[internal] Update GitHub Actions workflow files

Update GitHub Actions workflows. (#751 )
This PR was automatically generated by the update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt repo, from commit 62def83b594d72ccf4eab97cdf5b566ebb910e83. Co-authored-by: Pulumi Bot <bot@pulumi.com>
2026-02-03 21:31:05 +00:00 · 2026-02-03 05:54:15 +00:00 · 2026-01-30 19:09:44 +00:00 · 2026-01-29 19:33:01 +00:00 · 2026-01-29 05:54:00 +00:00 · 2026-01-28 05:43:20 +00:00
28 changed files with 508 additions and 542 deletions
--- a/.config/mise.test.toml
+++ b/.config/mise.test.toml
@@ -1,11 +1,3 @@
 # WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
-# Overrides for test workflows
+# Overrides for test workflows -- currently empty.
 [env]
 # Acceptance (specifically providertest) tests require that PULUMI_HOME be the default
 PULUMI_HOME = "{{ env.HOME }}/.pulumi"
 [tools]
 # always use pulumi latest for tests
 pulumi = "latest"
--- a/.config/mise.toml
+++ b/.config/mise.toml
@@ -2,27 +2,34 @@
 # You can create your own root-level mise.toml file to override/augment this. See https://mise.jdx.dev/configuration.html
 [env]
-_.source = "{{config_root}}/scripts/get-versions.sh"
+_.vfox-pulumi = { module_path = "." } # Sets GO_VERSION_MISE and PULUMI_VERSION_MISE
 PULUMI_HOME = "{{config_root}}/.pulumi"
 [tools]
 # Runtimes
-# TODO: we may not need `get_env` once https://github.com/jdx/mise/discussions/6339 is fixed
+# TODO: we may not need 'get_env' once https://github.com/jdx/mise/discussions/6339 is fixed
 go = "{{ get_env(name='GO_VERSION_MISE', default='latest') }}"
 node = '20.19.5'
 python = '3.11.8'
-dotnet = '8.0.414'
+"vfox:version-fox/vfox-dotnet" = "8.0.20" # vfox backend doesn't work on Windows, gives "error converting Lua table to PreInstall (no version returned from vfox plugin)" https://github.com/jdx/mise/discussions/5876 https://github.com/jdx/mise/discussions/5550
 # Corretto version used as Java SE/OpenJDK version no longer offered
 java = 'corretto-11'
 # Executable tools
-pulumi = "{{ get_env(name='PULUMI_VERSION_MISE', default='latest') }}"
+"github:pulumi/pulumi" = "{{ get_env(name='PULUMI_VERSION_MISE', default='latest') }}"
-"github:pulumi/pulumictl" = 'latest'
+"github:pulumi/pulumictl" = '0.0.50'
-"github:pulumi/schema-tools" = "latest"
+"github:pulumi/schema-tools" = "0.6.0"
-gradle = '7.6'
+"aqua:gradle/gradle-distributions" = '7.6.6'
 golangci-lint = "1.64.8" # See note about about overrides if you need to customize this.
 "npm:yarn" = "1.22.22"
 [settings]
 experimental = true # Required for Go binaries (e.g. pulumictl).
-lockfile = true
+lockfile = false
 http_retries = 3
 pin = true # `mise use` should pin versions instead of defaulting to latest.
 fetch_remote_versions_cache = "24h" # Mise queries versions even if they're pinned to confirm they exist. Reduce GitHub API calls by doing that less often.
 [plugins]
 vfox-pulumi = "https://github.com/pulumi/vfox-pulumi"
--- a/.github/actions/download-provider/action.yml
+++ b/.github/actions/download-provider/action.yml
@@ -5,7 +5,7 @@ runs:
  using: "composite"
  steps:
    - name: Download provider
-      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin
--- a/.github/actions/download-sdk/action.yml
+++ b/.github/actions/download-sdk/action.yml
@@ -10,7 +10,7 @@ runs:
  using: "composite"
  steps:
    - name: Download SDK
-      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
      with:
        name: ${{ inputs.language }}-sdk.tar.gz
        path: ${{ github.workspace }}/sdk/
--- a/.github/actions/setup-tools/action.yml
+++ b/.github/actions/setup-tools/action.yml
@@ -14,14 +14,17 @@ runs:
  using: "composite"
  steps:
    - name: Setup mise
-      uses: jdx/mise-action@d16887ba50704baed7de72bd1e82e04391e4457a # v3
+      uses: blampe/mise-action@blampe/plugins
      env:
        MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
      with:
-        version: 2025.11.6
+        version: 2026.1.1
        cache_save: ${{ inputs.cache }}
        github_token: ${{ inputs.github_token }}
        plugin_install: https://github.com/pulumi/vfox-pulumi
    - name: Setup Go Cache
-      uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
+      uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
      with:
        cache: ${{ inputs.cache }}
        cache-dependency-path: |
@@ -32,7 +35,7 @@ runs:
          *.sum
    - name: Setup Node
-      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6
+      uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6
      with:
        # we don't set node-version because we install with mise.
        # this step is needed to setup npm auth
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -47,7 +47,7 @@ jobs:
      pull-requests: write # For schema check comment.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
@@ -59,6 +59,12 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
      id: app-auth
      with:
        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
@@ -122,61 +128,13 @@ jobs:
          sdk/nodejs/package.json
          sdk/python/pyproject.toml
          sdk/java/build.gradle
    - name: Commit SDK changes for Renovate
      if: failure() && steps.worktreeClean.outcome == 'failure' &&
        contains(github.actor, 'renovate') && github.event_name ==
        'pull_request'
      shell: bash
      run: >
        git diff --quiet -- sdk && echo "no changes to sdk" && exit
        git config --global user.email "bot@pulumi.com"
        git config --global user.name "pulumi-bot"
        # Stash local changes and check out the PR's branch directly.
        git stash
        git fetch
        git checkout "origin/$HEAD_REF"
        # Apply and add our changes, but don't commit any files we expect to
        # always change due to versioning.
        git stash pop
        git add sdk
        git reset sdk/python/*/pulumi-plugin.json \
            sdk/python/pyproject.toml \
            sdk/dotnet/pulumi-plugin.json \
            sdk/dotnet/*.*.csproj \
            sdk/dotnet/version.txt \
            sdk/go/*/pulumi-plugin.json \
            sdk/go/*/internal/pulumiUtilities.go \
            sdk/nodejs/package.json
        git commit -m 'Commit SDK for Renovate'
        # Push with pulumi-bot credentials to trigger a re-run of the
        # workflow. https://github.com/orgs/community/discussions/25702
        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
      env:
        HEAD_REF: ${{ github.head_ref }}
    - run: git status --porcelain
    - name: Tar provider binaries
      run: tar -zcf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
        github.workspace}}/bin/ pulumi-resource-${{ env.PROVIDER }}
        pulumi-gen-${{ env.PROVIDER}}
    - name: Upload artifacts
-      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin/provider.tar.gz
@@ -218,7 +176,7 @@ jobs:
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
@@ -230,6 +188,12 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
      id: app-auth
      with:
        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
@@ -240,7 +204,7 @@ jobs:
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        github_token: ${{ secrets.GITHUB_TOKEN }}
+        github_token: ${{ steps.app-auth.outputs.token }}
    - name: Download Provider Binary
      uses: ./.github/actions/download-provider
    - name: Generate SDK
@@ -259,59 +223,11 @@ jobs:
          sdk/nodejs/package.json
          sdk/python/pyproject.toml
          sdk/java/build.gradle
    - name: Commit SDK changes for Renovate
      if: failure() && steps.worktreeClean.outcome == 'failure' &&
        contains(github.actor, 'renovate') && github.event_name ==
        'pull_request'
      shell: bash
      run: >
        git diff --quiet -- sdk && echo "no changes to sdk" && exit
        git config --global user.email "bot@pulumi.com"
        git config --global user.name "pulumi-bot"
        # Stash local changes and check out the PR's branch directly.
        git stash
        git fetch
        git checkout "origin/$HEAD_REF"
        # Apply and add our changes, but don't commit any files we expect to
        # always change due to versioning.
        git stash pop
        git add sdk
        git reset sdk/python/*/pulumi-plugin.json \
            sdk/python/pyproject.toml \
            sdk/dotnet/pulumi-plugin.json \
            sdk/dotnet/*.*.csproj \
            sdk/dotnet/version.txt \
            sdk/go/*/pulumi-plugin.json \
            sdk/go/*/internal/pulumiUtilities.go \
            sdk/nodejs/package.json
        git commit -m 'Commit SDK for Renovate'
        # Push with pulumi-bot credentials to trigger a re-run of the
        # workflow. https://github.com/orgs/community/discussions/25702
        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
      env:
        HEAD_REF: ${{ github.head_ref }}
    - run: git status --porcelain
    - name: Tar SDK folder
      run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} .
    - name: Upload artifacts
-      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
      with:
        name: ${{ matrix.language  }}-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/${{ matrix.language }}.tar.gz
@@ -335,7 +251,7 @@ jobs:
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
@@ -380,7 +296,7 @@ jobs:
      id-token: write # For ESC secrets and Pulumi access token OIDC.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
@@ -392,6 +308,12 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
      id: app-auth
      with:
        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
@@ -402,7 +324,7 @@ jobs:
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        github_token: ${{ secrets.GITHUB_TOKEN }}
+        github_token: ${{ steps.app-auth.outputs.token }}
    - name: Download Provider Binary
      uses: ./.github/actions/download-provider
    - name: Download SDK
@@ -430,7 +352,7 @@ jobs:
        requested-token-type: urn:pulumi:token-type:access_token:organization
        export-environment-variables: false
    - name: Export AWS Credentials
-      uses: pulumi/esc-action@6cf9520e68354d86f81c455e8d43eabd58f5c9f5 # v1.5.0
+      uses: pulumi/esc-action@9840934db12128a33f6afb60b17d9de8f7ec5519
      env:
        PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
      with:
@@ -477,7 +399,7 @@ jobs:
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
@@ -489,6 +411,12 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
      id: app-auth
      with:
        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
@@ -499,7 +427,7 @@ jobs:
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        github_token: ${{ secrets.GITHUB_TOKEN }}
+        github_token: ${{ steps.app-auth.outputs.token }}
    - name: Clear GitHub Actions Ubuntu runner disk space
      uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
      with:
@@ -510,7 +438,7 @@ jobs:
        swap-storage: true
        large-packages: false
    - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
+      uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
      with:
        aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }}
        aws-region: us-east-2
@@ -550,7 +478,7 @@ jobs:
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
@@ -562,6 +490,12 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
      id: app-auth
      with:
        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
@@ -570,7 +504,7 @@ jobs:
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Checkout Scripts Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        path: ci-scripts
        repository: pulumi/scripts
@@ -578,9 +512,9 @@ jobs:
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        github_token: ${{ secrets.GITHUB_TOKEN }}
+        github_token: ${{ steps.app-auth.outputs.token }}
    - name: Download python SDK
-      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
      with:
        name: python-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -588,7 +522,7 @@ jobs:
      run: tar -zxf ${{github.workspace}}/sdk/python.tar.gz -C
        ${{github.workspace}}/sdk/python
    - name: Download dotnet SDK
-      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
      with:
        name: dotnet-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -596,7 +530,7 @@ jobs:
      run: tar -zxf ${{github.workspace}}/sdk/dotnet.tar.gz -C
        ${{github.workspace}}/sdk/dotnet
    - name: Download nodejs SDK
-      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
      with:
        name: nodejs-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -628,26 +562,6 @@ jobs:
      env:
        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  lint:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Repo
      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
      with:
        lfs: true
        persist-credentials: false
        ref: ${{ env.PR_COMMIT_SHA }}
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
        github_token: ${{ secrets.GITHUB_TOKEN }}
    - name: Disarm go:embed directives to enable linters that compile source code
      run: git grep -l 'go:embed' -- provider | xargs --no-run-if-empty sed -i
        's/go:embed/ goembed/g'
    - name: golangci-lint provider pkg
      uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6.5.2
      with:
        install-mode: none # Handled by mise.
        working-directory: .
    name: lint
-    if: github.event_name == 'repository_dispatch' ||
+    uses: ./.github/workflows/lint.yml
-      github.event.pull_request.head.repo.full_name == github.repository
+    secrets: inherit
--- a/.github/workflows/claude.yml
+++ b/.github/workflows/claude.yml
@@ -0,0 +1,135 @@
 name: Claude Code
 on:
  # Responds to @claude mentions in comments.
  issue_comment:
    types: [created]
  pull_request_review_comment:
    types: [created]
  issues:
    types: [opened]
  pull_request_review:
    types: [submitted]
 jobs:
  claude:
    # Only run when @claude is mentioned by a trusted user (OWNER, MEMBER, or COLLABORATOR)
    # Note: the claude-code-action can only be triggered by users with write access to the repository so this is extra
    # see https://github.com/anthropics/claude-code-action/blob/main/docs/security.md
    if: |
      (github.event_name == 'issue_comment' &&
        contains(github.event.comment.body, '@claude') &&
        contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)) ||
      (github.event_name == 'pull_request_review_comment' &&
        contains(github.event.comment.body, '@claude') &&
        contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)) ||
      (github.event_name == 'pull_request_review' &&
        contains(github.event.review.body, '@claude') &&
        contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.review.author_association)) ||
      (github.event_name == 'issues' &&
        (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) &&
        contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.issue.author_association))
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
      issues: write
      id-token: write
      actions: read
    steps:
      - env:
          ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
          ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
          ESC_ACTION_OIDC_AUTH: "true"
          ESC_ACTION_OIDC_ORGANIZATION: pulumi
          ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
        id: esc-secrets
        name: Fetch secrets from ESC
        uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          fetch-depth: 0
      - name: Checkout PR head (if applicable)
        if: ${{ github.event.pull_request.number || (github.event.issue.pull_request && github.event.issue.number) }}
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
        run: gh pr checkout "$PR_NUMBER"
      - name: Setup mise
        uses: blampe/mise-action@blampe/plugins
        env:
          MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
        with:
          version: 2026.1.1
          github_token: ${{ secrets.GITHUB_TOKEN }}
          plugin_install: https://github.com/pulumi/vfox-pulumi
          # only saving the cache in the prerequisites job
          cache_save: false
      - name: Prepare local workspace
        # this runs install_plugins and upstream
        run: make prepare_local_workspace
      - name: Run Claude Code Review
        # Comment must contain '@claude review'
        if: |
          (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude review')) ||
          (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude review')) ||
          (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude review'))
        id: claude-review
        uses: anthropics/claude-code-action@8341a564b0c1693e9fa29c681852ee3714980098 # v1
        with:
          anthropic_api_key: ${{ steps.esc-secrets.outputs.ANTHROPIC_API_KEY }}
          prompt: |
            REPO: ${{ github.repository }}
            PR NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
            Review this pull request using the provider-code-review skill for guidelines.
            The PR branch is already checked out in the current working directory.
            Use `gh pr comment` for top-level feedback.
            Use `mcp__github_inline_comment__create_inline_comment` to highlight specific code issues.
            Only post GitHub comments - don't submit review text as messages.
          # Taken from https://github.com/anthropics/claude-code/blob/main/plugins/code-review/commands/code-review.md
          claude_args: |
            --allowedTools "Skill,Bash(gh issue view *),Bash(gh search *),Bash(gh issue list *),Bash(gh pr comment *),Bash(gh pr diff *),Bash(gh pr view *),Bash(gh pr list *),mcp__github_inline_comment__create_inline_comment"
      - name: Run Claude Code
        # Comment must contain '@claude', but not '@claude review'
        if: |
          !contains(github.event.comment.body, '@claude review') &&
          !contains(github.event.review.body, '@claude review')
        id: claude-action
        uses: anthropics/claude-code-action@8341a564b0c1693e9fa29c681852ee3714980098 # v1
        with:
          anthropic_api_key: ${{ steps.esc-secrets.outputs.ANTHROPIC_API_KEY }}
          # This allows claude to read github action logs
          additional_permissions: |
            actions: read
          # Sandbox settings: --allowedTools controls which tools Claude can invoke,
          # but the sandbox also enforces OS-level filesystem restrictions. Edit()
          # rules in permissions.allow control all bash filesystem writes (mkdir,
          # output redirection, etc.), not just the Edit tool. Without these, commands
          # like `mkdir .pulumi` or `cmd > file.txt` would be blocked by the sandbox.
          settings: |
            {
              "permissions": {
                "allow": ["Edit(./**)", "Edit(/tmp/**)"]
              }
            }
          claude_args: |
            --max-turns 50
            --allowedTools "Skill,Edit,MultiEdit,Write,Read,Glob,Grep,LS,Bash(upgrade-provider *),Bash(./scripts/upstream.sh *),Bash(git *),Bash(GIT_EDITOR=* git *),Bash(make *),Bash(gh *),Bash(mkdir *),Bash(go install *),Bash(ls *),Bash(test *),Bash(cat *),Bash(pwd),Bash(head *),Bash(tail *),Bash(tee *),Bash(rg *),Bash(grep *),Bash(sed *),Bash(awk *),Bash(find *)"
        # If the claude action fails you don't get any logs on what claude was doing
        # Uploading the artifact allows you to download the artifact from the UI
      - name: Upload Claude review output on failure
        if: failure() && steps.claude-review.outputs.execution_file
        uses: actions/upload-artifact@v4
        with:
          name: claude-review-execution-log
          path: ${{ steps.claude-review.outputs.execution_file }}
          retention-days: 7
      - name: Upload Claude output on failure
        if: failure() && steps.claude-action.outputs.execution_file
        uses: actions/upload-artifact@v4
        with:
          name: claude-execution-log
          path: ${{ steps.claude-action.outputs.execution_file }}
          retention-days: 7
--- a/.github/workflows/command-dispatch.yml
+++ b/.github/workflows/command-dispatch.yml
@@ -14,6 +14,7 @@ env:
  GOOGLE_REGION: us-central1
  GOOGLE_ZONE: us-central1-a
  PULUMI_API: https://api.pulumi-staging.io
  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
 jobs:
  command-dispatch-for-testing:
@@ -24,7 +25,7 @@ jobs:
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        persist-credentials: false    
    - env:
@@ -36,7 +37,7 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
-    - uses: peter-evans/slash-command-dispatch@13bc09769d122a64f75aa5037256f6f2d78be8c4 # v4
+    - uses: peter-evans/slash-command-dispatch@5c11dc7efead556e3bdabf664302212f79eb26fa # v5
      with:
        commands: |
          run-acceptance-tests
--- a/.github/workflows/comment-on-stale-issues.yml
+++ b/.github/workflows/comment-on-stale-issues.yml
@@ -1,6 +1,8 @@
 # WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
 name: "Comment on stale issues"
 on:
  workflow_dispatch: {}
  schedule:
  - cron: "46 4 * * *" # run once per day
@@ -9,7 +11,7 @@ jobs:
    runs-on: ubuntu-latest
    name: Stale issue job
    steps:
-    - uses: aws-actions/stale-issue-cleanup@5650b49bcd757a078f6ca06c373d7807b773f9bc # v7.1.0
+    - uses: pose/stale-issue-cleanup@d2922f61fc5669f4154408689f9bb2a981996112
      with:
        issue-types: issues # only look at issues (ignore pull-requests)
--- a/.github/workflows/community-moderation.yml
+++ b/.github/workflows/community-moderation.yml
@@ -6,7 +6,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        persist-credentials: false
    - id: schema_changed
--- a/.github/workflows/export-repo-secrets.yml
+++ b/.github/workflows/export-repo-secrets.yml
@@ -8,7 +8,7 @@ jobs:
    steps:
      - name: Generate a GitHub token
        id: generate-token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
        with:
          app-id: 1256780 # Export Secrets GitHub App
          private-key: ${{ secrets.EXPORT_SECRETS_PRIVATE_KEY }}
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,69 @@
 # WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
 name: lint
 on:
  workflow_call:
    inputs: {}
 env:
  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
  AWS_REGION: us-west-2
  AZURE_LOCATION: westus
  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
  GOOGLE_PROJECT: pulumi-ci-gcp-provider
  GOOGLE_PROJECT_NUMBER: "895284651812"
  GOOGLE_REGION: us-central1
  GOOGLE_ZONE: us-central1-a
  PULUMI_API: https://api.pulumi-staging.io
  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
 jobs:
  lint:
    name: lint
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        persist-credentials: false    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
      id: app-auth
      with:
        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
        owner: ${{ github.repository_owner }}
    - name: Setup mise
      uses: blampe/mise-action@blampe/plugins
      env:
        MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
      with:
        version: 2026.1.1
        github_token: ${{ steps.app-auth.outputs.token }}
        plugin_install: https://github.com/pulumi/vfox-pulumi
        cache_save: false # A different job handles caching our tools.
    - name: prepare workspace
      continue-on-error: true
      run: make prepare_local_workspace
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: lint
      run: make lint
--- a/.github/workflows/prerelease.yml
+++ b/.github/workflows/prerelease.yml
@@ -34,9 +34,12 @@ jobs:
  prerequisites:
    runs-on: ubuntu-latest
    name: prerequisites
    permissions:
      id-token: write # For ESC secrets.
      pull-requests: write # For schema check comment.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
@@ -48,6 +51,12 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
      id: app-auth
      with:
        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
@@ -111,61 +120,13 @@ jobs:
          sdk/nodejs/package.json
          sdk/python/pyproject.toml
          sdk/java/build.gradle
    - name: Commit SDK changes for Renovate
      if: failure() && steps.worktreeClean.outcome == 'failure' &&
        contains(github.actor, 'renovate') && github.event_name ==
        'pull_request'
      shell: bash
      run: >
        git diff --quiet -- sdk && echo "no changes to sdk" && exit
        git config --global user.email "bot@pulumi.com"
        git config --global user.name "pulumi-bot"
        # Stash local changes and check out the PR's branch directly.
        git stash
        git fetch
        git checkout "origin/$HEAD_REF"
        # Apply and add our changes, but don't commit any files we expect to
        # always change due to versioning.
        git stash pop
        git add sdk
        git reset sdk/python/*/pulumi-plugin.json \
            sdk/python/pyproject.toml \
            sdk/dotnet/pulumi-plugin.json \
            sdk/dotnet/*.*.csproj \
            sdk/dotnet/version.txt \
            sdk/go/*/pulumi-plugin.json \
            sdk/go/*/internal/pulumiUtilities.go \
            sdk/nodejs/package.json
        git commit -m 'Commit SDK for Renovate'
        # Push with pulumi-bot credentials to trigger a re-run of the
        # workflow. https://github.com/orgs/community/discussions/25702
        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
      env:
        HEAD_REF: ${{ github.head_ref }}
    - run: git status --porcelain
    - name: Tar provider binaries
      run: tar -zcf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
        github.workspace}}/bin/ pulumi-resource-${{ env.PROVIDER }}
        pulumi-gen-${{ env.PROVIDER}}
    - name: Upload artifacts
-      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin/provider.tar.gz
@@ -207,7 +168,7 @@ jobs:
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
@@ -219,6 +180,12 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
      id: app-auth
      with:
        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
@@ -229,7 +196,7 @@ jobs:
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        github_token: ${{ secrets.GITHUB_TOKEN }}
+        github_token: ${{ steps.app-auth.outputs.token }}
    - name: Download Provider Binary
      uses: ./.github/actions/download-provider
    - name: Generate SDK
@@ -248,59 +215,11 @@ jobs:
          sdk/nodejs/package.json
          sdk/python/pyproject.toml
          sdk/java/build.gradle
    - name: Commit ${{ matrix.language }} SDK changes for Renovate
      if: failure() && steps.worktreeClean.outcome == 'failure' &&
        contains(github.actor, 'renovate') && github.event_name ==
        'pull_request'
      shell: bash
      run: >
        git diff --quiet -- sdk && echo "no changes to sdk" && exit
        git config --global user.email "bot@pulumi.com"
        git config --global user.name "pulumi-bot"
        # Stash local changes and check out the PR's branch directly.
        git stash
        git fetch
        git checkout "origin/$HEAD_REF"
        # Apply and add our changes, but don't commit any files we expect to
        # always change due to versioning.
        git stash pop
        git add sdk
        git reset sdk/python/*/pulumi-plugin.json \
            sdk/python/pyproject.toml \
            sdk/dotnet/pulumi-plugin.json \
            sdk/dotnet/*.*.csproj \
            sdk/dotnet/version.txt \
            sdk/go/*/pulumi-plugin.json \
            sdk/go/*/internal/pulumiUtilities.go \
            sdk/nodejs/package.json
        git commit -m 'Commit ${{ matrix.language }} SDK for Renovate'
        # Push with pulumi-bot credentials to trigger a re-run of the
        # workflow. https://github.com/orgs/community/discussions/25702
        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
      env:
        HEAD_REF: ${{ github.head_ref }}
    - run: git status --porcelain
    - name: Tar SDK folder
      run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} .
    - name: Upload artifacts
-      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
      with:
        name: ${{ matrix.language  }}-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/${{ matrix.language }}.tar.gz
@@ -333,7 +252,7 @@ jobs:
      id-token: write # For ESC secrets and Pulumi access token OIDC.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
@@ -345,6 +264,12 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
      id: app-auth
      with:
        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
@@ -355,7 +280,7 @@ jobs:
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        github_token: ${{ secrets.GITHUB_TOKEN }}
+        github_token: ${{ steps.app-auth.outputs.token }}
    - name: Download Provider Binary
      uses: ./.github/actions/download-provider
    - name: Download SDK
@@ -383,7 +308,7 @@ jobs:
        requested-token-type: urn:pulumi:token-type:access_token:organization
        export-environment-variables: false
    - name: Export AWS Credentials
-      uses: pulumi/esc-action@6cf9520e68354d86f81c455e8d43eabd58f5c9f5 # v1.5.0
+      uses: pulumi/esc-action@9840934db12128a33f6afb60b17d9de8f7ec5519
      env:
        PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
      with:
@@ -430,7 +355,7 @@ jobs:
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
@@ -442,6 +367,12 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
      id: app-auth
      with:
        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
@@ -452,7 +383,7 @@ jobs:
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        github_token: ${{ secrets.GITHUB_TOKEN }}
+        github_token: ${{ steps.app-auth.outputs.token }}
    - name: Clear GitHub Actions Ubuntu runner disk space
      uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
      with:
@@ -463,7 +394,7 @@ jobs:
        swap-storage: true
        large-packages: false
    - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
+      uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
      with:
        aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }}
        aws-region: us-east-2
@@ -503,7 +434,7 @@ jobs:
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
@@ -515,6 +446,12 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
      id: app-auth
      with:
        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
@@ -523,7 +460,7 @@ jobs:
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Checkout Scripts Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        path: ci-scripts
        repository: pulumi/scripts
@@ -531,9 +468,9 @@ jobs:
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        github_token: ${{ secrets.GITHUB_TOKEN }}
+        github_token: ${{ steps.app-auth.outputs.token }}
    - name: Download python SDK
-      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
      with:
        name: python-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -541,7 +478,7 @@ jobs:
      run: tar -zxf ${{github.workspace}}/sdk/python.tar.gz -C
        ${{github.workspace}}/sdk/python
    - name: Download dotnet SDK
-      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
      with:
        name: dotnet-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -549,7 +486,7 @@ jobs:
      run: tar -zxf ${{github.workspace}}/sdk/dotnet.tar.gz -C
        ${{github.workspace}}/sdk/dotnet
    - name: Download nodejs SDK
-      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
      with:
        name: nodejs-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -585,7 +522,7 @@ jobs:
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
@@ -597,6 +534,12 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
      id: app-auth
      with:
        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
@@ -607,9 +550,9 @@ jobs:
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        github_token: ${{ secrets.GITHUB_TOKEN }}
+        github_token: ${{ steps.app-auth.outputs.token }}
    - name: Download java SDK
-      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
      with:
        name: java-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -635,7 +578,7 @@ jobs:
    needs: publish_sdk
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true
    - id: version
@@ -646,7 +589,7 @@ jobs:
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Download go SDK
-      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
      with:
        name: go-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -10,7 +10,7 @@ jobs:
    name: comment-on-pr
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true
    - name: Comment PR
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -39,7 +39,7 @@ jobs:
      pull-requests: write # For schema check comment.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
@@ -51,6 +51,12 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
      id: app-auth
      with:
        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
@@ -62,7 +68,7 @@ jobs:
      uses: ./.github/actions/setup-tools
      with:
        cache: 'true'
-        github_token: ${{ secrets.GITHUB_TOKEN }}
+        github_token: ${{ steps.app-auth.outputs.token }}
    - if: github.event_name == 'pull_request'
      name: Install Schema Tools
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
@@ -114,61 +120,13 @@ jobs:
          sdk/nodejs/package.json
          sdk/python/pyproject.toml
          sdk/java/build.gradle
    - name: Commit SDK changes for Renovate
      if: failure() && steps.worktreeClean.outcome == 'failure' &&
        contains(github.actor, 'renovate') && github.event_name ==
        'pull_request'
      shell: bash
      run: >
        git diff --quiet -- sdk && echo "no changes to sdk" && exit
        git config --global user.email "bot@pulumi.com"
        git config --global user.name "pulumi-bot"
        # Stash local changes and check out the PR's branch directly.
        git stash
        git fetch
        git checkout "origin/$HEAD_REF"
        # Apply and add our changes, but don't commit any files we expect to
        # always change due to versioning.
        git stash pop
        git add sdk
        git reset sdk/python/*/pulumi-plugin.json \
            sdk/python/pyproject.toml \
            sdk/dotnet/pulumi-plugin.json \
            sdk/dotnet/*.*.csproj \
            sdk/dotnet/version.txt \
            sdk/go/*/pulumi-plugin.json \
            sdk/go/*/internal/pulumiUtilities.go \
            sdk/nodejs/package.json
        git commit -m 'Commit SDK for Renovate'
        # Push with pulumi-bot credentials to trigger a re-run of the
        # workflow. https://github.com/orgs/community/discussions/25702
        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
      env:
        HEAD_REF: ${{ github.head_ref }}
    - run: git status --porcelain
    - name: Tar provider binaries
      run: tar -zcf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
        github.workspace}}/bin/ pulumi-resource-${{ env.PROVIDER }}
        pulumi-gen-${{ env.PROVIDER}}
    - name: Upload artifacts
-      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin/provider.tar.gz
@@ -210,7 +168,7 @@ jobs:
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
@@ -222,6 +180,12 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
      id: app-auth
      with:
        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
@@ -232,7 +196,7 @@ jobs:
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        github_token: ${{ secrets.GITHUB_TOKEN }}
+        github_token: ${{ steps.app-auth.outputs.token }}
    - name: Download Provider Binary
      uses: ./.github/actions/download-provider
    - name: Generate SDK
@@ -251,59 +215,11 @@ jobs:
          sdk/nodejs/package.json
          sdk/python/pyproject.toml
          sdk/java/build.gradle
    - name: Commit SDK changes for Renovate
      if: failure() && steps.worktreeClean.outcome == 'failure' &&
        contains(github.actor, 'renovate') && github.event_name ==
        'pull_request'
      shell: bash
      run: >
        git diff --quiet -- sdk && echo "no changes to sdk" && exit
        git config --global user.email "bot@pulumi.com"
        git config --global user.name "pulumi-bot"
        # Stash local changes and check out the PR's branch directly.
        git stash
        git fetch
        git checkout "origin/$HEAD_REF"
        # Apply and add our changes, but don't commit any files we expect to
        # always change due to versioning.
        git stash pop
        git add sdk
        git reset sdk/python/*/pulumi-plugin.json \
            sdk/python/pyproject.toml \
            sdk/dotnet/pulumi-plugin.json \
            sdk/dotnet/*.*.csproj \
            sdk/dotnet/version.txt \
            sdk/go/*/pulumi-plugin.json \
            sdk/go/*/internal/pulumiUtilities.go \
            sdk/nodejs/package.json
        git commit -m 'Commit SDK for Renovate'
        # Push with pulumi-bot credentials to trigger a re-run of the
        # workflow. https://github.com/orgs/community/discussions/25702
        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
      env:
        HEAD_REF: ${{ github.head_ref }}
    - run: git status --porcelain
    - name: Tar SDK folder
      run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} .
    - name: Upload artifacts
-      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
      with:
        name: ${{ matrix.language  }}-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/${{ matrix.language }}.tar.gz
@@ -336,7 +252,7 @@ jobs:
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
@@ -348,6 +264,12 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
      id: app-auth
      with:
        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
@@ -358,7 +280,7 @@ jobs:
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        github_token: ${{ secrets.GITHUB_TOKEN }}
+        github_token: ${{ steps.app-auth.outputs.token }}
    - name: Download Provider Binary
      uses: ./.github/actions/download-provider
    - name: Download SDK
@@ -386,7 +308,7 @@ jobs:
        requested-token-type: urn:pulumi:token-type:access_token:organization
        export-environment-variables: false
    - name: Export AWS Credentials
-      uses: pulumi/esc-action@6cf9520e68354d86f81c455e8d43eabd58f5c9f5 # v1.5.0
+      uses: pulumi/esc-action@9840934db12128a33f6afb60b17d9de8f7ec5519
      env:
        PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
      with:
@@ -433,7 +355,7 @@ jobs:
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
@@ -445,6 +367,12 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
      id: app-auth
      with:
        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
@@ -455,7 +383,7 @@ jobs:
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        github_token: ${{ secrets.GITHUB_TOKEN }}
+        github_token: ${{ steps.app-auth.outputs.token }}
    - name: Clear GitHub Actions Ubuntu runner disk space
      uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
      with:
@@ -466,7 +394,7 @@ jobs:
        swap-storage: true
        large-packages: false
    - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
+      uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
      with:
        aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }}
        aws-region: us-east-2
@@ -506,7 +434,7 @@ jobs:
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
@@ -518,6 +446,12 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
      id: app-auth
      with:
        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
@@ -526,7 +460,7 @@ jobs:
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Checkout Scripts Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        path: ci-scripts
        repository: pulumi/scripts
@@ -534,9 +468,9 @@ jobs:
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        github_token: ${{ secrets.GITHUB_TOKEN }}
+        github_token: ${{ steps.app-auth.outputs.token }}
    - name: Download python SDK
-      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
      with:
        name: python-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -544,7 +478,7 @@ jobs:
      run: tar -zxf ${{github.workspace}}/sdk/python.tar.gz -C
        ${{github.workspace}}/sdk/python
    - name: Download dotnet SDK
-      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
      with:
        name: dotnet-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -552,7 +486,7 @@ jobs:
      run: tar -zxf ${{github.workspace}}/sdk/dotnet.tar.gz -C
        ${{github.workspace}}/sdk/dotnet
    - name: Download nodejs SDK
-      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
      with:
        name: nodejs-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -588,7 +522,7 @@ jobs:
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
@@ -600,6 +534,12 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
      id: app-auth
      with:
        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
@@ -610,9 +550,9 @@ jobs:
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        github_token: ${{ secrets.GITHUB_TOKEN }}
+        github_token: ${{ steps.app-auth.outputs.token }}
    - name: Download java SDK
-      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
      with:
        name: java-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -638,7 +578,7 @@ jobs:
    needs: publish_sdk
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true
    - id: version
@@ -649,7 +589,7 @@ jobs:
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Download go SDK
-      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
      with:
        name: go-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -674,7 +614,7 @@ jobs:
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
@@ -686,6 +626,12 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
      id: app-auth
      with:
        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
        owner: ${{ github.repository_owner }}
    - name: Install pulumictl
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
      with:
--- a/.github/workflows/release_command.yml
+++ b/.github/workflows/release_command.yml
@@ -11,7 +11,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        persist-credentials: false    
    - env:
--- a/.github/workflows/run-acceptance-tests.yml
+++ b/.github/workflows/run-acceptance-tests.yml
@@ -32,6 +32,7 @@ env:
  GOOGLE_REGION: us-central1
  GOOGLE_ZONE: us-central1-a
  PULUMI_API: https://api.pulumi-staging.io
  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
  PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }}
 jobs:
  comment-notification:
@@ -40,7 +41,7 @@ jobs:
    name: comment-notification
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true
        persist-credentials: false
@@ -65,7 +66,7 @@ jobs:
      pull-requests: write # For schema check comment.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true
        persist-credentials: false
@@ -79,6 +80,12 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
      id: app-auth
      with:
        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
@@ -90,7 +97,7 @@ jobs:
      uses: ./.github/actions/setup-tools
      with:
        cache: 'true'
-        github_token: ${{ secrets.GITHUB_TOKEN }}
+        github_token: ${{ steps.app-auth.outputs.token }}
    - if: github.event_name == 'pull_request'
      name: Install Schema Tools
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
@@ -142,14 +149,16 @@ jobs:
          sdk/nodejs/package.json
          sdk/python/pyproject.toml
          sdk/java/build.gradle
      # This worktree check is a safeguard against someone forgetting to
      # re-build and commit locally, but we handle that commit automatically in
      # the case of dependency bumps.
      continue-on-error: ${{ contains(github.actor, 'renovate') }}
    - name: Commit SDK changes for Renovate
-      if: failure() && steps.worktreeClean.outcome == 'failure' &&
+      if: steps.worktreeClean.outcome == 'failure' &&
        contains(github.actor, 'renovate') && github.event_name ==
        'pull_request'
      shell: bash
      run: >
        git diff --quiet -- sdk && echo "no changes to sdk" && exit
        git config --global user.email "bot@pulumi.com"
        git config --global user.name "pulumi-bot"
@@ -164,12 +173,11 @@ jobs:
        # Apply and add our changes, but don't commit any files we expect to
        # always change due to versioning.
        git stash pop
-        git add sdk
+        git add sdk provider/cmd/pulumi-resource-docker-build/schema.json
        git reset sdk/python/*/pulumi-plugin.json \
            sdk/python/pyproject.toml \
@@ -182,9 +190,7 @@ jobs:
        git commit -m 'Commit SDK for Renovate'
        # Push with pulumi-bot credentials to trigger a re-run of the
        # workflow. https://github.com/orgs/community/discussions/25702
        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
@@ -196,7 +202,7 @@ jobs:
        github.workspace}}/bin/ pulumi-resource-${{ env.PROVIDER }}
        pulumi-gen-${{ env.PROVIDER}}
    - name: Upload artifacts
-      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin/provider.tar.gz
@@ -240,7 +246,7 @@ jobs:
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true
        persist-credentials: false
@@ -254,6 +260,12 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
      id: app-auth
      with:
        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
@@ -264,9 +276,9 @@ jobs:
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        github_token: ${{ secrets.GITHUB_TOKEN }}
+        github_token: ${{ steps.app-auth.outputs.token }}
    - name: Download provider
-      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin
@@ -292,14 +304,13 @@ jobs:
          sdk/nodejs/package.json
          sdk/python/pyproject.toml
          sdk/java/build.gradle
      continue-on-error: ${{ contains(github.actor, 'renovate') }}
    - name: Commit SDK changes for Renovate
-      if: failure() && steps.worktreeClean.outcome == 'failure' &&
+      if: steps.worktreeClean.outcome == 'failure' &&
        contains(github.actor, 'renovate') && github.event_name ==
        'pull_request'
      shell: bash
      run: >
        git diff --quiet -- sdk && echo "no changes to sdk" && exit
        git config --global user.email "bot@pulumi.com"
        git config --global user.name "pulumi-bot"
@@ -312,14 +323,12 @@ jobs:
        git checkout "origin/$HEAD_REF"
        # Apply and add our changes, but don't commit any files we expect to
        # always change due to versioning.
        git stash pop
-        git add sdk
+        git add sdk provider/cmd/pulumi-resource-docker-build/schema.json
        git reset sdk/python/*/pulumi-plugin.json \
            sdk/python/pyproject.toml \
@@ -333,7 +342,6 @@ jobs:
        git commit -m 'Commit SDK for Renovate'
        # Push with pulumi-bot credentials to trigger a re-run of the
        # workflow. https://github.com/orgs/community/discussions/25702
        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
@@ -343,7 +351,7 @@ jobs:
    - name: Tar SDK folder
      run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} .
    - name: Upload artifacts
-      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+      uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0
      with:
        name: ${{ matrix.language  }}-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/${{ matrix.language }}.tar.gz
@@ -379,7 +387,7 @@ jobs:
      id-token: write
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true
        persist-credentials: false
@@ -393,6 +401,12 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
      id: app-auth
      with:
        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
        owner: ${{ github.repository_owner }}
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
@@ -403,9 +417,9 @@ jobs:
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        github_token: ${{ secrets.GITHUB_TOKEN }}
+        github_token: ${{ steps.app-auth.outputs.token }}
    - name: Download provider
-      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin
@@ -417,7 +431,7 @@ jobs:
        -exec chmod +x {} \;
    - name: Download SDK
      if: ${{ matrix.language != 'yaml' }}
-      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+      uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0
      with:
        name: ${{ matrix.language }}-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -445,7 +459,7 @@ jobs:
        requested-token-type: urn:pulumi:token-type:access_token:organization
        export-environment-variables: false
    - name: Export AWS Credentials
-      uses: pulumi/esc-action@6cf9520e68354d86f81c455e8d43eabd58f5c9f5 # v1.5.0
+      uses: pulumi/esc-action@9840934db12128a33f6afb60b17d9de8f7ec5519
      env:
        PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
      with:
@@ -490,7 +504,7 @@ jobs:
    name: sentinel
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true
        persist-credentials: false
@@ -525,7 +539,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true
        persist-credentials: false
--- a/.github/workflows/weekly-pulumi-update.yml
+++ b/.github/workflows/weekly-pulumi-update.yml
@@ -29,6 +29,7 @@ env:
  GOOGLE_REGION: us-central1
  GOOGLE_ZONE: us-central1-a
  PULUMI_API: https://api.pulumi-staging.io
  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
 jobs:
  weekly-pulumi-update:
@@ -36,7 +37,7 @@ jobs:
    permissions: write-all
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
@@ -48,10 +49,16 @@ jobs:
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
      id: app-auth
      with:
        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
        owner: ${{ github.repository_owner }}
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        github_token: ${{ secrets.GITHUB_TOKEN }}
+        github_token: ${{ steps.app-auth.outputs.token }}
    - name: Update Pulumi/Pulumi
      id: gomod
      run: >-
@@ -61,10 +68,10 @@ jobs:
        git checkout -b update-pulumi/${{ github.run_id }}-${{ github.run_number }}
        find . -name go.mod -execdir sh -c 'go get github.com/pulumi/pulumi/pkg/v3 github.com/pulumi/pulumi/sdk/v3; go mod tidy' \;
        gh repo view pulumi/pulumi --json latestRelease --jq .latestRelease.tagName | sed 's/^v//' > .pulumi.version
        VERSION=$(cat .pulumi.version) find . -name go.mod -execdir sh -c 'go get github.com/pulumi/pulumi/pkg/v3@v${VERSION} github.com/pulumi/pulumi/sdk/v3@v${VERSION}; go mod tidy' \;
        git update-index -q --refresh
        if ! git diff-files --quiet; then echo changes=1 >> "$GITHUB_OUTPUT"; fi
--- a/.gitignore
+++ b/.gitignore
@@ -7,6 +7,7 @@
 **/.ionide
 **/.vscode
 *.swp
 .pulumi
 Pulumi.*.yaml
 yarn.lock
 ci-scripts
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -1,104 +1,37 @@
-run:
+# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
  timeout: 10m
 linters:
  enable-all: false
  enable:
-    - depguard
+  - errcheck
-    - errcheck
+  - gci
-    - exhaustive
+  - goconst
-    - copyloopvar
+  - gofmt
-    - gci
+  - gosec
-    - gocritic
+  - govet
-    - gofumpt
+  - ineffassign
-    - goheader
+  - lll
-    - gosec
+  - gosimple
-    - govet
+  - staticcheck
-    - importas
+  - misspell
-    - ineffassign
+  - nakedret
-    - lll
+  - revive
-    - misspell
+  - unconvert
-    - nakedret
+  - unused
-    - nolintlint
+  enable-all: false
-    - paralleltest
+issues:
-    - perfsprint
+  exclude-dirs:
-    - prealloc
+  - pkg/vendored
-    - revive
+  exclude-files:
-    - unconvert
+  - schema.go
-    - unused
+  - pulumiManifest.go
-
+run:
  timeout: 20m
 linters-settings:
  depguard:
    rules:
      protobuf:
        deny:
          - pkg: "github.com/golang/protobuf"
            desc: Use google.golang.org/protobuf instead
  gci:
    sections:
      - standard # Standard section: captures all standard library packages.
      - blank # Blank section: contains all blank imports.
      - default # Default section: contains all imports that could not be matched to another section type.
      - prefix(github.com/pulumi/) # Custom section: groups all imports with the github.com/pulumi/ prefix.
-      - prefix(github.com/pulumi/pulumi-dockerbuild/) # Custom section: local imports
+      - prefix(github.com/pulumi/pulumi-docker-build) # Custom section: local imports
    custom-order: true
  gocritic:
    enable-all: true
    disabled-checks:
      - hugeParam
      - importShadow
  goheader:
    template: |-
      Copyright 2024, Pulumi Corporation.
      Licensed under the Apache License, Version 2.0 (the "License");
      you may not use this file except in compliance with the License.
      You may obtain a copy of the License at
          http://www.apache.org/licenses/LICENSE-2.0
      Unless required by applicable law or agreed to in writing, software
      distributed under the License is distributed on an "AS IS" BASIS,
      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
      See the License for the specific language governing permissions and
      limitations under the License.
  govet:
    enable:
      - nilness
      # Reject comparisons of reflect.Value with DeepEqual or '=='.
      - reflectvaluecompare
      # Reject sort.Slice calls with a non-slice argument.
      - sortslice
      # Detect write to struct/arrays by-value that aren't read again.
      - unusedwrite
  nakedret:
    # Make an issue if func has more lines of code than this setting, and it has naked returns.
    # Default: 30
    max-func-lines: 60
  nolintlint:
    # Some linter exclusions are added to generated or templated files
    # pre-emptively.
    # Don't complain about these.
    allow-unused: true
 issues:
  exclude-use-default: false
  exclude-rules:
    # Don't warn on unused parameters.
    # Parameter names are useful; replacing them with '_' is undesirable.
    - linters: [revive]
      text: 'unused-parameter: parameter \S+ seems to be unused, consider removing or renaming it as _'
    # staticcheck already has smarter checks for empty blocks.
    # revive's empty-block linter has false positives.
    # For example, as of writing this, the following is not allowed.
    #   for foo() { }
    - linters: [revive]
      text: "empty-block: this block is empty, you can remove it"
    # We *frequently* use the term 'new' in the context of properties
    # (new and old properties),
    # and we rarely use the 'new' built-in function.
    # It's fine to ignore these cases.
    - linters: [revive]
      text: "redefines-builtin-id: redefinition of the built-in function new"
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -1,5 +1,4 @@
 # WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
 project_name: pulumi-docker-build
 builds:
 - id: build-provider
--- a/examples/nodejs/package.json
+++ b/examples/nodejs/package.json
@@ -5,6 +5,6 @@
  },
  "dependencies": {
    "typescript": "^4.0.0",
-    "@pulumi/pulumi": "3.210.0"
+    "@pulumi/pulumi": "3.212.0"
  }
 }
--- a/examples/tests/caching/package.json
+++ b/examples/tests/caching/package.json
@@ -4,6 +4,6 @@
    "@types/node": "^20.0.0"
  },
  "dependencies": {
-    "@pulumi/pulumi": "3.210.0"
+    "@pulumi/pulumi": "3.212.0"
  }
 }
--- a/examples/tests/caching/yarn.lock
+++ b/examples/tests/caching/yarn.lock
@@ -369,10 +369,10 @@
  resolved "https://registry.yarnpkg.com/@protobufjs/utf8/-/utf8-1.1.0.tgz#a777360b5b39a1a2e5106f8e858f2fd2d060c570"
  integrity sha512-Vvn3zZrhQZkkBE8LSuW3em98c0FwgO4nxzv6OdSxPKJIEKY2bGbHn+mhGIPerzI4twdxaP8/0+06HBpwf345Lw==
-"@pulumi/pulumi@3.210.0":
+"@pulumi/pulumi@3.212.0":
-  version "3.210.0"
+  version "3.212.0"
-  resolved "https://registry.yarnpkg.com/@pulumi/pulumi/-/pulumi-3.210.0.tgz#c5d59ebaded83f5baf571e0c5c1b6a766fc694ea"
+  resolved "https://registry.yarnpkg.com/@pulumi/pulumi/-/pulumi-3.212.0.tgz#2aed99e9be253beed0f4c7663c6a2a98f302f89f"
-  integrity sha512-ZMe4oH8nFNi3Tig1U8mTEuqrjTyEz0aVkn+DvvjcBPvM7WzZSdB6xR9MiRK/ZUi0G5O+H7fx2gEEeq1vYcM5Jg==
+  integrity sha512-UXV6UQLS2elP0yQNWCQWKjY+dc8w0TXC9uJLIiybzEpFyeKdPhuA0zJrI1zOql5Y7V9q5xtF2sqmHh52HLJVKg==
  dependencies:
    "@grpc/grpc-js" "^1.10.1"
    "@logdna/tail-file" "^2.0.6"
--- a/examples/tests/config/package.json
+++ b/examples/tests/config/package.json
@@ -4,6 +4,6 @@
    "@types/node": "^20.0.0"
  },
  "dependencies": {
-    "@pulumi/pulumi": "3.210.0"
+    "@pulumi/pulumi": "3.212.0"
  }
 }
--- a/examples/upgrade-node/package.json
+++ b/examples/upgrade-node/package.json
@@ -5,6 +5,6 @@
  },
  "dependencies": {
    "typescript": "^4.0.0",
-    "@pulumi/pulumi": "3.210.0"
+    "@pulumi/pulumi": "3.212.0"
  }
 }
--- a/go.mod
+++ b/go.mod
@@ -14,7 +14,7 @@ require (
 	github.com/moby/patternmatcher v0.6.0
 	github.com/muesli/reflow v0.3.0
 	github.com/otiai10/copy v1.14.0
-	github.com/pulumi/providertest v0.3.1
+	github.com/pulumi/providertest v0.6.0
 	github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3 v3.0.0-20250806132441-44ca9a522cef
 	github.com/pulumi/pulumi-go-provider v1.1.2
 	github.com/pulumi/pulumi-java/pkg v1.16.0
--- a/go.sum
+++ b/go.sum
@@ -892,8 +892,8 @@ github.com/pulumi/esc v0.20.0 h1:LZn4sjAsI76x10ZuZXXyh2ExGcP7AHmjOzCi/p3/fpQ=
 github.com/pulumi/esc v0.20.0/go.mod h1:h1VjdedI0K84MhMzaR9ZKbEpU6SfZMOZF4ZrVgQyNLY=
 github.com/pulumi/inflector v0.2.1 h1:bqyiish3tq//vLeLiEstSFE5K7RNjy/ce47ed4QATu8=
 github.com/pulumi/inflector v0.2.1/go.mod h1:HUFCjcPTz96YtTuUlwG3i3EZG4WlniBvR9bd+iJxCUY=
-github.com/pulumi/providertest v0.3.1 h1:vlftr7TZlObh81mL88IhhF0/9ZbLrZZos4NAvR4HUUw=
+github.com/pulumi/providertest v0.6.0 h1:ZnefsbhkPE+BpKienHgb38P/6SEtXjjOXGGdMEUIOgk=
-github.com/pulumi/providertest v0.3.1/go.mod h1:fFHUP4/9DRyYnHWiRnwcynMtM/a7hHR/QcJfcuZKO3A=
+github.com/pulumi/providertest v0.6.0/go.mod h1:OBpIGSQrw1FW9VNaHBtKCRxEoTISvx8JsxECmRqRgRQ=
 github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3 v3.0.0-20250806132441-44ca9a522cef h1:cxRa9R9To6OYKacIG2Em6zcM7BDNr6joC43uiV1lSVY=
 github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3 v3.0.0-20250806132441-44ca9a522cef/go.mod h1:VLcnE1lj92EfRi7CRMzdPkQ9OQvrlg2upJM1lBZzNmg=
 github.com/pulumi/pulumi-go-provider v1.1.2 h1:NUQDXaftBDFTPMBPwxo8FhJUX0ymkv6a1XiXTnCDpvg=
Author	SHA1	Message	Date
Pulumi Bot	a8b86588d3	[internal] Update GitHub Actions workflow files	2026-02-03 21:31:05 +00:00
pulumi-provider-automation[bot]	f5d459e624	Update GitHub Actions workflows. (#751 ) This PR was automatically generated by the update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt repo, from commit 62def83b594d72ccf4eab97cdf5b566ebb910e83. Co-authored-by: Pulumi Bot <bot@pulumi.com>	2026-02-03 05:54:15 +00:00
pulumi-provider-automation[bot]	d5e5c8a482	Update GitHub Actions workflows. (#750 ) This PR was automatically generated by the update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt repo, from commit f51ba6a8731f22e9b3cf35393bf9c792097e4aa1. Co-authored-by: Pulumi Bot <bot@pulumi.com>	2026-01-30 19:09:44 +00:00
pulumi-renovate[bot]	d0bb326600	Update module github.com/pulumi/providertest to v0.6.0 (#749 ) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [github.com/pulumi/providertest](https://redirect.github.com/pulumi/providertest) \| require \| minor \| `v0.5.1-0.20251217173405-3861778549dd` -> `v0.6.0` \| --- ### Release Notes <details> <summary>pulumi/providertest (github.com/pulumi/providertest)</summary> ### [`v0.6.0`](https://redirect.github.com/pulumi/providertest/releases/tag/v0.6.0) [Compare Source](https://redirect.github.com/pulumi/providertest/compare/v0.5.1...v0.6.0) ##### What's Changed - feat: Add local python SDK replacement option via pip by [@rshade](https://redirect.github.com/rshade) in [https://github.com/pulumi/providertest/pull/150](https://redirect.github.com/pulumi/providertest/pull/150) Full Changelog: https://github.com/pulumi/providertest/compare/v0.5.1...v0.6.0 </details> --- ### Configuration 📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - Monday through Friday ( * * * * 1-5 ) (UTC). 🚦 Automerge: Enabled. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yNjQuMCIsInVwZGF0ZWRJblZlciI6IjM5LjI2NC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiLCJpbXBhY3Qvbm8tY2hhbmdlbG9nLXJlcXVpcmVkIl19--> Co-authored-by: pulumi-renovate[bot] <189166143+pulumi-renovate[bot]@users.noreply.github.com>	2026-01-29 19:33:01 +00:00
pulumi-provider-automation[bot]	534bc6c172	Update GitHub Actions workflows. (#745 ) This PR was automatically generated by the update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt repo, from commit 1131c4d395e39e42386bf9a4dfb975eb219d604b. Co-authored-by: Pulumi Bot <bot@pulumi.com>	2026-01-29 05:54:00 +00:00
pulumi-provider-automation[bot]	570f83ca62	Update GitHub Actions workflows. (#743 ) This PR was automatically generated by the update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt repo, from commit a3bb44291e85389589513a73050a049a024bd800. Co-authored-by: Pulumi Bot <bot@pulumi.com>	2026-01-28 05:43:20 +00:00
pulumi-provider-automation[bot]	b35af1d86d	Update GitHub Actions workflows. (#742 ) This PR was automatically generated by the update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt repo, from commit 5c1afa4cb1107d1ea52e86433fcd7d54b28925ab. Co-authored-by: Pulumi Bot <bot@pulumi.com>	2026-01-26 16:00:41 +00:00
pulumi-provider-automation[bot]	62db1d7f3b	Update GitHub Actions workflows. (#740 ) This PR was automatically generated by the update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt repo, from commit d825a77c6fb8405f61d1283d494a3a2c1cba3587. Co-authored-by: Pulumi Bot <bot@pulumi.com>	2026-01-23 12:49:06 +00:00
pulumi-provider-automation[bot]	9b5a5d4371	Update GitHub Actions workflows. (#737 ) This PR was automatically generated by the update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt repo, from commit 16d6357b115512b7bf916a73a75b78fa24fef858. Co-authored-by: Pulumi Bot <bot@pulumi.com>	2026-01-16 05:39:51 +00:00
pulumi-provider-automation[bot]	8809a8c708	Update GitHub Actions workflows. (#735 ) This PR was automatically generated by the update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt repo, from commit dfe81431707efb057395e33fe5234f01031ecd95. Co-authored-by: Pulumi Bot <bot@pulumi.com>	2026-01-15 05:40:12 +00:00
pulumi-provider-automation[bot]	cc1bda22e5	Update GitHub Actions workflows. (#734 ) This PR was automatically generated by the update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt repo, from commit 329ced61750d1b5d3027894c5e0c79ac08f71378. Co-authored-by: Pulumi Bot <bot@pulumi.com>	2026-01-13 05:38:49 +00:00
pulumi-provider-automation[bot]	f820f6547c	Update GitHub Actions workflows. (#733 ) This PR was automatically generated by the update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt repo, from commit ea67003b42b286f2a9d25c2a5e878fc1aacf5c94. Co-authored-by: Pulumi Bot <bot@pulumi.com>	2026-01-10 05:38:03 +00:00
pulumi-provider-automation[bot]	214793b929	Update GitHub Actions workflows. (#730 ) This PR was automatically generated by the update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt repo, from commit 4cdb4b8cad405d730db594e8adb73ee1b875b4a6. Co-authored-by: Pulumi Bot <bot@pulumi.com>	2025-12-30 05:45:22 +00:00
pulumi-provider-automation[bot]	9e8c685bc8	Update GitHub Actions workflows. (#728 ) This PR was automatically generated by the update-workflows-single-bridged-provider workflow in the pulumi/ci-mgmt repo, from commit 021a1f6c9360e1b569457868b4c0c3ecbfc62ff4. Co-authored-by: Pulumi Bot <bot@pulumi.com>	2025-12-23 19:01:30 +00:00
pulumi-provider-automation[bot]	09f7b32602	Update GitHub Actions workflows. (#727 ) This PR was automatically generated by the update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt repo, from commit 6693889d5ebbe0416302e06ac701da21580fbd2d. Co-authored-by: Pulumi Bot <bot@pulumi.com>	2025-12-23 15:40:07 +00:00
pulumi-provider-automation[bot]	1e00e5dc89	Update GitHub Actions workflows. (#724 ) This PR was automatically generated by the update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt repo, from commit 90795a3949f95304f4bd3a9dea2ace1ca3465403. Co-authored-by: Pulumi Bot <bot@pulumi.com>	2025-12-23 05:44:49 +00:00
pulumi-provider-automation[bot]	93fae0c1a4	Update GitHub Actions workflows. (#723 ) This PR was automatically generated by the update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt repo, from commit 1901fce160a37d0c537d831ce6f96e72bf7c9427. Co-authored-by: Pulumi Bot <bot@pulumi.com>	2025-12-20 05:44:19 +00:00
pulumi-provider-automation[bot]	4c85816954	Update GitHub Actions workflows. (#721 ) This PR was automatically generated by the update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt repo, from commit 217fd547b64df90c7919b206f17362d4baec9aa3. Co-authored-by: Pulumi Bot <bot@pulumi.com>	2025-12-19 20:07:45 +00:00
pulumi-provider-automation[bot]	4e3830ca83	Update GitHub Actions workflows. (#720 ) This PR was automatically generated by the update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt repo, from commit 0b04a21b810fd7b4a412c1f42867a70f65c14758. Co-authored-by: Pulumi Bot <bot@pulumi.com>	2025-12-19 05:44:14 +00:00
pulumi-provider-automation[bot]	3f329778cf	Update GitHub Actions workflows. (#718 ) This PR was automatically generated by the update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt repo, from commit f0ec8c55b928cc870e533b367aaba1f9af2330ad. Co-authored-by: Pulumi Bot <bot@pulumi.com>	2025-12-18 05:44:56 +00:00
pulumi-provider-automation[bot]	c64d5baba6	Update GitHub Actions workflows. (#716 ) This PR was automatically generated by the update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt repo, from commit 02f02bb0bfe879d167ed8f335b4950208454bafb. --------- Co-authored-by: Pulumi Bot <bot@pulumi.com> Co-authored-by: Bryce Lampe <bryce@pulumi.com>	2025-12-17 18:20:54 +00:00
pulumi-renovate[bot]	4c8968185c	Update dependency @pulumi/pulumi to v3.212.0 (#710 ) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [@pulumi/pulumi](https://redirect.github.com/pulumi/pulumi) ([source](https://redirect.github.com/pulumi/pulumi/tree/HEAD/sdk/nodejs)) \| dependencies \| minor \| [`3.211.0` -> `3.212.0`](https://renovatebot.com/diffs/npm/@pulumi%2fpulumi/3.211.0/3.212.0) \| --- ### Release Notes <details> <summary>pulumi/pulumi (@pulumi/pulumi)</summary> ### [`v3.212.0`](https://redirect.github.com/pulumi/pulumi/releases/tag/v3.212.0) [Compare Source](https://redirect.github.com/pulumi/pulumi/compare/v3.211.0...v3.212.0) ##### 3.212.0 (2025-12-12) ##### Bug Fixes - \[yaml] Update pulumi-yaml to v1.26.1 </details> --- ### Configuration 📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - Monday through Friday ( * * * * 1-5 ) (UTC). 🚦 Automerge: Enabled. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yNjQuMCIsInVwZGF0ZWRJblZlciI6IjM5LjI2NC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiLCJpbXBhY3Qvbm8tY2hhbmdlbG9nLXJlcXVpcmVkIl19--> Co-authored-by: pulumi-renovate[bot] <189166143+pulumi-renovate[bot]@users.noreply.github.com>	2025-12-12 22:13:17 +00:00
pulumi-renovate[bot]	7a75efe8c4	Update dependency @pulumi/pulumi to v3.211.0 (#708 ) This PR contains the following updates: \| Package \| Type \| Update \| Change \| \|---\|---\|---\|---\| \| [@pulumi/pulumi](https://redirect.github.com/pulumi/pulumi) ([source](https://redirect.github.com/pulumi/pulumi/tree/HEAD/sdk/nodejs)) \| dependencies \| minor \| [`3.210.0` -> `3.211.0`](https://renovatebot.com/diffs/npm/@pulumi%2fpulumi/3.210.0/3.211.0) \| --- ### Release Notes <details> <summary>pulumi/pulumi (@pulumi/pulumi)</summary> ### [`v3.211.0`](https://redirect.github.com/pulumi/pulumi/releases/tag/v3.211.0) [Compare Source](https://redirect.github.com/pulumi/pulumi/compare/v3.210.0...v3.211.0) #### 3.211.0 (2025-12-11) ##### Features - \[cli/about] Print Node.js package manager information in `pulumi about` [#21163](https://redirect.github.com/pulumi/pulumi/pull/21163) - \[backend/diy] Add stack tags support for DIY backends (S3, Postgres, file-based, etc.). DIY backends now support stack tags functionality, bringing feature parity with cloud backends. This includes: - Full CRUD operations for stack tags (create, read, update, delete) - Automatic system tag injection (e.g., `pulumi:project`) - Tag filtering support in stack listing operations - Backward compatibility with existing stacks (no tags file required) - Atomic operations with caching for performance - Automatic cleanup of tag files when stacks are deleted Tags are stored as separate `.pulumi-tags` files alongside stack checkpoints, using a versioned JSON format. The implementation works across all DIY backend storage types including S3, Azure Blob, Google Cloud Storage, PostgreSQL, and local file systems. Example usage: ```bash pulumi stack tag set environment production pulumi stack tag set owner backend-team pulumi stack ls --tag-filter environment=production ``` [#19882](https://redirect.github.com/pulumi/pulumi/pull/19882) - \[backend/service] Improve startup performance with the service as backend [#21176](https://redirect.github.com/pulumi/pulumi/pull/21176) - \[sdk/nodejs] Add support for `replacement_trigger` in the NodeJS SDK [#20939](https://redirect.github.com/pulumi/pulumi/pull/20939) - \[sdk/python] Allow setting version for python component providers [#21149](https://redirect.github.com/pulumi/pulumi/pull/21149) ##### Bug Fixes - \[cli/package] Correctly identify the innermost Project/Plugin when running `pulumi package add` [#21137](https://redirect.github.com/pulumi/pulumi/pull/21137) - \[engine] Allow referencing multiple git/github/gitlab components from the same repo [#21119](https://redirect.github.com/pulumi/pulumi/pull/21119) - \[programgen/go] Account for name conflicts in resource creation functions [#21107](https://redirect.github.com/pulumi/pulumi/pull/21107) - \[sdk/python] Fix cancellation handling in a few places in the python language host [#21145](https://redirect.github.com/pulumi/pulumi/pull/21145) - \[sdkgen/go] Fix generation of lifted single-value calls in parameterized SDKs [#21115](https://redirect.github.com/pulumi/pulumi/pull/21115) ##### Miscellaneous - \[cli] Don't attempt to re-install plugin dependencies on load failure for plugins based on git with a nested path [#21148](https://redirect.github.com/pulumi/pulumi/pull/21148) - \[sdk/{dotnet,java,yaml}] Bump language runtimes for dotnet, java, and yaml [#21201](https://redirect.github.com/pulumi/pulumi/pull/21201) - \[cli/engine] Add language runtime metadata to update metadata [#21186](https://redirect.github.com/pulumi/pulumi/pull/21186) </details> --- ### Configuration 📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - Monday through Friday ( * * * * 1-5 ) (UTC). 🚦 Automerge: Enabled. ♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS4yNjQuMCIsInVwZGF0ZWRJblZlciI6IjM5LjI2NC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiLCJpbXBhY3Qvbm8tY2hhbmdlbG9nLXJlcXVpcmVkIl19--> Co-authored-by: pulumi-renovate[bot] <189166143+pulumi-renovate[bot]@users.noreply.github.com>	2025-12-12 05:11:26 +00:00