[internal] Update GitHub Actions workflow files

.github/workflows/lint.yml

@@ -1,4 +1,4 @@
-# WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
+# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
 
 name: lint
 
@@ -7,15 +7,6 @@ on:
     inputs: {}
 
 env:
-  PROVIDER: docker-build
-  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
-  TRAVIS_OS_NAME: linux
-  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
-  GOVERSION: "1.21.x"
-  NODEVERSION: "20.x"
-  PYTHONVERSION: "3.11.8"
-  DOTNETVERSION: "8.0.x"
-  JAVAVERSION: "11"
   ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
   ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
   ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
@@ -29,29 +20,50 @@ env:
   GOOGLE_REGION: us-central1
   GOOGLE_ZONE: us-central1-a
   PULUMI_API: https://api.pulumi-staging.io
+  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
 
 jobs:
   lint:
+    name: lint
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
       uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       with:
-        lfs: true
+        persist-credentials: false    
-        persist-credentials: false
+    - env:
-        ref: ${{ env.PR_COMMIT_SHA }}
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-    - name: Setup Tools
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-      uses: ./.github/actions/setup-tools
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+    - uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2.2.1
+      id: app-auth
       with:
+        app-id: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_APP_ID }}
+        private-key: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_PRIVATE_KEY }}
+        owner: ${{ github.repository_owner }}
+    - name: Setup mise
+      uses: blampe/mise-action@blampe/plugins
+      env:
+        MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
+      with:
+        version: 2026.1.1
         github_token: ${{ steps.app-auth.outputs.token }}
-    - name: Disarm go:embed directives to enable linters that compile source code
+        plugin_install: https://github.com/pulumi/vfox-pulumi
-      run: git grep -l 'go:embed' -- provider | xargs --no-run-if-empty sed -i
+        cache_save: false # A different job handles caching our tools.
-        's/go:embed/ goembed/g'
+    - name: prepare workspace
-    - name: golangci-lint provider pkg
+      continue-on-error: true
-      uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6.5.2
+      run: make prepare_local_workspace
-      with:
+      env:
-        install-mode: none # Handled by mise.
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        working-directory: .
+
-    name: lint
+    - name: lint
-    if: github.event_name == 'repository_dispatch' ||
+      run: make lint
-      github.event.pull_request.head.repo.full_name == github.repository

.golangci.yml

@@ -1,104 +1,37 @@
-run:
+# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
-  timeout: 10m
 
 linters:
-  enable-all: false
   enable:
-    - depguard
+  - errcheck
-    - errcheck
+  - gci
-    - exhaustive
+  - goconst
-    - copyloopvar
+  - gofmt
-    - gci
+  - gosec
-    - gocritic
+  - govet
-    - gofumpt
+  - ineffassign
-    - goheader
+  - lll
-    - gosec
+  - gosimple
-    - govet
+  - staticcheck
-    - importas
+  - misspell
-    - ineffassign
+  - nakedret
-    - lll
+  - revive
-    - misspell
+  - unconvert
-    - nakedret
+  - unused
-    - nolintlint
+  enable-all: false
-    - paralleltest
+issues:
-    - perfsprint
+  exclude-dirs:
-    - prealloc
+  - pkg/vendored
-    - revive
+  exclude-files:
-    - unconvert
+  - schema.go
-    - unused
+  - pulumiManifest.go
-
+run:
+  timeout: 20m
 linters-settings:
-  depguard:
-    rules:
-      protobuf:
-        deny:
-          - pkg: "github.com/golang/protobuf"
-            desc: Use google.golang.org/protobuf instead
   gci:
     sections:
       - standard # Standard section: captures all standard library packages.
       - blank # Blank section: contains all blank imports.
       - default # Default section: contains all imports that could not be matched to another section type.
       - prefix(github.com/pulumi/) # Custom section: groups all imports with the github.com/pulumi/ prefix.
-      - prefix(github.com/pulumi/pulumi-dockerbuild/) # Custom section: local imports
+      - prefix(github.com/pulumi/pulumi-docker-build) # Custom section: local imports
     custom-order: true
-  gocritic:
-    enable-all: true
-    disabled-checks:
-      - hugeParam
-      - importShadow
-  goheader:
-    template: |-
-      Copyright 2024, Pulumi Corporation.
-
-      Licensed under the Apache License, Version 2.0 (the "License");
-      you may not use this file except in compliance with the License.
-      You may obtain a copy of the License at
-
-          http://www.apache.org/licenses/LICENSE-2.0
-
-      Unless required by applicable law or agreed to in writing, software
-      distributed under the License is distributed on an "AS IS" BASIS,
-      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-      See the License for the specific language governing permissions and
-      limitations under the License.
-  govet:
-    enable:
-      - nilness
-      # Reject comparisons of reflect.Value with DeepEqual or '=='.
-      - reflectvaluecompare
-      # Reject sort.Slice calls with a non-slice argument.
-      - sortslice
-      # Detect write to struct/arrays by-value that aren't read again.
-      - unusedwrite
-  nakedret:
-    # Make an issue if func has more lines of code than this setting, and it has naked returns.
-    # Default: 30
-    max-func-lines: 60
-  nolintlint:
-    # Some linter exclusions are added to generated or templated files
-    # pre-emptively.
-    # Don't complain about these.
-    allow-unused: true
-
-issues:
-  exclude-use-default: false
-  exclude-rules:
-    # Don't warn on unused parameters.
-    # Parameter names are useful; replacing them with '_' is undesirable.
-    - linters: [revive]
-      text: 'unused-parameter: parameter \S+ seems to be unused, consider removing or renaming it as _'
-
-    # staticcheck already has smarter checks for empty blocks.
-    # revive's empty-block linter has false positives.
-    # For example, as of writing this, the following is not allowed.
-    #   for foo() { }
-    - linters: [revive]
-      text: "empty-block: this block is empty, you can remove it"
-
-    # We *frequently* use the term 'new' in the context of properties
-    # (new and old properties),
-    # and we rarely use the 'new' built-in function.
-    # It's fine to ignore these cases.
-    - linters: [revive]
-      text: "redefines-builtin-id: redefinition of the built-in function new"