'
+      name: Add label if no breaking changes
+      uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1.1.3
+      with:
+        labels: impact/no-changelog-required
+        number: ${{ github.event.issue.number }}
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+    - name: Build Provider
+      run: make provider
+    - name: Check worktree clean
+      id: worktreeClean
+      uses: pulumi/git-status-check-action@54000b91124a8dd9fd6a872cb41f5dd246a46e7c # v1.1.1
+      with:
+        allowed-changes: |-
+          sdk/**/pulumi-plugin.json
+          sdk/dotnet/*.*.csproj
+          sdk/dotnet/version.txt
+          sdk/go/**/pulumiUtilities.go
+          sdk/nodejs/package.json
+          sdk/python/pyproject.toml
+          sdk/java/build.gradle
+    - run: git status --porcelain
+    - name: Tar provider binaries
+      run: tar -zcf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
+        github.workspace}}/bin/ pulumi-resource-${{ env.PROVIDER }}
+        pulumi-gen-${{ env.PROVIDER}}
+    - name: Upload artifacts
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      with:
+        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
+        path: ${{ github.workspace }}/bin/provider.tar.gz
+    - name: Test Provider Library
+      run: make test_provider
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Upload coverage reports to Codecov
+      uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
+      env:
+        CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
+    - if: failure() && github.event_name == 'push'
+      name: Notify Slack
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      with:
+        author_name: Failure in building provider prerequisites
+        fields: repo,commit,author,action
+        status: ${{ job.status }}
+      env:
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
+  build_sdks:
+    needs: prerequisites
+    runs-on: pulumi-ubuntu-8core
+    strategy:
+      fail-fast: ${{ ! contains(github.actor, 'renovate') }}
+      matrix:
+        language:
+        - nodejs
+        - python
+        - dotnet
+        - go
+        - java
+    name: build_sdks
+    permissions:
+      pull-requests: write # For Renovate SDK updates.
+      id-token: write # For ESC secrets.
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
+    - id: version
+      name: Set Provider Version
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      with:
+        set-env: PROVIDER_VERSION
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
+      with:
+        github_token: ${{ steps.app-auth.outputs.token }}
+    - name: Download Provider Binary
+      uses: ./.github/actions/download-provider
+    - name: Generate SDK
+      run: make generate_${{ matrix.language }}
+    - name: Build SDK
+      run: make build_${{ matrix.language }}
+    - name: Check worktree clean
+      id: worktreeClean
+      uses: pulumi/git-status-check-action@54000b91124a8dd9fd6a872cb41f5dd246a46e7c # v1.1.1
+      with:
+        allowed-changes: |-
+          sdk/**/pulumi-plugin.json
+          sdk/dotnet/*.*.csproj
+          sdk/dotnet/version.txt
+          sdk/go/**/pulumiUtilities.go
+          sdk/nodejs/package.json
+          sdk/python/pyproject.toml
+          sdk/java/build.gradle
+    - run: git status --porcelain
+    - name: Tar SDK folder
+      run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} .
+    - name: Upload artifacts
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      with:
+        name: ${{ matrix.language  }}-sdk.tar.gz
+        path: ${{ github.workspace}}/sdk/${{ matrix.language }}.tar.gz
+        retention-days: 30
+    - if: failure() && github.event_name == 'push'
+      name: Notify Slack
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      with:
+        author_name: Failure while building SDKs
+        fields: repo,commit,author,action
+        status: ${{ job.status }}
+      env:
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
+
+  tag_release_if_labeled_needs_release:
+    name: Tag release if labeled as needs-release
+    needs: publish
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets.
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - name: check if this commit needs release
+      if: ${{ env.RELEASE_BOT_ENDPOINT != '' }}
+      uses: pulumi/action-release-by-pr-label@main
+      with:
+        command: "release-if-needed"
+        repo: ${{ github.repository }}
+        commit: ${{ github.sha }}
+        slack_channel: C02MGR8JVST
+      env:
+        RELEASE_BOT_ENDPOINT: ${{ steps.esc-secrets.outputs.RELEASE_BOT_ENDPOINT }}
+        RELEASE_BOT_KEY: ${{ steps.esc-secrets.outputs.RELEASE_BOT_KEY }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+  test:
+    runs-on: pulumi-ubuntu-8core
+    needs:
+    - build_sdks
+    strategy:
+      fail-fast: true
+      matrix:
+        language:
+        - nodejs
+        - python
+        - dotnet
+        - go
+        - java
+        - yaml
+    name: test
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets and Pulumi access token OIDC.
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
+    - id: version
+      name: Set Provider Version
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      with:
+        set-env: PROVIDER_VERSION
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
+      with:
+        github_token: ${{ steps.app-auth.outputs.token }}
+    - name: Download Provider Binary
+      uses: ./.github/actions/download-provider
+    - name: Download SDK
+      if: ${{ matrix.language != 'yaml' }}
+      uses: ./.github/actions/download-sdk
+      with:
+        language: ${{ matrix.language }}
+    - name: Update path
+      run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
+    - name: Install Node dependencies
+      run: yarn global add typescript
+    - run: dotnet nuget add source ${{ github.workspace }}/nuget
+    - name: Install Python deps
+      run: |-
+        pip3 install virtualenv==20.0.23
+        pip3 install pipenv
+    - name: Install dependencies
+      if: ${{ matrix.language != 'yaml' }}
+      run: make install_${{ matrix.language}}_sdk
+    - name: Generate Pulumi Access Token
+      id: generate_pulumi_token
+      uses: pulumi/auth-actions@1c89817aab0c66407723cdef72b05266e7376640 # v1.0.1
+      with:
+        organization: pulumi
+        requested-token-type: urn:pulumi:token-type:access_token:organization
+        export-environment-variables: false
+    - name: Export AWS Credentials
+      uses: pulumi/esc-action@f3cfbabf37488463817366338165b92b5f99117e
+      env:
+        PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
+      with:
+        environment: logins/pulumi-ci
+    - name: Authenticate to Google Cloud
+      uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
+      with:
+        workload_identity_provider: projects/${{ env.GOOGLE_PROJECT_NUMBER
+          }}/locations/global/workloadIdentityPools/${{
+          env.GOOGLE_CI_WORKLOAD_IDENTITY_POOL }}/providers/${{
+          env.GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER }}
+        service_account: ${{ env.GOOGLE_CI_SERVICE_ACCOUNT_EMAIL }}
+    - name: Setup gcloud auth
+      uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
+      with:
+        install_components: gke-gcloud-auth-plugin
+    - name: Install gotestfmt
+      uses: GoTestTools/gotestfmt-action@v2
+      with:
+        version: v2.5.0
+        token: ${{ secrets.GITHUB_TOKEN }}
+    - name: Run tests
+      run: >-
+        set -euo pipefail
+
+        cd examples && go test -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 .
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - if: failure() && github.event_name == 'push'
+      name: Notify Slack
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      with:
+        author_name: Failure in SDK tests
+        fields: repo,commit,author,action
+        status: ${{ job.status }}
+      env:
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
+  publish:
+    runs-on: ubuntu-latest
+    needs: test
+    name: publish
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets.
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
+    - id: version
+      name: Set Provider Version
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      with:
+        set-env: PROVIDER_VERSION
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
+      with:
+        github_token: ${{ steps.app-auth.outputs.token }}
+    - name: Clear GitHub Actions Ubuntu runner disk space
+      uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
+      with:
+        tool-cache: false
+        dotnet: false
+        android: true
+        haskell: true
+        swap-storage: true
+        large-packages: false
+    - name: Configure AWS Credentials
+      uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
+      with:
+        aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }}
+        aws-region: us-east-2
+        aws-secret-access-key: ${{ steps.esc-secrets.outputs.AWS_SECRET_ACCESS_KEY }}
+        role-duration-seconds: 7200
+        role-session-name: ${{ env.PROVIDER }}@githubActions
+        role-external-id: upload-pulumi-release
+        role-to-assume: ${{ steps.esc-secrets.outputs.AWS_UPLOAD_ROLE_ARN }}
+    - name: Run GoReleaser
+      uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
+      env:
+        GORELEASER_CURRENT_TAG: v${{ steps.version.outputs.version }}
+        AZURE_SIGNING_CLIENT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID }}
+        AZURE_SIGNING_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET }}
+        AZURE_SIGNING_TENANT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID }}
+        AZURE_SIGNING_ACCOUNT_ENDPOINT: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_ENDPOINT }}
+        AZURE_SIGNING_ACCOUNT_NAME: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_NAME }}
+        AZURE_SIGNING_CERT_PROFILE_NAME: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CERT_PROFILE_NAME }}
+        SKIP_SIGNING: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET == '' && steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_ENDPOINT == '' && steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_NAME == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CERT_PROFILE_NAME == '' }}
+        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
+      with:
+        args: -p 3 -f .goreleaser.prerelease.yml --clean --skip=validate --timeout 60m0s
+        version: latest
+    - if: failure() && github.event_name == 'push'
+      name: Notify Slack
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      with:
+        author_name: Failure in publishing binaries
+        fields: repo,commit,author,action
+        status: ${{ job.status }}
+      env:
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
+  publish_sdk:
+    runs-on: ubuntu-latest
+    needs: publish
+    name: publish_sdk
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets.
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
+    - id: version
+      name: Set Provider Version
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      with:
+        set-env: PROVIDER_VERSION
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Checkout Scripts Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        path: ci-scripts
+        repository: pulumi/scripts
+    - run: echo "ci-scripts" >> .git/info/exclude
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
+      with:
+        github_token: ${{ steps.app-auth.outputs.token }}
+    - name: Download python SDK
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      with:
+        name: python-sdk.tar.gz
+        path: ${{ github.workspace}}/sdk/
+    - name: Uncompress python SDK
+      run: tar -zxf ${{github.workspace}}/sdk/python.tar.gz -C
+        ${{github.workspace}}/sdk/python
+    - name: Download dotnet SDK
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      with:
+        name: dotnet-sdk.tar.gz
+        path: ${{ github.workspace}}/sdk/
+    - name: Uncompress dotnet SDK
+      run: tar -zxf ${{github.workspace}}/sdk/dotnet.tar.gz -C
+        ${{github.workspace}}/sdk/dotnet
+    - name: Download nodejs SDK
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      with:
+        name: nodejs-sdk.tar.gz
+        path: ${{ github.workspace}}/sdk/
+    - name: Uncompress nodejs SDK
+      run: tar -zxf ${{github.workspace}}/sdk/nodejs.tar.gz -C
+        ${{github.workspace}}/sdk/nodejs
+    - name: Install Twine
+      run: python -m pip install twine==5.0.0
+    - name: Publish SDKs
+      run: ./ci-scripts/ci/publish-tfgen-package ${{ github.workspace }}
+      env:
+        NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }}
+        NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }}
+        PYPI_PUBLISH_ARTIFACTS: all
+        PYPI_USERNAME: __token__
+        PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }}
+        SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }}
+        SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }}
+        SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }}
+        PUBLISH_REPO_USERNAME: ${{ steps.esc-secrets.outputs.OSSRH_USERNAME }}
+        PUBLISH_REPO_PASSWORD: ${{ steps.esc-secrets.outputs.OSSRH_PASSWORD }}
+    - if: failure() && github.event_name == 'push'
+      name: Notify Slack
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      with:
+        author_name: Failure in publishing SDK
+        fields: repo,commit,author,action
+        status: ${{ job.status }}
+      env:
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
+  lint:
+    name: lint
+    uses: ./.github/workflows/lint.yml
+    secrets: inherit

.github/workflows/claude.yml

@@ -0,0 +1,139 @@
+name: Claude Code
+
+on:
+  # Responds to @claude mentions in comments.
+  issue_comment:
+    types: [created]
+  pull_request_review_comment:
+    types: [created]
+  issues:
+    types: [opened]
+  pull_request_review:
+    types: [submitted]
+
+jobs:
+  claude:
+    # Only run when @claude is mentioned by a trusted user (OWNER, MEMBER, or COLLABORATOR)
+    # Note: the claude-code-action can only be triggered by users with write access to the repository so this is extra
+    # see https://github.com/anthropics/claude-code-action/blob/main/docs/security.md
+    if: |
+      (github.event_name == 'issue_comment' &&
+        contains(github.event.comment.body, '@claude') &&
+        contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)) ||
+      (github.event_name == 'pull_request_review_comment' &&
+        contains(github.event.comment.body, '@claude') &&
+        contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)) ||
+      (github.event_name == 'pull_request_review' &&
+        contains(github.event.review.body, '@claude') &&
+        contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.review.author_association)) ||
+      (github.event_name == 'issues' &&
+        (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) &&
+        contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.issue.author_association))
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+      issues: write
+      id-token: write
+      actions: read
+    steps:
+      - env:
+          ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+          ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+          ESC_ACTION_OIDC_AUTH: "true"
+          ESC_ACTION_OIDC_ORGANIZATION: pulumi
+          ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+        id: esc-secrets
+        name: Fetch secrets from ESC
+        uses: pulumi/esc-action@f3cfbabf37488463817366338165b92b5f99117e
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          fetch-depth: 0
+      - name: Checkout PR head (if applicable)
+        if: ${{ github.event.pull_request.number || (github.event.issue.pull_request && github.event.issue.number) }}
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
+        run: gh pr checkout "$PR_NUMBER"
+      - name: Setup mise
+        uses: jdx/mise-action@8d3b0ba20a9cea7b883d922ea958553c941ab082
+        env:
+          MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
+        with:
+          version: 2026.3.7
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          # only saving the cache in the prerequisites job
+          cache_save: false
+      - name: Set git identity
+        run: |-
+          git config --global user.name "claude[bot]"
+          git config --global user.email "bot@pulumi.com"
+        shell: bash
+      - name: Prepare local workspace
+        # this runs install_plugins and upstream
+        run: make prepare_local_workspace
+      - name: Run Claude Code Review
+        # Comment must contain '@claude review'
+        if: |
+          (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude review')) ||
+          (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude review')) ||
+          (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude review'))
+        id: claude-review
+        uses: anthropics/claude-code-action@787c5a0ce96a9a6cfb050ea0c8f4c05f2447c251 # v1
+        with:
+          anthropic_api_key: ${{ steps.esc-secrets.outputs.ANTHROPIC_API_KEY }}
+          prompt: |
+            REPO: ${{ github.repository }}
+            PR NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
+
+            Review this pull request using the provider-code-review skill for guidelines.
+            The PR branch is already checked out in the current working directory.
+
+            Use `gh pr comment` for top-level feedback.
+            Use `mcp__github_inline_comment__create_inline_comment` to highlight specific code issues.
+            Only post GitHub comments - don't submit review text as messages.
+          # Taken from https://github.com/anthropics/claude-code/blob/main/plugins/code-review/commands/code-review.md
+          claude_args: |
+            --allowedTools "Skill,Bash(gh issue view *),Bash(gh search *),Bash(gh issue list *),Bash(gh pr comment *),Bash(gh pr diff *),Bash(gh pr view *),Bash(gh pr list *),mcp__github_inline_comment__create_inline_comment"
+      - name: Run Claude Code
+        # Comment must contain '@claude', but not '@claude review'
+        if: |
+          !contains(github.event.comment.body, '@claude review') &&
+          !contains(github.event.review.body, '@claude review')
+        id: claude-action
+        uses: anthropics/claude-code-action@787c5a0ce96a9a6cfb050ea0c8f4c05f2447c251 # v1
+        with:
+          anthropic_api_key: ${{ steps.esc-secrets.outputs.ANTHROPIC_API_KEY }}
+          # This allows claude to read github action logs
+          additional_permissions: |
+            actions: read
+          # Sandbox settings: --allowedTools controls which tools Claude can invoke,
+          # but the sandbox also enforces OS-level filesystem restrictions. Edit()
+          # rules in permissions.allow control all bash filesystem writes (mkdir,
+          # output redirection, etc.), not just the Edit tool. Without these, commands
+          # like `mkdir .pulumi` or `cmd > file.txt` would be blocked by the sandbox.
+          settings: |
+            {
+              "permissions": {
+                "allow": ["Edit(./**)", "Edit(/tmp/**)"]
+              }
+            }
+          claude_args: |
+            --max-turns 50
+            --allowedTools "Skill,Edit,MultiEdit,Write,Read,Glob,Grep,LS,Bash(upgrade-provider *),Bash(./scripts/upstream.sh *),Bash(git *),Bash(GIT_EDITOR=* git *),Bash(make *),Bash(gh *),Bash(mkdir *),Bash(go mod tidy *),Bash(ls *),Bash(test *),Bash(cat *),Bash(pwd),Bash(head *),Bash(tail *),Bash(tee *),Bash(rg *),Bash(grep *),Bash(sed *),Bash(awk *),Bash(find *)"
+        # If the claude action fails you don't get any logs on what claude was doing
+        # Uploading the artifact allows you to download the artifact from the UI
+      - name: Upload Claude review output on failure
+        if: failure() && steps.claude-review.outputs.execution_file
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        with:
+          name: claude-review-execution-log
+          path: ${{ steps.claude-review.outputs.execution_file }}
+          retention-days: 7
+      - name: Upload Claude output on failure
+        if: failure() && steps.claude-action.outputs.execution_file
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
+        with:
+          name: claude-execution-log
+          path: ${{ steps.claude-action.outputs.execution_file }}
+          retention-days: 7

.github/workflows/command-dispatch.yml

@@ -0,0 +1,53 @@
+# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
+
+env:
+  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
+  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
+  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
+  GOOGLE_PROJECT: pulumi-ci-gcp-provider
+  GOOGLE_PROJECT_NUMBER: "895284651812"
+  GOOGLE_REGION: us-central1
+  GOOGLE_ZONE: us-central1-a
+  PULUMI_API: https://api.pulumi-staging.io
+  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
+  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
+  TF_APPEND_USER_AGENT: pulumi
+
+jobs:
+  command-dispatch-for-testing:
+    name: command-dispatch-for-testing
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets.
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: peter-evans/slash-command-dispatch@5c11dc7efead556e3bdabf664302212f79eb26fa # v5
+      with:
+        commands: |
+          run-acceptance-tests
+          release
+        issue-type: pull-request
+        permission: write
+        reaction-token: ${{ secrets.GITHUB_TOKEN }}
+        repository: pulumi/pulumi-docker-build
+        token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
+name: command-dispatch
+on:
+  issue_comment:
+    types:
+    - created
+    - edited

.github/workflows/comment-on-stale-issues.yml

@@ -0,0 +1,44 @@
+# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
+name: "Comment on stale issues"
+
+on:
+  workflow_dispatch: {}
+  schedule:
+  - cron: "46 4 * * *" # run once per day
+
+jobs:
+  cleanup:
+    runs-on: ubuntu-latest
+    name: Stale issue job
+    steps:
+    - uses: pose/stale-issue-cleanup@d2922f61fc5669f4154408689f9bb2a981996112
+      with:
+        issue-types: issues # only look at issues (ignore pull-requests)
+
+        # Setting messages to an empty string causes the automation to skip that category
+        ancient-issue-message: "Unfortunately, it looks like this issue hasn't seen any updates in a while. If you're still experiencing this issue, could you leave a quick comment to let us know so we can prioritize it?"
+        ancient-pr-message: ""
+        stale-issue-message: ""
+        stale-pr-message: ""
+
+        # These labels are required
+        stale-issue-label: awaiting-feedback # somewhat confusingly, this is also used for when labeling "ancient" issues
+        exempt-issue-labels: kind/enhancement,kind/task,kind/epic,kind/engineering, awaiting-upstream # only run on kind/bug for now, ignore awaiting-upstream too.
+        stale-pr-label: no-pr-activity # unused because we aren't processing PRs
+        exempt-pr-labels: awaiting-approval # unused because we aren't processing PRs
+        response-requested-label: response-requested # unused because we don't set a "stale-issue-message" above
+
+        # Issue timing
+        days-before-close: 10000 # this action lacks the option not to close, so just set this indefinitly far in the future
+        days-before-ancient: 180 # 6 months
+
+        # If you don't want to mark a issue as being ancient based on a
+        # threshold of "upvotes", you can set this here. An "upvote" is
+        # the total number of +1, heart, hooray, and rocket reactions
+        # on an issue.
+        minimum-upvotes-to-exempt: 2
+
+        repo-token: ${{ secrets.GITHUB_TOKEN }}
+        loglevel: DEBUG
+        # Set dry-run to true to not perform label or close actions.
+        dry-run: true

.github/workflows/community-moderation.yml

@@ -0,0 +1,43 @@
+# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
+
+jobs:
+  warn_codegen:
+    name: warn_codegen
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false
+    - id: schema_changed
+      name: Check for diff in schema
+      uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
+      with:
+        filters: "changed: 'provider/cmd/**/schema.json'"
+    - id: sdk_changed
+      if: steps.schema_changed.outputs.changed == 'false'
+      name: Check for diff in sdk/**
+      uses: dorny/paths-filter@fbd0ab8f3e69293af611ebaee6363fc25e6d187d # v4.0.1
+      with:
+        filters: "changed: 'sdk/**'"
+    - if: steps.sdk_changed.outputs.changed == 'true' &&
+        github.event.pull_request.head.repo.full_name != github.repository
+      name: Send codegen warning as comment on PR
+      uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
+      with:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        message: >
+          Hello and thank you for your pull request! :heart: :sparkles:
+
+          It looks like you're directly modifying files in the language SDKs, many of which are autogenerated.
+
+          Be sure any files you're editing do not begin with a code generation warning.
+
+          For generated files, you will need to make changes in `resources.go` instead, and [generate the code](https://github.com/pulumi/${{ github.event.repository.name }}/blob/master/CONTRIBUTING.md#committing-generated-code).
+name: warn-codegen
+on:
+  pull_request_target:
+    branches:
+    - main
+    types:
+    - opened

.github/workflows/export-repo-secrets.yml

@@ -0,0 +1,25 @@
+permissions: write-all # Equivalent to default permissions plus id-token: write
+name: Export secrets to ESC
+on: [workflow_dispatch]
+jobs:
+  export-to-esc:
+    runs-on: ubuntu-latest
+    name: export GitHub secrets to ESC
+    steps:
+      - name: Generate a GitHub token
+        id: generate-token
+        uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3
+        with:
+          app-id: 1256780 # Export Secrets GitHub App
+          private-key: ${{ secrets.EXPORT_SECRETS_PRIVATE_KEY }}
+      - name: Export secrets to ESC
+        uses: pulumi/esc-export-secrets-action@9d6485759b6adff2538ae91f1b77cc96265c9dad # v1
+        with:
+          organization: pulumi
+          org-environment: imports/github-secrets
+          exclude-secrets: EXPORT_SECRETS_PRIVATE_KEY
+          github-token: ${{ steps.generate-token.outputs.token }}
+          oidc-auth: true
+          oidc-requested-token-type: urn:pulumi:token-type:access_token:organization
+        env:
+          GITHUB_SECRETS: ${{ toJSON(secrets) }}

.github/workflows/gh-aw-pr-rereview.md

@@ -0,0 +1,20 @@
+---
+on:
+  slash_command:
+    events:
+    - pull_request_comment
+    - pull_request_review_comment
+    name: review-again
+permissions:
+  contents: read
+  id-token: write
+  pull-requests: read
+imports:
+- shared/review.md
+- shared/plugins/code-review/code-review.md
+description: Run PR re-review on explicit maintainer slash command.
+source: pulumi-labs/gh-aw-internal/.github/workflows/gh-aw-pr-rereview.md@8a92f53fac170563f7727cacab2dbedb5d5b9e29
+strict: true
+timeout-minutes: 15
+---
+# Internal PR Re-Review (Slash Command)

.github/workflows/gh-aw-pr-review.md

@@ -0,0 +1,25 @@
+---
+on:
+  pull_request:
+    types:
+    - opened
+    - ready_for_review
+  workflow_dispatch:
+    inputs:
+      pr_number:
+        description: Pull request number to review
+        required: true
+        type: string
+permissions:
+  contents: read
+  id-token: write
+  pull-requests: read
+imports:
+- shared/review.md
+- shared/plugins/code-review/code-review.md
+description: Automated PR review for trusted internal contributors.
+source: pulumi-labs/gh-aw-internal/.github/workflows/gh-aw-pr-review.md@8a92f53fac170563f7727cacab2dbedb5d5b9e29
+strict: true
+timeout-minutes: 15
+---
+# Internal Trusted PR Reviewer

.github/workflows/lint.yml

@@ -0,0 +1,66 @@
+# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
+
+name: lint
+
+on:
+  workflow_call:
+    inputs: {}
+
+env:
+  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
+  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
+  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
+  GOOGLE_PROJECT: pulumi-ci-gcp-provider
+  GOOGLE_PROJECT_NUMBER: "895284651812"
+  GOOGLE_REGION: us-central1
+  GOOGLE_ZONE: us-central1-a
+  PULUMI_API: https://api.pulumi-staging.io
+  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
+  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
+  TF_APPEND_USER_AGENT: pulumi
+
+jobs:
+  lint:
+    name: lint
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      id-token: write # For ESC secrets.
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
+    - name: Setup mise
+      uses: jdx/mise-action@8d3b0ba20a9cea7b883d922ea958553c941ab082
+      env:
+        MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
+      with:
+        version: 2026.3.7
+        github_token: ${{ steps.app-auth.outputs.token }}
+        cache_save: false # A different job handles caching our tools.
+    - name: prepare workspace
+      continue-on-error: true
+      run: make prepare_local_workspace
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: lint
+      run: make lint

.github/workflows/prerelease.yml

@@ -0,0 +1,603 @@
+# WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
+
+name: prerelease
+on:
+  push:
+    tags:
+    - v*.*.*-**
+env:
+  PROVIDER: docker-build
+  TRAVIS_OS_NAME: linux
+  GOVERSION: "1.21.x"
+  NODEVERSION: "20.x"
+  PYTHONVERSION: "3.11.8"
+  DOTNETVERSION: "8.0.x"
+  JAVAVERSION: "11"
+  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
+  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
+  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
+  GOOGLE_PROJECT: pulumi-ci-gcp-provider
+  GOOGLE_PROJECT_NUMBER: "895284651812"
+  GOOGLE_REGION: us-central1
+  GOOGLE_ZONE: us-central1-a
+  PULUMI_API: https://api.pulumi-staging.io
+  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
+  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  TF_APPEND_USER_AGENT: pulumi
+  IS_PRERELEASE: true
+
+jobs:
+  prerequisites:
+    runs-on: ubuntu-latest
+    name: prerequisites
+    permissions:
+      id-token: write # For ESC secrets.
+      pull-requests: write # For schema check comment.
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
+    - id: version
+      name: Set Provider Version
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      with:
+        set-env: PROVIDER_VERSION
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
+      with:
+        cache: 'true'
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+    - if: github.event_name == 'pull_request'
+      name: Install Schema Tools
+      uses: jaxxstorm/action-install-gh-release@25e24d2d23ae098373794ef1d6faecb48ee52da8 # v3.0.0
+      with:
+        repo: pulumi/schema-tools
+    - name: Build codegen binaries
+      run: make codegen
+    - name: Build Schema
+      run: make generate_schema
+    - if: github.event_name == 'pull_request'
+      name: Check Schema is Valid
+      run: >-
+        {
+          echo 'SCHEMA_CHANGES<<EOF';
+
+          schema-tools compare -p ${{ env.PROVIDER }} -o ${{ github.event.repository.default_branch }} -n --local-path=provider/cmd/pulumi-resource-${{ env.PROVIDER }}/schema.json;
+
+          echo 'EOF';
+        } >> "$GITHUB_ENV"
+      env:
+        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
+    - if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
+      name: Comment on PR with Details of Schema Check
+      uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
+      with:
+        message: |
+          ${{ env.SCHEMA_CHANGES }}
+        comment-tag: schemaCheck
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+    - if: contains(env.SCHEMA_CHANGES, 'Looking good! No breaking changes found.') &&
+        github.actor == 'pulumi-bot'
+      name: Add label if no breaking changes
+      uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1.1.3
+      with:
+        labels: impact/no-changelog-required
+        number: ${{ github.event.issue.number }}
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+    - name: Build Provider
+      run: make provider
+    - name: Check worktree clean
+      id: worktreeClean
+      uses: pulumi/git-status-check-action@54000b91124a8dd9fd6a872cb41f5dd246a46e7c # v1.1.1
+      with:
+        allowed-changes: |-
+          sdk/**/pulumi-plugin.json
+          sdk/dotnet/*.*.csproj
+          sdk/dotnet/version.txt
+          sdk/go/**/pulumiUtilities.go
+          sdk/nodejs/package.json
+          sdk/python/pyproject.toml
+          sdk/java/build.gradle
+    - run: git status --porcelain
+    - name: Tar provider binaries
+      run: tar -zcf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
+        github.workspace}}/bin/ pulumi-resource-${{ env.PROVIDER }}
+        pulumi-gen-${{ env.PROVIDER}}
+    - name: Upload artifacts
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      with:
+        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
+        path: ${{ github.workspace }}/bin/provider.tar.gz
+    - name: Test Provider Library
+      run: make test_provider
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Upload coverage reports to Codecov
+      uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
+      env:
+        CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
+    - if: failure() && github.event_name == 'push'
+      name: Notify Slack
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      with:
+        author_name: Failure in building provider prerequisites
+        fields: repo,commit,author,action
+        status: ${{ job.status }}
+      env:
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
+  build_sdks:
+    needs: prerequisites
+    runs-on: pulumi-ubuntu-8core
+    strategy:
+      fail-fast: ${{ ! contains(github.actor, 'renovate') }}
+      matrix:
+        language:
+        - nodejs
+        - python
+        - dotnet
+        - go
+        - java
+    name: build_sdks
+    permissions:
+      pull-requests: write # For Renovate SDK updates.
+      id-token: write # For ESC secrets.
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
+    - id: version
+      name: Set Provider Version
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      with:
+        set-env: PROVIDER_VERSION
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
+      with:
+        github_token: ${{ steps.app-auth.outputs.token }}
+    - name: Download Provider Binary
+      uses: ./.github/actions/download-provider
+    - name: Generate SDK
+      run: make generate_${{ matrix.language }}
+    - name: Build SDK
+      run: make build_${{ matrix.language }}
+    - name: Check worktree clean
+      id: worktreeClean
+      uses: pulumi/git-status-check-action@54000b91124a8dd9fd6a872cb41f5dd246a46e7c # v1.1.1
+      with:
+        allowed-changes: |-
+          sdk/**/pulumi-plugin.json
+          sdk/dotnet/*.*.csproj
+          sdk/dotnet/version.txt
+          sdk/go/**/pulumiUtilities.go
+          sdk/nodejs/package.json
+          sdk/python/pyproject.toml
+          sdk/java/build.gradle
+    - run: git status --porcelain
+    - name: Tar SDK folder
+      run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} .
+    - name: Upload artifacts
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      with:
+        name: ${{ matrix.language  }}-sdk.tar.gz
+        path: ${{ github.workspace}}/sdk/${{ matrix.language }}.tar.gz
+    - if: failure() && github.event_name == 'push'
+      name: Notify Slack
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      with:
+        author_name: Failure while building SDKs
+        fields: repo,commit,author,action
+        status: ${{ job.status }}
+      env:
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
+  test:
+    runs-on: pulumi-ubuntu-8core
+    needs:
+    - build_sdks
+    strategy:
+      fail-fast: true
+      matrix:
+        language:
+        - nodejs
+        - python
+        - dotnet
+        - go
+        - java
+        - yaml
+    name: test
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets and Pulumi access token OIDC.
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
+    - id: version
+      name: Set Provider Version
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      with:
+        set-env: PROVIDER_VERSION
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
+      with:
+        github_token: ${{ steps.app-auth.outputs.token }}
+    - name: Download Provider Binary
+      uses: ./.github/actions/download-provider
+    - name: Download SDK
+      if: ${{ matrix.language != 'yaml' }}
+      uses: ./.github/actions/download-sdk
+      with:
+        language: ${{ matrix.language }}
+    - name: Update path
+      run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
+    - name: Install Node dependencies
+      run: yarn global add typescript
+    - run: dotnet nuget add source ${{ github.workspace }}/nuget
+    - name: Install Python deps
+      run: |-
+        pip3 install virtualenv==20.0.23
+        pip3 install pipenv
+    - name: Install dependencies
+      if: ${{ matrix.language != 'yaml' }}
+      run: make install_${{ matrix.language}}_sdk
+    - name: Generate Pulumi Access Token
+      id: generate_pulumi_token
+      uses: pulumi/auth-actions@1c89817aab0c66407723cdef72b05266e7376640 # v1.0.1
+      with:
+        organization: pulumi
+        requested-token-type: urn:pulumi:token-type:access_token:organization
+        export-environment-variables: false
+    - name: Export AWS Credentials
+      uses: pulumi/esc-action@f3cfbabf37488463817366338165b92b5f99117e
+      env:
+        PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
+      with:
+        environment: logins/pulumi-ci
+    - name: Authenticate to Google Cloud
+      uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
+      with:
+        workload_identity_provider: projects/${{ env.GOOGLE_PROJECT_NUMBER
+          }}/locations/global/workloadIdentityPools/${{
+          env.GOOGLE_CI_WORKLOAD_IDENTITY_POOL }}/providers/${{
+          env.GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER }}
+        service_account: ${{ env.GOOGLE_CI_SERVICE_ACCOUNT_EMAIL }}
+    - name: Setup gcloud auth
+      uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
+      with:
+        install_components: gke-gcloud-auth-plugin
+    - name: Install gotestfmt
+      uses: GoTestTools/gotestfmt-action@v2
+      with:
+        version: v2.5.0
+        token: ${{ secrets.GITHUB_TOKEN }}
+    - name: Run tests
+      run: >-
+        set -euo pipefail
+
+        cd examples && go test -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 .
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - if: failure() && github.event_name == 'push'
+      name: Notify Slack
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      with:
+        author_name: Failure in SDK tests
+        fields: repo,commit,author,action
+        status: ${{ job.status }}
+      env:
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
+  publish:
+    runs-on: ubuntu-latest
+    needs: test
+    name: publish
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets.
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
+    - id: version
+      name: Set Provider Version
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      with:
+        set-env: PROVIDER_VERSION
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
+      with:
+        github_token: ${{ steps.app-auth.outputs.token }}
+    - name: Clear GitHub Actions Ubuntu runner disk space
+      uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
+      with:
+        tool-cache: false
+        dotnet: false
+        android: true
+        haskell: true
+        swap-storage: true
+        large-packages: false
+    - name: Configure AWS Credentials
+      uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
+      with:
+        aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }}
+        aws-region: us-east-2
+        aws-secret-access-key: ${{ steps.esc-secrets.outputs.AWS_SECRET_ACCESS_KEY }}
+        role-duration-seconds: 7200
+        role-session-name: ${{ env.PROVIDER }}@githubActions
+        role-external-id: upload-pulumi-release
+        role-to-assume: ${{ steps.esc-secrets.outputs.AWS_UPLOAD_ROLE_ARN }}
+    - name: Run GoReleaser
+      uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
+      env:
+        GORELEASER_CURRENT_TAG: v${{ steps.version.outputs.version }}
+        AZURE_SIGNING_CLIENT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID }}
+        AZURE_SIGNING_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET }}
+        AZURE_SIGNING_TENANT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID }}
+        AZURE_SIGNING_ACCOUNT_ENDPOINT: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_ENDPOINT }}
+        AZURE_SIGNING_ACCOUNT_NAME: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_NAME }}
+        AZURE_SIGNING_CERT_PROFILE_NAME: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CERT_PROFILE_NAME }}
+        SKIP_SIGNING: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET == '' && steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_ENDPOINT == '' && steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_NAME == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CERT_PROFILE_NAME == '' }}
+        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
+      with:
+        args: -p 3 -f .goreleaser.prerelease.yml --clean --skip=validate --timeout 60m0s
+        version: latest
+    - if: failure() && github.event_name == 'push'
+      name: Notify Slack
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      with:
+        author_name: Failure in publishing binaries
+        fields: repo,commit,author,action
+        status: ${{ job.status }}
+      env:
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
+  publish_sdk:
+    runs-on: ubuntu-latest
+    needs: publish
+    name: publish_sdk
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets.
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
+    - id: version
+      name: Set Provider Version
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      with:
+        set-env: PROVIDER_VERSION
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Checkout Scripts Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        path: ci-scripts
+        repository: pulumi/scripts
+    - run: echo "ci-scripts" >> .git/info/exclude
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
+      with:
+        github_token: ${{ steps.app-auth.outputs.token }}
+    - name: Download python SDK
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      with:
+        name: python-sdk.tar.gz
+        path: ${{ github.workspace}}/sdk/
+    - name: Uncompress python SDK
+      run: tar -zxf ${{github.workspace}}/sdk/python.tar.gz -C
+        ${{github.workspace}}/sdk/python
+    - name: Download dotnet SDK
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      with:
+        name: dotnet-sdk.tar.gz
+        path: ${{ github.workspace}}/sdk/
+    - name: Uncompress dotnet SDK
+      run: tar -zxf ${{github.workspace}}/sdk/dotnet.tar.gz -C
+        ${{github.workspace}}/sdk/dotnet
+    - name: Download nodejs SDK
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      with:
+        name: nodejs-sdk.tar.gz
+        path: ${{ github.workspace}}/sdk/
+    - name: Uncompress nodejs SDK
+      run: tar -zxf ${{github.workspace}}/sdk/nodejs.tar.gz -C
+        ${{github.workspace}}/sdk/nodejs
+    - name: Install Twine
+      run: python -m pip install twine==5.0.0
+    - name: Publish SDKs
+      run: ./ci-scripts/ci/publish-tfgen-package ${{ github.workspace }}
+      env:
+        NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }}
+        NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }}
+        PYPI_PUBLISH_ARTIFACTS: all
+        PYPI_USERNAME: __token__
+        PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }}
+    - if: failure() && github.event_name == 'push'
+      name: Notify Slack
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      with:
+        author_name: Failure in publishing SDK
+        fields: repo,commit,author,action
+        status: ${{ job.status }}
+      env:
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
+  publish_java_sdk:
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    needs: publish
+    name: publish_java_sdk
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets.
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
+    - id: version
+      name: Set Provider Version
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      with:
+        set-env: PROVIDER_VERSION
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
+      with:
+        github_token: ${{ steps.app-auth.outputs.token }}
+    - name: Download java SDK
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      with:
+        name: java-sdk.tar.gz
+        path: ${{ github.workspace}}/sdk/
+    - name: Uncompress java SDK
+      run: tar -zxf ${{github.workspace}}/sdk/java.tar.gz -C
+        ${{github.workspace}}/sdk/java
+    - name: Setup Gradle
+      uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0
+      with:
+        gradle-version: "7.6"
+    - name: Publish Java SDK
+      run: gradle -p ./sdk/java publishToSonatype closeAndReleaseSonatypeStagingRepository
+      env:
+        PACKAGE_VERSION: ${{ env.PROVIDER_VERSION }}
+        SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }}
+        SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }}
+        SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }}
+        PUBLISH_REPO_PASSWORD: ${{ steps.esc-secrets.outputs.OSSRH_PASSWORD }}
+        PUBLISH_REPO_USERNAME: ${{ steps.esc-secrets.outputs.OSSRH_USERNAME }}
+  publish_go_sdk:
+    runs-on: ubuntu-latest
+    name: publish-go-sdk
+    needs: publish_sdk
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        lfs: true
+    - id: version
+      name: Set Provider Version
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      with:
+        set-env: PROVIDER_VERSION
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Download go SDK
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      with:
+        name: go-sdk.tar.gz
+        path: ${{ github.workspace}}/sdk/
+    - name: Uncompress go SDK
+      run: tar -zxf ${{github.workspace}}/sdk/go.tar.gz -C
+        ${{github.workspace}}/sdk/go
+    - name: Publish Go SDK
+      uses: pulumi/publish-go-sdk-action@v1
+      with:
+        repository: ${{ github.repository }}
+        base-ref: ${{ github.sha }}
+        source: sdk/go/dockerbuild
+        path: sdk/go/dockerbuild
+        version: ${{ steps.version.outputs.version }}
+        additive: false
+        files: "**"

.github/workflows/pull-request.yml

@@ -0,0 +1,24 @@
+# WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
+
+name: pull-request
+on:
+  pull_request_target: {}
+
+jobs:
+  comment-on-pr:
+    runs-on: ubuntu-latest
+    name: comment-on-pr
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        lfs: true
+    - name: Comment PR
+      uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
+      with:
+        message: >
+          PR is now waiting for a maintainer to run the acceptance tests.
+
+          **Note for the maintainer:** To run the acceptance tests, please comment */run-acceptance-tests* on the PR
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+    if: github.event.pull_request.head.repo.full_name != github.repository

.github/workflows/release.yml

@@ -0,0 +1,639 @@
+# WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
+
+name: release
+on:
+  push:
+    tags:
+    - v*.*.*
+    - "!v*.*.*-**"
+env:
+  PROVIDER: docker-build
+  TRAVIS_OS_NAME: linux
+  GOVERSION: "1.21.x"
+  NODEVERSION: "20.x"
+  PYTHONVERSION: "3.11.8"
+  DOTNETVERSION: "8.0.x"
+  JAVAVERSION: "11"
+  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
+  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
+  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
+  GOOGLE_PROJECT: pulumi-ci-gcp-provider
+  GOOGLE_PROJECT_NUMBER: "895284651812"
+  GOOGLE_REGION: us-central1
+  GOOGLE_ZONE: us-central1-a
+  PULUMI_API: https://api.pulumi-staging.io
+  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
+  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  TF_APPEND_USER_AGENT: pulumi
+
+jobs:
+  prerequisites:
+    runs-on: ubuntu-latest
+    name: prerequisites
+    permissions:
+      id-token: write # For ESC secrets.
+      pull-requests: write # For schema check comment.
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
+    - id: version
+      name: Set Provider Version
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      with:
+        set-env: PROVIDER_VERSION
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
+      with:
+        cache: 'true'
+        github_token: ${{ steps.app-auth.outputs.token }}
+    - if: github.event_name == 'pull_request'
+      name: Install Schema Tools
+      uses: jaxxstorm/action-install-gh-release@25e24d2d23ae098373794ef1d6faecb48ee52da8 # v3.0.0
+      with:
+        repo: pulumi/schema-tools
+    - name: Build codegen binaries
+      run: make codegen
+    - name: Build Schema
+      run: make generate_schema
+    - if: github.event_name == 'pull_request'
+      name: Check Schema is Valid
+      run: >-
+        {
+          echo 'SCHEMA_CHANGES<<EOF';
+
+          schema-tools compare -p ${{ env.PROVIDER }} -o ${{ github.event.repository.default_branch }} -n --local-path=provider/cmd/pulumi-resource-${{ env.PROVIDER }}/schema.json;
+
+          echo 'EOF';
+        } >> "$GITHUB_ENV"
+      env:
+        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
+    - if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
+      name: Comment on PR with Details of Schema Check
+      uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
+      with:
+        message: |
+          ${{ env.SCHEMA_CHANGES }}
+        comment-tag: schemaCheck
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+    - if: contains(env.SCHEMA_CHANGES, 'Looking good! No breaking changes found.') &&
+        github.actor == 'pulumi-bot'
+      name: Add label if no breaking changes
+      uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1.1.3
+      with:
+        labels: impact/no-changelog-required
+        number: ${{ github.event.issue.number }}
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+    - name: Build Provider
+      run: make provider
+    - name: Check worktree clean
+      id: worktreeClean
+      uses: pulumi/git-status-check-action@54000b91124a8dd9fd6a872cb41f5dd246a46e7c # v1.1.1
+      with:
+        allowed-changes: |-
+          sdk/**/pulumi-plugin.json
+          sdk/dotnet/*.*.csproj
+          sdk/dotnet/version.txt
+          sdk/go/**/pulumiUtilities.go
+          sdk/nodejs/package.json
+          sdk/python/pyproject.toml
+          sdk/java/build.gradle
+    - run: git status --porcelain
+    - name: Tar provider binaries
+      run: tar -zcf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
+        github.workspace}}/bin/ pulumi-resource-${{ env.PROVIDER }}
+        pulumi-gen-${{ env.PROVIDER}}
+    - name: Upload artifacts
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      with:
+        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
+        path: ${{ github.workspace }}/bin/provider.tar.gz
+    - name: Test Provider Library
+      run: make test_provider
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Upload coverage reports to Codecov
+      uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
+      env:
+        CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
+    - if: failure() && github.event_name == 'push'
+      name: Notify Slack
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      with:
+        author_name: Failure in building provider prerequisites
+        fields: repo,commit,author,action
+        status: ${{ job.status }}
+      env:
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
+  build_sdks:
+    needs: prerequisites
+    runs-on: pulumi-ubuntu-8core
+    strategy:
+      fail-fast: ${{ ! contains(github.actor, 'renovate') }}
+      matrix:
+        language:
+        - nodejs
+        - python
+        - dotnet
+        - go
+        - java
+    name: build_sdks
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets.
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
+    - id: version
+      name: Set Provider Version
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      with:
+        set-env: PROVIDER_VERSION
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
+      with:
+        github_token: ${{ steps.app-auth.outputs.token }}
+    - name: Download Provider Binary
+      uses: ./.github/actions/download-provider
+    - name: Generate SDK
+      run: make generate_${{ matrix.language }}
+    - name: Build SDK
+      run: make build_${{ matrix.language }}
+    - name: Check worktree clean
+      id: worktreeClean
+      uses: pulumi/git-status-check-action@54000b91124a8dd9fd6a872cb41f5dd246a46e7c # v1.1.1
+      with:
+        allowed-changes: |-
+          sdk/**/pulumi-plugin.json
+          sdk/dotnet/*.*.csproj
+          sdk/dotnet/version.txt
+          sdk/go/**/pulumiUtilities.go
+          sdk/nodejs/package.json
+          sdk/python/pyproject.toml
+          sdk/java/build.gradle
+    - run: git status --porcelain
+    - name: Tar SDK folder
+      run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} .
+    - name: Upload artifacts
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      with:
+        name: ${{ matrix.language  }}-sdk.tar.gz
+        path: ${{ github.workspace}}/sdk/${{ matrix.language }}.tar.gz
+    - if: failure() && github.event_name == 'push'
+      name: Notify Slack
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      with:
+        author_name: Failure while building SDKs
+        fields: repo,commit,author,action
+        status: ${{ job.status }}
+      env:
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
+  test:
+    runs-on: pulumi-ubuntu-8core
+    needs:
+    - build_sdks
+    strategy:
+      fail-fast: true
+      matrix:
+        language:
+        - nodejs
+        - python
+        - dotnet
+        - go
+        - java
+        - yaml
+    name: test
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets.
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
+    - id: version
+      name: Set Provider Version
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      with:
+        set-env: PROVIDER_VERSION
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
+      with:
+        github_token: ${{ steps.app-auth.outputs.token }}
+    - name: Download Provider Binary
+      uses: ./.github/actions/download-provider
+    - name: Download SDK
+      if: ${{ matrix.language != 'yaml' }}
+      uses: ./.github/actions/download-sdk
+      with:
+        language: ${{ matrix.language }}
+    - name: Update path
+      run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
+    - name: Install Node dependencies
+      run: yarn global add typescript
+    - run: dotnet nuget add source ${{ github.workspace }}/nuget
+    - name: Install Python deps
+      run: |-
+        pip3 install virtualenv==20.0.23
+        pip3 install pipenv
+    - name: Install dependencies
+      if: ${{ matrix.language != 'yaml' }}
+      run: make install_${{ matrix.language}}_sdk
+    - name: Generate Pulumi Access Token
+      id: generate_pulumi_token
+      uses: pulumi/auth-actions@1c89817aab0c66407723cdef72b05266e7376640 # v1.0.1
+      with:
+        organization: pulumi
+        requested-token-type: urn:pulumi:token-type:access_token:organization
+        export-environment-variables: false
+    - name: Export AWS Credentials
+      uses: pulumi/esc-action@f3cfbabf37488463817366338165b92b5f99117e
+      env:
+        PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
+      with:
+        environment: logins/pulumi-ci
+    - name: Authenticate to Google Cloud
+      uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
+      with:
+        workload_identity_provider: projects/${{ env.GOOGLE_PROJECT_NUMBER
+          }}/locations/global/workloadIdentityPools/${{
+          env.GOOGLE_CI_WORKLOAD_IDENTITY_POOL }}/providers/${{
+          env.GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER }}
+        service_account: ${{ env.GOOGLE_CI_SERVICE_ACCOUNT_EMAIL }}
+    - name: Setup gcloud auth
+      uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
+      with:
+        install_components: gke-gcloud-auth-plugin
+    - name: Install gotestfmt
+      uses: GoTestTools/gotestfmt-action@v2
+      with:
+        version: v2.5.0
+        token: ${{ secrets.GITHUB_TOKEN }}
+    - name: Run tests
+      run: >-
+        set -euo pipefail
+
+        cd examples && go test -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 .
+      env:
+        GTIHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - if: failure() && github.event_name == 'push'
+      name: Notify Slack
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      with:
+        author_name: Failure in SDK tests
+        fields: repo,commit,author,action
+        status: ${{ job.status }}
+      env:
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
+  publish:
+    runs-on: ubuntu-latest
+    needs: test
+    name: publish
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets.
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
+    - id: version
+      name: Set Provider Version
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      with:
+        set-env: PROVIDER_VERSION
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
+      with:
+        github_token: ${{ steps.app-auth.outputs.token }}
+    - name: Clear GitHub Actions Ubuntu runner disk space
+      uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
+      with:
+        tool-cache: false
+        dotnet: false
+        android: true
+        haskell: true
+        swap-storage: true
+        large-packages: false
+    - name: Configure AWS Credentials
+      uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
+      with:
+        aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }}
+        aws-region: us-east-2
+        aws-secret-access-key: ${{ steps.esc-secrets.outputs.AWS_SECRET_ACCESS_KEY }}
+        role-duration-seconds: 7200
+        role-session-name: ${{ env.PROVIDER }}@githubActions
+        role-external-id: upload-pulumi-release
+        role-to-assume: ${{ steps.esc-secrets.outputs.AWS_UPLOAD_ROLE_ARN }}
+    - name: Run GoReleaser
+      uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
+      env:
+        GORELEASER_CURRENT_TAG: v${{ steps.version.outputs.version }}
+        AZURE_SIGNING_CLIENT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID }}
+        AZURE_SIGNING_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET }}
+        AZURE_SIGNING_TENANT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID }}
+        AZURE_SIGNING_ACCOUNT_ENDPOINT: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_ENDPOINT }}
+        AZURE_SIGNING_ACCOUNT_NAME: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_NAME }}
+        AZURE_SIGNING_CERT_PROFILE_NAME: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CERT_PROFILE_NAME }}
+        SKIP_SIGNING: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET == '' && steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_ENDPOINT == '' && steps.esc-secrets.outputs.AZURE_SIGNING_ACCOUNT_NAME == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CERT_PROFILE_NAME == '' }}
+        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
+      with:
+        args: -p 3 release --clean --timeout 60m0s
+        version: latest
+    - if: failure() && github.event_name == 'push'
+      name: Notify Slack
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      with:
+        author_name: Failure in publishing binaries
+        fields: repo,commit,author,action
+        status: ${{ job.status }}
+      env:
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
+  publish_sdk:
+    runs-on: ubuntu-latest
+    needs: publish
+    name: publish_sdks
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets.
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
+    - id: version
+      name: Set Provider Version
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      with:
+        set-env: PROVIDER_VERSION
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Checkout Scripts Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        path: ci-scripts
+        repository: pulumi/scripts
+    - run: echo "ci-scripts" >> .git/info/exclude
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
+      with:
+        github_token: ${{ steps.app-auth.outputs.token }}
+    - name: Download python SDK
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      with:
+        name: python-sdk.tar.gz
+        path: ${{ github.workspace}}/sdk/
+    - name: Uncompress python SDK
+      run: tar -zxf ${{github.workspace}}/sdk/python.tar.gz -C
+        ${{github.workspace}}/sdk/python
+    - name: Download dotnet SDK
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      with:
+        name: dotnet-sdk.tar.gz
+        path: ${{ github.workspace}}/sdk/
+    - name: Uncompress dotnet SDK
+      run: tar -zxf ${{github.workspace}}/sdk/dotnet.tar.gz -C
+        ${{github.workspace}}/sdk/dotnet
+    - name: Download nodejs SDK
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      with:
+        name: nodejs-sdk.tar.gz
+        path: ${{ github.workspace}}/sdk/
+    - name: Uncompress nodejs SDK
+      run: tar -zxf ${{github.workspace}}/sdk/nodejs.tar.gz -C
+        ${{github.workspace}}/sdk/nodejs
+    - name: Install Twine
+      run: python -m pip install twine==5.0.0
+    - name: Publish SDKs
+      run: ./ci-scripts/ci/publish-tfgen-package ${{ github.workspace }}
+      env:
+        NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }}
+        NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }}
+        PYPI_PUBLISH_ARTIFACTS: all
+        PYPI_USERNAME: __token__
+        PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }}
+    - if: failure() && github.event_name == 'push'
+      name: Notify Slack
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      with:
+        author_name: Failure in publishing SDK
+        fields: repo,commit,author,action
+        status: ${{ job.status }}
+      env:
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
+  publish_java_sdk:
+    runs-on: ubuntu-latest
+    continue-on-error: true
+    needs: publish
+    name: publish_java_sdk
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets.
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
+    - id: version
+      name: Set Provider Version
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      with:
+        set-env: PROVIDER_VERSION
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
+      with:
+        github_token: ${{ steps.app-auth.outputs.token }}
+    - name: Download java SDK
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      with:
+        name: java-sdk.tar.gz
+        path: ${{ github.workspace}}/sdk/
+    - name: Uncompress java SDK
+      run: tar -zxf ${{github.workspace}}/sdk/java.tar.gz -C
+        ${{github.workspace}}/sdk/java
+    - name: Setup Gradle
+      uses: gradle/actions/setup-gradle@50e97c2cd7a37755bbfafc9c5b7cafaece252f6e # v6.1.0
+      with:
+        gradle-version: "7.6"
+    - name: Publish Java SDK
+      run: gradle -p ./sdk/java publishToSonatype closeAndReleaseSonatypeStagingRepository
+      env:
+        PACKAGE_VERSION: ${{ env.PROVIDER_VERSION }}
+        SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }}
+        SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }}
+        SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }}
+        PUBLISH_REPO_PASSWORD: ${{ steps.esc-secrets.outputs.OSSRH_PASSWORD }}
+        PUBLISH_REPO_USERNAME: ${{ steps.esc-secrets.outputs.OSSRH_USERNAME }}
+  publish_go_sdk:
+    runs-on: ubuntu-latest
+    name: publish-go-sdk
+    needs: publish_sdk
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        lfs: true
+    - id: version
+      name: Set Provider Version
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      with:
+        set-env: PROVIDER_VERSION
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Download go SDK
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      with:
+        name: go-sdk.tar.gz
+        path: ${{ github.workspace}}/sdk/
+    - name: Uncompress go SDK
+      run: tar -zxf ${{github.workspace}}/sdk/go.tar.gz -C
+        ${{github.workspace}}/sdk/go
+    - name: Publish Go SDK
+      uses: pulumi/publish-go-sdk-action@v1
+      with:
+        repository: ${{ github.repository }}
+        base-ref: ${{ github.sha }}
+        source: sdk/go/dockerbuild
+        path: sdk/go/dockerbuild
+        version: ${{ steps.version.outputs.version }}
+        additive: false
+        files: "**"
+  dispatch_docs_build:
+    runs-on: ubuntu-latest
+    needs: publish_go_sdk
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets.
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
+    - name: Install pulumictl
+      uses: jaxxstorm/action-install-gh-release@25e24d2d23ae098373794ef1d6faecb48ee52da8 # v3.0.0
+      with:
+        repo: pulumi/pulumictl
+    - name: Dispatch Event
+      run: pulumictl create docs-build pulumi-${{ env.PROVIDER }}
+        "${GITHUB_REF#refs/tags/}"
+      env:
+        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
+    name: dispatch_docs_build

.github/workflows/release_command.yml

@@ -0,0 +1,54 @@
+# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
+
+name: release-command
+on:
+  repository_dispatch:
+    types:
+    - release-command
+jobs:
+  should_release:
+    name: Should release PR
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        persist-credentials: false    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - name: Should release PR
+      uses: pulumi/action-release-by-pr-label@main
+      with:
+        command: "should-release"
+        repo: ${{ github.repository }}
+        pr: ${{ github.event.client_payload.pull_request.number }}
+        version: ${{ github.event.client_payload.slash_command.args.all }}
+        slack_channel: ${{ steps.esc-secrets.outputs.RELEASE_OPS_STAGING_SLACK_CHANNEL }}
+      env:
+        RELEASE_BOT_ENDPOINT: ${{ steps.esc-secrets.outputs.RELEASE_BOT_ENDPOINT }}
+        RELEASE_BOT_KEY: ${{ steps.esc-secrets.outputs.RELEASE_BOT_KEY }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - if: failure()
+      name: Notify failure
+      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+        repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
+        issue-number: ${{ github.event.client_payload.github.payload.issue.number }}
+        body: |
+          "release command failed: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
+    - if: success()
+      name: Notify success
+      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+        repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
+        comment-id: ${{ github.event.client_payload.github.payload.comment.id }}
+        reaction-type: hooray

.github/workflows/run-acceptance-tests.yml

@@ -0,0 +1,536 @@
+# WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
+
+name: run-acceptance-tests
+on:
+  repository_dispatch:
+    types:
+    - run-acceptance-tests-command
+  pull_request:
+    paths-ignore:
+    - CHANGELOG.md
+  workflow_dispatch: {}
+env:
+  PROVIDER: docker-build
+  TRAVIS_OS_NAME: linux
+  GOVERSION: "1.21.x"
+  NODEVERSION: "20.x"
+  PYTHONVERSION: "3.11.8"
+  DOTNETVERSION: "8.0.x"
+  JAVAVERSION: "11"
+  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
+  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
+  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
+  GOOGLE_PROJECT: pulumi-ci-gcp-provider
+  GOOGLE_PROJECT_NUMBER: "895284651812"
+  GOOGLE_REGION: us-central1
+  GOOGLE_ZONE: us-central1-a
+  PULUMI_API: https://api.pulumi-staging.io
+  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
+  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
+  TF_APPEND_USER_AGENT: pulumi
+  PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }}
+jobs:
+  comment-notification:
+    if: github.event_name == 'repository_dispatch'
+    runs-on: ubuntu-latest
+    name: comment-notification
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        lfs: true
+        persist-credentials: false
+        ref: ${{ env.PR_COMMIT_SHA }}
+    - name: Create URL to the run output
+      id: vars
+      run: echo
+        "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
+        >> "$GITHUB_OUTPUT"
+    - name: Update with Result
+      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+        repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
+        issue-number: ${{ github.event.client_payload.github.payload.issue.number }}
+        body: "Please view the PR build: ${{ steps.vars.outputs.run-url }}"
+  prerequisites:
+    runs-on: ubuntu-latest
+    name: prerequisites
+    permissions:
+      id-token: write # For ESC secrets.
+      pull-requests: write # For schema check comment.
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        lfs: true
+        persist-credentials: false
+        ref: ${{ env.PR_COMMIT_SHA }}    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
+    - id: version
+      name: Set Provider Version
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      with:
+        set-env: PROVIDER_VERSION
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
+      with:
+        cache: 'true'
+        github_token: ${{ steps.app-auth.outputs.token }}
+    - if: github.event_name == 'pull_request'
+      name: Install Schema Tools
+      uses: jaxxstorm/action-install-gh-release@25e24d2d23ae098373794ef1d6faecb48ee52da8 # v3.0.0
+      with:
+        repo: pulumi/schema-tools
+    - name: Build codegen binaries
+      run: make codegen
+    - name: Build Schema
+      run: make generate_schema
+    - if: github.event_name == 'pull_request'
+      name: Check Schema is Valid
+      run: >-
+        {
+          echo 'SCHEMA_CHANGES<<EOF';
+
+          schema-tools compare -p ${{ env.PROVIDER }} -o ${{ github.event.repository.default_branch }} -n --local-path=provider/cmd/pulumi-resource-${{ env.PROVIDER }}/schema.json;
+
+          echo 'EOF';
+        } >> "$GITHUB_ENV"
+      env:
+        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
+    - if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
+      name: Comment on PR with Details of Schema Check
+      uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
+      with:
+        message: |
+          ${{ env.SCHEMA_CHANGES }}
+        comment-tag: schemaCheck
+        github-token: ${{ secrets.GITHUB_TOKEN }}
+    - if: contains(env.SCHEMA_CHANGES, 'Looking good! No breaking changes found.') &&
+        github.actor == 'pulumi-bot'
+      name: Add label if no breaking changes
+      uses: actions-ecosystem/action-add-labels@18f1af5e3544586314bbe15c0273249c770b2daf # v1.1.3
+      with:
+        labels: impact/no-changelog-required
+        number: ${{ github.event.issue.number }}
+        github_token: ${{ secrets.GITHUB_TOKEN }}
+    - name: Build Provider
+      run: make provider
+    - name: Check worktree clean
+      id: worktreeClean
+      uses: pulumi/git-status-check-action@54000b91124a8dd9fd6a872cb41f5dd246a46e7c # v1.1.1
+      with:
+        allowed-changes: |-
+          sdk/**/pulumi-plugin.json
+          sdk/dotnet/*.*.csproj
+          sdk/dotnet/version.txt
+          sdk/go/**/pulumiUtilities.go
+          sdk/nodejs/package.json
+          sdk/python/pyproject.toml
+          sdk/java/build.gradle
+      # This worktree check is a safeguard against someone forgetting to
+      # re-build and commit locally, but we handle that commit automatically in
+      # the case of dependency bumps.
+      continue-on-error: ${{ contains(github.actor, 'renovate') }}
+    - name: Commit SDK changes for Renovate
+      if: steps.worktreeClean.outcome == 'failure' &&
+        contains(github.actor, 'renovate') && github.event_name ==
+        'pull_request'
+      shell: bash
+      run: >
+        git config --global user.email "bot@pulumi.com"
+
+        git config --global user.name "pulumi-bot"
+
+        # Stash local changes and check out the PR's branch directly.
+
+        git stash
+
+        git fetch
+
+        git checkout "origin/$HEAD_REF"
+
+
+        # Apply and add our changes, but don't commit any files we expect to
+        # always change due to versioning.
+
+        git stash pop
+
+        git add sdk provider/cmd/pulumi-resource-docker-build/schema.json
+
+        git reset sdk/python/*/pulumi-plugin.json \
+            sdk/python/pyproject.toml \
+            sdk/dotnet/pulumi-plugin.json \
+            sdk/dotnet/*.*.csproj \
+            sdk/dotnet/version.txt \
+            sdk/go/*/pulumi-plugin.json \
+            sdk/go/*/internal/pulumiUtilities.go \
+            sdk/nodejs/package.json
+
+        git commit -m 'Commit SDK for Renovate'
+
+        # Push with pulumi-bot credentials to trigger a re-run of the
+        # workflow. https://github.com/orgs/community/discussions/25702
+
+        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+      env:
+        HEAD_REF: ${{ github.head_ref }}
+    - run: git status --porcelain
+    - name: Tar provider binaries
+      run: tar -zcf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
+        github.workspace}}/bin/ pulumi-resource-${{ env.PROVIDER }}
+        pulumi-gen-${{ env.PROVIDER}}
+    - name: Upload artifacts
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      with:
+        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
+        path: ${{ github.workspace }}/bin/provider.tar.gz
+    - name: Test Provider Library
+      run: make test_provider
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Upload coverage reports to Codecov
+      uses: codecov/codecov-action@e79a6962e0d4c0c17b229090214935d2e33f8354 # v6.0.1
+      env:
+        CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
+    - if: failure() && github.event_name == 'push'
+      name: Notify Slack
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      with:
+        author_name: Failure in building provider prerequisites
+        fields: repo,commit,author,action
+        status: ${{ job.status }}
+      env:
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
+    if: github.event_name == 'repository_dispatch' ||
+      github.event.pull_request.head.repo.full_name == github.repository
+  build_sdks:
+    needs: prerequisites
+    runs-on: pulumi-ubuntu-8core
+    strategy:
+      fail-fast: ${{ ! contains(github.actor, 'renovate') }}
+      matrix:
+        language:
+        - nodejs
+        - python
+        - dotnet
+        - go
+        - java
+    name: build_sdks
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets.
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        lfs: true
+        persist-credentials: false
+        ref: ${{ env.PR_COMMIT_SHA }}    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
+    - id: version
+      name: Set Provider Version
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      with:
+        set-env: PROVIDER_VERSION
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
+      with:
+        github_token: ${{ steps.app-auth.outputs.token }}
+    - name: Download provider
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      with:
+        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
+        path: ${{ github.workspace }}/bin
+    - name: UnTar provider binaries
+      run: tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
+        github.workspace}}/bin
+    - name: Restore Binary Permissions
+      run: find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print
+        -exec chmod +x {} \;
+    - name: Generate SDK
+      run: make generate_${{ matrix.language }}
+    - name: Build SDK
+      run: make build_${{ matrix.language }}
+    - name: Check worktree clean
+      id: worktreeClean
+      uses: pulumi/git-status-check-action@54000b91124a8dd9fd6a872cb41f5dd246a46e7c # v1.1.1
+      with:
+        allowed-changes: |-
+          sdk/**/pulumi-plugin.json
+          sdk/dotnet/*.*.csproj
+          sdk/dotnet/version.txt
+          sdk/go/**/pulumiUtilities.go
+          sdk/nodejs/package.json
+          sdk/python/pyproject.toml
+          sdk/java/build.gradle
+      continue-on-error: ${{ contains(github.actor, 'renovate') }}
+    - name: Commit SDK changes for Renovate
+      if: steps.worktreeClean.outcome == 'failure' &&
+        contains(github.actor, 'renovate') && github.event_name ==
+        'pull_request'
+      shell: bash
+      run: >
+        git config --global user.email "bot@pulumi.com"
+
+        git config --global user.name "pulumi-bot"
+
+        # Stash local changes and check out the PR's branch directly.
+
+        git stash
+
+        git fetch
+
+        git checkout "origin/$HEAD_REF"
+
+        # Apply and add our changes, but don't commit any files we expect to
+        # always change due to versioning.
+
+        git stash pop
+
+        git add sdk provider/cmd/pulumi-resource-docker-build/schema.json
+
+        git reset sdk/python/*/pulumi-plugin.json \
+            sdk/python/pyproject.toml \
+            sdk/dotnet/pulumi-plugin.json \
+            sdk/dotnet/*.*.csproj \
+            sdk/dotnet/version.txt \
+            sdk/go/*/pulumi-plugin.json \
+            sdk/go/*/internal/pulumiUtilities.go \
+            sdk/nodejs/package.json
+
+        git commit -m 'Commit SDK for Renovate'
+
+        # Push with pulumi-bot credentials to trigger a re-run of the
+        # workflow. https://github.com/orgs/community/discussions/25702
+
+        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+      env:
+        HEAD_REF: ${{ github.head_ref }}
+    - run: git status --porcelain
+    - name: Tar SDK folder
+      run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} .
+    - name: Upload artifacts
+      uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
+      with:
+        name: ${{ matrix.language  }}-sdk.tar.gz
+        path: ${{ github.workspace}}/sdk/${{ matrix.language }}.tar.gz
+        retention-days: 30
+    - if: failure() && github.event_name == 'push'
+      name: Notify Slack
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      with:
+        author_name: Failure while building SDKs
+        fields: repo,commit,author,action
+        status: ${{ job.status }}
+      env:
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
+    if: github.event_name == 'repository_dispatch' ||
+      github.event.pull_request.head.repo.full_name == github.repository
+  test:
+    runs-on: pulumi-ubuntu-8core
+    needs:
+    - build_sdks
+    strategy:
+      fail-fast: true
+      matrix:
+        language:
+        - nodejs
+        - python
+        - dotnet
+        - go
+        - java
+        - yaml
+    name: test
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        lfs: true
+        persist-credentials: false
+        ref: ${{ env.PR_COMMIT_SHA }}    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
+    - id: version
+      name: Set Provider Version
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
+      with:
+        set-env: PROVIDER_VERSION
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
+      with:
+        github_token: ${{ steps.app-auth.outputs.token }}
+    - name: Download provider
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      with:
+        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
+        path: ${{ github.workspace }}/bin
+    - name: UnTar provider binaries
+      run: tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
+        github.workspace}}/bin
+    - name: Restore Binary Permissions
+      run: find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print
+        -exec chmod +x {} \;
+    - name: Download SDK
+      if: ${{ matrix.language != 'yaml' }}
+      uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1
+      with:
+        name: ${{ matrix.language }}-sdk.tar.gz
+        path: ${{ github.workspace}}/sdk/
+    - name: UnTar SDK folder
+      if: ${{ matrix.language != 'yaml' }}
+      run: tar -zxf ${{ github.workspace}}/sdk/${{ matrix.language}}.tar.gz -C ${{
+        github.workspace}}/sdk/${{ matrix.language}}
+    - name: Update path
+      run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
+    - name: Install Node dependencies
+      run: yarn global add typescript
+    - run: dotnet nuget add source ${{ github.workspace }}/nuget
+    - name: Install Python deps
+      run: |-
+        pip3 install virtualenv==20.0.23
+        pip3 install pipenv
+    - name: Install dependencies
+      if: ${{ matrix.language != 'yaml' }}
+      run: make install_${{ matrix.language}}_sdk
+    - name: Generate Pulumi Access Token
+      id: generate_pulumi_token
+      uses: pulumi/auth-actions@1c89817aab0c66407723cdef72b05266e7376640 # v1.0.1
+      with:
+        organization: pulumi
+        requested-token-type: urn:pulumi:token-type:access_token:organization
+        export-environment-variables: false
+    - name: Export AWS Credentials
+      uses: pulumi/esc-action@f3cfbabf37488463817366338165b92b5f99117e
+      env:
+        PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
+      with:
+        environment: logins/pulumi-ci
+    - name: Authenticate to Google Cloud
+      uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
+      with:
+        workload_identity_provider: projects/${{ env.GOOGLE_PROJECT_NUMBER
+          }}/locations/global/workloadIdentityPools/${{
+          env.GOOGLE_CI_WORKLOAD_IDENTITY_POOL }}/providers/${{
+          env.GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER }}
+        service_account: ${{ env.GOOGLE_CI_SERVICE_ACCOUNT_EMAIL }}
+    - name: Setup gcloud auth
+      uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
+      with:
+        install_components: gke-gcloud-auth-plugin
+    - name: Install gotestfmt
+      uses: GoTestTools/gotestfmt-action@v2
+      with:
+        version: v2.5.0
+        token: ${{ secrets.GITHUB_TOKEN }}
+    - name: Run tests
+      run: >-
+        set -euo pipefail
+
+        cd examples && go test -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 .
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - if: failure() && github.event_name == 'push'
+      name: Notify Slack
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
+      with:
+        author_name: Failure in SDK tests
+        fields: repo,commit,author,action
+        status: ${{ job.status }}
+      env:
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
+    if: github.event_name == 'repository_dispatch' ||
+      github.event.pull_request.head.repo.full_name == github.repository
+  sentinel:
+    runs-on: ubuntu-latest
+    name: sentinel
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        lfs: true
+        persist-credentials: false
+        ref: ${{ env.PR_COMMIT_SHA }}    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - name: Mark workflow as successful
+      uses: guibranco/github-status-action-v2@77639353504055053524efa7a3719aaf0b731ce9 # v1.2.4
+      with:
+        authToken: ${{ secrets.GITHUB_TOKEN }}
+        context: Sentinel
+        state: success
+        description: Sentinel checks passed
+        sha: ${{ github.event.pull_request.head.sha || github.sha }}
+    permissions:
+      statuses: write
+      id-token: write # For ESC secrets.
+    if: github.event_name == 'repository_dispatch' ||
+      github.event.pull_request.head.repo.full_name == github.repository
+    needs:
+    - test
+    - prerequisites
+    - lint
+  lint:
+    if: github.event_name == 'repository_dispatch' ||
+      github.event.pull_request.head.repo.full_name == github.repository
+    name: lint
+    uses: ./.github/workflows/lint.yml
+    secrets: inherit

.github/workflows/shared/plugins/code-review/code-review.md

@@ -0,0 +1,214 @@
+---
+description: High-signal PR review for gh-aw workflows using safe outputs
+---
+
+Provide a code review for the given pull request.
+
+**Agent assumptions (applies to all agents and subagents):**
+- All tools are functional and will work without error. Do not test tools or make exploratory calls. Make sure this is clear to every subagent that is launched.
+- Only call a tool if it is required to complete the task. Every tool call should have a clear purpose.
+- Use GitHub MCP tools for repository reads. Do not use `gh` CLI commands for repository inspection or for posting review output.
+- Use the workflow PR number as the authoritative target.
+- Review output must be terse and issue-focused. Do not praise the PR, narrate checks that passed, explain why code is correct, or offer "good change" commentary.
+- Use only gh-aw safe outputs for review side effects:
+  - `create-pull-request-review-comment` for actionable inline findings on changed lines
+  - `resolve-pull-request-review-thread` for unresolved bot-authored review threads that are now fixed or clearly acknowledged
+  - `submit-pull-request-review` for the final review decision
+  - `noop` when no action should be taken
+- Use cache-memory only for short-lived continuity and deduplication hints. Treat live PR state and current review threads as the source of truth.
+- Never post free-form issue comments or use any side channel for review output.
+- Respect the workflow safe-output limits. Prioritize the highest-signal unique findings and keep the inline review set within the configured maximum.
+- Consult `.gitattributes` when relevant and treat files matched there as generated by default. Ignore findings that exist only in generated outputs such as `.lock.yml` files unless the corresponding source-of-truth files show a real behavioral problem.
+
+To do this, follow these steps precisely:
+
+1. Create a short todo list for yourself before starting.
+
+2. Launch a fast subagent to check if any of the following are true:
+   - The pull request is closed
+   - The pull request is a draft
+   - The pull request does not need code review (e.g. automated PR, trivial change that is obviously correct)
+   - Required PR context cannot be read from the workflow tools
+
+   If any condition is true, call `noop` with a brief reason and stop.
+
+Note: Do not skip solely because prior automated review comments exist. Use prior comments for deduplication and stale-thread cleanup instead.
+
+3. Read any prior review memory for this PR from cache-memory before you start detailed analysis.
+
+   Use a PR-specific file such as:
+   - `/tmp/gh-aw/cache-memory/pr-${PR_NUMBER}.json`
+
+   If a prior memory file exists, use it only as a hint for:
+   - Previously reported issues
+   - Dedupe patterns
+   - Prior review timestamps
+   - Risk areas worth re-checking
+
+   Do not trust cache-memory over current GitHub state. If memory conflicts with the live PR, changed files, or review threads, trust the live PR and ignore stale memory.
+
+4. Launch a fast subagent to return a list of file paths (not their contents) for all relevant `CLAUDE.md` files including:
+   - The root CLAUDE.md file, if it exists
+   - Any CLAUDE.md files in directories containing files modified by the pull request
+
+5. Launch a subagent to summarize:
+   - The PR title and description
+   - The changed files
+   - The main behavioral changes in the diff
+   - Any obvious risk areas worth checking carefully
+
+6. Fetch existing review comments and review threads on the PR before preparing any new findings. Use them to identify:
+   - Similar issues already flagged
+   - Threads where a human already acknowledged the feedback
+   - Comments on code that has changed since the earlier review and may now be stale
+   - Unresolved bot-authored review threads that may now be fixed or obsolete
+
+7. Launch 4 review subagents in parallel. Each agent should return a list of candidate issues, where each issue includes:
+   - A concise description
+   - The reason it was flagged (for example `CLAUDE.md adherence` or `bug`)
+   - The changed file path
+   - The changed line or closest changed hunk
+   - Why the issue is likely real
+
+   Agents 1 + 2: CLAUDE.md compliance sonnet agents
+   Audit changes for `CLAUDE.md` compliance in parallel. When evaluating a file, only consider `CLAUDE.md` files that share a path scope with that file or its parents.
+
+   Agent 3: bug-focused review agent
+   Scan for obvious bugs. Focus only on the diff itself without reading extra context. Flag only significant bugs; ignore nitpicks and likely false positives. Do not flag issues that you cannot validate without looking at context outside of the git diff.
+
+   Agent 4: behavior-focused review agent
+   Look for problems introduced by the new code, including security issues, incorrect logic, regressions, and missing error handling. Only look for issues that fall within changed code.
+
+   **CRITICAL: We only want HIGH SIGNAL issues.** Flag issues where:
+   - The code will fail to compile or parse (syntax errors, type errors, missing imports, unresolved references)
+   - The code will definitely produce wrong results regardless of inputs (clear logic errors)
+   - The code introduces a clear security or regression bug in changed lines
+   - Clear, unambiguous `CLAUDE.md` violations where you can quote the exact rule being broken
+
+   Do NOT flag:
+   - Code style or quality concerns
+   - Potential issues that depend on specific inputs or state
+   - Subjective suggestions or improvements
+
+   If you are not certain an issue is real, do not flag it. False positives erode trust and waste reviewer time.
+
+   Each review subagent should receive the PR title and description so it can evaluate intent.
+
+8. For each candidate issue, launch validation subagents in parallel. Each validator should receive the PR title, description, issue description, affected file, and affected hunk. The validator must confirm that the issue is real with high confidence.
+
+   For bug and logic issues, verify the changed code actually causes the stated problem.
+
+   For `CLAUDE.md` issues, verify both:
+   - The cited rule exists
+   - The rule applies to that file path and is actually violated
+
+9. Filter out any issue that fails validation.
+
+10. Deduplicate and prune the validated issue list. Remove:
+   - Issues already covered by an existing review comment
+   - Issues in threads where a human has already acknowledged the feedback
+   - Issues that were present in an earlier revision but are fixed in the latest code
+   - Duplicate findings reported by multiple subagents
+   - Findings that are not on changed lines or cannot be tied to a changed hunk
+   - Findings that only came from cache-memory and are not confirmed by the current PR state
+
+   Also create a separate internal list of review threads to resolve. A thread is eligible for resolution only when all of the following are true:
+   - The thread is currently unresolved
+   - The thread was started by this automation or another bot, not by a human reviewer
+   - The underlying issue is fixed in the latest diff, outdated, or explicitly acknowledged by a human as intentionally left as-is
+   - You have high confidence that resolving it will not hide an outstanding real issue
+
+   Never resolve human-authored review threads. When uncertain, leave the thread unresolved.
+
+11. Classify the remaining issues:
+   - `Blocking`: correctness, security, regression, data loss, or clear required-rule violations
+   - `Non-blocking`: actionable but not merge-blocking concerns that are still worth interrupting the author for now
+
+   Drop any candidate that is merely:
+   - praise
+   - reassurance
+   - a follow-up idea
+   - a readability suggestion with no concrete risk
+   - an observation that does not require author action
+
+12. Produce a short internal summary of findings for yourself:
+   - If issues remain, list the highest-signal ones first
+   - If no issues remain, summarize that no actionable high-signal issues were found
+
+13. If no actionable issues remain, submit exactly one final review with `submit-pull-request-review`:
+   - Use `APPROVE`
+   - Use one short sentence only, such as `No actionable issues found.`
+   - Do not create inline comments
+   - Do not include praise, summaries of what was checked, or correctness narration
+   - Before stopping, write a compact review memory file for this PR containing:
+     - review timestamp
+     - PR number
+     - files reviewed
+     - summary of what was checked
+     - `issues_reported: []`
+   - Stop after the final review is submitted and memory is updated
+
+14. If actionable issues remain, choose the highest-signal unique issues up to the safe-output comment limit. Create a list of planned inline comments for yourself before posting anything.
+
+   Prefer zero comments over low-signal comments. Non-blocking comments should be rare.
+
+15. Post one inline comment per chosen issue using `create-pull-request-review-comment`. For each comment:
+   - Provide a brief description of the issue
+   - Explain why it matters
+   - Reference the exact changed line
+   - Cite the relevant `CLAUDE.md` rule when applicable
+   - Keep the comment concise and actionable
+   - Do not post comments that merely suggest optional follow-up cleanup or extra documentation
+   - Do not post comments whose conclusion is that the code is acceptable as-is
+   - Do not post duplicate comments for the same issue
+
+16. Resolve eligible stale review threads using `resolve-pull-request-review-thread` before submitting the final review.
+   - Resolve only threads from your internal resolution list
+   - Resolve only bot-authored threads
+   - Do not add explanatory comments when resolving
+   - If no threads qualify, do nothing
+
+17. Submit exactly one final review using `submit-pull-request-review`:
+   - Use `REQUEST_CHANGES` when at least one blocking issue remains
+   - Use `APPROVE` otherwise, including when only non-blocking inline comments were left
+   - Do not use `COMMENT` as the final review state
+   - Keep the summary to one or two short sentences
+   - Do not restate inline comments in the final review; point readers to the inline comments instead
+   - Do not include praise, correctness checklists, or "overall LGTM" framing unless there are zero inline comments and you are using the exact terse approval style above
+
+18. After the final review is submitted, update the PR-specific cache-memory file with a compact record of this review. Store only short-lived operational state such as:
+   - review timestamp
+   - PR number
+   - files reviewed
+   - issue fingerprints or short summaries
+   - whether the final review was `APPROVE` or `REQUEST_CHANGES`
+
+   Do not store secrets, tokens, personal data, or large blobs. Keep the file concise so future runs can use it for continuity and dedupe.
+
+Use this list when evaluating issues in Steps 4 and 5 (these are false positives, do NOT flag):
+
+- Pre-existing issues
+- Something that appears to be a bug but is actually correct
+- Pedantic nitpicks that a senior engineer would not flag
+- Issues that a linter will catch (do not run the linter to verify)
+- General code quality concerns (e.g., lack of test coverage, general security issues) unless explicitly required in CLAUDE.md
+- Issues mentioned in CLAUDE.md but explicitly silenced in the code (e.g., via a lint ignore comment)
+- Differences that exist only in files classified as generated by `.gitattributes`, unless they expose a real issue in the source workflow, prompt, or other source-of-truth file
+- Explanations that a change is good, correct, well-structured, or acceptable as-is
+- Non-blocking observations that do not require the author to change anything now
+- Requests for extra comments or documentation unless their absence creates a concrete correctness risk
+
+Notes:
+
+- Use GitHub tools for all repository reads. Do not use web fetch.
+- Always operate on the workflow PR target rather than guessing from local git state.
+- Inline comments should only be created for actionable issues on changed lines.
+- If you leave inline comments, the final review should not repeat them.
+- Cache-memory is best-effort and may be missing or stale. Use it to improve continuity, never to override current repository state.
+- When linking to code in an inline comment, use a full GitHub blob URL with a full SHA and a line range, for example: https://github.com/anthropics/claude-code/blob/c21d3c10bc8e898b7ac1a2d745bdc9bc4e423afe/package.json#L10-L15
+  - Requires full git sha
+  - Do not use shell substitution in the URL
+  - Repo name must match the repo you're code reviewing
+  - Use `#L[start]-L[end]`
+  - Provide at least one line of context before and after when possible
+- If context checks fail or the PR is not reviewable, call `noop` with a brief explanation instead of exiting silently.

.github/workflows/shared/review.md

@@ -0,0 +1,74 @@
+---
+permissions:
+  contents: read
+  pull-requests: read
+  id-token: write
+engine:
+  id: claude
+  env:
+    ANTHROPIC_API_KEY: ${{ steps.esc-secrets.outputs.ANTHROPIC_API_KEY || '__GH_AW_ACTIVATION_PLACEHOLDER__' }}
+steps:
+  - env:
+      ESC_ACTION_ENVIRONMENT: imports/github-secrets
+      ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+      ESC_ACTION_OIDC_AUTH: "true"
+      ESC_ACTION_OIDC_ORGANIZATION: pulumi
+      ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+    id: esc-secrets
+    name: Fetch secrets from ESC
+    uses: pulumi/esc-action@6cf9520e68354d86f81c455e8d43eabd58f5c9f5  # v1.5.0
+  - name: Validate ESC secret output
+    env:
+      ANTHROPIC_API_KEY_FROM_ESC: ${{ steps.esc-secrets.outputs.ANTHROPIC_API_KEY }}
+    run: |
+      test -n "$ANTHROPIC_API_KEY_FROM_ESC" || {
+        echo "ESC did not return ANTHROPIC_API_KEY";
+        exit 1;
+      }
+tools:
+  cache-memory: true
+  github:
+    toolsets: [pull_requests, repos]
+safe-outputs:
+  threat-detection: false
+  create-pull-request-review-comment:
+    max: 12
+    side: "RIGHT"
+    target: "${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}"
+    target-repo: "${{ github.repository }}"
+  resolve-pull-request-review-thread:
+    max: 12
+    target: "${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}"
+    target-repo: "${{ github.repository }}"
+  submit-pull-request-review:
+    max: 1
+    allowed-events: [APPROVE, REQUEST_CHANGES, COMMENT]
+    target: "${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}"
+  noop:
+    max: 1
+  messages:
+    footer: "> Reviewed by [{workflow_name}]({run_url})"
+    run-started: "Started automated PR review for #${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}."
+    run-success: "Finished automated PR review for #${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}."
+    run-failure: "Automated PR review failed for #${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }} ({status})."
+---
+
+
+Review pull request #${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }} in repository `${{ github.repository }}`.
+
+Workflow-specific rules:
+- Use `${{ github.event.pull_request.number || github.event.inputs.pr_number || github.event.issue.number }}` as the authoritative PR target.
+- Treat the imported review prompt as the source of the review procedure.
+- Use only gh-aw safe outputs for side effects:
+  - `create-pull-request-review-comment` for actionable inline findings on changed lines
+  - `resolve-pull-request-review-thread` for previously reported bot-authored threads that are now fixed or clearly acknowledged
+  - `submit-pull-request-review` for the final review
+  - `noop` when the PR is not reviewable or required context is missing
+- Submit exactly one final review:
+  - `REQUEST_CHANGES` when at least one blocking issue exists.
+  - `APPROVE` otherwise, including when only non-blocking observations exist.
+  - Do not submit `COMMENT` as the final review state.
+- Do not post free-form issue comments outside safe outputs.
+- Respect the configured inline comment limit and prioritize the highest-signal unique findings.
+- Use cache-memory only as a best-effort continuity aid; live PR state and current review threads are authoritative.
+- Ignore discovery steps intended for runs without PR context.

.github/workflows/weekly-pulumi-update.yml

@@ -0,0 +1,115 @@
+# WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
+
+name: weekly-pulumi-update
+on:
+  schedule:
+  - cron: 35 12 * * 4
+  workflow_dispatch: {}
+env:
+  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+  PROVIDER: docker-build
+  TRAVIS_OS_NAME: linux
+  GOVERSION: "1.21.x"
+  NODEVERSION: "20.x"
+  PYTHONVERSION: "3.11.8"
+  DOTNETVERSION: "8.0.x"
+  JAVAVERSION: "11"
+  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
+  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
+  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
+  GOOGLE_PROJECT: pulumi-ci-gcp-provider
+  GOOGLE_PROJECT_NUMBER: "895284651812"
+  GOOGLE_REGION: us-central1
+  GOOGLE_ZONE: us-central1-a
+  PULUMI_API: https://api.pulumi-staging.io
+  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
+  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
+  TF_APPEND_USER_AGENT: pulumi
+
+jobs:
+  weekly-pulumi-update:
+    runs-on: ubuntu-latest
+    permissions: write-all
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+      with:
+        lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@bcd2ba49218906704ab6c1aa796996da409d3eb1 # v3.2.0
+      id: app-auth
+      with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
+      with:
+        github_token: ${{ steps.app-auth.outputs.token }}
+    - name: Update Pulumi/Pulumi
+      id: gomod
+      run: >-
+        git config --local user.email 'bot@pulumi.com'
+
+        git config --local user.name 'pulumi-bot'
+
+        git checkout -b update-pulumi/${{ github.run_id }}-${{ github.run_number }}
+
+        gh repo view pulumi/pulumi --json latestRelease --jq .latestRelease.tagName | sed 's/^v//' > .pulumi.version
+
+        VERSION=$(cat .pulumi.version) find . -name go.mod -execdir sh -c 'go get github.com/pulumi/pulumi/pkg/v3@v${VERSION} github.com/pulumi/pulumi/sdk/v3@v${VERSION}; go mod tidy' \;
+
+        git update-index -q --refresh
+
+        if ! git diff-files --quiet; then echo changes=1 >> "$GITHUB_OUTPUT"; fi
+    - name: Provider with Pulumi Upgrade
+      if: steps.gomod.outputs.changes != 0
+      run: >-
+        make codegen && make local_generate
+
+        git add sdk/nodejs
+
+        git commit -m "Regenerating Node.js SDK based on updated modules" || echo "ignore commit failure, may be empty"
+
+        git add sdk/python
+
+        git commit -m "Regenerating Python SDK based on updated modules" || echo "ignore commit failure, may be empty"
+
+        git add sdk/dotnet
+
+        git commit -m "Regenerating .NET SDK based on updated modules" || echo "ignore commit failure, may be empty"
+
+        git add sdk/go*
+
+        git commit -m "Regenerating Go SDK based on updated modules" || echo "ignore commit failure, may be empty"
+
+        git add sdk/java*
+
+        git commit -m "Regenerating Java SDK based on updated modules" || echo "ignore commit failure, may be empty"
+
+        git add .
+
+        git commit -m "Updated modules" || echo "ignore commit failure, may be empty"
+
+        git push origin update-pulumi/${{ github.run_id }}-${{ github.run_number }}
+    - name: Create PR
+      id: create-pr
+      if: steps.gomod.outputs.changes != 0
+      run: >
+        ver=$(cat .pulumi.version)
+
+        msg="Automated upgrade: bump pulumi/pulumi to ${ver}"
+
+        gh pr create -t "$msg" -b "$msg"
+      env:
+        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
+    name: weekly-pulumi-update

.gitignore

@@ -0,0 +1,22 @@
+/vendor/
+**/bin/
+**/obj/
+**/node_modules/
+**/.vs
+**/.idea
+**/.ionide
+**/.vscode
+*.swp
+.pulumi
+Pulumi.*.yaml
+yarn.lock
+ci-scripts
+nuget/
+coverage.txt
+
+
+sdk/dotnet/version.txt
+sdk/java/.gradle
+sdk/java/build/
+sdk/java/build.gradle
+sdk/python/venv

.gitmodules

@@ -0,0 +1,3 @@
+[submodule ".devcontainer"]
+	path = .devcontainer
+	url = https://github.com/pulumi/devcontainer

.golangci.yml

@@ -0,0 +1,53 @@
+# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
+
+version: "2"
+linters:
+  enable:
+    - goconst
+    - gosec
+    - lll
+    - misspell
+    - nakedret
+    - revive
+    - unconvert
+  exclusions:
+    generated: lax
+    presets:
+      - comments
+      - common-false-positives
+      - legacy
+      - std-error-handling
+    paths:
+      - schema.go
+      - pulumiManifest.go
+      - pkg/vendored
+      - third_party$
+      - builtin$
+      - examples$
+    rules:
+      - linters:
+          - revive
+        path: pkg/
+        text: "var-naming" # https://github.com/pulumi/ci-mgmt/issues/2100
+formatters:
+  enable:
+    - gci
+    - gofmt
+  settings:
+    gci:
+      sections:
+        - standard # Standard section: captures all standard library packages.
+        - blank # Blank section: contains all blank imports.
+        - default # Default section: contains all imports that could not be matched to another section type.
+        - prefix(github.com/pulumi/) # Custom section: groups all imports with the github.com/pulumi/ prefix.
+        - prefix(github.com/pulumi/pulumi-docker-build) # Custom section: local imports
+      custom-order: true
+  exclusions:
+    generated: lax
+    paths:
+      - schema.go
+      - pulumiManifest.go
+      - pkg/vendored
+      - third_party$
+      - builtin$
+      - examples$

.goreleaser.prerelease.yml

@@ -0,0 +1,57 @@
+# WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
+
+project_name: pulumi-docker-build
+builds:
+- id: build-provider
+  dir: provider
+  env:
+  - CGO_ENABLED=0
+  - GO111MODULE=on
+  goos:
+  - darwin
+  - linux
+  goarch:
+  - amd64
+  - arm64
+  ignore: &a1 []
+  main: ./cmd/pulumi-resource-docker-build/
+  ldflags: &a2
+    - -s
+    - -w
+    - -X
+      github.com/pulumi/pulumi-docker-build/provider/pkg/version.Version={{.Tag}}
+    - -X github.com/pulumi/pulumi-docker-build/provider.Version={{.Tag}}
+  binary: pulumi-resource-docker-build
+- id: build-provider-sign-windows
+  dir: provider
+  env:
+  - CGO_ENABLED=0
+  - GO111MODULE=on
+  goos:
+  - windows
+  goarch:
+  - amd64
+  - arm64
+  ignore: *a1
+  main: ./cmd/pulumi-resource-docker-build/
+  ldflags: *a2
+  binary: pulumi-resource-docker-build
+  hooks:
+    post:
+    - make sign-goreleaser-exe-{{ .Arch }}
+archives:
+- name_template: "{{ .Binary }}-{{ .Tag }}-{{ .Os }}-{{ .Arch }}"
+  id: archive
+snapshot:
+  name_template: "{{ .Tag }}-SNAPSHOT"
+changelog:
+  skip: true
+release:
+  disable: true
+blobs:
+- provider: s3
+  region: us-west-2
+  bucket: get.pulumi.com
+  folder: releases/plugins/
+  ids:
+  - archive

.goreleaser.yml

@@ -0,0 +1,56 @@
+# WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
+project_name: pulumi-docker-build
+builds:
+- id: build-provider
+  dir: provider
+  env:
+  - CGO_ENABLED=0
+  - GO111MODULE=on
+  goos:
+  - darwin
+  - linux
+  goarch:
+  - amd64
+  - arm64
+  ignore: &a1 []
+  main: ./cmd/pulumi-resource-docker-build/
+  ldflags: &a2
+    - -s
+    - -w
+    - -X
+      github.com/pulumi/pulumi-docker-build/provider/pkg/version.Version={{.Tag}}
+    - -X github.com/pulumi/pulumi-docker-build/provider.Version={{.Tag}}
+  binary: pulumi-resource-docker-build
+- id: build-provider-sign-windows
+  dir: provider
+  env:
+  - CGO_ENABLED=0
+  - GO111MODULE=on
+  goos:
+  - windows
+  goarch:
+  - amd64
+  - arm64
+  ignore: *a1
+  main: ./cmd/pulumi-resource-docker-build/
+  ldflags: *a2
+  binary: pulumi-resource-docker-build
+  hooks:
+    post:
+    - make sign-goreleaser-exe-{{ .Arch }}
+archives:
+- name_template: "{{ .Binary }}-{{ .Tag }}-{{ .Os }}-{{ .Arch }}"
+  id: archive
+snapshot:
+  name_template: "{{ .Tag }}-SNAPSHOT"
+changelog:
+  skip: true
+release:
+  disable: false
+blobs:
+- provider: s3
+  region: us-west-2
+  bucket: get.pulumi.com
+  folder: releases/plugins/
+  ids:
+  - archive

.pulumi.version

@@ -0,0 +1 @@
+3.239.0

CHANGELOG.md

@@ -0,0 +1,143 @@
+## Unreleased
+
+### Fixed
+
+- Fixes a regression where a 404 status code during deletion wasn't considered deleted. (https://github.com/pulumi/pulumi-docker-build/issues/849)
+
+## 0.0.15 (2025-10-17)
+
+### Changed
+
+- Arguments `CacheFromGitHubActions.URL` and `CacheFromGitHubActions.Token` have been removed. If the previous behaviour is desired, set the `ACTIONS_CACHE_URL` and `ACTIONS_RUNTIME_TOKEN` environment variables. (https://github.com/pulumi/pulumi-docker-build/issues/75)
+
+## 0.0.14 (2025-09-30)
+
+### Fixed
+
+- A warning is no longer emitted for the reserved `__internal` key. (https://github.com/pulumi/pulumi-docker-build/issues/579)
+
+## 0.0.13 (2025-08-27)
+
+### Changed
+
+- Docker Build Cloud and `exec` errors are more helpful. (https://github.com/pulumi/pulumi-docker-build/issues/549)
+
+### Fixed
+
+- The provider is no longer replaced on version changes. (https://github.com/pulumi/pulumi-docker-build/issues/581)
+
+## 0.0.12 (2025-05-16)
+
+### Changed
+
+- Upgraded pulumi-go-provider to v1.0.0-rc2.
+
+### Fixed
+
+- Builds now respect cancellation. (https://github.com/pulumi/pulumi-docker-build/issues/533, https://github.com/pulumi/pulumi-docker-build/pull/522)
+
+## 0.0.11 (2025-04-11)
+
+### Changed
+
+- Upgraded buildx from 0.18.0 to 0.20.1 to remain compatible with upcoming
+  changes to GitHub Actions. (https://github.com/pulumi/pulumi-docker-build/pull/519)
+
+### Fixed
+
+- Upgrading docker-build no longer causes resource replacements. (<https://github.com/pulumi/pulumi-docker-build/issues/404>)
+- Fixed a panic that could occur in `exec` mode. (https://github.com/pulumi/pulumi-docker-build/issues/482)
+- The default GitHub Actions cache scope is now correctly set as `buildkit`. (https://github.com/pulumi/pulumi-docker-build/issues/496)
+
+## 0.0.10 (2025-01-27)
+
+### Changed
+
+- Windows binaries are now signed. (https://github.com/pulumi/pulumi-docker-build/pull/429)
+
+## 0.0.9 (2025-01-16)
+
+### Changed
+
+- Upgraded pulumi-go-provider to v0.24.1. (https://github.com/pulumi/pulumi-docker-build/pull/413)
+
+### Fixed
+
+- `ACTIONS_RUNTIME_TOKEN` is now correctly marked as a secret. (https://github.com/pulumi/pulumi-docker-build/issues/403)
+
+## 0.0.8 (2024-12-10)
+
+### Added
+
+- Multiple exports are now allowed if the build daemon is detected to have
+  version 0.13 of Buildkit or newer.
+  (https://github.com/pulumi/pulumi-docker-build/issues/21)
+
+### Changed
+
+- Upgraded buildx from 0.16.0 to 0.18.0.
+
+### Fixed
+
+- Custom `# syntax=` directives no longer cause validation errors.
+  (https://github.com/pulumi/pulumi-docker-build/issues/300)
+
+## 0.0.7 (2024-10-16)
+
+### Fixed
+
+- Fixed an issue where registry authentication couldn't be specified on the
+  provider. (<https://github.com/pulumi/pulumi-docker-build/issues/262>)
+
+## 0.0.6 (2024-08-13)
+
+### Fixed
+
+- Refreshing an `Index` resource will no longer fail if its stored credentials
+  have expired. (<https://github.com/pulumi/pulumi-docker-build/pull/194>)
+
+### Changed
+
+- Local and tar exporters will now trigger an update if an export doesn't exist
+  at the expected path. (<https://github.com/pulumi/pulumi-docker-build/pull/195>)
+
+## 0.0.5 (2024-08-08)
+
+### Fixed
+
+- Fixed Go SDK publishing.
+
+### Changed
+
+- Upgraded docker from 27.0.3 to 27.1.0.
+
+## 0.0.4 (2024-07-15)
+
+### Changed
+
+- Upgraded buildkit from 0.13.0 to 0.15.0.
+- Upgraded buildx from 0.13.1. to 0.16.0.
+- Upgraded docker from 26.0.0-rc1 to 27.0.3.
+- Fixed an issue where warnings were not displayed correctly.
+
+## 0.0.3 (2024-05-31)
+
+### Fixed
+
+- Fixed the default value for `ACTIONS_CACHE_URL` when using GitHub action caching. (<https://github.com/pulumi/pulumi-docker-build/pull/80>)
+- Fixed Java SDK publishing. (<https://github.com/pulumi/pulumi-docker-build/pull/89>)
+- Fixed a panic that could occur when `context` was omitted. (<https://github.com/pulumi/pulumi-docker-build/pull/83>)
+
+### Changed
+
+- The provider will now wait for new builders to fully boot.
+
+## 0.0.2 (2024-04-25)
+
+### Fixed
+
+- Upgraded pulumi-go-provider to fix a panic during cancellation.
+
+## 0.0.1 (2024-04-23)
+
+Initial release.

CODE-OF-CONDUCT.md

@@ -0,0 +1,80 @@
+# Contributor Covenant Code of Conduct
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as
+contributors and maintainers pledge to making participation in our project and
+our community a harassment-free experience for everyone, regardless of age, body
+size, disability, ethnicity, gender identity and expression, level of experience,
+education, socio-economic status, nationality, personal appearance, race,
+religion, or sexual identity and orientation.
+
+## Our Standards
+
+Examples of behavior that contributes to creating a positive environment
+include:
+
+* Using welcoming and inclusive language
+* Being respectful of differing viewpoints and experiences
+* Gracefully accepting constructive criticism
+* Focusing on what is best for the community
+* Showing empathy towards other community members
+* Contribute in a positive and constructive way
+
+Examples of unacceptable behavior by participants include:
+
+* The use of sexualized language or imagery and unwelcome sexual attention or
+  advances
+* Trolling, insulting/derogatory comments, and personal or political attacks
+* Public or private harassment
+* Publishing others' private information, such as a physical or electronic
+  address, without explicit permission
+* Other conduct which could reasonably be considered inappropriate in a
+  professional setting
+  
+## Our Community Guidelines
+* Be clear and stay on topic. Communicating with strangers on the Internet can make it hard to convey or read tone, and sarcasm is frequently misunderstood. Try to use clear language, and think about how the other person will receive it.
+* Don’t cross-post the same thing in multiple GitHub Discussion topics or multiple Slack channels. This can make it difficult for people answering your questions and creates "scrollback spam".
+* Public discussion is preferred to private. Avoid using Slack DMs for questions, and instead share them in public Slack channels or GitHub Discussion threads. This allows a larger audience to both share their knowledge as well as learn from your question or issue. If you're having a problem, chances are someone else is having a similar problem. Learning in public is a community contribution.
+* Minimize notifications to other community members. Avoid tagging other community members in Slack messages or Discussion threads, unless you are replying to something specific. Community members are here to help each other, but are not "on call" for support, and we expect everyone to try to minimize "notification fatigue". If your issue is time-sensitive or critical, use methods like support@pulumi.com instead.
+
+## Our Responsibilities
+
+Project maintainers are responsible for clarifying the standards of acceptable
+behavior and are expected to take appropriate and fair corrective action in
+response to any instances of unacceptable behavior.
+
+Project maintainers have the right and responsibility to remove, edit, or
+reject comments, commits, code, wiki edits, issues, GitHub Discussions posts, 
+and other contributions that are not aligned to this Code of Conduct, or to ban 
+temporarily or permanently any contributor for other behaviors that they deem 
+inappropriate, threatening, offensive, or harmful.
+
+## Scope
+
+This Code of Conduct applies both within project spaces (including the Community Slack
+and GitHub Discussions forums) and in public spaces when an individual is representing the 
+project or its community. Examples of representing a project or community include 
+using an official project e-mail address, posting via an official social media account, 
+or acting as an appointed representative at an online or offline event. Representation 
+of a project may be further defined and clarified by project maintainers.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported by contacting the project team at code-of-conduct@pulumi.com. All
+complaints will be reviewed and investigated and will result in a response that
+is deemed necessary and appropriate to the circumstances. The project team is
+obligated to maintain confidentiality with regard to the reporter of an incident.
+Further details of specific enforcement policies may be posted separately.
+
+Project maintainers who do not follow or enforce the Code of Conduct in good
+faith may face temporary or permanent repercussions as determined by other
+members of the project's leadership.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 1.4,
+available at https://www.contributor-covenant.org/version/1/4/code-of-conduct.html
+
+[homepage]: https://www.contributor-covenant.org

Makefile

@@ -0,0 +1,315 @@
+PROJECT_NAME := Pulumi Docker Build Resource Provider
+
+PACK             := docker-build
+PACKDIR          := sdk
+PROJECT          := github.com/pulumi/pulumi-docker-build
+NODE_MODULE_NAME := @pulumi/docker-build
+NUGET_PKG_NAME   := Pulumi.DockerBuild
+
+PROVIDER         := pulumi-resource-${PACK}
+PROVIDER_PATH    := provider
+VERSION_PATH     := ${PROVIDER_PATH}.Version
+SCHEMA_PATH      := ${PROVIDER_PATH}/cmd/pulumi-resource-${PACK}/schema.json
+
+GOPATH			 := $(shell go env GOPATH)
+
+WORKING_DIR      := $(shell pwd)
+EXAMPLES_DIR     := ${WORKING_DIR}/examples/yaml
+TESTPARALLELISM  := 4
+
+PULUMI           := pulumi
+GOGLANGCILINT    := golangci-lint
+GOTEST           := go test
+
+# Override during CI using `make [TARGET] PROVIDER_VERSION=""` or by setting a PROVIDER_VERSION environment variable
+# Local & branch builds will just used this fixed default version unless specified
+PROVIDER_VERSION ?= 0.1.0-alpha.0+dev
+# Use this normalised version everywhere rather than the raw input to ensure consistency.
+VERSION_GENERIC = $(shell pulumictl convert-version --language generic --version "$(PROVIDER_VERSION)")
+
+export PULUMI_IGNORE_AMBIENT_PLUGINS = true
+export PULUMI_DISABLE_AUTOMATIC_PLUGIN_ACQUISITION = true
+
+.PHONY: ensure
+ensure:: tidy lint test_provider examples
+
+.PHONY: tidy
+tidy:
+	go mod tidy
+
+.PHONY: provider
+provider: bin/${PROVIDER} bin/pulumi-gen-${PACK} # Required by CI
+
+.PHONY: local_generate
+local_generate: sdk # Required by CI
+
+provider_debug::
+	(cd provider && go build -o $(WORKING_DIR)/bin/${PROVIDER} -gcflags="all=-N -l" -ldflags "-X ${PROJECT}/${VERSION_PATH}=${VERSION_GENERIC}" $(PROJECT)/${PROVIDER_PATH}/cmd/$(PROVIDER))
+
+test_provider:: # Required by CI
+	${GOTEST} -short -v -coverprofile="coverage.txt" -coverpkg=./provider/... -timeout 2h -parallel ${TESTPARALLELISM} ./provider/...
+
+test_examples: install_nodejs_sdk install_dotnet_sdk
+	${GOTEST} -short -v -cover -tags=all -timeout 2h -parallel ${TESTPARALLELISM} ./examples/...
+
+test_all:: test_provider test_examples
+
+.PHONY:
+gen_examples:
+
+examples: $(shell mkdir -p examples)
+examples: sdk examples/yaml examples/go examples/nodejs examples/python examples/dotnet examples/java examples/hcl
+
+examples/yaml:
+	rm -rf ${WORKING_DIR}/examples/yaml/app
+	cp -r ${WORKING_DIR}/examples/app ${WORKING_DIR}/examples/yaml/app
+
+examples/go: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+	$(call example,go)
+	@git checkout examples/go/go.mod
+
+examples/nodejs: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+	$(call example,nodejs)
+	@git checkout examples/nodejs/package.json
+
+examples/python: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+	$(call example,python)
+	@git checkout examples/python/requirements.txt
+
+examples/dotnet: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+	$(call example,dotnet)
+	@git checkout examples/dotnet/provider-docker-build.csproj
+
+examples/java: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+	$(call example,java)
+	@git checkout examples/java/pom.xml
+
+examples/hcl: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+	$(call example,hcl)
+
+define pulumi_login
+    export PULUMI_CONFIG_PASSPHRASE=asdfqwerty1234; \
+    pulumi login --local;
+endef
+
+define example
+	rm -rf ${WORKING_DIR}/examples/$(1)
+	pulumi convert \
+		--cwd ${WORKING_DIR}/examples/yaml \
+		--logtostderr \
+		--generate-only \
+		--non-interactive \
+		--language $(1) \
+		--out ${WORKING_DIR}/examples/$(1)
+	cp -r ${WORKING_DIR}/examples/app ${WORKING_DIR}/examples/$(1)/app
+	cp ${WORKING_DIR}/examples/yaml/.dockerignore ${WORKING_DIR}/examples/$(1)/.dockerignore
+endef
+
+up::
+	$(call pulumi_login) \
+	cd ${EXAMPLES_DIR} && \
+	pulumi stack init dev && \
+	pulumi stack select dev && \
+	pulumi config set name dev && \
+	pulumi up -y
+
+down::
+	$(call pulumi_login) \
+	cd ${EXAMPLES_DIR} && \
+	pulumi stack select dev && \
+	pulumi destroy -y && \
+	pulumi stack rm dev -y
+
+devcontainer::
+	git submodule update --init --recursive .devcontainer
+	git submodule update --remote --merge .devcontainer
+	cp -f .devcontainer/devcontainer.json .devcontainer.json
+
+.PHONY: build
+build:: provider sdk/dotnet sdk/go sdk/nodejs sdk/python sdk/java ${SCHEMA_PATH}
+
+# Required for the codegen action that runs in pulumi/pulumi
+only_build:: build
+
+.PHONY: lint
+lint:
+	${GOGLANGCILINT} run --fix -c .golangci.yml
+
+install:: install_nodejs_sdk install_dotnet_sdk
+	cp $(WORKING_DIR)/bin/${PROVIDER} ${GOPATH}/bin
+
+
+install_dotnet_sdk:: # Required by CI
+	rm -rf $(WORKING_DIR)/nuget/$(NUGET_PKG_NAME).*.nupkg
+	mkdir -p $(WORKING_DIR)/nuget
+	find . -name '*.nupkg' -print -exec cp -p {} ${WORKING_DIR}/nuget \;
+
+install_python_sdk:: # Required by CI
+
+install_go_sdk:: # Required by CI
+
+install_nodejs_sdk:: # Required by CI
+	-yarn unlink --cwd $(WORKING_DIR)/sdk/nodejs/bin
+	yarn link --cwd $(WORKING_DIR)/sdk/nodejs/bin
+
+.PHONY: codegen
+codegen: # Required by CI
+
+.PHONY: generate_schema
+generate_schema: ${SCHEMA_PATH} # Required by CI
+
+.PHONY: build_go install_go_sdk
+generate_go: sdk/go # Required by CI
+build_go: # Required by CI
+
+.PHONY: build_java install_java_sdk
+generate_java: sdk/java # Required by CI
+build_java: # Required by CI
+
+.PHONY: build_python install_python_sdk
+generate_python: sdk/python # Required by CI
+build_python: # Required by CI
+
+.PHONY: build_nodejs install_nodejs_sdk
+generate_nodejs: sdk/nodejs # Required by CI
+build_nodejs: # Required by CI
+
+.PHONY: build_dotnet install_dotnet_sdk
+generate_dotnet: sdk/dotnet # Required by CI
+build_dotnet: # Required by CI
+
+${SCHEMA_PATH}: bin/${PROVIDER}
+	pulumi package get-schema ./bin/${PROVIDER} | jq 'del(.version)' > $(SCHEMA_PATH)
+
+bin/${PROVIDER}: $(shell find ./provider -name '*.go') go.mod
+	(cd provider && go build -o ../bin/${PROVIDER} -ldflags "-X ${PROJECT}/${VERSION_PATH}=${VERSION_GENERIC}" $(PROJECT)/${PROVIDER_PATH}/cmd/$(PROVIDER))
+
+bin/pulumi-gen-${PACK}: # Required by CI
+	@mkdir -p bin
+	touch bin/pulumi-gen-${PACK}
+
+go.mod: $(shell find . -name '*.go')
+go.sum: go.mod
+
+sdk: $(shell mkdir -p sdk)
+sdk: sdk/python sdk/nodejs sdk/java sdk/python sdk/go sdk/dotnet
+
+# Folders can't be used for up-to-date checks as they will be marked as up-to-date even if the step fails - leading to a broken state.
+.PHONY: sdk/*
+
+sdk/python: TMPDIR := $(shell mktemp -d)
+sdk/python: bin/${PROVIDER}
+	rm -rf sdk/python
+	$(PULUMI) package gen-sdk ./bin/$(PROVIDER) --language python -o ${TMPDIR}
+	cp README.md ${TMPDIR}/python/
+	cd ${TMPDIR}/python/ && \
+		rm -rf ./bin/ ../python.bin/ && cp -R . ../python.bin && mv ../python.bin ./bin && \
+		python3 -m venv venv && \
+		./venv/bin/python -m pip install build && \
+		cd ./bin && \
+		../venv/bin/python -m build .
+	mv -f ${TMPDIR}/python ${WORKING_DIR}/sdk/.
+
+sdk/nodejs: TMPDIR := $(shell mktemp -d)
+sdk/nodejs: bin/${PROVIDER}
+	rm -rf sdk/nodejs
+	$(PULUMI) package gen-sdk ./bin/$(PROVIDER) --language nodejs -o ${TMPDIR}
+	cp README.md LICENSE ${TMPDIR}/nodejs
+	cd ${TMPDIR}/nodejs/ && \
+		yarn install && \
+		yarn run tsc && \
+		cp README.md LICENSE package.json yarn.lock bin/
+	mv -f ${TMPDIR}/nodejs ${WORKING_DIR}/sdk/.
+
+sdk/go: TMPDIR := $(shell mktemp -d)
+sdk/go: PATH := "$(WORKING_DIR)/bin:$(PATH)"
+sdk/go: bin/${PROVIDER}
+	rm -rf sdk/go
+	PATH=$(PATH) $(PULUMI) package gen-sdk ./bin/$(PROVIDER) --language go -o ${TMPDIR}
+	cp go.mod ${TMPDIR}/go/dockerbuild/go.mod
+	cd ${TMPDIR}/go/dockerbuild && \
+		go mod edit -module=github.com/pulumi/pulumi-${PACK}/${PACKDIR}/go/dockerbuild && \
+		go mod tidy
+	mv -f ${TMPDIR}/go ${WORKING_DIR}/sdk/go
+
+sdk/dotnet: TMPDIR := $(shell mktemp -d)
+sdk/dotnet: bin/${PROVIDER}
+	rm -rf sdk/dotnet
+	$(PULUMI) package gen-sdk ./bin/${PROVIDER} --language dotnet -o ${TMPDIR}
+	cd ${TMPDIR}/dotnet/ && \
+		echo "$(VERSION_GENERIC)" > version.txt && \
+		dotnet build
+	mv -f ${TMPDIR}/dotnet ${WORKING_DIR}/sdk/.
+
+sdk/java: PACKAGE_VERSION := $(shell pulumictl convert-version --language generic -v "$(VERSION_GENERIC)")
+sdk/java: TMPDIR := $(shell mktemp -d)
+sdk/java: bin/${PROVIDER}
+	rm -rf sdk/java
+	$(PULUMI) package gen-sdk --language java ./bin/${PROVIDER} -o ${TMPDIR}
+	cd ${TMPDIR}/java/ && gradle --console=plain build
+	mv -f ${TMPDIR}/java ${WORKING_DIR}/sdk/.
+
+docs: $(shell find docs/yaml -type f) $(shell find ./provider/internal/embed -name '*.md') ${SCHEMA_PATH}
+	go generate docs/generate.go
+	@touch docs
+
+# Set these variables to enable signing of the windows binary with Azure Trusted Signing.
+AZURE_SIGNING_CLIENT_ID ?=
+AZURE_SIGNING_CLIENT_SECRET ?=
+AZURE_SIGNING_TENANT_ID ?=
+AZURE_SIGNING_ACCOUNT_ENDPOINT ?=
+AZURE_SIGNING_ACCOUNT_NAME ?=
+AZURE_SIGNING_CERT_PROFILE_NAME ?=
+SKIP_SIGNING ?=
+
+bin/jsign-7.4.jar:
+	@mkdir -p bin
+	wget https://github.com/ebourg/jsign/releases/download/7.4/jsign-7.4.jar --output-document=bin/jsign-7.4.jar
+
+sign-goreleaser-exe-amd64: GORELEASER_ARCH := amd64_v1
+sign-goreleaser-exe-arm64: GORELEASER_ARCH := arm64
+
+# Set the shell to bash to allow for the use of bash syntax.
+sign-goreleaser-exe-%: SHELL:=/bin/bash
+sign-goreleaser-exe-%: bin/jsign-7.4.jar
+	@# Only sign windows binary if fully configured.
+	@# Test variables set by joining with | between and looking for || showing at least one variable is empty.
+	@# Move the binary to a temporary location and sign it there to avoid the target being up-to-date if signing fails.
+	@set -e; \
+	if [[ "${SKIP_SIGNING}" != "true" ]]; then \
+		if [[ "|${AZURE_SIGNING_CLIENT_ID}|${AZURE_SIGNING_CLIENT_SECRET}|${AZURE_SIGNING_TENANT_ID}|${AZURE_SIGNING_ACCOUNT_ENDPOINT}|${AZURE_SIGNING_ACCOUNT_NAME}|${AZURE_SIGNING_CERT_PROFILE_NAME}|" == *"||"* ]]; then \
+			echo "Can't sign windows binaries as required configuration not set: AZURE_SIGNING_CLIENT_ID, AZURE_SIGNING_CLIENT_SECRET, AZURE_SIGNING_TENANT_ID, AZURE_SIGNING_ACCOUNT_ENDPOINT, AZURE_SIGNING_ACCOUNT_NAME, AZURE_SIGNING_CERT_PROFILE_NAME"; \
+			echo "To rebuild with signing delete the unsigned windows exe file and rebuild with the fixed configuration"; \
+			if [[ "${CI}" == "true" ]]; then exit 1; fi; \
+		else \
+			file=dist/build-provider-sign-windows_windows_${GORELEASER_ARCH}/pulumi-resource-docker-build.exe; \
+			mv $${file} $${file}.unsigned; \
+			az login --service-principal \
+				--username "${AZURE_SIGNING_CLIENT_ID}" \
+				--password "${AZURE_SIGNING_CLIENT_SECRET}" \
+				--tenant "${AZURE_SIGNING_TENANT_ID}" \
+				--output none; \
+			ACCESS_TOKEN=$$(az account get-access-token --resource "https://codesigning.azure.net" | jq -r .accessToken); \
+			ENDPOINT_HOST="$${AZURE_SIGNING_ACCOUNT_ENDPOINT#https://}"; \
+			ENDPOINT_HOST="$${ENDPOINT_HOST#http://}"; \
+			ENDPOINT_HOST="$${ENDPOINT_HOST%/}"; \
+			java -jar bin/jsign-7.4.jar \
+				--storetype TRUSTEDSIGNING \
+				--keystore "$${ENDPOINT_HOST}" \
+				--storepass "$${ACCESS_TOKEN}" \
+				--alias "${AZURE_SIGNING_ACCOUNT_NAME}/${AZURE_SIGNING_CERT_PROFILE_NAME}" \
+				$${file}.unsigned; \
+			mv $${file}.unsigned $${file}; \
+			az logout; \
+		fi; \
+	fi
+
+# To make an immediately observable change to .ci-mgmt.yaml:
+#
+# - Edit .ci-mgmt.yaml
+# - Run make ci-mgmt to apply the change locally.
+#
+ci-mgmt: .ci-mgmt.yaml
+	go run github.com/pulumi/ci-mgmt/provider-ci@master generate
+.PHONY: ci-mgmt
+	fi

codecov.yml

@@ -0,0 +1,12 @@
+comment:
+  layout: "header, files, footer"
+  hide_project_coverage: false
+
+coverage:
+  status:
+    project:
+      default:
+        informational: true
+    patch:
+      default:
+        informational: true

docs/_index.md

@@ -0,0 +1,428 @@
+---
+title: Docker Build
+meta_desc: Provides an overview of the Docker Build Provider for Pulumi.
+layout: package
+---
+
+The Docker Build provider leverages [buildx and BuildKit](https://docs.docker.com/build/architecture/) to build modern Docker images with Pulumi.
+
+Not to be confused with the earlier
+[Docker](../docker) provider, which is still
+appropriate for managing resources unrelated to building images.
+
+| Provider               | Use cases                                                               |
+| ----------------       | ----------------------------------------------------------------------- |
+| `@pulumi/docker-build` | Anything related to building images with `docker build`.                |
+| `@pulumi/docker`       | Everything else -- including running containers and creating networks.  |
+
+## Example
+
+If your Pulumi program has a directory called `app` alongside it, containing a
+file named "Dockerfile" (which can be as simple as `FROM alpine` for the
+purpose of example), then the code below shows how to build a multi-platform
+image, publish it to a remote AWS ECR registry, and use an [inline
+cache](https://docs.docker.com/build/cache/backends/inline/) to speed up
+subsequent builds.
+
+{{< chooser language "typescript,python,csharp,go,yaml,java" >}}
+
+{{% choosable language typescript %}}
+
+```typescript
+import * as aws from "@pulumi/aws";
+import * as docker_build from "@pulumi/docker-build";
+
+// Create an ECR repository for pushing.
+const ecrRepository = new aws.ecr.Repository("ecr-repository", {});
+
+// Grab auth credentials for ECR.
+const authToken = aws.ecr.getAuthorizationTokenOutput({
+    registryId: ecrRepository.registryId,
+});
+
+// Build and push an image to ECR with inline caching.
+const myImage = new docker_build.Image("my-image", {
+    // Tag our image with our ECR repository's address.
+    tags: [pulumi.interpolate`${ecrRepository.repositoryUrl}:latest`],
+    context: {
+        location: "./app",
+    },
+    // Use the pushed image as a cache source.
+    cacheFrom: [{
+        registry: {
+            ref: pulumi.interpolate`${ecrRepository.repositoryUrl}:latest`,
+        },
+    }],
+    // Include an inline cache with our pushed image.
+    cacheTo: [{
+        inline: {},
+    }],
+    // Build a multi-platform image manifest for ARM and AMD.
+    platforms: [
+        "linux/amd64",
+        "linux/arm64",
+    ],
+    // Push the final result to ECR.
+    push: true,
+    // Provide our ECR credentials.
+    registries: [{
+        address: ecrRepository.repositoryUrl,
+        password: authToken.password,
+        username: authToken.userName,
+    }],
+});
+
+// Export a ref for the pushed images so we can deploy it.
+export const ref = myImage.ref;
+```
+
+{{% /choosable %}}
+
+{{% choosable language python %}}
+
+```python
+import pulumi
+import pulumi_aws as aws
+import pulumi_docker_build as docker_build
+
+# Create an ECR repository for pushing.
+ecr_repository = aws.ecr.Repository("ecr-repository")
+
+# Grab auth credentials for ECR.
+auth_token = aws.ecr.get_authorization_token_output(registry_id=ecr_repository.registry_id)
+
+# Build and push an image to ECR with inline caching.
+my_image = docker_build.Image("my-image",
+    # Tag our image with our ECR repository's address.
+    tags=[ecr_repository.repository_url.apply(lambda repository_url: f"{repository_url}:latest")],
+    context=docker_build.BuildContextArgs(
+        location="./app",
+    ),
+    # Use the pushed image as a cache source.
+    cache_from=[docker_build.CacheFromArgs(
+        registry=docker_build.CacheFromRegistryArgs(
+            ref=ecr_repository.repository_url.apply(lambda repository_url: f"{repository_url}:latest"),
+        ),
+    )],
+    # Include an inline cache with our pushed image.
+    cache_to=[docker_build.CacheToArgs(
+        inline=docker_build.CacheToInlineArgs(),
+    )],
+    # Build a multi-platform image manifest for ARM and AMD.
+    platforms=[
+        docker_build.Platform.LINUX_AMD64,
+        docker_build.Platform.LINUX_ARM64,
+    ],
+    # Push the final result to ECR.
+    push=True,
+    # Provide our ECR credentials.
+    registries=[docker_build.RegistryArgs(
+        address=ecr_repository.repository_url,
+        password=auth_token.password,
+        username=auth_token.user_name,
+    )],
+)
+
+# Export a ref for the pushed images so we can deploy it.
+pulumi.export("ref", my_image.ref)
+```
+
+{{% /choosable %}}
+
+{{% choosable language csharp %}}
+
+```csharp
+using System.Collections.Generic;
+using System.Linq;
+using Pulumi;
+using Aws = Pulumi.Aws;
+using DockerBuild = Pulumi.DockerBuild;
+
+return await Deployment.RunAsync(() =>
+{
+    // Create an ECR repository for pushing.
+    var ecrRepository = new Aws.Ecr.Repository("ecr-repository");
+
+    // Grab auth credentials for ECR.
+    var authToken = Aws.Ecr.GetAuthorizationToken.Invoke(new()
+    {
+        RegistryId = ecrRepository.RegistryId,
+    });
+
+    // Build and push an image to ECR with inline caching.
+    var myImage = new DockerBuild.Image("my-image", new()
+    {
+        // Tag our image with our ECR repository's address.
+        Tags = new[]
+        {
+            ecrRepository.RepositoryUrl.Apply(repositoryUrl => $"{repositoryUrl}:latest"),
+        },
+        Context = new DockerBuild.Inputs.BuildContextArgs
+        {
+            Location = "./app",
+        },
+        // Use the pushed image as a cache source.
+        CacheFrom = new[]
+        {
+            new DockerBuild.Inputs.CacheFromArgs
+            {
+                Registry = new DockerBuild.Inputs.CacheFromRegistryArgs
+                {
+                    Ref = ecrRepository.RepositoryUrl.Apply(repositoryUrl => $"{repositoryUrl}:latest"),
+                },
+            },
+        },
+        // Include an inline cache with our pushed image.
+        CacheTo = new[]
+        {
+            new DockerBuild.Inputs.CacheToArgs
+            {
+                Inline = null,
+            },
+        },
+        // Build a multi-platform image manifest for ARM and AMD.
+        Platforms = new[]
+        {
+            DockerBuild.Platform.Linux_amd64,
+            DockerBuild.Platform.Linux_arm64,
+        },
+        // Push the final result to ECR.
+        Push = true,
+        // Provide our ECR credentials.
+        Registries = new[]
+        {
+            new DockerBuild.Inputs.RegistryArgs
+            {
+                Address = ecrRepository.RepositoryUrl,
+                Password = authToken.Apply(getAuthorizationTokenResult => getAuthorizationTokenResult.Password),
+                Username = authToken.Apply(getAuthorizationTokenResult => getAuthorizationTokenResult.UserName),
+            },
+        },
+    });
+
+    // Export a ref for the pushed images so we can deploy it.
+    return new Dictionary<string, object?>
+    {
+        ["ref"] = myImage.Ref,
+    };
+});
+
+```
+
+{{% /choosable %}}
+
+{{% choosable language go %}}
+
+```go
+package main
+
+import (
+    "fmt"
+
+    "github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ecr"
+    "github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild"
+    "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
+)
+
+func main() {
+    pulumi.Run(func(ctx *pulumi.Context) error {
+        // Create an ECR repository for pushing.
+        ecrRepository, err := ecr.NewRepository(ctx, "ecr-repository", nil)
+        if err != nil {
+            return err
+        }
+
+        // Grab auth credentials for ECR.
+        authToken := ecr.GetAuthorizationTokenOutput(ctx, ecr.GetAuthorizationTokenOutputArgs{
+            RegistryId: ecrRepository.RegistryId,
+        }, nil)
+
+        // Build and push an image to ECR with inline caching.
+        myImage, err := dockerbuild.NewImage(ctx, "my-image", &dockerbuild.ImageArgs{
+            // Tag our image with our ECR repository's address.
+            Tags: pulumi.StringArray{
+                ecrRepository.RepositoryUrl.ApplyT(func(repositoryUrl string) (string, error) {
+                    return fmt.Sprintf("%v:latest", repositoryUrl), nil
+                }).(pulumi.StringOutput),
+            },
+            Context: &dockerbuild.BuildContextArgs{
+                Location: pulumi.String("./app"),
+            },
+            // Use the pushed image as a cache source.
+            CacheFrom: dockerbuild.CacheFromArray{
+                &dockerbuild.CacheFromArgs{
+                    Registry: &dockerbuild.CacheFromRegistryArgs{
+                        Ref: ecrRepository.RepositoryUrl.ApplyT(func(repositoryUrl string) (string, error) {
+                            return fmt.Sprintf("%v:latest", repositoryUrl), nil
+                        }).(pulumi.StringOutput),
+                    },
+                },
+            },
+            // Include an inline cache with our pushed image.
+            CacheTo: dockerbuild.CacheToArray{
+                &dockerbuild.CacheToArgs{
+                    Inline: nil,
+                },
+            },
+            // Build a multi-platform image manifest for ARM and AMD.
+            Platforms: dockerbuild.PlatformArray{
+                dockerbuild.Platform_Linux_amd64,
+                dockerbuild.Platform_Linux_arm64,
+            },
+            // Push the final result to ECR.
+            Push: pulumi.Bool(true),
+            // Provide our ECR credentials.
+            Registries: dockerbuild.RegistryArray{
+                &dockerbuild.RegistryArgs{
+                    Address: ecrRepository.RepositoryUrl,
+                    Password: authToken.ApplyT(func(authToken ecr.GetAuthorizationTokenResult) (*string, error) {
+                        return &authToken.Password, nil
+                    }).(pulumi.StringPtrOutput),
+                    Username: authToken.ApplyT(func(authToken ecr.GetAuthorizationTokenResult) (*string, error) {
+                        return &authToken.UserName, nil
+                    }).(pulumi.StringPtrOutput),
+                },
+            },
+        })
+        if err != nil {
+            return err
+        }
+
+        // Export a ref for the pushed images so we can deploy it.
+        ctx.Export("ref", myImage.Ref)
+        return nil
+    })
+}
+```
+
+{{% /choosable %}}
+
+{{% choosable language yaml %}}
+
+```yaml
+description: Push to AWS ECR with caching
+name: ecr
+outputs:
+    ref: ${my-image.ref}
+resources:
+    # Create an ECR repository for pushing.
+    ecr-repository:
+        type: aws:ecr:Repository
+
+    # Build and push an image to ECR with inline caching.
+    my-image:
+        type: docker-build:Image
+        properties:
+            # Tag our image with our ECR repository's address.
+            tags:
+                - ${ecr-repository.repositoryUrl}:latest
+            context:
+                location: ./app
+            # Use the pushed image as a cache source.
+            cacheFrom:
+                - registry:
+                    ref: ${ecr-repository.repositoryUrl}:latest
+            # Include an inline cache with our pushed image.
+            cacheTo:
+                - inline: {}
+            # Build a multi-platform image manifest for ARM and AMD.
+            platforms:
+                - linux/amd64
+                - linux/arm64
+            # Push the final result to ECR.
+            push: true
+            # Provide our ECR credentials.
+            registries:
+                - address: ${ecr-repository.repositoryUrl}
+                  password: ${auth-token.password}
+                  username: ${auth-token.userName}
+
+runtime: yaml
+variables:
+    auth-token:
+        # Grab auth credentials for ECR.
+        fn::aws:ecr:getAuthorizationToken:
+            registryId: ${ecr-repository.registryId}
+```
+
+{{% /choosable %}}
+
+{{% choosable language java %}}
+
+```java
+package myapp;
+
+import com.pulumi.Context;
+import com.pulumi.Pulumi;
+import com.pulumi.core.Output;
+import com.pulumi.aws.ecr.Repository;
+import com.pulumi.aws.ecr.EcrFunctions;
+import com.pulumi.aws.ecr.inputs.GetAuthorizationTokenArgs;
+import com.pulumi.dockerbuild.Image;
+import com.pulumi.dockerbuild.ImageArgs;
+import com.pulumi.dockerbuild.inputs.CacheFromArgs;
+import com.pulumi.dockerbuild.inputs.CacheFromRegistryArgs;
+import com.pulumi.dockerbuild.inputs.CacheToArgs;
+import com.pulumi.dockerbuild.inputs.CacheToInlineArgs;
+import com.pulumi.dockerbuild.inputs.BuildContextArgs;
+import com.pulumi.dockerbuild.inputs.RegistryArgs;
+import java.util.List;
+import java.util.ArrayList;
+import java.util.Map;
+import java.io.File;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+
+public class App {
+    public static void main(String[] args) {
+        Pulumi.run(App::stack);
+    }
+
+    public static void stack(Context ctx) {
+        // Create an ECR repository for pushing.
+        var ecrRepository = new Repository("ecrRepository");
+
+        // Grab auth credentials for ECR.
+        final var authToken = EcrFunctions.getAuthorizationToken(GetAuthorizationTokenArgs.builder()
+            .registryId(ecrRepository.registryId())
+            .build());
+
+        // Build and push an image to ECR with inline caching.
+        var myImage = new Image("myImage", ImageArgs.builder()
+            // Tag our image with our ECR repository's address.
+            .tags(ecrRepository.repositoryUrl().applyValue(repositoryUrl -> String.format("%s:latest", repositoryUrl)))
+            .context(BuildContextArgs.builder()
+                .location("./app")
+                .build())
+            // Use the pushed image as a cache source.
+            .cacheFrom(CacheFromArgs.builder()
+                .registry(CacheFromRegistryArgs.builder()
+                    .ref(ecrRepository.repositoryUrl().applyValue(repositoryUrl -> String.format("%s:latest", repositoryUrl)))
+                    .build())
+                .build())
+            // Include an inline cache with our pushed image.
+            .cacheTo(CacheToArgs.builder()
+                .inline()
+                .build())
+            // Build a multi-platform image manifest for ARM and AMD.
+            .platforms(
+                "linux/amd64",
+                "linux/arm64")
+            // Push the final result to ECR.
+            .push(true)
+            // Provide our ECR credentials.
+            .registries(RegistryArgs.builder()
+                .address(ecrRepository.repositoryUrl())
+                .password(authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult).applyValue(authToken -> authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult.password())))
+                .username(authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult).applyValue(authToken -> authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult.userName())))
+                .build())
+            .build());
+
+        ctx.export("ref", myImage.ref());
+    }
+}
+```
+
+{{% /choosable %}}
+
+{{< /chooser >}}

docs/generate.go

@@ -0,0 +1,224 @@
+// Copyright 2024, Pulumi Corporation.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+//go:generate go run generate.go yaml ../provider/internal/embed
+
+// Package main ingests a multi-document YAML file and converts it into
+// Markdown examples.
+package main
+
+import (
+	"fmt"
+	"io"
+	"log"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+
+	"gopkg.in/yaml.v3"
+
+	"github.com/pulumi/pulumi/sdk/v3/go/common/util/contract"
+)
+
+func main() {
+	if len(os.Args) < 3 {
+		_, _ = fmt.Fprintf(os.Stdout, "Usage: %s <yaml source dir path> <markdown destination path>\n", os.Args[0])
+		os.Exit(1)
+	}
+	yamlPath := os.Args[1]
+	mdPath := os.Args[2]
+
+	if !filepath.IsAbs(yamlPath) {
+		cwd, err := os.Getwd()
+		contract.AssertNoErrorf(err, "getting working directory")
+		yamlPath = filepath.Join(cwd, yamlPath)
+	}
+
+	if err := os.MkdirAll(mdPath, 0o750); err != nil {
+		panic(err)
+	}
+	fileInfo, err := os.Lstat(mdPath)
+	if err != nil || !fileInfo.IsDir() {
+		fmt.Fprintf(os.Stderr, "Expect markdown destination %q to be a directory\n", mdPath)
+		os.Exit(1)
+	}
+
+	yamlFiles, err := os.ReadDir(yamlPath)
+	if err != nil {
+		panic(err)
+	}
+	for _, yamlFile := range yamlFiles {
+		if err := processYaml(filepath.Join(yamlPath, yamlFile.Name()), mdPath); err != nil {
+			log.Fatal(fmt.Errorf("processing %q: %w", yamlFile.Name(), err))
+		}
+	}
+}
+
+func markdownExamples(examples []string) string {
+	s := "{{% examples %}}\n## Example Usage\n"
+	for _, example := range examples {
+		s += example
+	}
+	s += "{{% /examples %}}"
+	return s
+}
+
+func markdownExample(description string,
+	typescript string,
+	python string,
+	csharp string,
+	golang string,
+	yaml string,
+	hcl string,
+	java string,
+) string {
+	return fmt.Sprintf("{{%% example %%}}\n### %s\n\n"+
+		"```typescript\n%s```\n"+
+		"```python\n%s```\n"+
+		"```csharp\n%s```\n"+
+		"```go\n%s```\n"+
+		"```yaml\n%s```\n"+
+		"```hcl\n%s```\n"+
+		"```java\n%s```\n"+
+		"{{%% /example %%}}\n",
+		description, typescript, python, csharp, golang, yaml, hcl, java)
+}
+
+func convert(language, tempDir, programFile string) (string, error) {
+	exampleDir := filepath.Join(tempDir, "example"+language)
+	//nolint:gosec // No user-provided input.
+	cmd := exec.Command(
+		"pulumi",
+		"convert",
+		"--language",
+		language,
+		"--out",
+		filepath.Clean(filepath.Join(tempDir, exampleDir)),
+		"--generate-only",
+	)
+
+	cmd.Stderr = os.Stderr
+	cmd.Stdout = os.Stdout
+	cmd.Dir = tempDir
+	if err := cmd.Run(); err != nil {
+		return "", fmt.Errorf("converting: %w", err)
+	}
+	content, err := os.ReadFile(filepath.Clean(filepath.Join(tempDir, exampleDir, programFile)))
+	if err != nil {
+		return "", fmt.Errorf("reading: %w", err)
+	}
+
+	return string(content), nil
+}
+
+func processYaml(path, mdDir string) error {
+	yamlFile, err := os.Open(filepath.Clean(path))
+	if err != nil {
+		return err
+	}
+
+	base := filepath.Base(path)
+	md := strings.NewReplacer(".yaml", ".md", ".yml", ".md").Replace(base)
+
+	defer contract.IgnoreClose(yamlFile)
+	decoder := yaml.NewDecoder(yamlFile)
+	exampleStrings := []string{}
+	for {
+		keepGoing, err := func() (bool, error) {
+			example := map[string]interface{}{}
+			err := decoder.Decode(&example)
+			if err == io.EOF {
+				return false, nil
+			}
+
+			description, ok := example["description"].(string)
+			if !ok {
+				description = ""
+			}
+			dir, err := os.MkdirTemp("", "")
+			if err != nil {
+				return false, err
+			}
+
+			defer func() {
+				contract.IgnoreError(os.RemoveAll(dir))
+			}()
+
+			src, err := os.OpenFile(filepath.Clean(filepath.Join(dir, "Pulumi.yaml")), os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o600)
+			if err != nil {
+				return false, err
+			}
+
+			fmt.Println("Converting:", example)
+
+			if err := yaml.NewEncoder(src).Encode(example); err != nil {
+				return false, err
+			}
+			contract.AssertNoErrorf(src.Close(), "closing")
+
+			typescript, err := convert("typescript", dir, "index.ts")
+			if err != nil {
+				return false, err
+			}
+			python, err := convert("python", dir, "__main__.py")
+			if err != nil {
+				return false, err
+			}
+			csharp, err := convert("csharp", dir, "Program.cs")
+			if err != nil {
+				return false, err
+			}
+			golang, err := convert("go", dir, "main.go")
+			if err != nil {
+				return false, err
+			}
+			java, err := convert("java", dir, "src/main/java/generated_program/App.java")
+			if err != nil {
+				return false, err
+			}
+			hcl, err := convert("hcl", dir, "program.hcl")
+			if err != nil {
+				return false, err
+			}
+
+			yamlContent, err := os.ReadFile(filepath.Clean(filepath.Join(dir, "Pulumi.yaml")))
+			if err != nil {
+				return false, err
+			}
+			yaml := string(yamlContent)
+
+			exampleStrings = append(exampleStrings, markdownExample(
+				description, typescript, python, csharp, golang, yaml, hcl, java,
+			))
+
+			return true, nil
+		}()
+		if err != nil {
+			return err
+		}
+		if !keepGoing {
+			break
+		}
+	}
+	_, _ = fmt.Fprintf(os.Stdout, "Writing %s\n", filepath.Join(mdDir, md))
+	f, err := os.OpenFile(filepath.Clean(filepath.Join(mdDir, md)), os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0o600)
+	if err != nil {
+		return err
+	}
+	defer contract.IgnoreClose(f)
+	_, err = f.WriteString(markdownExamples(exampleStrings))
+	contract.AssertNoErrorf(err, "writing examples")
+	return nil
+}

docs/installation-configuration.md

@@ -0,0 +1,33 @@
+---
+title: Docker-Build Installation & Configuration
+meta_desc: Provides an overview on how to configure the Pulumi Docker-Build Provider.
+layout: package
+---
+
+The Pulumi Docker-build provider builds modern Docker images with [buildx](https://docs.docker.com/reference/cli/docker/buildx/) and [BuildKit](https://docs.docker.com/build/buildkit/).
+
+## Installation
+
+The Docker-Build provider is available as a package in all Pulumi languages:
+
+* JavaScript/TypeScript: [`@pulumi/docker-build`](https://www.npmjs.com/package/@pulumi/docker-build)
+* Python: [`pulumi-docker-build`](https://pypi.org/project/pulumi-docker-build/)
+* Go: [`github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild`](https://github.com/pulumi/pulumi-docker-build)
+* .NET: [`Pulumi.DockerBuild`](https://www.nuget.org/packages/Pulumi.DockerBuild)
+* Java: [`com.pulumi/docker-build`](https://central.sonatype.com/artifact/com.pulumi/docker-build)
+
+## Configuring The Provider
+
+### Host
+
+The `DOCKER_HOST` environment variable can be used to specify a custom build daemon's location.
+
+```bash
+$ export DOCKER_HOST=tcp://127.0.0.1:2376/
+```
+
+This can also be specified in your stack's configuration:
+
+```bash
+$ pulumi config set docker-build:host tcp://127.0.0.1:2376/
+```

docs/yaml/image-examples.yaml

@@ -0,0 +1,190 @@
+name: ecr
+description: Push to AWS ECR with caching
+outputs:
+  ref: ${my-image.ref}
+resources:
+  ecr-repository:
+    type: aws:ecr:Repository
+  my-image:
+    type: docker-build:Image
+    properties:
+      tags:
+        - ${ecr-repository.repositoryUrl}:latest
+      push: true
+      context:
+        location: ./app
+      cacheFrom:
+        - registry:
+            ref: ${ecr-repository.repositoryUrl}:cache
+      cacheTo:
+        - registry:
+            ref: ${ecr-repository.repositoryUrl}:cache
+            imageManifest: true
+            ociMediaTypes: true
+      registries:
+        - username: ${auth-token.userName}
+          password: ${auth-token.password}
+          address: ${ecr-repository.repositoryUrl}
+runtime: yaml
+variables:
+  auth-token:
+    fn::aws:ecr:getAuthorizationToken:
+      registryId: ${ecr-repository.registryId}
+---
+name: multi-platform
+runtime: yaml
+description: Multi-platform image
+resources:
+  image:
+    type: docker-build:Image
+    properties:
+      context:
+        location: "app"
+      platforms:
+        - plan9/amd64
+        - plan9/386
+      push: false
+---
+name: registry
+runtime: yaml
+description: Registry export
+resources:
+  image:
+    type: docker-build:Image
+    properties:
+      tags:
+        - "docker.io/pulumi/pulumi:3.107.0"
+      context:
+        location: "app"
+      push: true
+      registries:
+        - address: docker.io
+          username: pulumibot
+          password: ${dockerHubPassword}
+outputs:
+  ref: ${image.ref}
+---
+name: caching
+runtime: yaml
+description: Caching
+resources:
+  image:
+    type: docker-build:Image
+    properties:
+      context:
+        location: "app"
+      cacheTo:
+        - local:
+            dest: tmp/cache
+            mode: max
+      cacheFrom:
+        - local:
+            src: tmp/cache
+      push: false
+---
+name: dbc
+runtime: yaml
+description: Docker Build Cloud
+resources:
+  image:
+    type: docker-build:Image
+    properties:
+      context:
+        location: "app"
+      exec: true
+      builder:
+        name: cloud-builder-name
+      push: false
+---
+name: build-args
+runtime: yaml
+description: Build arguments
+resources:
+  image:
+    type: docker-build:Image
+    properties:
+      context:
+        location: "app"
+      buildArgs:
+        SET_ME_TO_TRUE: "true"
+      push: false
+---
+name: build-target
+runtime: yaml
+description: Build target
+resources:
+  image:
+    type: docker-build:Image
+    properties:
+      context:
+        location: "app"
+      target: "build-me"
+      push: false
+---
+name: named-contexts
+runtime: yaml
+description: Named contexts
+resources:
+  image:
+    type: docker-build:Image
+    properties:
+      context:
+        location: app
+        named:
+          "golang:latest":
+            location: "docker-image://golang@sha256:b8e62cf593cdaff36efd90aa3a37de268e6781a2e68c6610940c48f7cdf36984"
+      push: false
+---
+name: remote-context
+runtime: yaml
+description: Remote context
+resources:
+  image:
+    type: docker-build:Image
+    properties:
+      context:
+        location: "https://raw.githubusercontent.com/pulumi/pulumi-docker/api-types/provider/testdata/Dockerfile"
+      push: false
+
+---
+name: inline
+runtime: yaml
+description: Inline Dockerfile
+resources:
+  image:
+    type: docker-build:Image
+    properties:
+      dockerfile:
+        inline: |
+          FROM busybox
+          COPY hello.c ./
+      context:
+        location: "app"
+      push: false
+---
+name: remote-context
+runtime: yaml
+description: Remote context
+resources:
+  image:
+    type: docker-build:Image
+    properties:
+      dockerfile:
+        location: app/Dockerfile
+      context:
+        location: "https://github.com/docker-library/hello-world.git"
+      push: false
+---
+name: docker-load
+runtime: yaml
+description: Local export
+resources:
+  image:
+    type: docker-build:Image
+    properties:
+      context:
+        location: "app"
+      exports:
+        - docker:
+            tar: true
+      push: false

docs/yaml/index-examples.yaml

@@ -0,0 +1,48 @@
+name: registry-caching
+description: Multi-platform registry caching
+runtime: yaml
+resources:
+  arm64:
+    type: docker-build:Image
+    properties:
+      context:
+        location: "app"
+      platforms:
+        - linux/arm64
+      tags:
+        - "docker.io/pulumi/pulumi:3.107.0-arm64"
+      cacheTo:
+        - registry:
+            ref: "docker.io/pulumi/pulumi:cache-arm64"
+            mode: max
+      cacheFrom:
+        - registry:
+            ref: "docker.io/pulumi/pulumi:cache-arm64"
+
+  amd64:
+    type: docker-build:Image
+    properties:
+      context:
+        location: "app"
+      platforms:
+        - linux/amd64
+      tags:
+        - "docker.io/pulumi/pulumi:3.107.0-amd64"
+      cacheTo:
+        - registry:
+            ref: "docker.io/pulumi/pulumi:cache-amd64"
+            mode: max
+      cacheFrom:
+        - registry:
+            ref: "docker.io/pulumi/pulumi:cache-amd64"
+
+  index:
+    type: docker-build:Index
+    properties:
+      tag: "docker.io/pulumi/pulumi:3.107.0"
+      sources:
+        - ${amd64.ref}
+        - ${arm64.ref}
+
+outputs:
+  ref: ${index.ref}

examples/app/Dockerfile

@@ -0,0 +1,2 @@
+FROM alpine
+RUN echo 👍

examples/app/Dockerfile.buildArgs

@@ -0,0 +1,5 @@
+FROM alpine
+
+ARG SET_ME_TO_TRUE
+RUN [ "$SET_ME_TO_TRUE" = "true" ]
+RUN echo "That's the correct build arg, thanks! 👍"

examples/app/Dockerfile.emptyContext

@@ -0,0 +1,2 @@
+FROM alpine
+RUN echo "This image doesn't use any local files, so it doesn't need a context parameter 👍"

examples/app/Dockerfile.extraHosts

@@ -0,0 +1,3 @@
+FROM bash AS base
+
+RUN getent hosts metadata.google.internal

examples/app/Dockerfile.multiPlatform

@@ -0,0 +1,7 @@
+FROM --platform=$BUILDPLATFORM alpine as build
+RUN echo ${BUILDPLATFORM} > buildplatform
+RUN echo ${TARGETPLATFORM} > targetplatform
+
+FROM build
+RUN cat buildplatform
+RUN cat targetplatform

examples/app/Dockerfile.namedContexts

@@ -0,0 +1,5 @@
+# syntax=docker/dockerfile:1.4
+FROM golang:latest
+
+RUN version="$(go version)" && echo $version && [ "$version" = "go version go1.21.7 linux/amd64" ]
+RUN echo "This image uses named contexts to pin golang:latest to a specific SHA 👍"

examples/app/Dockerfile.secrets

@@ -0,0 +1,4 @@
+FROM alpine
+
+RUN --mount=type=secret,id=password [ "$(cat /run/secrets/password)" = "hunter2" ]
+

examples/app/Dockerfile.sshMount

@@ -0,0 +1,5 @@
+FROM alpine
+
+RUN apk add openssh-client
+
+RUN --mount=type=ssh ssh-add -l

examples/app/Dockerfile.target

@@ -0,0 +1,8 @@
+FROM alpine as build-me
+RUN echo 👍
+
+FROM build-me as also-build-me
+RUN echo 🤙
+
+FROM build-me as dont-build-me
+RUN [ "true" = "false" ]

examples/dotnet/.dockerignore

@@ -0,0 +1,2 @@
+command-output
+tmp

examples/dotnet/.gitignore

@@ -0,0 +1,353 @@
+## Ignore Visual Studio temporary files, build results, and
+## files generated by popular Visual Studio add-ons.
+##
+## Get latest from https://github.com/github/gitignore/blob/master/VisualStudio.gitignore
+
+# User-specific files
+*.rsuser
+*.suo
+*.user
+*.userosscache
+*.sln.docstates
+
+# User-specific files (MonoDevelop/Xamarin Studio)
+*.userprefs
+
+# Mono auto generated files
+mono_crash.*
+
+# Build results
+[Dd]ebug/
+[Dd]ebugPublic/
+[Rr]elease/
+[Rr]eleases/
+x64/
+x86/
+[Aa][Rr][Mm]/
+[Aa][Rr][Mm]64/
+bld/
+[Bb]in/
+[Oo]bj/
+[Ll]og/
+[Ll]ogs/
+
+# Visual Studio 2015/2017 cache/options directory
+.vs/
+# Uncomment if you have tasks that create the project's static files in wwwroot
+#wwwroot/
+
+# Visual Studio 2017 auto generated files
+Generated\ Files/
+
+# MSTest test Results
+[Tt]est[Rr]esult*/
+[Bb]uild[Ll]og.*
+
+# NUnit
+*.VisualState.xml
+TestResult.xml
+nunit-*.xml
+
+# Build Results of an ATL Project
+[Dd]ebugPS/
+[Rr]eleasePS/
+dlldata.c
+
+# Benchmark Results
+BenchmarkDotNet.Artifacts/
+
+# .NET Core
+project.lock.json
+project.fragment.lock.json
+artifacts/
+
+# StyleCop
+StyleCopReport.xml
+
+# Files built by Visual Studio
+*_i.c
+*_p.c
+*_h.h
+*.ilk
+*.meta
+*.obj
+*.iobj
+*.pch
+*.pdb
+*.ipdb
+*.pgc
+*.pgd
+*.rsp
+*.sbr
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*_wpftmp.csproj
+*.log
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.svclog
+*.scc
+
+# Chutzpah Test files
+_Chutzpah*
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opendb
+*.opensdf
+*.sdf
+*.cachefile
+*.VC.db
+*.VC.VC.opendb
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+*.sap
+
+# Visual Studio Trace Files
+*.e2e
+
+# TFS 2012 Local Workspace
+$tf/
+
+# Guidance Automation Toolkit
+*.gpState
+
+# ReSharper is a .NET coding add-in
+_ReSharper*/
+*.[Rr]e[Ss]harper
+*.DotSettings.user
+
+# JustCode is a .NET coding add-in
+.JustCode
+
+# TeamCity is a build add-in
+_TeamCity*
+
+# DotCover is a Code Coverage Tool
+*.dotCover
+
+# AxoCover is a Code Coverage Tool
+.axoCover/*
+!.axoCover/settings.json
+
+# Visual Studio code coverage results
+*.coverage
+*.coveragexml
+
+# NCrunch
+_NCrunch_*
+.*crunch*.local.xml
+nCrunchTemp_*
+
+# MightyMoose
+*.mm.*
+AutoTest.Net/
+
+# Web workbench (sass)
+.sass-cache/
+
+# Installshield output folder
+[Ee]xpress/
+
+# DocProject is a documentation generator add-in
+DocProject/buildhelp/
+DocProject/Help/*.HxT
+DocProject/Help/*.HxC
+DocProject/Help/*.hhc
+DocProject/Help/*.hhk
+DocProject/Help/*.hhp
+DocProject/Help/Html2
+DocProject/Help/html
+
+# Click-Once directory
+publish/
+
+# Publish Web Output
+*.[Pp]ublish.xml
+*.azurePubxml
+# Note: Comment the next line if you want to checkin your web deploy settings,
+# but database connection strings (with potential passwords) will be unencrypted
+*.pubxml
+*.publishproj
+
+# Microsoft Azure Web App publish settings. Comment the next line if you want to
+# checkin your Azure Web App publish settings, but sensitive information contained
+# in these scripts will be unencrypted
+PublishScripts/
+
+# NuGet Packages
+*.nupkg
+# NuGet Symbol Packages
+*.snupkg
+# The packages folder can be ignored because of Package Restore
+**/[Pp]ackages/*
+# except build/, which is used as an MSBuild target.
+!**/[Pp]ackages/build/
+# Uncomment if necessary however generally it will be regenerated when needed
+#!**/[Pp]ackages/repositories.config
+# NuGet v3's project.json files produces more ignorable files
+*.nuget.props
+*.nuget.targets
+
+# Microsoft Azure Build Output
+csx/
+*.build.csdef
+
+# Microsoft Azure Emulator
+ecf/
+rcf/
+
+# Windows Store app package directories and files
+AppPackages/
+BundleArtifacts/
+Package.StoreAssociation.xml
+_pkginfo.txt
+*.appx
+*.appxbundle
+*.appxupload
+
+# Visual Studio cache files
+# files ending in .cache can be ignored
+*.[Cc]ache
+# but keep track of directories ending in .cache
+!?*.[Cc]ache/
+
+# Others
+ClientBin/
+~$*
+*~
+*.dbmdl
+*.dbproj.schemaview
+*.jfm
+*.pfx
+*.publishsettings
+orleans.codegen.cs
+
+# Including strong name files can present a security risk
+# (https://github.com/github/gitignore/pull/2483#issue-259490424)
+#*.snk
+
+# Since there are multiple workflows, uncomment next line to ignore bower_components
+# (https://github.com/github/gitignore/pull/1529#issuecomment-104372622)
+#bower_components/
+
+# RIA/Silverlight projects
+Generated_Code/
+
+# Backup & report files from converting an old project file
+# to a newer Visual Studio version. Backup files are not needed,
+# because we have git ;-)
+_UpgradeReport_Files/
+Backup*/
+UpgradeLog*.XML
+UpgradeLog*.htm
+ServiceFabricBackup/
+*.rptproj.bak
+
+# SQL Server files
+*.mdf
+*.ldf
+*.ndf
+
+# Business Intelligence projects
+*.rdl.data
+*.bim.layout
+*.bim_*.settings
+*.rptproj.rsuser
+*- [Bb]ackup.rdl
+*- [Bb]ackup ([0-9]).rdl
+*- [Bb]ackup ([0-9][0-9]).rdl
+
+# Microsoft Fakes
+FakesAssemblies/
+
+# GhostDoc plugin setting file
+*.GhostDoc.xml
+
+# Node.js Tools for Visual Studio
+.ntvs_analysis.dat
+node_modules/
+
+# Visual Studio 6 build log
+*.plg
+
+# Visual Studio 6 workspace options file
+*.opt
+
+# Visual Studio 6 auto-generated workspace file (contains which files were open etc.)
+*.vbw
+
+# Visual Studio LightSwitch build output
+**/*.HTMLClient/GeneratedArtifacts
+**/*.DesktopClient/GeneratedArtifacts
+**/*.DesktopClient/ModelManifest.xml
+**/*.Server/GeneratedArtifacts
+**/*.Server/ModelManifest.xml
+_Pvt_Extensions
+
+# Paket dependency manager
+.paket/paket.exe
+paket-files/
+
+# FAKE - F# Make
+.fake/
+
+# CodeRush personal settings
+.cr/personal
+
+# Python Tools for Visual Studio (PTVS)
+__pycache__/
+*.pyc
+
+# Cake - Uncomment if you are using it
+# tools/**
+# !tools/packages.config
+
+# Tabs Studio
+*.tss
+
+# Telerik's JustMock configuration file
+*.jmconfig
+
+# BizTalk build output
+*.btp.cs
+*.btm.cs
+*.odx.cs
+*.xsd.cs
+
+# OpenCover UI analysis results
+OpenCover/
+
+# Azure Stream Analytics local run output
+ASALocalRun/
+
+# MSBuild Binary and Structured Log
+*.binlog
+
+# NVidia Nsight GPU debugger configuration file
+*.nvuser
+
+# MFractors (Xamarin productivity tool) working folder
+.mfractor/
+
+# Local History for Visual Studio
+.localhistory/
+
+# BeatPulse healthcheck temp database
+healthchecksdb
+
+# Backup folder for Package Reference Convert tool in Visual Studio 2017
+MigrationBackup/
+
+# Ionide (cross platform F# VS Code tools) working folder
+.ionide/

examples/dotnet/Program.cs

@@ -0,0 +1,268 @@
+using System.Collections.Generic;
+using System.Linq;
+using Pulumi;
+using DockerBuild = Pulumi.DockerBuild;
+
+return await Deployment.RunAsync(() => 
+{
+    var config = new Config();
+    var dockerHubPassword = config.Require("dockerHubPassword");
+    var multiPlatform = new DockerBuild.Image("multiPlatform", new()
+    {
+        Push = false,
+        Dockerfile = new DockerBuild.Inputs.DockerfileArgs
+        {
+            Location = "./app/Dockerfile.multiPlatform",
+        },
+        Context = new DockerBuild.Inputs.BuildContextArgs
+        {
+            Location = "./app",
+        },
+        Platforms = new[]
+        {
+            DockerBuild.Platform.Plan9_amd64,
+            DockerBuild.Platform.Plan9_386,
+        },
+    });
+
+    var registryPush = new DockerBuild.Image("registryPush", new()
+    {
+        Push = false,
+        Context = new DockerBuild.Inputs.BuildContextArgs
+        {
+            Location = "./app",
+        },
+        Tags = new[]
+        {
+            "docker.io/pulumibot/buildkit-e2e:example",
+        },
+        Exports = new[]
+        {
+            new DockerBuild.Inputs.ExportArgs
+            {
+                Registry = new DockerBuild.Inputs.ExportRegistryArgs
+                {
+                    OciMediaTypes = true,
+                    Push = false,
+                },
+            },
+        },
+        Registries = new[]
+        {
+            new DockerBuild.Inputs.RegistryArgs
+            {
+                Address = "docker.io",
+                Username = "pulumibot",
+                Password = dockerHubPassword,
+            },
+        },
+    });
+
+    var cached = new DockerBuild.Image("cached", new()
+    {
+        Push = false,
+        Context = new DockerBuild.Inputs.BuildContextArgs
+        {
+            Location = "./app",
+        },
+        CacheTo = new[]
+        {
+            new DockerBuild.Inputs.CacheToArgs
+            {
+                Local = new DockerBuild.Inputs.CacheToLocalArgs
+                {
+                    Dest = "tmp/cache",
+                    Mode = DockerBuild.CacheMode.Max,
+                },
+            },
+        },
+        CacheFrom = new[]
+        {
+            new DockerBuild.Inputs.CacheFromArgs
+            {
+                Local = new DockerBuild.Inputs.CacheFromLocalArgs
+                {
+                    Src = "tmp/cache",
+                },
+            },
+        },
+    });
+
+    var buildArgs = new DockerBuild.Image("buildArgs", new()
+    {
+        Push = false,
+        Dockerfile = new DockerBuild.Inputs.DockerfileArgs
+        {
+            Location = "./app/Dockerfile.buildArgs",
+        },
+        Context = new DockerBuild.Inputs.BuildContextArgs
+        {
+            Location = "./app",
+        },
+        BuildArgs = 
+        {
+            { "SET_ME_TO_TRUE", "true" },
+        },
+    });
+
+    var extraHosts = new DockerBuild.Image("extraHosts", new()
+    {
+        Push = false,
+        Dockerfile = new DockerBuild.Inputs.DockerfileArgs
+        {
+            Location = "./app/Dockerfile.extraHosts",
+        },
+        Context = new DockerBuild.Inputs.BuildContextArgs
+        {
+            Location = "./app",
+        },
+        AddHosts = new[]
+        {
+            "metadata.google.internal:169.254.169.254",
+        },
+    });
+
+    var sshMount = new DockerBuild.Image("sshMount", new()
+    {
+        Push = false,
+        Dockerfile = new DockerBuild.Inputs.DockerfileArgs
+        {
+            Location = "./app/Dockerfile.sshMount",
+        },
+        Context = new DockerBuild.Inputs.BuildContextArgs
+        {
+            Location = "./app",
+        },
+        Ssh = new[]
+        {
+            new DockerBuild.Inputs.SSHArgs
+            {
+                Id = "default",
+            },
+        },
+    });
+
+    var secrets = new DockerBuild.Image("secrets", new()
+    {
+        Push = false,
+        Dockerfile = new DockerBuild.Inputs.DockerfileArgs
+        {
+            Location = "./app/Dockerfile.secrets",
+        },
+        Context = new DockerBuild.Inputs.BuildContextArgs
+        {
+            Location = "./app",
+        },
+        Secrets = 
+        {
+            { "password", "hunter2" },
+        },
+    });
+
+    var labels = new DockerBuild.Image("labels", new()
+    {
+        Push = false,
+        Context = new DockerBuild.Inputs.BuildContextArgs
+        {
+            Location = "./app",
+        },
+        Labels = 
+        {
+            { "description", "This image will get a descriptive label 👍" },
+        },
+    });
+
+    var target = new DockerBuild.Image("target", new()
+    {
+        Push = false,
+        Dockerfile = new DockerBuild.Inputs.DockerfileArgs
+        {
+            Location = "./app/Dockerfile.target",
+        },
+        Context = new DockerBuild.Inputs.BuildContextArgs
+        {
+            Location = "./app",
+        },
+        Target = "build-me",
+    });
+
+    var namedContexts = new DockerBuild.Image("namedContexts", new()
+    {
+        Push = false,
+        Dockerfile = new DockerBuild.Inputs.DockerfileArgs
+        {
+            Location = "./app/Dockerfile.namedContexts",
+        },
+        Context = new DockerBuild.Inputs.BuildContextArgs
+        {
+            Location = "./app",
+            Named = 
+            {
+                { "golang:latest", new DockerBuild.Inputs.ContextArgs
+                {
+                    Location = "docker-image://golang@sha256:b8e62cf593cdaff36efd90aa3a37de268e6781a2e68c6610940c48f7cdf36984",
+                } },
+            },
+        },
+    });
+
+    var remoteContext = new DockerBuild.Image("remoteContext", new()
+    {
+        Push = false,
+        Context = new DockerBuild.Inputs.BuildContextArgs
+        {
+            Location = "https://raw.githubusercontent.com/pulumi/pulumi-docker/api-types/provider/testdata/Dockerfile",
+        },
+    });
+
+    var remoteContextWithInline = new DockerBuild.Image("remoteContextWithInline", new()
+    {
+        Push = false,
+        Dockerfile = new DockerBuild.Inputs.DockerfileArgs
+        {
+            Inline = @"FROM busybox
+COPY hello.c ./
+",
+        },
+        Context = new DockerBuild.Inputs.BuildContextArgs
+        {
+            Location = "https://github.com/docker-library/hello-world.git",
+        },
+    });
+
+    var inline = new DockerBuild.Image("inline", new()
+    {
+        Push = false,
+        Dockerfile = new DockerBuild.Inputs.DockerfileArgs
+        {
+            Inline = @"FROM alpine
+RUN echo ""This uses an inline Dockerfile! 👍""
+",
+        },
+    });
+
+    var dockerLoad = new DockerBuild.Image("dockerLoad", new()
+    {
+        Push = false,
+        Context = new DockerBuild.Inputs.BuildContextArgs
+        {
+            Location = "./app",
+        },
+        Exports = new[]
+        {
+            new DockerBuild.Inputs.ExportArgs
+            {
+                Docker = new DockerBuild.Inputs.ExportDockerArgs
+                {
+                    Tar = true,
+                },
+            },
+        },
+    });
+
+    return new Dictionary<string, object?>
+    {
+        ["platforms"] = multiPlatform.Platforms,
+    };
+});
+

examples/dotnet/Pulumi.yaml

@@ -0,0 +1,10 @@
+name: provider-docker-build
+runtime: dotnet
+config:
+  dockerHubPassword:
+    type: string
+    secret: true
+plugins:
+  providers:
+    - name: docker-build
+      path: ../../bin

examples/dotnet/app/Dockerfile

@@ -0,0 +1,2 @@
+FROM alpine
+RUN echo 👍

examples/dotnet/app/Dockerfile.buildArgs

@@ -0,0 +1,5 @@
+FROM alpine
+
+ARG SET_ME_TO_TRUE
+RUN [ "$SET_ME_TO_TRUE" = "true" ]
+RUN echo "That's the correct build arg, thanks! 👍"

examples/dotnet/app/Dockerfile.emptyContext

@@ -0,0 +1,2 @@
+FROM alpine
+RUN echo "This image doesn't use any local files, so it doesn't need a context parameter 👍"

examples/dotnet/app/Dockerfile.extraHosts

@@ -0,0 +1,3 @@
+FROM bash AS base
+
+RUN getent hosts metadata.google.internal

examples/dotnet/app/Dockerfile.multiPlatform

@@ -0,0 +1,7 @@
+FROM --platform=$BUILDPLATFORM alpine as build
+RUN echo ${BUILDPLATFORM} > buildplatform
+RUN echo ${TARGETPLATFORM} > targetplatform
+
+FROM build
+RUN cat buildplatform
+RUN cat targetplatform

examples/dotnet/app/Dockerfile.namedContexts

@@ -0,0 +1,5 @@
+# syntax=docker/dockerfile:1.4
+FROM golang:latest
+
+RUN version="$(go version)" && echo $version && [ "$version" = "go version go1.21.7 linux/amd64" ]
+RUN echo "This image uses named contexts to pin golang:latest to a specific SHA 👍"

examples/dotnet/app/Dockerfile.secrets

@@ -0,0 +1,4 @@
+FROM alpine
+
+RUN --mount=type=secret,id=password [ "$(cat /run/secrets/password)" = "hunter2" ]
+

examples/dotnet/app/Dockerfile.sshMount

@@ -0,0 +1,5 @@
+FROM alpine
+
+RUN apk add openssh-client
+
+RUN --mount=type=ssh ssh-add -l

examples/dotnet/app/Dockerfile.target

@@ -0,0 +1,8 @@
+FROM alpine as build-me
+RUN echo 👍
+
+FROM build-me as also-build-me
+RUN echo 🤙
+
+FROM build-me as dont-build-me
+RUN [ "true" = "false" ]

examples/dotnet/provider-docker-build.csproj

@@ -0,0 +1,14 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+	<PropertyGroup>
+		<OutputType>Exe</OutputType>
+		<TargetFramework>net8.0</TargetFramework>
+		<Nullable>enable</Nullable>
+	</PropertyGroup>
+
+	<ItemGroup>
+		<PackageReference Include="Pulumi" Version="3.*" />
+		<PackageReference Include="Pulumi.DockerBuild" Version="0.0.2-alpha.1712594380+4cd6d49b.dirty" />
+	</ItemGroup>
+
+</Project>

examples/dotnet_test.go

@@ -0,0 +1,40 @@
+//go:build dotnet || all
+// +build dotnet all
+
+package examples
+
+import (
+	"os"
+	"os/exec"
+	"path"
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/pulumi/pulumi/pkg/v3/testing/integration"
+)
+
+func TestDotNetExample(t *testing.T) {
+	cwd, err := os.Getwd()
+	require.NoError(t, err)
+
+	nuget := filepath.Join(cwd, "../nuget")
+	t.Setenv("PULUMI_LOCAL_NUGET", nuget)
+
+	cmd := exec.Command("dotnet", "nuget", "add", "source", nuget)
+	_ = cmd.Run()
+
+	test := integration.ProgramTestOptions{
+		Dir: path.Join(cwd, "dotnet"),
+		Dependencies: []string{
+			"Pulumi.DockerBuild",
+		},
+		Secrets: map[string]string{
+			"dockerHubPassword": os.Getenv("DOCKER_HUB_PASSWORD"),
+		},
+		NoParallel: true,
+	}
+
+	integration.ProgramTest(t, &test)
+}

examples/go/.dockerignore

@@ -0,0 +1,2 @@
+command-output
+tmp

examples/go/Pulumi.yaml

@@ -0,0 +1,10 @@
+name: provider-docker-build
+runtime: go
+config:
+  dockerHubPassword:
+    type: string
+    secret: true
+plugins:
+  providers:
+    - name: docker-build
+      path: ../../bin

examples/go/app/Dockerfile

@@ -0,0 +1,2 @@
+FROM alpine
+RUN echo 👍

examples/go/app/Dockerfile.buildArgs

@@ -0,0 +1,5 @@
+FROM alpine
+
+ARG SET_ME_TO_TRUE
+RUN [ "$SET_ME_TO_TRUE" = "true" ]
+RUN echo "That's the correct build arg, thanks! 👍"

examples/go/app/Dockerfile.emptyContext

@@ -0,0 +1,2 @@
+FROM alpine
+RUN echo "This image doesn't use any local files, so it doesn't need a context parameter 👍"

examples/go/app/Dockerfile.extraHosts

@@ -0,0 +1,3 @@
+FROM bash AS base
+
+RUN getent hosts metadata.google.internal

examples/go/app/Dockerfile.multiPlatform

@@ -0,0 +1,7 @@
+FROM --platform=$BUILDPLATFORM alpine as build
+RUN echo ${BUILDPLATFORM} > buildplatform
+RUN echo ${TARGETPLATFORM} > targetplatform
+
+FROM build
+RUN cat buildplatform
+RUN cat targetplatform

examples/go/app/Dockerfile.namedContexts

@@ -0,0 +1,5 @@
+# syntax=docker/dockerfile:1.4
+FROM golang:latest
+
+RUN version="$(go version)" && echo $version && [ "$version" = "go version go1.21.7 linux/amd64" ]
+RUN echo "This image uses named contexts to pin golang:latest to a specific SHA 👍"

examples/go/app/Dockerfile.secrets

@@ -0,0 +1,4 @@
+FROM alpine
+
+RUN --mount=type=secret,id=password [ "$(cat /run/secrets/password)" = "hunter2" ]
+

examples/go/app/Dockerfile.sshMount

@@ -0,0 +1,5 @@
+FROM alpine
+
+RUN apk add openssh-client
+
+RUN --mount=type=ssh ssh-add -l

examples/go/app/Dockerfile.target

@@ -0,0 +1,8 @@
+FROM alpine as build-me
+RUN echo 👍
+
+FROM build-me as also-build-me
+RUN echo 🤙
+
+FROM build-me as dont-build-me
+RUN [ "true" = "false" ]

examples/go/go.mod

@@ -0,0 +1,119 @@
+module provider-docker-build
+
+go 1.25.8
+
+require (
+	github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild v0.0.18
+	github.com/pulumi/pulumi/sdk/v3 v3.242.0
+)
+
+require (
+	dario.cat/mergo v1.0.1 // indirect
+	github.com/Microsoft/go-winio v0.6.2 // indirect
+	github.com/ProtonMail/go-crypto v1.2.0 // indirect
+	github.com/agext/levenshtein v1.2.3 // indirect
+	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
+	github.com/atotto/clipboard v0.1.4 // indirect
+	github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect
+	github.com/blang/semver v3.5.1+incompatible // indirect
+	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
+	github.com/cespare/xxhash/v2 v2.3.0 // indirect
+	github.com/charmbracelet/bubbles v1.0.0 // indirect
+	github.com/charmbracelet/bubbletea v1.3.10 // indirect
+	github.com/charmbracelet/colorprofile v0.4.3 // indirect
+	github.com/charmbracelet/lipgloss v1.1.0 // indirect
+	github.com/charmbracelet/x/ansi v0.11.7 // indirect
+	github.com/charmbracelet/x/cellbuf v0.0.15 // indirect
+	github.com/charmbracelet/x/term v0.2.2 // indirect
+	github.com/cheggaaa/pb v1.0.29 // indirect
+	github.com/clipperhouse/displaywidth v0.11.0 // indirect
+	github.com/clipperhouse/uax29/v2 v2.7.0 // indirect
+	github.com/cloudflare/circl v1.6.3 // indirect
+	github.com/cyphar/filepath-securejoin v0.6.1 // indirect
+	github.com/djherbis/times v1.6.0 // indirect
+	github.com/emirpasic/gods v1.18.1 // indirect
+	github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f // indirect
+	github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 // indirect
+	github.com/go-git/go-billy/v5 v5.9.0 // indirect
+	github.com/go-git/go-git/v5 v5.19.0 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
+	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/golang/glog v1.2.5 // indirect
+	github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 // indirect
+	github.com/google/uuid v1.6.0 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.29.0 // indirect
+	github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645 // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
+	github.com/hashicorp/go-version v1.9.0 // indirect
+	github.com/hashicorp/hcl/v2 v2.24.0 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
+	github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 // indirect
+	github.com/json-iterator/go v1.1.12 // indirect
+	github.com/kevinburke/ssh_config v1.2.0 // indirect
+	github.com/klauspost/compress v1.18.0 // indirect
+	github.com/klauspost/cpuid/v2 v2.3.0 // indirect
+	github.com/lucasb-eyer/go-colorful v1.4.0 // indirect
+	github.com/mattn/go-isatty v0.0.22 // indirect
+	github.com/mattn/go-localereader v0.0.1 // indirect
+	github.com/mattn/go-runewidth v0.0.23 // indirect
+	github.com/mitchellh/go-ps v1.0.0 // indirect
+	github.com/mitchellh/go-wordwrap v1.0.1 // indirect
+	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
+	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
+	github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 // indirect
+	github.com/muesli/cancelreader v0.2.2 // indirect
+	github.com/muesli/termenv v0.16.0 // indirect
+	github.com/opentracing/basictracer-go v1.1.0 // indirect
+	github.com/opentracing/opentracing-go v1.2.0 // indirect
+	github.com/pgavlin/fx v0.1.6 // indirect
+	github.com/pgavlin/fx/v2 v2.0.12 // indirect
+	github.com/pjbgf/sha1cd v0.6.0 // indirect
+	github.com/pkg/errors v0.9.1 // indirect
+	github.com/pkg/term v1.1.0 // indirect
+	github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 // indirect
+	github.com/pulumi/esc v0.24.0 // indirect
+	github.com/rivo/uniseg v0.4.7 // indirect
+	github.com/rogpeppe/go-internal v1.14.1 // indirect
+	github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 // indirect
+	github.com/sergi/go-diff v1.4.0 // indirect
+	github.com/skeema/knownhosts v1.3.1 // indirect
+	github.com/spf13/cast v1.5.0 // indirect
+	github.com/spf13/cobra v1.10.2 // indirect
+	github.com/spf13/pflag v1.0.10 // indirect
+	github.com/texttheater/golang-levenshtein v1.0.1 // indirect
+	github.com/uber/jaeger-client-go v2.30.0+incompatible // indirect
+	github.com/uber/jaeger-lib v2.4.1+incompatible // indirect
+	github.com/xanzy/ssh-agent v0.3.3 // indirect
+	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
+	github.com/zclconf/go-cty v1.17.0 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/collector/featuregate v1.58.0 // indirect
+	go.opentelemetry.io/collector/pdata v1.58.0 // indirect
+	go.opentelemetry.io/otel v1.43.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0 // indirect
+	go.opentelemetry.io/otel/metric v1.43.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.43.0 // indirect
+	go.opentelemetry.io/otel/trace v1.43.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.10.0 // indirect
+	go.uber.org/atomic v1.11.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	golang.org/x/crypto v0.51.0 // indirect
+	golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f // indirect
+	golang.org/x/mod v0.35.0 // indirect
+	golang.org/x/net v0.54.0 // indirect
+	golang.org/x/sync v0.20.0 // indirect
+	golang.org/x/sys v0.44.0 // indirect
+	golang.org/x/term v0.43.0 // indirect
+	golang.org/x/text v0.37.0 // indirect
+	golang.org/x/tools v0.44.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20260519071638-aa98bba5eb94 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260519071638-aa98bba5eb94 // indirect
+	google.golang.org/grpc v1.81.1 // indirect
+	google.golang.org/protobuf v1.36.11 // indirect
+	gopkg.in/warnings.v0 v0.1.2 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
+	lukechampine.com/frand v1.5.1 // indirect
+)

examples/go/go.sum

@@ -0,0 +1,358 @@
+dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
+dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
+github.com/HdrHistogram/hdrhistogram-go v1.1.2 h1:5IcZpTvzydCQeHzK4Ef/D5rrSqwxob0t8PQPMybUNFM=
+github.com/HdrHistogram/hdrhistogram-go v1.1.2/go.mod h1:yDgFjdqOqDEKOvasDdhWNXYg9BVp4O+o5f6V/ehm6Oo=
+github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
+github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
+github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
+github.com/ProtonMail/go-crypto v1.2.0 h1:+PhXXn4SPGd+qk76TlEePBfOfivE0zkWFenhGhFLzWs=
+github.com/ProtonMail/go-crypto v1.2.0/go.mod h1:9whxjD8Rbs29b4XWbB8irEcE8KHMqaR2e7GWU1R+/PE=
+github.com/agext/levenshtein v1.2.3 h1:YB2fHEn0UJagG8T1rrWknE3ZQzWM06O8AMAatNn7lmo=
+github.com/agext/levenshtein v1.2.3/go.mod h1:JEDfjyjHDjOF/1e4FlBE/PkbqA9OfWu2ki2W0IB5558=
+github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8=
+github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4=
+github.com/apparentlymart/go-textseg/v15 v15.0.0 h1:uYvfpb3DyLSCGWnctWKGj857c6ew1u1fNQOlOtuGxQY=
+github.com/apparentlymart/go-textseg/v15 v15.0.0/go.mod h1:K8XmNZdhEBkdlyDdvbmmsvpAG721bKi0joRfFdHIWJ4=
+github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio=
+github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs=
+github.com/atotto/clipboard v0.1.4 h1:EH0zSVneZPSuFR11BlR9YppQTVDbh5+16AmcJi4g1z4=
+github.com/atotto/clipboard v0.1.4/go.mod h1:ZY9tmq7sm5xIbd9bOK4onWV4S6X0u6GY7Vn0Yu86PYI=
+github.com/aymanbagabas/go-osc52/v2 v2.0.1 h1:HwpRHbFMcZLEVr42D4p7XBqjyuxQH5SMiErDT4WkJ2k=
+github.com/aymanbagabas/go-osc52/v2 v2.0.1/go.mod h1:uYgXzlJ7ZpABp8OJ+exZzJJhRNQ2ASbcXHWsFqH8hp8=
+github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ=
+github.com/blang/semver v3.5.1+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk=
+github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
+github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
+github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
+github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
+github.com/charmbracelet/bubbles v1.0.0 h1:12J8/ak/uCZEMQ6KU7pcfwceyjLlWsDLAxB5fXonfvc=
+github.com/charmbracelet/bubbles v1.0.0/go.mod h1:9d/Zd5GdnauMI5ivUIVisuEm3ave1XwXtD1ckyV6r3E=
+github.com/charmbracelet/bubbletea v1.3.10 h1:otUDHWMMzQSB0Pkc87rm691KZ3SWa4KUlvF9nRvCICw=
+github.com/charmbracelet/bubbletea v1.3.10/go.mod h1:ORQfo0fk8U+po9VaNvnV95UPWA1BitP1E0N6xJPlHr4=
+github.com/charmbracelet/colorprofile v0.4.3 h1:QPa1IWkYI+AOB+fE+mg/5/4HRMZcaXex9t5KX76i20Q=
+github.com/charmbracelet/colorprofile v0.4.3/go.mod h1:/zT4BhpD5aGFpqQQqw7a+VtHCzu+zrQtt1zhMt9mR4Q=
+github.com/charmbracelet/lipgloss v1.1.0 h1:vYXsiLHVkK7fp74RkV7b2kq9+zDLoEU4MZoFqR/noCY=
+github.com/charmbracelet/lipgloss v1.1.0/go.mod h1:/6Q8FR2o+kj8rz4Dq0zQc3vYf7X+B0binUUBwA0aL30=
+github.com/charmbracelet/x/ansi v0.11.7 h1:kzv1kJvjg2S3r9KHo8hDdHFQLEqn4RBCb39dAYC84jI=
+github.com/charmbracelet/x/ansi v0.11.7/go.mod h1:9qGpnAVYz+8ACONkZBUWPtL7lulP9No6p1epAihUZwQ=
+github.com/charmbracelet/x/cellbuf v0.0.15 h1:ur3pZy0o6z/R7EylET877CBxaiE1Sp1GMxoFPAIztPI=
+github.com/charmbracelet/x/cellbuf v0.0.15/go.mod h1:J1YVbR7MUuEGIFPCaaZ96KDl5NoS0DAWkskup+mOY+Q=
+github.com/charmbracelet/x/term v0.2.2 h1:xVRT/S2ZcKdhhOuSP4t5cLi5o+JxklsoEObBSgfgZRk=
+github.com/charmbracelet/x/term v0.2.2/go.mod h1:kF8CY5RddLWrsgVwpw4kAa6TESp6EB5y3uxGLeCqzAI=
+github.com/cheggaaa/pb v1.0.29 h1:FckUN5ngEk2LpvuG0fw1GEFx6LtyY2pWI/Z2QgCnEYo=
+github.com/cheggaaa/pb v1.0.29/go.mod h1:W40334L7FMC5JKWldsTWbdGjLo0RxUKK73K+TuPxX30=
+github.com/clipperhouse/displaywidth v0.11.0 h1:lBc6kY44VFw+TDx4I8opi/EtL9m20WSEFgwIwO+UVM8=
+github.com/clipperhouse/displaywidth v0.11.0/go.mod h1:bkrFNkf81G8HyVqmKGxsPufD3JhNl3dSqnGhOoSD/o0=
+github.com/clipperhouse/uax29/v2 v2.7.0 h1:+gs4oBZ2gPfVrKPthwbMzWZDaAFPGYK72F0NJv2v7Vk=
+github.com/clipperhouse/uax29/v2 v2.7.0/go.mod h1:EFJ2TJMRUaplDxHKj1qAEhCtQPW2tJSwu5BF98AuoVM=
+github.com/cloudflare/circl v1.6.3 h1:9GPOhQGF9MCYUeXyMYlqTR6a5gTrgR/fBLXvUgtVcg8=
+github.com/cloudflare/circl v1.6.3/go.mod h1:2eXP6Qfat4O/Yhh8BznvKnJ+uzEoTQ6jVKJRn81BiS4=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
+github.com/cyphar/filepath-securejoin v0.6.1 h1:5CeZ1jPXEiYt3+Z6zqprSAgSWiggmpVyciv8syjIpVE=
+github.com/cyphar/filepath-securejoin v0.6.1/go.mod h1:A8hd4EnAeyujCJRrICiOWqjS1AX0a9kM5XL+NwKoYSc=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/djherbis/times v1.6.0 h1:w2ctJ92J8fBvWPxugmXIv7Nz7Q3iDMKNx9v5ocVH20c=
+github.com/djherbis/times v1.6.0/go.mod h1:gOHeRAz2h+VJNZ5Gmc/o7iD9k4wW7NMVqieYCY99oc0=
+github.com/elazarl/goproxy v1.7.2 h1:Y2o6urb7Eule09PjlhQRGNsqRfPmYI3KKQLFpCAV3+o=
+github.com/elazarl/goproxy v1.7.2/go.mod h1:82vkLNir0ALaW14Rc399OTTjyNREgmdL2cVoIbS6XaE=
+github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
+github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
+github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f h1:Y/CXytFA4m6baUTXGLOoWe4PQhGxaX0KpnayAqC48p4=
+github.com/erikgeiser/coninput v0.0.0-20211004153227-1c3628e74d0f/go.mod h1:vw97MGsxSvLiUE2X8qFplwetxpGLQrlU1Q9AUEIzCaM=
+github.com/fatih/color v1.9.0/go.mod h1:eQcE1qtQxscV5RaZvpXrrb8Drkc3/DdQ+uUYCNjL+zU=
+github.com/fatih/color v1.18.0 h1:S8gINlzdQ840/4pfAwic/ZE0djQEH3wM94VfqLTZcOM=
+github.com/fatih/color v1.18.0/go.mod h1:4FelSpRwEGDpQ12mAdzqdOukCy4u8WUtOY6lkT/6HfU=
+github.com/frankban/quicktest v1.14.3 h1:FJKSZTDHjyhriyC81FLQ0LY93eSai0ZyR/ZIkd3ZUKE=
+github.com/frankban/quicktest v1.14.3/go.mod h1:mgiwOwqx65TmIk1wJ6Q7wvnVMocbUorkibMOrVTHZps=
+github.com/gliderlabs/ssh v0.3.8 h1:a4YXD1V7xMF9g5nTkdfnja3Sxy1PVDCj1Zg4Wb8vY6c=
+github.com/gliderlabs/ssh v0.3.8/go.mod h1:xYoytBv1sV0aL3CavoDuJIQNURXkkfPA/wxQ1pL1fAU=
+github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376 h1:+zs/tPmkDkHx3U66DAb0lQFJrpS6731Oaa12ikc+DiI=
+github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmSxCcxctByoQdvwPiA7DTK7jaaFDBTtu0ic=
+github.com/go-git/go-billy/v5 v5.9.0 h1:jItGXszUDRtR/AlferWPTMN4j38BQ88XnXKbilmmBPA=
+github.com/go-git/go-billy/v5 v5.9.0/go.mod h1:jCnQMLj9eUgGU7+ludSTYoZL/GGmii14RxKFj7ROgHw=
+github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
+github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
+github.com/go-git/go-git/v5 v5.19.0 h1:+WkVUQZSy/F1Gb13udrMKjIM2PrzsNfDKFSfo5tkMtc=
+github.com/go-git/go-git/v5 v5.19.0/go.mod h1:Pb1v0c7/g8aGQJwx9Us09W85yGoyvSwuhEGMH7zjDKQ=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang/glog v1.2.5 h1:DrW6hGnjIhtvhOIiAKT6Psh/Kd/ldepEa81DKeiRJ5I=
+github.com/golang/glog v1.2.5/go.mod h1:6AhwSGph0fcJtXVM/PEHPqZlFeoLxhs7/t5UDAwmO+w=
+github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
+github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
+github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
+github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
+github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
+github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
+github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.29.0 h1:5VipnvEpbqr2gA2VbM+nYVbkIF28c5ZQfqCBQ5g2xfk=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.29.0/go.mod h1:Hyl3n6Twe1hvtd9XUXDec4pTvgMSEixRuQKPTMH2bNs=
+github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645 h1:MJG/KsmcqMwFAkh8mTnAwhyKoB+sTAnY4CACC110tbU=
+github.com/grpc-ecosystem/grpc-opentracing v0.0.0-20180507213350-8e809c8a8645/go.mod h1:6iZfnjpejD4L/4DwD7NryNaJyCQdzwWwH2MWhCA90Kw=
+github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
+github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
+github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
+github.com/hashicorp/go-version v1.9.0 h1:CeOIz6k+LoN3qX9Z0tyQrPtiB1DFYRPfCIBtaXPSCnA=
+github.com/hashicorp/go-version v1.9.0/go.mod h1:fltr4n8CU8Ke44wwGCBoEymUuxUHl09ZGVZPK5anwXA=
+github.com/hashicorp/hcl/v2 v2.24.0 h1:2QJdZ454DSsYGoaE6QheQZjtKZSUs9Nh2izTWiwQxvE=
+github.com/hashicorp/hcl/v2 v2.24.0/go.mod h1:oGoO1FIQYfn/AgyOhlg9qLC6/nOJPX3qGbkZpYAcqfM=
+github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8=
+github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw=
+github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99 h1:BQSFePA1RWJOlocH6Fxy8MmwDt+yVQYULKfN0RoTN8A=
+github.com/jbenet/go-context v0.0.0-20150711004518-d14ea06fba99/go.mod h1:1lJo3i6rXxKeerYnT8Nvf0QmHCRC1n8sfWVwXF2Frvo=
+github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
+github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4=
+github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM=
+github.com/kisielk/errcheck v1.2.0/go.mod h1:/BMXB+zMLi60iA8Vv6Ksmxu/1UDYcXs4uQLJ+jE2L00=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
+github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
+github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
+github.com/klauspost/cpuid/v2 v2.3.0 h1:S4CRMLnYUhGeDFDqkGriYKdfoFlDnMtqTiI/sFzhA9Y=
+github.com/klauspost/cpuid/v2 v2.3.0/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
+github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
+github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/lucasb-eyer/go-colorful v1.4.0 h1:UtrWVfLdarDgc44HcS7pYloGHJUjHV/4FwW4TvVgFr4=
+github.com/lucasb-eyer/go-colorful v1.4.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0=
+github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=
+github.com/mattn/go-colorable v0.1.14 h1:9A9LHSqF/7dyVVX6g0U9cwm9pG3kP9gSzcuIPHPsaIE=
+github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stgPZH1UqBm1s8=
+github.com/mattn/go-isatty v0.0.8/go.mod h1:Iq45c/XA43vh69/j3iqttzPXn0bhXyGjM0Hdxcsrc5s=
+github.com/mattn/go-isatty v0.0.11/go.mod h1:PhnuNfih5lzO57/f3n+odYbM4JtupLOxQOAqxQCu2WE=
+github.com/mattn/go-isatty v0.0.22 h1:j8l17JJ9i6VGPUFUYoTUKPSgKe/83EYU2zBC7YNKMw4=
+github.com/mattn/go-isatty v0.0.22/go.mod h1:ZXfXG4SQHsB/w3ZeOYbR0PrPwLy+n6xiMrJlRFqopa4=
+github.com/mattn/go-localereader v0.0.1 h1:ygSAOl7ZXTx4RdPYinUpg6W99U8jWvWi9Ye2JC/oIi4=
+github.com/mattn/go-localereader v0.0.1/go.mod h1:8fBrzywKY7BI3czFoHkuzRoWE9C+EiG4R1k4Cjx5p88=
+github.com/mattn/go-runewidth v0.0.4/go.mod h1:LwmH8dsx7+W8Uxz3IHJYH5QSwggIsqBzpuz5H//U1FU=
+github.com/mattn/go-runewidth v0.0.23 h1:7ykA0T0jkPpzSvMS5i9uoNn2Xy3R383f9HDx3RybWcw=
+github.com/mattn/go-runewidth v0.0.23/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs=
+github.com/mitchellh/go-ps v1.0.0 h1:i6ampVEEF4wQFF+bkYfwYgY+F/uYJDktmvLPf7qIgjc=
+github.com/mitchellh/go-ps v1.0.0/go.mod h1:J4lOc8z8yJs6vUwklHw2XEIiT4z4C40KtWVN3nvg8Pg=
+github.com/mitchellh/go-wordwrap v1.0.1 h1:TLuKupo69TCn6TQSyGxwI1EblZZEsQ0vMlAFQflz0v0=
+github.com/mitchellh/go-wordwrap v1.0.1/go.mod h1:R62XHJLzvMFRBbcrT7m7WgmE1eOyTSsCt+hzestvNj0=
+github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
+github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
+github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6 h1:ZK8zHtRHOkbHy6Mmr5D264iyp3TiX5OmNcI5cIARiQI=
+github.com/muesli/ansi v0.0.0-20230316100256-276c6243b2f6/go.mod h1:CJlz5H+gyd6CUWT45Oy4q24RdLyn7Md9Vj2/ldJBSIo=
+github.com/muesli/cancelreader v0.2.2 h1:3I4Kt4BQjOR54NavqnDogx/MIoWBFa0StPA8ELUXHmA=
+github.com/muesli/cancelreader v0.2.2/go.mod h1:3XuTXfFS2VjM+HTLZY9Ak0l6eUKfijIfMUZ4EgX0QYo=
+github.com/muesli/termenv v0.16.0 h1:S5AlUN9dENB57rsbnkPyfdGuWIlkmzJjbFf0Tf5FWUc=
+github.com/muesli/termenv v0.16.0/go.mod h1:ZRfOIKPFDYQoDFF4Olj7/QJbW60Ol/kL1pU3VfY/Cnk=
+github.com/onsi/gomega v1.34.1 h1:EUMJIKUjM8sKjYbtxQI9A4z2o+rruxnzNvpknOXie6k=
+github.com/onsi/gomega v1.34.1/go.mod h1:kU1QgUvBDLXBJq618Xvm2LUX6rSAfRaFRTcdOeDLwwY=
+github.com/opentracing/basictracer-go v1.1.0 h1:Oa1fTSBvAl8pa3U+IJYqrKm0NALwH9OsgwOqDv4xJW0=
+github.com/opentracing/basictracer-go v1.1.0/go.mod h1:V2HZueSJEp879yv285Aap1BS69fQMD+MNP1mRs6mBQc=
+github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
+github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
+github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
+github.com/pgavlin/fx v0.1.6 h1:r9jEg69DhNoCd3Xh0+5mIbdbS3PqWrVWujkY76MFRTU=
+github.com/pgavlin/fx v0.1.6/go.mod h1:KWZJ6fqBBSh8GxHYqwYCf3rYE7Gp2p0N8tJp8xv9u9M=
+github.com/pgavlin/fx/v2 v2.0.12 h1:SjjaJ68Dt8Z4zHwOpY/RPijd7lShs6xYupJbF9ra00M=
+github.com/pgavlin/fx/v2 v2.0.12/go.mod h1:M/nF/ooAOy+NUBooYYXl2REARzJ/giPJxfMs8fINfKc=
+github.com/pjbgf/sha1cd v0.6.0 h1:3WJ8Wz8gvDz29quX1OcEmkAlUg9diU4GxJHqs0/XiwU=
+github.com/pjbgf/sha1cd v0.6.0/go.mod h1:lhpGlyHLpQZoxMv8HcgXvZEhcGs0PG/vsZnEJ7H0iCM=
+github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
+github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
+github.com/pkg/term v1.1.0 h1:xIAAdCMh3QIAy+5FrE8Ad8XoDhEU4ufwbaSozViP9kk=
+github.com/pkg/term v1.1.0/go.mod h1:E25nymQcrSllhX42Ok8MRm1+hyBdHY0dCeiKZ9jpNGw=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 h1:vkHw5I/plNdTr435cARxCW6q9gc0S/Yxz7Mkd38pOb0=
+github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231/go.mod h1:murToZ2N9hNJzewjHBgfFdXhZKjY3z5cYC1VXk+lbFE=
+github.com/pulumi/esc v0.24.0 h1:sCtiB0qbyrlU1ZNzJn4dTLYiChl8xeCBFbHWl1YoXJg=
+github.com/pulumi/esc v0.24.0/go.mod h1:eCOOkcDJS6eooGwdE4/E0+pOsvUWG254+KBmPCFwJpA=
+github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild v0.0.18 h1:emkSEfjXfz7i2vNDi43WTqABhP9TY2mQnO2zdL683hw=
+github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild v0.0.18/go.mod h1:BriBqoV2I/58/AZy4/4oJfoiJYX7Nf/NxsAmGXDgvgo=
+github.com/pulumi/pulumi/sdk/v3 v3.242.0 h1:gQIZ1ALbT5gCMuRoBscGzk7Rdbx9mbOc+YwDFxvRyss=
+github.com/pulumi/pulumi/sdk/v3 v3.242.0/go.mod h1:P9VS6pQws3YBu67uszFRHn24n5AwzeMlyC2hIiHGWHg=
+github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
+github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
+github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/santhosh-tekuri/jsonschema/v5 v5.3.1 h1:lZUw3E0/J3roVtGQ+SCrUrg3ON6NgVqpn3+iol9aGu4=
+github.com/santhosh-tekuri/jsonschema/v5 v5.3.1/go.mod h1:uToXkOrWAZ6/Oc07xWQrPOhJotwFIyu2bBVN41fcDUY=
+github.com/sergi/go-diff v1.4.0 h1:n/SP9D5ad1fORl+llWyN+D6qoUETXNZARKjyY2/KVCw=
+github.com/sergi/go-diff v1.4.0/go.mod h1:A0bzQcvG0E7Rwjx0REVgAGH58e96+X0MeOfepqsbeW4=
+github.com/sirupsen/logrus v1.7.0/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
+github.com/skeema/knownhosts v1.3.1 h1:X2osQ+RAjK76shCbvhHHHVl3ZlgDm8apHEHFqRjnBY8=
+github.com/skeema/knownhosts v1.3.1/go.mod h1:r7KTdC8l4uxWRyK2TpQZ/1o5HaSzh06ePQNxPwTcfiY=
+github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w=
+github.com/spf13/cast v1.5.0/go.mod h1:SpXXQ5YoyJw6s3/6cMTQuxvgRl3PCJiyaX9p6b155UU=
+github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
+github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
+github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
+github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
+github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
+github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
+github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/texttheater/golang-levenshtein v1.0.1 h1:+cRNoVrfiwufQPhoMzB6N0Yf/Mqajr6t1lOv8GyGE2U=
+github.com/texttheater/golang-levenshtein v1.0.1/go.mod h1:PYAKrbF5sAiq9wd+H82hs7gNaen0CplQ9uvm6+enD/8=
+github.com/uber/jaeger-client-go v2.30.0+incompatible h1:D6wyKGCecFaSRUpo8lCVbaOOb6ThwMmTEbhRwtKR97o=
+github.com/uber/jaeger-client-go v2.30.0+incompatible/go.mod h1:WVhlPFC8FDjOFMMWRy2pZqQJSXxYSwNYOkTr/Z6d3Kk=
+github.com/uber/jaeger-lib v2.4.1+incompatible h1:td4jdvLcExb4cBISKIpHuGoVXh+dVKhn2Um6rjCsSsg=
+github.com/uber/jaeger-lib v2.4.1+incompatible/go.mod h1:ComeNDZlWwrWnDv8aPp0Ba6+uUTzImX/AauajbLI56U=
+github.com/xanzy/ssh-agent v0.3.3 h1:+/15pJfg/RsTxqYcX6fHqOXZwwMP+2VyYWJeWM2qQFM=
+github.com/xanzy/ssh-agent v0.3.3/go.mod h1:6dzNDKs0J9rVPHPhaGCukekBHKqfl+L3KghI1Bc68Uw=
+github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no=
+github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/zclconf/go-cty v1.17.0 h1:seZvECve6XX4tmnvRzWtJNHdscMtYEx5R7bnnVyd/d0=
+github.com/zclconf/go-cty v1.17.0/go.mod h1:wqFzcImaLTI6A5HfsRwB0nj5n0MRZFwmey8YoFPPs3U=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
+go.opentelemetry.io/collector/featuregate v1.58.0 h1:Kh6Dpgbxywv/Q3D6qPehaSxNCxvr/U/ki7CL4y3udCo=
+go.opentelemetry.io/collector/featuregate v1.58.0/go.mod h1:4ga1QBMPEejXXmpyJS8lmaRpknJ3Lb9Bvk6e420bUFU=
+go.opentelemetry.io/collector/internal/testutil v0.152.0 h1:8LGwekR7mLcUDhT1ofLmdnrHRFuUa3U7PBd95ZvJEjQ=
+go.opentelemetry.io/collector/internal/testutil v0.152.0/go.mod h1:Jkjs6rkqs973LqgZ0Fe3zrokQRKULYXPIf4HuqStiEE=
+go.opentelemetry.io/collector/pdata v1.58.0 h1:5Lxut3NxKp87066Pzt+3q7+JUuFI5B3teCyLZIF8wIs=
+go.opentelemetry.io/collector/pdata v1.58.0/go.mod h1:4vZtODINbC/JF3eGocnatdImzbRHseOywIcr+aULjCg=
+go.opentelemetry.io/otel v1.43.0 h1:mYIM03dnh5zfN7HautFE4ieIig9amkNANT+xcVxAj9I=
+go.opentelemetry.io/otel v1.43.0/go.mod h1:JuG+u74mvjvcm8vj8pI5XiHy1zDeoCS2LB1spIq7Ay0=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0 h1:88Y4s2C8oTui1LGM6bTWkw0ICGcOLCAI5l6zsD1j20k=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.43.0/go.mod h1:Vl1/iaggsuRlrHf/hfPJPvVag77kKyvrLeD10kpMl+A=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0 h1:RAE+JPfvEmvy+0LzyUA25/SGawPwIUbZ6u0Wug54sLc=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.43.0/go.mod h1:AGmbycVGEsRx9mXMZ75CsOyhSP6MFIcj/6dnG+vhVjk=
+go.opentelemetry.io/otel/metric v1.43.0 h1:d7638QeInOnuwOONPp4JAOGfbCEpYb+K6DVWvdxGzgM=
+go.opentelemetry.io/otel/metric v1.43.0/go.mod h1:RDnPtIxvqlgO8GRW18W6Z/4P462ldprJtfxHxyKd2PY=
+go.opentelemetry.io/otel/sdk v1.43.0 h1:pi5mE86i5rTeLXqoF/hhiBtUNcrAGHLKQdhg4h4V9Dg=
+go.opentelemetry.io/otel/sdk v1.43.0/go.mod h1:P+IkVU3iWukmiit/Yf9AWvpyRDlUeBaRg6Y+C58QHzg=
+go.opentelemetry.io/otel/sdk/metric v1.43.0 h1:S88dyqXjJkuBNLeMcVPRFXpRw2fuwdvfCGLEo89fDkw=
+go.opentelemetry.io/otel/sdk/metric v1.43.0/go.mod h1:C/RJtwSEJ5hzTiUz5pXF1kILHStzb9zFlIEe85bhj6A=
+go.opentelemetry.io/otel/trace v1.43.0 h1:BkNrHpup+4k4w+ZZ86CZoHHEkohws8AY+WTX09nk+3A=
+go.opentelemetry.io/otel/trace v1.43.0/go.mod h1:/QJhyVBUUswCphDVxq+8mld+AvhXZLhe+8WVFxiFff0=
+go.opentelemetry.io/proto/otlp v1.10.0 h1:IQRWgT5srOCYfiWnpqUYz9CVmbO8bFmKcwYxpuCSL2g=
+go.opentelemetry.io/proto/otlp v1.10.0/go.mod h1:/CV4QoCR/S9yaPj8utp3lvQPoqMtxXdzn7ozvvozVqk=
+go.opentelemetry.io/proto/slim/otlp v1.10.0 h1:iR97Vs/ZDR+y9TfuP9b1XBtdPWeC+OMslIBmhcLU7jM=
+go.opentelemetry.io/proto/slim/otlp v1.10.0/go.mod h1:lV9250stpjYLPNA5viFabIgP2QlUGRT1GdTgAf8SIUk=
+go.opentelemetry.io/proto/slim/otlp/collector/profiles/v1development v0.3.0 h1:RUF5rO0hAlgiJt1fzQVzcVs3vZVNHIcMLgOgG4rWNcQ=
+go.opentelemetry.io/proto/slim/otlp/collector/profiles/v1development v0.3.0/go.mod h1:I89cynRj8y+383o7tEQVg2SVA6SRgDVIouWPUVXjx0U=
+go.opentelemetry.io/proto/slim/otlp/profiles/v1development v0.3.0 h1:CQvJSldHRUN6Z8jsUeYv8J0lXRvygALXIzsmAeCcZE0=
+go.opentelemetry.io/proto/slim/otlp/profiles/v1development v0.3.0/go.mod h1:xSQ+mEfJe/GjK1LXEyVOoSI1N9JV9ZI923X5kup43W4=
+go.uber.org/atomic v1.11.0 h1:ZvwS0R+56ePWxUNi+Atn9dWONBPp/AUETXlHW0DxSjE=
+go.uber.org/atomic v1.11.0/go.mod h1:LUxbIzbOniOlMKjJjyPfpl4v+PKK2cNJn91OQbhoJI0=
+go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
+go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
+go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
+go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
+go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
+golang.org/x/crypto v0.51.0 h1:IBPXwPfKxY7cWQZ38ZCIRPI50YLeevDLlLnyC5wRGTI=
+golang.org/x/crypto v0.51.0/go.mod h1:8AdwkbraGNABw2kOX6YFPs3WM22XqI4EXEd8g+x7Oc8=
+golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f h1:W3F4c+6OLc6H2lb//N1q4WpJkhzJCK5J6kUi1NTVXfM=
+golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f/go.mod h1:J1xhfL/vlindoeF/aINzNzt2Bket5bjo9sdOYzOsU80=
+golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
+golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
+golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200421231249-e086a090c8fd/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
+golang.org/x/net v0.54.0 h1:2zJIZAxAHV/OHCDTCOHAYehQzLfSXuf/5SoL/Dv6w/w=
+golang.org/x/net v0.54.0/go.mod h1:Sj4oj8jK6XmHpBZU/zWHw3BV3abl4Kvi+Ut7cQcY+cQ=
+golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
+golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200909081042-eff7692f9009/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.44.0 h1:ildZl3J4uzeKP07r2F++Op7E9B29JRUy+a27EibtBTQ=
+golang.org/x/sys v0.44.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
+golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4=
+golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.37.0 h1:Cqjiwd9eSg8e0QAkyCaQTNHFIIzWtidPahFWR83rTrc=
+golang.org/x/text v0.37.0/go.mod h1:a5sjxXGs9hsn/AJVwuElvCAo9v8QYLzvavO5z2PiM38=
+golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
+golang.org/x/tools v0.44.0 h1:UP4ajHPIcuMjT1GqzDWRlalUEoY+uzoZKnhOjbIPD2c=
+golang.org/x/tools v0.44.0/go.mod h1:KA0AfVErSdxRZIsOVipbv3rQhVXTnlU6UhKxHd1seDI=
+golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4=
+gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E=
+google.golang.org/genproto/googleapis/api v0.0.0-20260519071638-aa98bba5eb94 h1:DddG61lE5LkX6144z22i0gma9BMBs5aZ9B8lZLobxyw=
+google.golang.org/genproto/googleapis/api v0.0.0-20260519071638-aa98bba5eb94/go.mod h1:1dCETSCY2YKZNXQE3h4fun3TYwF5p8jejRKZgfWAgAY=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260519071638-aa98bba5eb94 h1:eZCjr/aAF8c5ccm5pb6T4EXgIei5MlAAPWPJk+5ArfY=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260519071638-aa98bba5eb94/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
+google.golang.org/grpc v1.81.1 h1:VnnIIZ88UzOOKLukQi+ImGz8O1Wdp8nAGGnvOfEIWQQ=
+google.golang.org/grpc v1.81.1/go.mod h1:xGH9GfzOyMTGIOXBJmXt+BX/V0kcdQbdcuwQ/zNw42I=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
+gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
+gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
+gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
+gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
+gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+lukechampine.com/frand v1.5.1 h1:fg0eRtdmGFIxhP5zQJzM1lFDbD6CUfu/f+7WgAZd5/w=
+lukechampine.com/frand v1.5.1/go.mod h1:4VstaWc2plN4Mjr10chUD46RAVGWhpkZ5Nja8+Azp0Q=
+pgregory.net/rapid v1.2.0 h1:keKAYRcjm+e1F0oAuU5F5+YPAWcyxNNRK2wud503Gnk=
+pgregory.net/rapid v1.2.0/go.mod h1:PY5XlDGj0+V1FCq0o192FdRhpKHGTRIWBgqjDBTrq04=

examples/go/main.go

@@ -0,0 +1,234 @@
+package main
+
+import (
+	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
+	"github.com/pulumi/pulumi/sdk/v3/go/pulumi/config"
+
+	"github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild"
+)
+
+func main() {
+	pulumi.Run(func(ctx *pulumi.Context) error {
+		cfg := config.New(ctx, "")
+		dockerHubPassword := cfg.Require("dockerHubPassword")
+		multiPlatform, err := dockerbuild.NewImage(ctx, "multiPlatform", &dockerbuild.ImageArgs{
+			Push: pulumi.Bool(false),
+			Dockerfile: &dockerbuild.DockerfileArgs{
+				Location: pulumi.String("./app/Dockerfile.multiPlatform"),
+			},
+			Context: &dockerbuild.BuildContextArgs{
+				Location: pulumi.String("./app"),
+			},
+			Platforms: dockerbuild.PlatformArray{
+				dockerbuild.Platform_Plan9_amd64,
+				dockerbuild.Platform_Plan9_386,
+			},
+		})
+		if err != nil {
+			return err
+		}
+		_, err = dockerbuild.NewImage(ctx, "registryPush", &dockerbuild.ImageArgs{
+			Push: pulumi.Bool(false),
+			Context: &dockerbuild.BuildContextArgs{
+				Location: pulumi.String("./app"),
+			},
+			Tags: pulumi.StringArray{
+				pulumi.String("docker.io/pulumibot/buildkit-e2e:example"),
+			},
+			Exports: dockerbuild.ExportArray{
+				&dockerbuild.ExportArgs{
+					Registry: &dockerbuild.ExportRegistryArgs{
+						OciMediaTypes: pulumi.Bool(true),
+						Push:          pulumi.Bool(false),
+					},
+				},
+			},
+			Registries: dockerbuild.RegistryArray{
+				&dockerbuild.RegistryArgs{
+					Address:  pulumi.String("docker.io"),
+					Username: pulumi.String("pulumibot"),
+					Password: pulumi.String(dockerHubPassword),
+				},
+			},
+		})
+		if err != nil {
+			return err
+		}
+		_, err = dockerbuild.NewImage(ctx, "cached", &dockerbuild.ImageArgs{
+			Push: pulumi.Bool(false),
+			Context: &dockerbuild.BuildContextArgs{
+				Location: pulumi.String("./app"),
+			},
+			CacheTo: dockerbuild.CacheToArray{
+				&dockerbuild.CacheToArgs{
+					Local: &dockerbuild.CacheToLocalArgs{
+						Dest: pulumi.String("tmp/cache"),
+						Mode: dockerbuild.CacheModeMax,
+					},
+				},
+			},
+			CacheFrom: dockerbuild.CacheFromArray{
+				&dockerbuild.CacheFromArgs{
+					Local: &dockerbuild.CacheFromLocalArgs{
+						Src: pulumi.String("tmp/cache"),
+					},
+				},
+			},
+		})
+		if err != nil {
+			return err
+		}
+		_, err = dockerbuild.NewImage(ctx, "buildArgs", &dockerbuild.ImageArgs{
+			Push: pulumi.Bool(false),
+			Dockerfile: &dockerbuild.DockerfileArgs{
+				Location: pulumi.String("./app/Dockerfile.buildArgs"),
+			},
+			Context: &dockerbuild.BuildContextArgs{
+				Location: pulumi.String("./app"),
+			},
+			BuildArgs: pulumi.StringMap{
+				"SET_ME_TO_TRUE": pulumi.String("true"),
+			},
+		})
+		if err != nil {
+			return err
+		}
+		_, err = dockerbuild.NewImage(ctx, "extraHosts", &dockerbuild.ImageArgs{
+			Push: pulumi.Bool(false),
+			Dockerfile: &dockerbuild.DockerfileArgs{
+				Location: pulumi.String("./app/Dockerfile.extraHosts"),
+			},
+			Context: &dockerbuild.BuildContextArgs{
+				Location: pulumi.String("./app"),
+			},
+			AddHosts: pulumi.StringArray{
+				pulumi.String("metadata.google.internal:169.254.169.254"),
+			},
+		})
+		if err != nil {
+			return err
+		}
+		_, err = dockerbuild.NewImage(ctx, "sshMount", &dockerbuild.ImageArgs{
+			Push: pulumi.Bool(false),
+			Dockerfile: &dockerbuild.DockerfileArgs{
+				Location: pulumi.String("./app/Dockerfile.sshMount"),
+			},
+			Context: &dockerbuild.BuildContextArgs{
+				Location: pulumi.String("./app"),
+			},
+			Ssh: dockerbuild.SSHArray{
+				&dockerbuild.SSHArgs{
+					Id: pulumi.String("default"),
+				},
+			},
+		})
+		if err != nil {
+			return err
+		}
+		_, err = dockerbuild.NewImage(ctx, "secrets", &dockerbuild.ImageArgs{
+			Push: pulumi.Bool(false),
+			Dockerfile: &dockerbuild.DockerfileArgs{
+				Location: pulumi.String("./app/Dockerfile.secrets"),
+			},
+			Context: &dockerbuild.BuildContextArgs{
+				Location: pulumi.String("./app"),
+			},
+			Secrets: pulumi.StringMap{
+				"password": pulumi.String("hunter2"),
+			},
+		})
+		if err != nil {
+			return err
+		}
+		_, err = dockerbuild.NewImage(ctx, "labels", &dockerbuild.ImageArgs{
+			Push: pulumi.Bool(false),
+			Context: &dockerbuild.BuildContextArgs{
+				Location: pulumi.String("./app"),
+			},
+			Labels: pulumi.StringMap{
+				"description": pulumi.String("This image will get a descriptive label 👍"),
+			},
+		})
+		if err != nil {
+			return err
+		}
+		_, err = dockerbuild.NewImage(ctx, "target", &dockerbuild.ImageArgs{
+			Push: pulumi.Bool(false),
+			Dockerfile: &dockerbuild.DockerfileArgs{
+				Location: pulumi.String("./app/Dockerfile.target"),
+			},
+			Context: &dockerbuild.BuildContextArgs{
+				Location: pulumi.String("./app"),
+			},
+			Target: pulumi.String("build-me"),
+		})
+		if err != nil {
+			return err
+		}
+		_, err = dockerbuild.NewImage(ctx, "namedContexts", &dockerbuild.ImageArgs{
+			Push: pulumi.Bool(false),
+			Dockerfile: &dockerbuild.DockerfileArgs{
+				Location: pulumi.String("./app/Dockerfile.namedContexts"),
+			},
+			Context: &dockerbuild.BuildContextArgs{
+				Location: pulumi.String("./app"),
+				Named: dockerbuild.ContextMap{
+					"golang:latest": &dockerbuild.ContextArgs{
+						Location: pulumi.String("docker-image://golang@sha256:b8e62cf593cdaff36efd90aa3a37de268e6781a2e68c6610940c48f7cdf36984"),
+					},
+				},
+			},
+		})
+		if err != nil {
+			return err
+		}
+		_, err = dockerbuild.NewImage(ctx, "remoteContext", &dockerbuild.ImageArgs{
+			Push: pulumi.Bool(false),
+			Context: &dockerbuild.BuildContextArgs{
+				Location: pulumi.String("https://raw.githubusercontent.com/pulumi/pulumi-docker/api-types/provider/testdata/Dockerfile"),
+			},
+		})
+		if err != nil {
+			return err
+		}
+		_, err = dockerbuild.NewImage(ctx, "remoteContextWithInline", &dockerbuild.ImageArgs{
+			Push: pulumi.Bool(false),
+			Dockerfile: &dockerbuild.DockerfileArgs{
+				Inline: pulumi.String("FROM busybox\nCOPY hello.c ./\n"),
+			},
+			Context: &dockerbuild.BuildContextArgs{
+				Location: pulumi.String("https://github.com/docker-library/hello-world.git"),
+			},
+		})
+		if err != nil {
+			return err
+		}
+		_, err = dockerbuild.NewImage(ctx, "inline", &dockerbuild.ImageArgs{
+			Push: pulumi.Bool(false),
+			Dockerfile: &dockerbuild.DockerfileArgs{
+				Inline: pulumi.String("FROM alpine\nRUN echo \"This uses an inline Dockerfile! 👍\"\n"),
+			},
+		})
+		if err != nil {
+			return err
+		}
+		_, err = dockerbuild.NewImage(ctx, "dockerLoad", &dockerbuild.ImageArgs{
+			Push: pulumi.Bool(false),
+			Context: &dockerbuild.BuildContextArgs{
+				Location: pulumi.String("./app"),
+			},
+			Exports: dockerbuild.ExportArray{
+				&dockerbuild.ExportArgs{
+					Docker: &dockerbuild.ExportDockerArgs{
+						Tar: pulumi.Bool(true),
+					},
+				},
+			},
+		})
+		if err != nil {
+			return err
+		}
+		ctx.Export("platforms", multiPlatform.Platforms)
+		return nil
+	})
+}

examples/go_test.go

@@ -0,0 +1,31 @@
+//go:build go || all
+// +build go all
+
+package examples
+
+import (
+	"os"
+	"path"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/pulumi/pulumi/pkg/v3/testing/integration"
+)
+
+func TestGoExample(t *testing.T) {
+	cwd, err := os.Getwd()
+	require.NoError(t, err)
+
+	test := integration.ProgramTestOptions{
+		Dir: path.Join(cwd, "go"),
+		Dependencies: []string{
+			"github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild=../sdk/go/dockerbuild",
+		},
+		Secrets: map[string]string{
+			"dockerHubPassword": os.Getenv("DOCKER_HUB_PASSWORD"),
+		},
+	}
+
+	integration.ProgramTest(t, &test)
+}

examples/hcl/.dockerignore

@@ -0,0 +1,2 @@
+command-output
+tmp

examples/hcl/Pulumi.yaml

@@ -0,0 +1,10 @@
+name: provider-docker-build
+runtime: hcl
+config:
+  dockerHubPassword:
+    type: string
+    secret: true
+plugins:
+  providers:
+    - name: docker-build
+      path: ../../bin

examples/hcl/app/Dockerfile

@@ -0,0 +1,2 @@
+FROM alpine
+RUN echo 👍

examples/hcl/app/Dockerfile.buildArgs

@@ -0,0 +1,5 @@
+FROM alpine
+
+ARG SET_ME_TO_TRUE
+RUN [ "$SET_ME_TO_TRUE" = "true" ]
+RUN echo "That's the correct build arg, thanks! 👍"

examples/hcl/app/Dockerfile.emptyContext

@@ -0,0 +1,2 @@
+FROM alpine
+RUN echo "This image doesn't use any local files, so it doesn't need a context parameter 👍"

examples/hcl/app/Dockerfile.extraHosts

@@ -0,0 +1,3 @@
+FROM bash AS base
+
+RUN getent hosts metadata.google.internal

examples/hcl/app/Dockerfile.multiPlatform

@@ -0,0 +1,7 @@
+FROM --platform=$BUILDPLATFORM alpine as build
+RUN echo ${BUILDPLATFORM} > buildplatform
+RUN echo ${TARGETPLATFORM} > targetplatform
+
+FROM build
+RUN cat buildplatform
+RUN cat targetplatform

examples/hcl/app/Dockerfile.namedContexts

@@ -0,0 +1,5 @@
+# syntax=docker/dockerfile:1.4
+FROM golang:latest
+
+RUN version="$(go version)" && echo $version && [ "$version" = "go version go1.21.7 linux/amd64" ]
+RUN echo "This image uses named contexts to pin golang:latest to a specific SHA 👍"

examples/hcl/app/Dockerfile.secrets

@@ -0,0 +1,4 @@
+FROM alpine
+
+RUN --mount=type=secret,id=password [ "$(cat /run/secrets/password)" = "hunter2" ]
+

examples/hcl/app/Dockerfile.sshMount

@@ -0,0 +1,5 @@
+FROM alpine
+
+RUN apk add openssh-client
+
+RUN --mount=type=ssh ssh-add -l

examples/hcl/app/Dockerfile.target

@@ -0,0 +1,8 @@
+FROM alpine as build-me
+RUN echo 👍
+
+FROM build-me as also-build-me
+RUN echo 🤙
+
+FROM build-me as dont-build-me
+RUN [ "true" = "false" ]

examples/hcl/program.hcl

@@ -0,0 +1,171 @@
+pulumi {
+  required_providers {
+    docker-build = {
+      source  = "pulumi/docker-build"
+      version = "0.1.0-alpha.0+dev"
+    }
+  }
+}
+
+resource "docker-build_image" "multiPlatform" {
+  push = false
+  dockerfile = {
+    location = "./app/Dockerfile.multiPlatform"
+  }
+  context = {
+    location = "./app"
+  }
+  platforms = ["plan9/amd64", "plan9/386"]
+}
+resource "docker-build_image" "registryPush" {
+  push = false
+  context = {
+    location = "./app"
+  }
+  tags = ["docker.io/pulumibot/buildkit-e2e:example"]
+  exports {
+    registry = {
+      oci_media_types = true
+      push            = false
+    }
+  }
+  registries {
+    address  = "docker.io"
+    username = "pulumibot"
+    password = var.dockerHubPassword
+  }
+}
+resource "docker-build_image" "cached" {
+  push = false
+  context = {
+    location = "./app"
+  }
+  cache_to {
+    local = {
+      dest = "tmp/cache"
+      mode = "max"
+    }
+  }
+  cache_from {
+    local = {
+      src = "tmp/cache"
+    }
+  }
+}
+resource "docker-build_image" "buildArgs" {
+  push = false
+  dockerfile = {
+    location = "./app/Dockerfile.buildArgs"
+  }
+  context = {
+    location = "./app"
+  }
+  build_args = {
+    "SET_ME_TO_TRUE" = "true"
+  }
+}
+resource "docker-build_image" "extraHosts" {
+  push = false
+  dockerfile = {
+    location = "./app/Dockerfile.extraHosts"
+  }
+  context = {
+    location = "./app"
+  }
+  add_hosts = ["metadata.google.internal:169.254.169.254"]
+}
+resource "docker-build_image" "sshMount" {
+  push = false
+  dockerfile = {
+    location = "./app/Dockerfile.sshMount"
+  }
+  context = {
+    location = "./app"
+  }
+  ssh {
+    id = "default"
+  }
+}
+resource "docker-build_image" "secrets" {
+  push = false
+  dockerfile = {
+    location = "./app/Dockerfile.secrets"
+  }
+  context = {
+    location = "./app"
+  }
+  secrets = {
+    "password" = "hunter2"
+  }
+}
+resource "docker-build_image" "labels" {
+  push = false
+  context = {
+    location = "./app"
+  }
+  labels = {
+    "description" = "This image will get a descriptive label 👍"
+  }
+}
+resource "docker-build_image" "target" {
+  push = false
+  dockerfile = {
+    location = "./app/Dockerfile.target"
+  }
+  context = {
+    location = "./app"
+  }
+  target = "build-me"
+}
+resource "docker-build_image" "namedContexts" {
+  push = false
+  dockerfile = {
+    location = "./app/Dockerfile.namedContexts"
+  }
+  context = {
+    location = "./app"
+    named = {
+      "golang:latest" = {
+        location = "docker-image://golang@sha256:b8e62cf593cdaff36efd90aa3a37de268e6781a2e68c6610940c48f7cdf36984"
+      }
+    }
+  }
+}
+resource "docker-build_image" "remoteContext" {
+  push = false
+  context = {
+    location = "https://raw.githubusercontent.com/pulumi/pulumi-docker/api-types/provider/testdata/Dockerfile"
+  }
+}
+resource "docker-build_image" "remoteContextWithInline" {
+  push = false
+  dockerfile = {
+    inline = "FROM busybox\nCOPY hello.c ./\n"
+  }
+  context = {
+    location = "https://github.com/docker-library/hello-world.git"
+  }
+}
+resource "docker-build_image" "inline" {
+  push = false
+  dockerfile = {
+    inline = "FROM alpine\nRUN echo \"This uses an inline Dockerfile! 👍\"\n"
+  }
+}
+resource "docker-build_image" "dockerLoad" {
+  push = false
+  context = {
+    location = "./app"
+  }
+  exports {
+    docker = {
+      tar = true
+    }
+  }
+}
+variable "dockerHubPassword" {
+  type = string
+}
+output "platforms" {
+  value = docker-build_image.multiPlatform.platforms
+}