[internal] Update GitHub Actions workflow files

chore: update modulePath in ci-mgmt (#607 )
This is needed for https://github.com/pulumi/ci-mgmt/pull/1730
2025-09-29 18:05:11 +00:00 · 2025-09-29 12:01:37 -04:00 · 2025-09-16 05:49:46 +00:00 · 2025-09-12 23:58:08 +00:00 · 2025-09-11 19:03:02 +00:00 · 2025-09-10 14:19:45 -07:00
31 changed files with 992 additions and 459 deletions
--- a/.ci-mgmt.yaml
+++ b/.ci-mgmt.yaml
@@ -4,23 +4,26 @@ major-version: 0
 providerDefaultBranch: main
 providerVersion: github.com/pulumi/pulumi-docker-build/provider.Version
 aws: true
 modulePath: .
 gcp: true
 sdkModuleDir: sdk/go/dockerbuild
 parallel: 3
 esc:
    enabled: true
 envOverride:
-  AWS_REGION: us-west-2
+    AWS_REGION: us-west-2
-  PULUMI_API: "https://api.pulumi-staging.io"
+    PULUMI_API: "https://api.pulumi-staging.io"
-  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
+    ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
-  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
+    ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
-  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
+    ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
-  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+    ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
-  AZURE_LOCATION: westus
+    AZURE_LOCATION: westus
-  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
+    DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
-  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
+    GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
-  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
+    GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
-  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
+    GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
-  GOOGLE_PROJECT: pulumi-ci-gcp-provider
+    GOOGLE_PROJECT: pulumi-ci-gcp-provider
-  GOOGLE_PROJECT_NUMBER: 895284651812
+    GOOGLE_PROJECT_NUMBER: 895284651812
-  GOOGLE_REGION: us-central1
+    GOOGLE_REGION: us-central1
-  GOOGLE_ZONE: us-central1-a
+    GOOGLE_ZONE: us-central1-a
-  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
+    DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
--- a/.config/mise.lock
+++ b/.config/mise.lock
@@ -0,0 +1,60 @@
 [[tools.dotnet]]
 version = "8.0.414"
 backend = "asdf:dotnet"
 [[tools."github:pulumi/pulumictl"]]
 version = "0.0.50"
 backend = "github:pulumi/pulumictl"
 [tools."github:pulumi/pulumictl".platforms.linux-x64]
 checksum = "blake3:c128dd74993f779c613296fe7cd21c20cbd323f24e59cb76e007620660b60348"
 size = 27744219
 url = "https://github.com/pulumi/pulumictl/releases/download/v0.0.50/pulumictl-v0.0.50-linux-amd64.tar.gz"
 [[tools."github:pulumi/schema-tools"]]
 version = "0.6.0"
 backend = "github:pulumi/schema-tools"
 [tools."github:pulumi/schema-tools".platforms.linux-x64]
 checksum = "blake3:82dfe616fee18b4258f6e3d2dc3c4e9f14afd43a0a4cc33eff2d2a04088d6ca3"
 size = 14282746
 url = "https://github.com/pulumi/schema-tools/releases/download/v0.6.0/schema-tools-v0.6.0-linux-amd64.tar.gz"
 [[tools.go]]
 version = "1.24.1"
 backend = "core:go"
 [[tools.gradle]]
 version = "7.6.6"
 backend = "aqua:gradle/gradle"
 [tools.gradle.platforms.linux-x64]
 checksum = "blake3:5cad8fc455b720b68a0bd2907d435e2919581708243f84f27845fe8812a09323"
 size = 128439774
 url = "https://github.com/gradle/gradle-distributions/releases/download/v7.6.6/gradle-7.6.6-bin.zip"
 [[tools.java]]
 version = "corretto-11.0.28.6.1"
 backend = "core:java"
 [tools.java.platforms.linux-x64]
 checksum = "sha256:70734c46e0bbeb7f45b721756ba0b2f1f1e1ef85a11e10d5a488f06b257dadd9"
 size = 195648709
 url = "https://corretto.aws/downloads/resources/11.0.28.6.1/amazon-corretto-11.0.28.6.1-linux-x64.tar.gz"
 [[tools.node]]
 version = "20.19.5"
 backend = "core:node"
 [tools.node.platforms.linux-x64]
 checksum = "sha256:4eba5fbe1fb10753bc06e42f001a91c5cec16798b7764a3e9257adc59af47fe1"
 size = 47041607
 url = "https://nodejs.org/dist/v20.19.5/node-v20.19.5-linux-x64.tar.gz"
 [[tools.pulumi]]
 version = "3.192.0"
 backend = "aqua:pulumi/pulumi"
 [[tools.python]]
 version = "3.11.8"
 backend = "core:python"
--- a/.config/mise.test.toml
+++ b/.config/mise.test.toml
@@ -0,0 +1,7 @@
 # WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
 # Overrides tool versions for test workflows
 [tools]
 # always use pulumi latest for tests
 pulumi = "latest"
--- a/.config/mise.toml
+++ b/.config/mise.toml
@@ -0,0 +1,26 @@
 # WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
 # You can create your own root-level mise.toml file to override/augment this. See https://mise.jdx.dev/configuration.html
 [env]
 _.source = "{{config_root}}/scripts/get-versions.sh"
 [tools]
 # Runtimes
 # TODO: we may not need `get_env` once https://github.com/jdx/mise/discussions/6339 is fixed
 go = "{{ get_env(name='MISE_GO_VERSION', default='latest') }}"
 node = '20'
 python = '3.11.8'
 dotnet = '8.0'
 # Corretto version used as Java SE/OpenJDK version no longer offered
 java = 'corretto-11'
 # Executable tools
 pulumi = "{{ get_env(name='MISE_PULUMI_VERSION', default='latest') }}"
 "github:pulumi/pulumictl" = 'latest'
 "github:pulumi/schema-tools" = "latest"
 gradle = '7.6'
 [settings]
 experimental = true # Required for Go binaries (e.g. pulumictl).
 lockfile = true
--- a/.github/actions/esc-action/action.yaml
+++ b/.github/actions/esc-action/action.yaml
@@ -0,0 +1,12 @@
 name: "Load secrets"
 description: |
  This is a temporary action which assists with our migration to ESC. Instead
  of surrounding every step that references secrets with an "if ESC" block, we
  instead modify those steps to consume their secrets from this step's outputs.
  Then, later, we can replace this action with esc-action to actually load
  secrets from ESC.
 inputs: {}
 outputs: {}
 runs:
  using: "node20"
  main: "index.js"
--- a/.github/actions/esc-action/index.js
+++ b/.github/actions/esc-action/index.js
@@ -0,0 +1,14 @@
 const fs = require("fs");
 const file = process.env["GITHUB_OUTPUT"];
 var stream = fs.createWriteStream(file, { flags: "a" });
 for (const [name, value] of Object.entries(process.env)) {
  try {
    stream.write(`${name}<<EEEOOOFFF\n${value}\nEEEOOOFFF\n`); // << syntax accommodates multiline strings.
  } catch (err) {
    console.log(`error: failed to set output for ${name}: ${err.message}`);
  }
 }
 stream.end();
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -15,14 +15,6 @@ on:
    - "**"
  workflow_dispatch: {}
 env:
  AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
  AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
  AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
  AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
  SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' &&
    secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID
    == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
  PROVIDER: docker-build
  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
  TRAVIS_OS_NAME: linux
@@ -33,13 +25,10 @@ env:
  DOTNETVERSION: "8.0.x"
  JAVAVERSION: "11"
  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
  AWS_REGION: us-west-2
  AZURE_LOCATION: westus
  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -48,20 +37,35 @@ env:
  GOOGLE_REGION: us-central1
  GOOGLE_ZONE: us-central1-a
  PULUMI_API: https://api.pulumi-staging.io
 jobs:
  prerequisites:
    runs-on: ubuntu-latest
    name: prerequisites
    permissions:
      id-token: write # For ESC secrets.
      pull-requests: write # For schema check comment.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
-        lfs: true
+        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Install Go
      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
      with:
@@ -72,7 +76,7 @@ jobs:
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
    - if: github.event_name == 'pull_request'
      name: Install Schema Tools
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
@@ -93,7 +97,7 @@ jobs:
          echo 'EOF';
        } >> "$GITHUB_ENV"
      env:
-        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
    - if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
      name: Comment on PR with Details of Schema Check
      uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
@@ -168,7 +172,7 @@ jobs:
        # workflow. https://github.com/orgs/community/discussions/25702
-        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
      env:
        HEAD_REF: ${{ github.head_ref }}
    - run: git status --porcelain
@@ -183,10 +187,15 @@ jobs:
        path: ${{ github.workspace }}/bin/provider.tar.gz
    - name: Test Provider Library
      run: make test_provider
    - name: Upload coverage reports to Codecov
      uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
      env:
-        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        ARM_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.ARM_CLIENT_SECRET }}
        DIGITALOCEAN_TOKEN: ${{ steps.esc-secrets.outputs.DIGITALOCEAN_TOKEN }}
        DOCKER_HUB_PASSWORD: ${{ steps.esc-secrets.outputs.DOCKER_HUB_PASSWORD }}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Upload coverage reports to Codecov
      uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
      env:
        CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
@@ -195,7 +204,7 @@ jobs:
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  build_sdks:
    needs: prerequisites
    runs-on: pulumi-ubuntu-8core
@@ -209,16 +218,30 @@ jobs:
        - go
        - java
    name: build_sdks
    permissions:
      pull-requests: write # For Renovate SDK updates.
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
-        lfs: true
+        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Install Go
      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
      with:
@@ -229,32 +252,32 @@ jobs:
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
    - name: Setup Node
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
      with:
        node-version: ${{ env.NODEVERSION }}
        registry-url: https://registry.npmjs.org
    - name: Setup DotNet
-      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
      with:
        dotnet-version: ${{ env.DOTNETVERSION }}
    - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
      with:
        python-version: ${{ env.PYTHONVERSION }}
    - name: Setup Java
-      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+      uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
      with:
        java-version: ${{ env.JAVAVERSION }}
        distribution: temurin
        cache: gradle
    - name: Setup Gradle
-      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
+      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
      with:
        gradle-version: "7.6"
    - name: Download provider
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin
@@ -324,7 +347,7 @@ jobs:
        # workflow. https://github.com/orgs/community/discussions/25702
-        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
      env:
        HEAD_REF: ${{ github.head_ref }}
    - run: git status --porcelain
@@ -344,13 +367,29 @@ jobs:
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  tag_release_if_labeled_needs_release:
    name: Tag release if labeled as needs-release
    needs: publish
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - name: check if this commit needs release
      if: ${{ env.RELEASE_BOT_ENDPOINT != '' }}
      uses: pulumi/action-release-by-pr-label@main
@@ -358,10 +397,10 @@ jobs:
        command: "release-if-needed"
        repo: ${{ github.repository }}
        commit: ${{ github.sha }}
-        slack_channel: ${{ secrets.RELEASE_OPS_SLACK_CHANNEL }}
+        slack_channel: C02MGR8JVST
      env:
-        RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }}
+        RELEASE_BOT_ENDPOINT: ${{ steps.esc-secrets.outputs.RELEASE_BOT_ENDPOINT }}
-        RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }}
+        RELEASE_BOT_KEY: ${{ steps.esc-secrets.outputs.RELEASE_BOT_KEY }}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  test:
@@ -381,17 +420,28 @@ jobs:
    name: test
    permissions:
      contents: read
-      id-token: write
+      id-token: write # For ESC secrets and Pulumi access token OIDC.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
-        lfs: true
+        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Install Go
      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
      with:
@@ -402,32 +452,32 @@ jobs:
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
    - name: Setup Node
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
      with:
        node-version: ${{ env.NODEVERSION }}
        registry-url: https://registry.npmjs.org
    - name: Setup DotNet
-      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
      with:
        dotnet-version: ${{ env.DOTNETVERSION }}
    - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
      with:
        python-version: ${{ env.PYTHONVERSION }}
    - name: Setup Java
-      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+      uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
      with:
        java-version: ${{ env.JAVAVERSION }}
        distribution: temurin
        cache: gradle
    - name: Setup Gradle
-      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
+      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
      with:
        gradle-version: "7.6"
    - name: Download provider
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin
@@ -439,7 +489,7 @@ jobs:
        -exec chmod +x {} \;
    - name: Download SDK
      if: ${{ matrix.language != 'yaml' }}
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
      with:
        name: ${{ matrix.language }}-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -473,7 +523,7 @@ jobs:
      with:
        environment: logins/pulumi-ci
    - name: Authenticate to Google Cloud
-      uses: google-github-actions/auth@b7593ed2efd1c1617e1b0254da33b86225adb2a5 # v2.1.12
+      uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
      with:
        workload_identity_provider: projects/${{ env.GOOGLE_PROJECT_NUMBER
          }}/locations/global/workloadIdentityPools/${{
@@ -481,7 +531,7 @@ jobs:
          env.GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER }}
        service_account: ${{ env.GOOGLE_CI_SERVICE_ACCOUNT_EMAIL }}
    - name: Setup gcloud auth
-      uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
+      uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
      with:
        install_components: gke-gcloud-auth-plugin
    - name: Install gotestfmt
@@ -494,6 +544,8 @@ jobs:
        set -euo pipefail
        cd examples && go test -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 .
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
@@ -502,21 +554,35 @@ jobs:
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  publish:
    runs-on: ubuntu-latest
    needs: test
    name: publish
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
-        lfs: true
+        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Install Go
      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
      with:
@@ -536,21 +602,27 @@ jobs:
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
    - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
+      uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
      with:
-        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }}
        aws-region: us-east-2
-        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-secret-access-key: ${{ steps.esc-secrets.outputs.AWS_SECRET_ACCESS_KEY }}
        role-duration-seconds: 7200
        role-session-name: ${{ env.PROVIDER }}@githubActions
        role-external-id: upload-pulumi-release
-        role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
+        role-to-assume: ${{ steps.esc-secrets.outputs.AWS_UPLOAD_ROLE_ARN }}
    - name: Run GoReleaser
      uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
      env:
        GORELEASER_CURRENT_TAG: v${{ steps.version.outputs.version }}
        AZURE_SIGNING_CLIENT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID }}
        AZURE_SIGNING_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET }}
        AZURE_SIGNING_TENANT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID }}
        AZURE_SIGNING_KEY_VAULT_URI: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI }}
        SKIP_SIGNING: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET == '' && steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI == '' }}
        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
      with:
        args: -p 3 -f .goreleaser.prerelease.yml --clean --skip=validate --timeout 60m0s
        version: latest
@@ -562,23 +634,37 @@ jobs:
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  publish_sdk:
    runs-on: ubuntu-latest
    needs: publish
    name: publish_sdk
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
-        lfs: true
+        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Checkout Scripts Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        path: ci-scripts
        repository: pulumi/scripts
@@ -593,22 +679,22 @@ jobs:
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
    - name: Setup Node
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
      with:
        node-version: ${{ env.NODEVERSION }}
        registry-url: https://registry.npmjs.org
    - name: Setup DotNet
-      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
      with:
        dotnet-version: ${{ env.DOTNETVERSION }}
    - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
      with:
        python-version: ${{ env.PYTHONVERSION }}
    - name: Download python SDK
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
      with:
        name: python-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -616,7 +702,7 @@ jobs:
      run: tar -zxf ${{github.workspace}}/sdk/python.tar.gz -C
        ${{github.workspace}}/sdk/python
    - name: Download dotnet SDK
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
      with:
        name: dotnet-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -624,7 +710,7 @@ jobs:
      run: tar -zxf ${{github.workspace}}/sdk/dotnet.tar.gz -C
        ${{github.workspace}}/sdk/dotnet
    - name: Download nodejs SDK
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
      with:
        name: nodejs-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -636,16 +722,16 @@ jobs:
    - name: Publish SDKs
      run: ./ci-scripts/ci/publish-tfgen-package ${{ github.workspace }}
      env:
-        NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
+        NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }}
-        NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }}
        PYPI_PUBLISH_ARTIFACTS: all
        PYPI_USERNAME: __token__
-        PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+        PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }}
-        SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
+        SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }}
-        SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
+        SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }}
-        SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
+        SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }}
-        PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+        PUBLISH_REPO_USERNAME: ${{ steps.esc-secrets.outputs.OSSRH_USERNAME }}
-        PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+        PUBLISH_REPO_PASSWORD: ${{ steps.esc-secrets.outputs.OSSRH_PASSWORD }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
@@ -654,12 +740,12 @@ jobs:
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  lint:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        lfs: true
        persist-credentials: false
--- a/.github/workflows/command-dispatch.yml
+++ b/.github/workflows/command-dispatch.yml
@@ -2,13 +2,10 @@
 env:
  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
  AWS_REGION: us-west-2
  AZURE_LOCATION: westus
  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -17,15 +14,28 @@ env:
  GOOGLE_REGION: us-central1
  GOOGLE_ZONE: us-central1-a
  PULUMI_API: https://api.pulumi-staging.io
 jobs:
  command-dispatch-for-testing:
    name: command-dispatch-for-testing
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
-        persist-credentials: false
+        persist-credentials: false    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - uses: peter-evans/slash-command-dispatch@13bc09769d122a64f75aa5037256f6f2d78be8c4 # v4
      with:
        commands: |
@@ -35,7 +45,7 @@ jobs:
        permission: write
        reaction-token: ${{ secrets.GITHUB_TOKEN }}
        repository: pulumi/pulumi-docker-build
-        token: ${{ secrets.PULUMI_BOT_TOKEN }}
+        token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
 name: command-dispatch
 on:
  issue_comment:
--- a/.github/workflows/community-moderation.yml
+++ b/.github/workflows/community-moderation.yml
@@ -1,14 +1,12 @@
 # WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 jobs:
  warn_codegen:
    name: warn_codegen
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        persist-credentials: false
    - id: schema_changed
--- a/.github/workflows/export-repo-secrets.yml
+++ b/.github/workflows/export-repo-secrets.yml
@@ -0,0 +1,25 @@
 permissions: write-all # Equivalent to default permissions plus id-token: write
 name: Export secrets to ESC
 on: [workflow_dispatch]
 jobs:
  export-to-esc:
    runs-on: ubuntu-latest
    name: export GitHub secrets to ESC
    steps:
      - name: Generate a GitHub token
        id: generate-token
        uses: actions/create-github-app-token@v1
        with:
          app-id: 1256780 # Export Secrets GitHub App
          private-key: ${{ secrets.EXPORT_SECRETS_PRIVATE_KEY }}
      - name: Export secrets to ESC
        uses: pulumi/esc-export-secrets-action@9d6485759b6adff2538ae91f1b77cc96265c9dad # v1
        with:
          organization: pulumi
          org-environment: imports/github-secrets
          exclude-secrets: EXPORT_SECRETS_PRIVATE_KEY
          github-token: ${{ steps.generate-token.outputs.token }}
          oidc-auth: true
          oidc-requested-token-type: urn:pulumi:token-type:access_token:organization
        env:
          GITHUB_SECRETS: ${{ toJSON(secrets) }}
--- a/.github/workflows/prerelease.yml
+++ b/.github/workflows/prerelease.yml
@@ -6,14 +6,6 @@ on:
    tags:
    - v*.*.*-**
 env:
  AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
  AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
  AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
  AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
  SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' &&
    secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID
    == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
  PROVIDER: docker-build
  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
  TRAVIS_OS_NAME: linux
@@ -24,13 +16,10 @@ env:
  DOTNETVERSION: "8.0.x"
  JAVAVERSION: "11"
  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
  AWS_REGION: us-west-2
  AZURE_LOCATION: westus
  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -40,20 +29,32 @@ env:
  GOOGLE_ZONE: us-central1-a
  PULUMI_API: https://api.pulumi-staging.io
  IS_PRERELEASE: true
 jobs:
  prerequisites:
    runs-on: ubuntu-latest
    name: prerequisites
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
-        lfs: true
+        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Install Go
      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
      with:
@@ -64,7 +65,7 @@ jobs:
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
    - if: github.event_name == 'pull_request'
      name: Install Schema Tools
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
@@ -85,7 +86,7 @@ jobs:
          echo 'EOF';
        } >> "$GITHUB_ENV"
      env:
-        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
    - if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
      name: Comment on PR with Details of Schema Check
      uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
@@ -160,7 +161,7 @@ jobs:
        # workflow. https://github.com/orgs/community/discussions/25702
-        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
      env:
        HEAD_REF: ${{ github.head_ref }}
    - run: git status --porcelain
@@ -175,10 +176,15 @@ jobs:
        path: ${{ github.workspace }}/bin/provider.tar.gz
    - name: Test Provider Library
      run: make test_provider
    - name: Upload coverage reports to Codecov
      uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
      env:
-        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        ARM_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.ARM_CLIENT_SECRET }}
        DIGITALOCEAN_TOKEN: ${{ steps.esc-secrets.outputs.DIGITALOCEAN_TOKEN }}
        DOCKER_HUB_PASSWORD: ${{ steps.esc-secrets.outputs.DOCKER_HUB_PASSWORD }}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Upload coverage reports to Codecov
      uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
      env:
        CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
@@ -187,7 +193,7 @@ jobs:
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  build_sdks:
    needs: prerequisites
    runs-on: pulumi-ubuntu-8core
@@ -201,16 +207,30 @@ jobs:
        - go
        - java
    name: build_sdks
    permissions:
      pull-requests: write # For Renovate SDK updates.
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
-        lfs: true
+        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Install Go
      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
      with:
@@ -221,32 +241,32 @@ jobs:
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
    - name: Setup Node
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
      with:
        node-version: ${{ env.NODEVERSION }}
        registry-url: https://registry.npmjs.org
    - name: Setup DotNet
-      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
      with:
        dotnet-version: ${{ env.DOTNETVERSION }}
    - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
      with:
        python-version: ${{ env.PYTHONVERSION }}
    - name: Setup Java
-      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+      uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
      with:
        java-version: ${{ env.JAVAVERSION }}
        distribution: temurin
        cache: gradle
    - name: Setup Gradle
-      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
+      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
      with:
        gradle-version: "7.6"
    - name: Download provider
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin
@@ -316,7 +336,7 @@ jobs:
        # workflow. https://github.com/orgs/community/discussions/25702
-        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
      env:
        HEAD_REF: ${{ github.head_ref }}
    - run: git status --porcelain
@@ -335,7 +355,7 @@ jobs:
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  test:
    runs-on: pulumi-ubuntu-8core
    needs:
@@ -353,17 +373,28 @@ jobs:
    name: test
    permissions:
      contents: read
-      id-token: write
+      id-token: write # For ESC secrets and Pulumi access token OIDC.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
-        lfs: true
+        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Install Go
      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
      with:
@@ -374,32 +405,32 @@ jobs:
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
    - name: Setup Node
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
      with:
        node-version: ${{ env.NODEVERSION }}
        registry-url: https://registry.npmjs.org
    - name: Setup DotNet
-      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
      with:
        dotnet-version: ${{ env.DOTNETVERSION }}
    - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
      with:
        python-version: ${{ env.PYTHONVERSION }}
    - name: Setup Java
-      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+      uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
      with:
        java-version: ${{ env.JAVAVERSION }}
        distribution: temurin
        cache: gradle
    - name: Setup Gradle
-      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
+      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
      with:
        gradle-version: "7.6"
    - name: Download provider
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin
@@ -411,7 +442,7 @@ jobs:
        -exec chmod +x {} \;
    - name: Download SDK
      if: ${{ matrix.language != 'yaml' }}
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
      with:
        name: ${{ matrix.language }}-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -445,7 +476,7 @@ jobs:
      with:
        environment: logins/pulumi-ci
    - name: Authenticate to Google Cloud
-      uses: google-github-actions/auth@b7593ed2efd1c1617e1b0254da33b86225adb2a5 # v2.1.12
+      uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
      with:
        workload_identity_provider: projects/${{ env.GOOGLE_PROJECT_NUMBER
          }}/locations/global/workloadIdentityPools/${{
@@ -453,7 +484,7 @@ jobs:
          env.GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER }}
        service_account: ${{ env.GOOGLE_CI_SERVICE_ACCOUNT_EMAIL }}
    - name: Setup gcloud auth
-      uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
+      uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
      with:
        install_components: gke-gcloud-auth-plugin
    - name: Install gotestfmt
@@ -466,6 +497,8 @@ jobs:
        set -euo pipefail
        cd examples && go test -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 .
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
@@ -474,21 +507,35 @@ jobs:
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  publish:
    runs-on: ubuntu-latest
    needs: test
    name: publish
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
-        lfs: true
+        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Install Go
      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
      with:
@@ -508,21 +555,27 @@ jobs:
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
    - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
+      uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
      with:
-        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }}
        aws-region: us-east-2
-        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-secret-access-key: ${{ steps.esc-secrets.outputs.AWS_SECRET_ACCESS_KEY }}
        role-duration-seconds: 7200
        role-session-name: ${{ env.PROVIDER }}@githubActions
        role-external-id: upload-pulumi-release
-        role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
+        role-to-assume: ${{ steps.esc-secrets.outputs.AWS_UPLOAD_ROLE_ARN }}
    - name: Run GoReleaser
      uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
      env:
        GORELEASER_CURRENT_TAG: v${{ steps.version.outputs.version }}
        AZURE_SIGNING_CLIENT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID }}
        AZURE_SIGNING_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET }}
        AZURE_SIGNING_TENANT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID }}
        AZURE_SIGNING_KEY_VAULT_URI: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI }}
        SKIP_SIGNING: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET == '' && steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI == '' }}
        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
      with:
        args: -p 3 -f .goreleaser.prerelease.yml --clean --skip=validate --timeout 60m0s
        version: latest
@@ -534,23 +587,37 @@ jobs:
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  publish_sdk:
    runs-on: ubuntu-latest
    needs: publish
    name: publish_sdk
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
-        lfs: true
+        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Checkout Scripts Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        path: ci-scripts
        repository: pulumi/scripts
@@ -565,22 +632,22 @@ jobs:
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
    - name: Setup Node
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
      with:
        node-version: ${{ env.NODEVERSION }}
        registry-url: https://registry.npmjs.org
    - name: Setup DotNet
-      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
      with:
        dotnet-version: ${{ env.DOTNETVERSION }}
    - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
      with:
        python-version: ${{ env.PYTHONVERSION }}
    - name: Download python SDK
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
      with:
        name: python-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -588,7 +655,7 @@ jobs:
      run: tar -zxf ${{github.workspace}}/sdk/python.tar.gz -C
        ${{github.workspace}}/sdk/python
    - name: Download dotnet SDK
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
      with:
        name: dotnet-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -596,7 +663,7 @@ jobs:
      run: tar -zxf ${{github.workspace}}/sdk/dotnet.tar.gz -C
        ${{github.workspace}}/sdk/dotnet
    - name: Download nodejs SDK
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
      with:
        name: nodejs-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -608,11 +675,11 @@ jobs:
    - name: Publish SDKs
      run: ./ci-scripts/ci/publish-tfgen-package ${{ github.workspace }}
      env:
-        NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
+        NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }}
-        NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }}
        PYPI_PUBLISH_ARTIFACTS: all
        PYPI_USERNAME: __token__
-        PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+        PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
@@ -621,22 +688,36 @@ jobs:
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  publish_java_sdk:
    runs-on: ubuntu-latest
    continue-on-error: true
    needs: publish
    name: publish_java_sdk
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
-        lfs: true
+        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Install Go
      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
      with:
@@ -647,45 +728,45 @@ jobs:
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
    - name: Setup Java
-      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+      uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
      with:
        java-version: ${{ env.JAVAVERSION }}
        distribution: temurin
        cache: gradle
    - name: Setup Gradle
-      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
+      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
      with:
        gradle-version: "7.6"
    - name: Download java SDK
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
      with:
        name: java-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
    - name: Uncompress java SDK
      run: tar -zxf ${{github.workspace}}/sdk/java.tar.gz -C
        ${{github.workspace}}/sdk/java
    - name: Setup Gradle
      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
      with:
        gradle-version: "7.6"
    - name: Publish Java SDK
-      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
+      run: gradle -p ./sdk/java publishToSonatype closeAndReleaseSonatypeStagingRepository
      env:
        PACKAGE_VERSION: ${{ env.PROVIDER_VERSION }}
-        SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
+        SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }}
-        SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
+        SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }}
-        SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
+        SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }}
-        PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+        PUBLISH_REPO_PASSWORD: ${{ steps.esc-secrets.outputs.OSSRH_PASSWORD }}
-        PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+        PUBLISH_REPO_USERNAME: ${{ steps.esc-secrets.outputs.OSSRH_USERNAME }}
      with:
        arguments: publishToSonatype closeAndReleaseSonatypeStagingRepository
        build-root-directory: ./sdk/java
        gradle-version: 7.4.1
  publish_go_sdk:
    runs-on: ubuntu-latest
    name: publish-go-sdk
    needs: publish_sdk
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        lfs: true
    - id: version
@@ -693,8 +774,10 @@ jobs:
      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Download go SDK
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
      with:
        name: go-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -3,41 +3,14 @@
 name: pull-request
 on:
  pull_request_target: {}
-env:
+
  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
  PROVIDER: docker-build
  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
  TRAVIS_OS_NAME: linux
  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
  GOVERSION: "1.21.x"
  NODEVERSION: "20.x"
  PYTHONVERSION: "3.11.8"
  DOTNETVERSION: "8.0.x"
  JAVAVERSION: "11"
  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
  AWS_REGION: us-west-2
  AZURE_LOCATION: westus
  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
  GOOGLE_PROJECT: pulumi-ci-gcp-provider
  GOOGLE_PROJECT_NUMBER: "895284651812"
  GOOGLE_REGION: us-central1
  GOOGLE_ZONE: us-central1-a
  PULUMI_API: https://api.pulumi-staging.io
 jobs:
  comment-on-pr:
    runs-on: ubuntu-latest
    name: comment-on-pr
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        lfs: true
    - name: Comment PR
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,14 +7,6 @@ on:
    - v*.*.*
    - "!v*.*.*-**"
 env:
  AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
  AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
  AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
  AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
  SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' &&
    secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID
    == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
  PROVIDER: docker-build
  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
  TRAVIS_OS_NAME: linux
@@ -25,13 +17,10 @@ env:
  DOTNETVERSION: "8.0.x"
  JAVAVERSION: "11"
  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
  AWS_REGION: us-west-2
  AZURE_LOCATION: westus
  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -40,20 +29,35 @@ env:
  GOOGLE_REGION: us-central1
  GOOGLE_ZONE: us-central1-a
  PULUMI_API: https://api.pulumi-staging.io
 jobs:
  prerequisites:
    runs-on: ubuntu-latest
    name: prerequisites
    permissions:
      id-token: write # For ESC secrets.
      pull-requests: write # For schema check comment.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
-        lfs: true
+        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Install Go
      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
      with:
@@ -64,7 +68,7 @@ jobs:
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
    - if: github.event_name == 'pull_request'
      name: Install Schema Tools
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
@@ -85,7 +89,7 @@ jobs:
          echo 'EOF';
        } >> "$GITHUB_ENV"
      env:
-        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
    - if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
      name: Comment on PR with Details of Schema Check
      uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
@@ -160,7 +164,7 @@ jobs:
        # workflow. https://github.com/orgs/community/discussions/25702
-        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
      env:
        HEAD_REF: ${{ github.head_ref }}
    - run: git status --porcelain
@@ -175,10 +179,15 @@ jobs:
        path: ${{ github.workspace }}/bin/provider.tar.gz
    - name: Test Provider Library
      run: make test_provider
    - name: Upload coverage reports to Codecov
      uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
      env:
-        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        ARM_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.ARM_CLIENT_SECRET }}
        DIGITALOCEAN_TOKEN: ${{ steps.esc-secrets.outputs.DIGITALOCEAN_TOKEN }}
        DOCKER_HUB_PASSWORD: ${{ steps.esc-secrets.outputs.DOCKER_HUB_PASSWORD }}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Upload coverage reports to Codecov
      uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
      env:
        CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
@@ -187,7 +196,7 @@ jobs:
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  build_sdks:
    needs: prerequisites
    runs-on: pulumi-ubuntu-8core
@@ -201,16 +210,30 @@ jobs:
        - go
        - java
    name: build_sdks
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
-        lfs: true
+        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Install Go
      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
      with:
@@ -221,32 +244,32 @@ jobs:
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
    - name: Setup Node
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
      with:
        node-version: ${{ env.NODEVERSION }}
        registry-url: https://registry.npmjs.org
    - name: Setup DotNet
-      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
      with:
        dotnet-version: ${{ env.DOTNETVERSION }}
    - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
      with:
        python-version: ${{ env.PYTHONVERSION }}
    - name: Setup Java
-      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+      uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
      with:
        java-version: ${{ env.JAVAVERSION }}
        distribution: temurin
        cache: gradle
    - name: Setup Gradle
-      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
+      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
      with:
        gradle-version: "7.6"
    - name: Download provider
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin
@@ -316,7 +339,7 @@ jobs:
        # workflow. https://github.com/orgs/community/discussions/25702
-        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
      env:
        HEAD_REF: ${{ github.head_ref }}
    - run: git status --porcelain
@@ -335,7 +358,7 @@ jobs:
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  test:
    runs-on: pulumi-ubuntu-8core
    needs:
@@ -353,17 +376,28 @@ jobs:
    name: test
    permissions:
      contents: read
-      id-token: write
+      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
-        lfs: true
+        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Install Go
      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
      with:
@@ -374,32 +408,32 @@ jobs:
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
    - name: Setup Node
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
      with:
        node-version: ${{ env.NODEVERSION }}
        registry-url: https://registry.npmjs.org
    - name: Setup DotNet
-      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
      with:
        dotnet-version: ${{ env.DOTNETVERSION }}
    - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
      with:
        python-version: ${{ env.PYTHONVERSION }}
    - name: Setup Java
-      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+      uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
      with:
        java-version: ${{ env.JAVAVERSION }}
        distribution: temurin
        cache: gradle
    - name: Setup Gradle
-      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
+      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
      with:
        gradle-version: "7.6"
    - name: Download provider
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin
@@ -411,7 +445,7 @@ jobs:
        -exec chmod +x {} \;
    - name: Download SDK
      if: ${{ matrix.language != 'yaml' }}
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
      with:
        name: ${{ matrix.language }}-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -445,7 +479,7 @@ jobs:
      with:
        environment: logins/pulumi-ci
    - name: Authenticate to Google Cloud
-      uses: google-github-actions/auth@b7593ed2efd1c1617e1b0254da33b86225adb2a5 # v2.1.12
+      uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
      with:
        workload_identity_provider: projects/${{ env.GOOGLE_PROJECT_NUMBER
          }}/locations/global/workloadIdentityPools/${{
@@ -453,7 +487,7 @@ jobs:
          env.GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER }}
        service_account: ${{ env.GOOGLE_CI_SERVICE_ACCOUNT_EMAIL }}
    - name: Setup gcloud auth
-      uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
+      uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
      with:
        install_components: gke-gcloud-auth-plugin
    - name: Install gotestfmt
@@ -466,6 +500,8 @@ jobs:
        set -euo pipefail
        cd examples && go test -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 .
      env:
        GTIHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
@@ -474,21 +510,35 @@ jobs:
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  publish:
    runs-on: ubuntu-latest
    needs: test
    name: publish
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
-        lfs: true
+        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Install Go
      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
      with:
@@ -508,21 +558,27 @@ jobs:
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
    - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
+      uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
      with:
-        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }}
        aws-region: us-east-2
-        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-secret-access-key: ${{ steps.esc-secrets.outputs.AWS_SECRET_ACCESS_KEY }}
        role-duration-seconds: 7200
        role-session-name: ${{ env.PROVIDER }}@githubActions
        role-external-id: upload-pulumi-release
-        role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
+        role-to-assume: ${{ steps.esc-secrets.outputs.AWS_UPLOAD_ROLE_ARN }}
    - name: Run GoReleaser
      uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
      env:
        GORELEASER_CURRENT_TAG: v${{ steps.version.outputs.version }}
        AZURE_SIGNING_CLIENT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID }}
        AZURE_SIGNING_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET }}
        AZURE_SIGNING_TENANT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID }}
        AZURE_SIGNING_KEY_VAULT_URI: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI }}
        SKIP_SIGNING: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET == '' && steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI == '' }}
        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
      with:
        args: -p 3 release --clean --timeout 60m0s
        version: latest
@@ -534,23 +590,37 @@ jobs:
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  publish_sdk:
    runs-on: ubuntu-latest
    needs: publish
    name: publish_sdks
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
-        lfs: true
+        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Checkout Scripts Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        path: ci-scripts
        repository: pulumi/scripts
@@ -565,22 +635,22 @@ jobs:
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
    - name: Setup Node
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
      with:
        node-version: ${{ env.NODEVERSION }}
        registry-url: https://registry.npmjs.org
    - name: Setup DotNet
-      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
      with:
        dotnet-version: ${{ env.DOTNETVERSION }}
    - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
      with:
        python-version: ${{ env.PYTHONVERSION }}
    - name: Download python SDK
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
      with:
        name: python-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -588,7 +658,7 @@ jobs:
      run: tar -zxf ${{github.workspace}}/sdk/python.tar.gz -C
        ${{github.workspace}}/sdk/python
    - name: Download dotnet SDK
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
      with:
        name: dotnet-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -596,7 +666,7 @@ jobs:
      run: tar -zxf ${{github.workspace}}/sdk/dotnet.tar.gz -C
        ${{github.workspace}}/sdk/dotnet
    - name: Download nodejs SDK
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
      with:
        name: nodejs-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -608,11 +678,11 @@ jobs:
    - name: Publish SDKs
      run: ./ci-scripts/ci/publish-tfgen-package ${{ github.workspace }}
      env:
-        NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
+        NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }}
-        NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }}
        PYPI_PUBLISH_ARTIFACTS: all
        PYPI_USERNAME: __token__
-        PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+        PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
@@ -621,22 +691,36 @@ jobs:
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  publish_java_sdk:
    runs-on: ubuntu-latest
    continue-on-error: true
    needs: publish
    name: publish_java_sdk
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
-        lfs: true
+        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Install Go
      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
      with:
@@ -647,45 +731,45 @@ jobs:
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
    - name: Setup Java
-      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+      uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
      with:
        java-version: ${{ env.JAVAVERSION }}
        distribution: temurin
        cache: gradle
    - name: Setup Gradle
-      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
+      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
      with:
        gradle-version: "7.6"
    - name: Download java SDK
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
      with:
        name: java-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
    - name: Uncompress java SDK
      run: tar -zxf ${{github.workspace}}/sdk/java.tar.gz -C
        ${{github.workspace}}/sdk/java
    - name: Setup Gradle
      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
      with:
        gradle-version: "7.6"
    - name: Publish Java SDK
-      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
+      run: gradle -p ./sdk/java publishToSonatype closeAndReleaseSonatypeStagingRepository
      env:
        PACKAGE_VERSION: ${{ env.PROVIDER_VERSION }}
-        SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
+        SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }}
-        SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
+        SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }}
-        SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
+        SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }}
-        PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+        PUBLISH_REPO_PASSWORD: ${{ steps.esc-secrets.outputs.OSSRH_PASSWORD }}
-        PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+        PUBLISH_REPO_USERNAME: ${{ steps.esc-secrets.outputs.OSSRH_USERNAME }}
      with:
        arguments: publishToSonatype closeAndReleaseSonatypeStagingRepository
        build-root-directory: ./sdk/java
        gradle-version: 7.4.1
  publish_go_sdk:
    runs-on: ubuntu-latest
    name: publish-go-sdk
    needs: publish_sdk
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        lfs: true
    - id: version
@@ -693,8 +777,10 @@ jobs:
      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Download go SDK
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
      with:
        name: go-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -714,7 +800,23 @@ jobs:
  dispatch_docs_build:
    runs-on: ubuntu-latest
    needs: publish_go_sdk
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - name: Install pulumictl
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
      with:
@@ -723,5 +825,5 @@ jobs:
      run: pulumictl create docs-build pulumi-${{ env.PROVIDER }}
        "${GITHUB_REF#refs/tags/}"
      env:
-        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
    name: dispatch_docs_build
--- a/.github/workflows/release_command.yml
+++ b/.github/workflows/release_command.yml
@@ -11,9 +11,18 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
-        persist-credentials: false
+        persist-credentials: false    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - name: Should release PR
      uses: pulumi/action-release-by-pr-label@main
      with:
@@ -21,10 +30,10 @@ jobs:
        repo: ${{ github.repository }}
        pr: ${{ github.event.client_payload.pull_request.number }}
        version: ${{ github.event.client_payload.slash_command.args.all }}
-        slack_channel: ${{ secrets.RELEASE_OPS_STAGING_SLACK_CHANNEL }}
+        slack_channel: ${{ steps.esc-secrets.outputs.RELEASE_OPS_STAGING_SLACK_CHANNEL }}
      env:
-        RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }}
+        RELEASE_BOT_ENDPOINT: ${{ steps.esc-secrets.outputs.RELEASE_BOT_ENDPOINT }}
-        RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }}
+        RELEASE_BOT_KEY: ${{ steps.esc-secrets.outputs.RELEASE_BOT_KEY }}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - if: failure()
      name: Notify failure
--- a/.github/workflows/run-acceptance-tests.yml
+++ b/.github/workflows/run-acceptance-tests.yml
@@ -10,7 +10,6 @@ on:
    - CHANGELOG.md
  workflow_dispatch: {}
 env:
  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
  PROVIDER: docker-build
  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
  TRAVIS_OS_NAME: linux
@@ -21,13 +20,10 @@ env:
  DOTNETVERSION: "8.0.x"
  JAVAVERSION: "11"
  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
  AWS_REGION: us-west-2
  AZURE_LOCATION: westus
  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -39,9 +35,16 @@ env:
  PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }}
 jobs:
  comment-notification:
    if: github.event_name == 'repository_dispatch'
    runs-on: ubuntu-latest
    name: comment-notification
    steps:
    - name: Checkout Repo
      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        lfs: true
        persist-credentials: false
        ref: ${{ env.PR_COMMIT_SHA }}
    - name: Create URL to the run output
      id: vars
      run: echo
@@ -50,26 +53,39 @@ jobs:
    - name: Update with Result
      uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
      with:
-        token: ${{ secrets.PULUMI_BOT_TOKEN }}
+        token: ${{ secrets.GITHUB_TOKEN }}
        repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
        issue-number: ${{ github.event.client_payload.github.payload.issue.number }}
        body: "Please view the PR build: ${{ steps.vars.outputs.run-url }}"
    if: github.event_name == 'repository_dispatch'
  prerequisites:
    runs-on: ubuntu-latest
    name: prerequisites
    permissions:
      id-token: write # For ESC secrets.
      pull-requests: write # For schema check comment.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        lfs: true
        persist-credentials: false
-        ref: ${{ env.PR_COMMIT_SHA }}
+        ref: ${{ env.PR_COMMIT_SHA }}    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Install Go
      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
      with:
@@ -80,7 +96,7 @@ jobs:
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
    - if: github.event_name == 'pull_request'
      name: Install Schema Tools
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
@@ -101,7 +117,7 @@ jobs:
          echo 'EOF';
        } >> "$GITHUB_ENV"
      env:
-        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
    - if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
      name: Comment on PR with Details of Schema Check
      uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
@@ -176,7 +192,7 @@ jobs:
        # workflow. https://github.com/orgs/community/discussions/25702
-        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
      env:
        HEAD_REF: ${{ github.head_ref }}
    - run: git status --porcelain
@@ -191,10 +207,15 @@ jobs:
        path: ${{ github.workspace }}/bin/provider.tar.gz
    - name: Test Provider Library
      run: make test_provider
    - name: Upload coverage reports to Codecov
      uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
      env:
-        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        ARM_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.ARM_CLIENT_SECRET }}
        DIGITALOCEAN_TOKEN: ${{ steps.esc-secrets.outputs.DIGITALOCEAN_TOKEN }}
        DOCKER_HUB_PASSWORD: ${{ steps.esc-secrets.outputs.DOCKER_HUB_PASSWORD }}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Upload coverage reports to Codecov
      uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
      env:
        CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
@@ -203,7 +224,7 @@ jobs:
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
    if: github.event_name == 'repository_dispatch' ||
      github.event.pull_request.head.repo.full_name == github.repository
  build_sdks:
@@ -219,18 +240,32 @@ jobs:
        - go
        - java
    name: build_sdks
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        lfs: true
        persist-credentials: false
-        ref: ${{ env.PR_COMMIT_SHA }}
+        ref: ${{ env.PR_COMMIT_SHA }}    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Install Go
      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
      with:
@@ -241,32 +276,32 @@ jobs:
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
    - name: Setup Node
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
      with:
        node-version: ${{ env.NODEVERSION }}
        registry-url: https://registry.npmjs.org
    - name: Setup DotNet
-      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
      with:
        dotnet-version: ${{ env.DOTNETVERSION }}
    - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
      with:
        python-version: ${{ env.PYTHONVERSION }}
    - name: Setup Java
-      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+      uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
      with:
        java-version: ${{ env.JAVAVERSION }}
        distribution: temurin
        cache: gradle
    - name: Setup Gradle
-      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
+      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
      with:
        gradle-version: "7.6"
    - name: Download provider
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin
@@ -335,7 +370,7 @@ jobs:
        # workflow. https://github.com/orgs/community/discussions/25702
-        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
      env:
        HEAD_REF: ${{ github.head_ref }}
    - run: git status --porcelain
@@ -355,7 +390,7 @@ jobs:
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
    if: github.event_name == 'repository_dispatch' ||
      github.event.pull_request.head.repo.full_name == github.repository
  test:
@@ -378,16 +413,27 @@ jobs:
      id-token: write
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        lfs: true
        persist-credentials: false
-        ref: ${{ env.PR_COMMIT_SHA }}
+        ref: ${{ env.PR_COMMIT_SHA }}    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Install Go
      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
      with:
@@ -398,32 +444,32 @@ jobs:
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
    - name: Setup Node
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
      with:
        node-version: ${{ env.NODEVERSION }}
        registry-url: https://registry.npmjs.org
    - name: Setup DotNet
-      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
      with:
        dotnet-version: ${{ env.DOTNETVERSION }}
    - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
      with:
        python-version: ${{ env.PYTHONVERSION }}
    - name: Setup Java
-      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
+      uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
      with:
        java-version: ${{ env.JAVAVERSION }}
        distribution: temurin
        cache: gradle
    - name: Setup Gradle
-      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3.5.0
+      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
      with:
        gradle-version: "7.6"
    - name: Download provider
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin
@@ -435,7 +481,7 @@ jobs:
        -exec chmod +x {} \;
    - name: Download SDK
      if: ${{ matrix.language != 'yaml' }}
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
      with:
        name: ${{ matrix.language }}-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -469,7 +515,7 @@ jobs:
      with:
        environment: logins/pulumi-ci
    - name: Authenticate to Google Cloud
-      uses: google-github-actions/auth@b7593ed2efd1c1617e1b0254da33b86225adb2a5 # v2.1.12
+      uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
      with:
        workload_identity_provider: projects/${{ env.GOOGLE_PROJECT_NUMBER
          }}/locations/global/workloadIdentityPools/${{
@@ -477,7 +523,7 @@ jobs:
          env.GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER }}
        service_account: ${{ env.GOOGLE_CI_SERVICE_ACCOUNT_EMAIL }}
    - name: Setup gcloud auth
-      uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
+      uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
      with:
        install_components: gke-gcloud-auth-plugin
    - name: Install gotestfmt
@@ -490,6 +536,8 @@ jobs:
        set -euo pipefail
        cd examples && go test -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 .
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
@@ -498,13 +546,28 @@ jobs:
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
    if: github.event_name == 'repository_dispatch' ||
      github.event.pull_request.head.repo.full_name == github.repository
  sentinel:
    runs-on: ubuntu-latest
    name: sentinel
    steps:
    - name: Checkout Repo
      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        lfs: true
        persist-credentials: false
        ref: ${{ env.PR_COMMIT_SHA }}    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - name: Mark workflow as successful
      uses: guibranco/github-status-action-v2@0849440ec82c5fa69b2377725b9b7852a3977e76 # v1.1.13
      with:
@@ -515,6 +578,7 @@ jobs:
        sha: ${{ github.event.pull_request.head.sha || github.sha }}
    permissions:
      statuses: write
      id-token: write # For ESC secrets.
    if: github.event_name == 'repository_dispatch' ||
      github.event.pull_request.head.repo.full_name == github.repository
    needs:
@@ -525,7 +589,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
        lfs: true
        persist-credentials: false
--- a/.github/workflows/weekly-pulumi-update.yml
+++ b/.github/workflows/weekly-pulumi-update.yml
@@ -17,13 +17,10 @@ env:
  DOTNETVERSION: "8.0.x"
  JAVAVERSION: "11"
  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
  AWS_REGION: us-west-2
  AZURE_LOCATION: westus
  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -32,14 +29,25 @@ env:
  GOOGLE_REGION: us-central1
  GOOGLE_ZONE: us-central1-a
  PULUMI_API: https://api.pulumi-staging.io
 jobs:
  weekly-pulumi-update:
    runs-on: ubuntu-latest
    permissions: write-all
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      with:
-        lfs: true
+        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - name: Install Go
      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
      with:
@@ -50,20 +58,30 @@ jobs:
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
    - name: Setup DotNet
-      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
      with:
        dotnet-version: ${{ env.DOTNETVERSION }}
    - name: Setup Node
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
      with:
        node-version: ${{ env.NODEVERSION }}
        registry-url: https://registry.npmjs.org
    - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
      with:
        python-version: ${{ env.PYTHONVERSION }}
    - name: Setup Java
      uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
      with:
        java-version: ${{ env.JAVAVERSION }}
        distribution: temurin
        cache: gradle
    - name: Setup Gradle
      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
      with:
        gradle-version: "7.6"
    - name: Update Pulumi/Pulumi
      id: gomod
      run: >-
@@ -122,5 +140,5 @@ jobs:
        gh pr create -t "$msg" -b "$msg" --head "$(git branch --show-current)"
      env:
-        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
    name: weekly-pulumi-update
--- a/.pulumi.version
+++ b/.pulumi.version
@@ -1 +1 @@
-3.187.0
+3.192.0
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,9 +1,15 @@
 ## Unreleased
 ## 0.0.13 (2025-08-27)
 ### Changed
 - Docker Build Cloud and `exec` errors are more helpful. (https://github.com/pulumi/pulumi-docker-build/issues/549)
 ### Fixed
 - The provider is no longer replaced on version changes. (https://github.com/pulumi/pulumi-docker-build/issues/581)
 ## 0.0.12 (2025-05-16)
 ### Changed
--- a/examples/go/go.mod
+++ b/examples/go/go.mod
@@ -6,7 +6,7 @@ toolchain go1.24.5
 require (
 	github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild v0.0.12
-	github.com/pulumi/pulumi/sdk/v3 v3.187.0
+	github.com/pulumi/pulumi/sdk/v3 v3.192.0
 )
 require (
@@ -62,7 +62,7 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pkg/term v1.1.0 // indirect
 	github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 // indirect
-	github.com/pulumi/esc v0.14.3 // indirect
+	github.com/pulumi/esc v0.17.0 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rogpeppe/go-internal v1.14.1 // indirect
 	github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 // indirect
--- a/examples/go/go.sum
+++ b/examples/go/go.sum
@@ -159,12 +159,12 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRI
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 h1:vkHw5I/plNdTr435cARxCW6q9gc0S/Yxz7Mkd38pOb0=
 github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231/go.mod h1:murToZ2N9hNJzewjHBgfFdXhZKjY3z5cYC1VXk+lbFE=
-github.com/pulumi/esc v0.14.3 h1:Zli+9LiSDT/W+Fsfr8tITxCo+5wn969tLrE4KLv44G8=
+github.com/pulumi/esc v0.17.0 h1:oaVOIyFTENlYDuqc3pW75lQT9jb2cd6ie/4/Twxn66w=
-github.com/pulumi/esc v0.14.3/go.mod h1:XnSxlt5NkmuAj304l/gK4pRErFbtqq6XpfX1tYT9Jbc=
+github.com/pulumi/esc v0.17.0/go.mod h1:XnSxlt5NkmuAj304l/gK4pRErFbtqq6XpfX1tYT9Jbc=
 github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild v0.0.12 h1:uzmw+0iic764m0Yvh4I/jRV1x3q49dVh5Ctq9RllsQ8=
 github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild v0.0.12/go.mod h1:6zFMe786NvFDO03BVJwdw1R/Yms4F6vAU49iBHo8zbQ=
-github.com/pulumi/pulumi/sdk/v3 v3.187.0 h1:BflBBeD/qaoKN4Tov11g4aHzJ7pTXBSb8otgmteRer0=
+github.com/pulumi/pulumi/sdk/v3 v3.192.0 h1:sfHuR3P02wSbV3xdSMEQ0+uC/HzlMz0YfKrVAXy1hSQ=
-github.com/pulumi/pulumi/sdk/v3 v3.187.0/go.mod h1:BnpKxUc6QlxqoCqobHNZsUuIuY27H6ZFUk0Cp+0JN5U=
+github.com/pulumi/pulumi/sdk/v3 v3.192.0/go.mod h1:aV0+c5xpSYccWKmOjTZS9liYCqh7+peu3cQgSXu7CJw=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
--- a/examples/nodejs_test.go
+++ b/examples/nodejs_test.go
@@ -181,8 +181,9 @@ func TestConfig(t *testing.T) {
 	require.NoError(t, err)
 	test := integration.ProgramTestOptions{
-		Dir:          path.Join(cwd, "tests", "config"),
+		Dir:                    path.Join(cwd, "tests", "config"),
-		Dependencies: []string{"@pulumi/docker-build"},
+		Dependencies:           []string{"@pulumi/docker-build"},
 		SkipEmptyPreviewUpdate: true,
 	}
 	integration.ProgramTest(t, &test)
--- a/go.mod
+++ b/go.mod
@@ -16,14 +16,14 @@ require (
 	github.com/otiai10/copy v1.14.0
 	github.com/pulumi/providertest v0.3.1
 	github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3 v3.0.0-20250806132441-44ca9a522cef
-	github.com/pulumi/pulumi-go-provider v1.1.0
+	github.com/pulumi/pulumi-go-provider v1.1.1
 	github.com/pulumi/pulumi-java/pkg v1.16.0
 	github.com/pulumi/pulumi-yaml v1.21.2
-	github.com/pulumi/pulumi/pkg/v3 v3.187.0
+	github.com/pulumi/pulumi/pkg/v3 v3.192.0
 	github.com/pulumi/pulumi/sdk/go/pulumi-language-go/v3 v3.0.0-20250806165243-bee5e4fa4815
 	github.com/pulumi/pulumi/sdk/nodejs/cmd/pulumi-language-nodejs/v3 v3.0.0-20250806165243-bee5e4fa4815
 	github.com/pulumi/pulumi/sdk/python/cmd/pulumi-language-python/v3 v3.0.0-20250806165243-bee5e4fa4815
-	github.com/pulumi/pulumi/sdk/v3 v3.187.0
+	github.com/pulumi/pulumi/sdk/v3 v3.192.0
 	github.com/regclient/regclient v0.7.1
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/afero v1.14.0
--- a/go.sum
+++ b/go.sum
@@ -896,22 +896,22 @@ github.com/pulumi/providertest v0.3.1 h1:vlftr7TZlObh81mL88IhhF0/9ZbLrZZos4NAvR4
 github.com/pulumi/providertest v0.3.1/go.mod h1:fFHUP4/9DRyYnHWiRnwcynMtM/a7hHR/QcJfcuZKO3A=
 github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3 v3.0.0-20250806132441-44ca9a522cef h1:cxRa9R9To6OYKacIG2Em6zcM7BDNr6joC43uiV1lSVY=
 github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3 v3.0.0-20250806132441-44ca9a522cef/go.mod h1:VLcnE1lj92EfRi7CRMzdPkQ9OQvrlg2upJM1lBZzNmg=
-github.com/pulumi/pulumi-go-provider v1.1.0 h1:TNrLoQ7LrT6Z2xPbspJKXE3pKZsz+pCVo62zKFGxjBI=
+github.com/pulumi/pulumi-go-provider v1.1.1 h1:4UT3LeNT9CdGhkq8OSWKJsmKTW9Tg+vsfOO/hsFVyb4=
-github.com/pulumi/pulumi-go-provider v1.1.0/go.mod h1:bWvFWytb2ULBefjDW/YG+GcjHbzVojwtl1RW5afMvR0=
+github.com/pulumi/pulumi-go-provider v1.1.1/go.mod h1:3lNIuxT/BArFyiKrVfv+UT7gMMtplss7V69KuBZ4zIk=
 github.com/pulumi/pulumi-java/pkg v1.16.0 h1:8KCiIXWv2uxfIks0SdgOezyXg4HZIoPfHID9eMg4nuM=
 github.com/pulumi/pulumi-java/pkg v1.16.0/go.mod h1:VeMZ1s9LfXBypao4A1tRF3EB7fYnYZ1LwImyg6FBX0c=
 github.com/pulumi/pulumi-yaml v1.21.2 h1:czqC5AazinfX6Bj0nqAAQ6x/Cr8/3oUz3HUjJg6tJ4o=
 github.com/pulumi/pulumi-yaml v1.21.2/go.mod h1:KOqDnuJksfIq8belFVFN3IEI4r0NgW69M0QPSj54On4=
-github.com/pulumi/pulumi/pkg/v3 v3.187.0 h1:VTbireKCxG/wKPX3slHNb3Zk3xKMr5CvcvjH8194H2I=
+github.com/pulumi/pulumi/pkg/v3 v3.192.0 h1:gZRMPaNpW+VN3ng3h9r8De8wI0keWC9fIP0rcUDatMA=
-github.com/pulumi/pulumi/pkg/v3 v3.187.0/go.mod h1:3y5nyMg62dd+DBzYW/P4d+Ye9pJ/zhJd+aGzMzfUL1g=
+github.com/pulumi/pulumi/pkg/v3 v3.192.0/go.mod h1:+Zp3EzjzGW4PlcW8oITZgeOfFzIVbLWvHtUVixvGQcs=
 github.com/pulumi/pulumi/sdk/go/pulumi-language-go/v3 v3.0.0-20250806165243-bee5e4fa4815 h1:tipGG4aEPejP424igQYxJ6TOtWVtZJa0z679oIv00ho=
 github.com/pulumi/pulumi/sdk/go/pulumi-language-go/v3 v3.0.0-20250806165243-bee5e4fa4815/go.mod h1:V2MMs29cFeGBdZyFKxNqTGVfBgDLhIOGfrXOxheieuI=
 github.com/pulumi/pulumi/sdk/nodejs/cmd/pulumi-language-nodejs/v3 v3.0.0-20250806165243-bee5e4fa4815 h1:+QJTFK7UcOFTYCg3XaSTrRZHWJ6Hqza8w9oADa4pPcM=
 github.com/pulumi/pulumi/sdk/nodejs/cmd/pulumi-language-nodejs/v3 v3.0.0-20250806165243-bee5e4fa4815/go.mod h1:0kA9b5LsaXLEKQzo0o9UUsHtZkACthHYLyBVUDUVMxc=
 github.com/pulumi/pulumi/sdk/python/cmd/pulumi-language-python/v3 v3.0.0-20250806165243-bee5e4fa4815 h1:bkvtySMos0ij3fWZWZaU5sVrvGvU0dZCusoxpgEtX6I=
 github.com/pulumi/pulumi/sdk/python/cmd/pulumi-language-python/v3 v3.0.0-20250806165243-bee5e4fa4815/go.mod h1:SJtr0N/XFyelI7M7U0UbJXr15pgEdSmpN40cglTsRTA=
-github.com/pulumi/pulumi/sdk/v3 v3.187.0 h1:BflBBeD/qaoKN4Tov11g4aHzJ7pTXBSb8otgmteRer0=
+github.com/pulumi/pulumi/sdk/v3 v3.192.0 h1:sfHuR3P02wSbV3xdSMEQ0+uC/HzlMz0YfKrVAXy1hSQ=
-github.com/pulumi/pulumi/sdk/v3 v3.187.0/go.mod h1:BnpKxUc6QlxqoCqobHNZsUuIuY27H6ZFUk0Cp+0JN5U=
+github.com/pulumi/pulumi/sdk/v3 v3.192.0/go.mod h1:aV0+c5xpSYccWKmOjTZS9liYCqh7+peu3cQgSXu7CJw=
 github.com/quasilyte/go-ruleguard v0.4.2 h1:htXcXDK6/rO12kiTHKfHuqR4kr3Y4M0J0rOL6CH/BYs=
 github.com/quasilyte/go-ruleguard v0.4.2/go.mod h1:GJLgqsLeo4qgavUoL8JeGFNS7qcisx3awV/w9eWTmNI=
 github.com/quasilyte/go-ruleguard/dsl v0.3.22 h1:wd8zkOhSNr+I+8Qeciml08ivDt1pSXe60+5DqOpCjPE=
--- a/mise.toml
+++ b/mise.toml
@@ -1,19 +0,0 @@
 # WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
 [tools]
 # Runtimes
 go = '1.21'
 node = '20'
 python = '3.11.8'
 dotnet = '8.0'
 # Corretto version used as Java SE/OpenJDK version no longer offered
 java = 'corretto-11'
 # Executable tools
 pulumi = 'latest'
 "go:github.com/pulumi/pulumictl/cmd/pulumictl" = 'latest'
 gradle = '7.6'
 [settings]
 experimental = true # Required for Go binaries (e.g. pulumictl).
--- a/scripts/get-versions.sh
+++ b/scripts/get-versions.sh
@@ -0,0 +1,55 @@
 #!/usr/bin/env bash
 set -euo pipefail
 # This script can be simplified to use go when https://github.com/jdx/mise/discussions/6374 is fixed
 # e.g. go list -m -f '{{.GoVersion}}'
 module_path="github.com/pulumi/pulumi/pkg/v3"
 go_mod_path="."
 gomod="go.mod"
 if [[ "$go_mod_path" != "" && "$go_mod_path" != "." ]]; then
  gomod="$go_mod_path/$gomod"
 fi
 if [[ ! -f "$gomod" ]]; then
  echo "missing $gomod" >&2
  exit 1
 fi
 raw_version=$(awk -v module="$module_path" '
    $1 == module || $2 == module {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^v[0-9]/) {
                sub(/^v/, "", $i)
                print $i
                exit
            }
        }
    }
 ' "$gomod")
 if [[ -z "${raw_version:-}" ]]; then
  echo "failed to determine Pulumi version from $gomod" >&2
  exit 1
 fi
 echo "MISE_PULUMI_VERSION=$raw_version"
 export MISE_PULUMI_VERSION=$raw_version
 # Prefer the toolchain directive if present, otherwise fall back to the `go` version line
 go_toolchain=$(awk '/^toolchain[[:space:]]+go[0-9]/{ print $2; exit }' "$gomod")
 if [[ -n "${go_toolchain:-}" ]]; then
  go_version=${go_toolchain#go}
 else
  go_version=$(awk '/^go[[:space:]]+[0-9]/{ print $2; exit }' "$gomod")
 fi
 if [[ -z "${go_version:-}" ]]; then
  echo "failed to determine Go version from $gomod" >&2
  exit 1
 fi
 echo "MISE_GO_VERSION=$go_version"
 export MISE_GO_VERSION=$go_version
--- a/sdk/go/dockerbuild/go.mod
+++ b/sdk/go/dockerbuild/go.mod
@@ -4,7 +4,7 @@ go 1.24.1
 require (
 	github.com/blang/semver v3.5.1+incompatible
-	github.com/pulumi/pulumi/sdk/v3 v3.187.0
+	github.com/pulumi/pulumi/sdk/v3 v3.192.0
 )
 require (
--- a/sdk/go/dockerbuild/go.sum
+++ b/sdk/go/dockerbuild/go.sum
@@ -164,8 +164,8 @@ github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 h1:vkHw5I/plNdTr435
 github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231/go.mod h1:murToZ2N9hNJzewjHBgfFdXhZKjY3z5cYC1VXk+lbFE=
 github.com/pulumi/esc v0.17.0 h1:oaVOIyFTENlYDuqc3pW75lQT9jb2cd6ie/4/Twxn66w=
 github.com/pulumi/esc v0.17.0/go.mod h1:XnSxlt5NkmuAj304l/gK4pRErFbtqq6XpfX1tYT9Jbc=
-github.com/pulumi/pulumi/sdk/v3 v3.187.0 h1:BflBBeD/qaoKN4Tov11g4aHzJ7pTXBSb8otgmteRer0=
+github.com/pulumi/pulumi/sdk/v3 v3.192.0 h1:sfHuR3P02wSbV3xdSMEQ0+uC/HzlMz0YfKrVAXy1hSQ=
-github.com/pulumi/pulumi/sdk/v3 v3.187.0/go.mod h1:BnpKxUc6QlxqoCqobHNZsUuIuY27H6ZFUk0Cp+0JN5U=
+github.com/pulumi/pulumi/sdk/v3 v3.192.0/go.mod h1:aV0+c5xpSYccWKmOjTZS9liYCqh7+peu3cQgSXu7CJw=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
--- a/sdk/nodejs/image.ts
+++ b/sdk/nodejs/image.ts
@@ -501,7 +501,7 @@ export class Image extends pulumi.CustomResource {
     *
     * Equivalent to Docker's `--add-host` flag.
     */
-    public readonly addHosts!: pulumi.Output<string[] | undefined>;
+    declare public readonly addHosts: pulumi.Output<string[] | undefined>;
    /**
     * `ARG` names and values to set during the build.
     *
@@ -513,7 +513,7 @@ export class Image extends pulumi.CustomResource {
     *
     * Equivalent to Docker's `--build-arg` flag.
     */
-    public readonly buildArgs!: pulumi.Output<{[key: string]: string} | undefined>;
+    declare public readonly buildArgs: pulumi.Output<{[key: string]: string} | undefined>;
    /**
     * Setting this to `false` will always skip image builds during previews,
     * and setting it to `true` will always build images during previews.
@@ -527,35 +527,35 @@ export class Image extends pulumi.CustomResource {
     * Defaults to `true` as a safeguard against broken images merging as part
     * of CI pipelines.
     */
-    public readonly buildOnPreview!: pulumi.Output<boolean | undefined>;
+    declare public readonly buildOnPreview: pulumi.Output<boolean | undefined>;
    /**
     * Builder configuration.
     */
-    public readonly builder!: pulumi.Output<outputs.BuilderConfig | undefined>;
+    declare public readonly builder: pulumi.Output<outputs.BuilderConfig | undefined>;
    /**
     * Cache export configuration.
     *
     * Equivalent to Docker's `--cache-from` flag.
     */
-    public readonly cacheFrom!: pulumi.Output<outputs.CacheFrom[] | undefined>;
+    declare public readonly cacheFrom: pulumi.Output<outputs.CacheFrom[] | undefined>;
    /**
     * Cache import configuration.
     *
     * Equivalent to Docker's `--cache-to` flag.
     */
-    public readonly cacheTo!: pulumi.Output<outputs.CacheTo[] | undefined>;
+    declare public readonly cacheTo: pulumi.Output<outputs.CacheTo[] | undefined>;
    /**
     * Build context settings. Defaults to the current directory.
     *
     * Equivalent to Docker's `PATH | URL | -` positional argument.
     */
-    public readonly context!: pulumi.Output<outputs.BuildContext | undefined>;
+    declare public readonly context: pulumi.Output<outputs.BuildContext | undefined>;
    /**
     * A preliminary hash of the image's build context.
     *
     * Pulumi uses this to determine if an image _may_ need to be re-built.
     */
-    public /*out*/ readonly contextHash!: pulumi.Output<string>;
+    declare public /*out*/ readonly contextHash: pulumi.Output<string>;
    /**
     * A SHA256 digest of the image if it was exported to a registry or
     * elsewhere.
@@ -565,13 +565,13 @@ export class Image extends pulumi.CustomResource {
     * Registry images can be referenced precisely as `<tag>@<digest>`. The
     * `ref` output provides one such reference as a convenience.
     */
-    public /*out*/ readonly digest!: pulumi.Output<string>;
+    declare public /*out*/ readonly digest: pulumi.Output<string>;
    /**
     * Dockerfile settings.
     *
     * Equivalent to Docker's `--file` flag.
     */
-    public readonly dockerfile!: pulumi.Output<outputs.Dockerfile | undefined>;
+    declare public readonly dockerfile: pulumi.Output<outputs.Dockerfile | undefined>;
    /**
     * Use `exec` mode to build this image.
     *
@@ -594,7 +594,7 @@ export class Image extends pulumi.CustomResource {
     * are temporarily written to disk in order to provide them to the
     * `docker-buildx` binary.
     */
-    public readonly exec!: pulumi.Output<boolean | undefined>;
+    declare public readonly exec: pulumi.Output<boolean | undefined>;
    /**
     * Controls where images are persisted after building.
     *
@@ -606,13 +606,13 @@ export class Image extends pulumi.CustomResource {
     *
     * Equivalent to Docker's `--output` flag.
     */
-    public readonly exports!: pulumi.Output<outputs.Export[] | undefined>;
+    declare public readonly exports: pulumi.Output<outputs.Export[] | undefined>;
    /**
     * Attach arbitrary key/value metadata to the image.
     *
     * Equivalent to Docker's `--label` flag.
     */
-    public readonly labels!: pulumi.Output<{[key: string]: string} | undefined>;
+    declare public readonly labels: pulumi.Output<{[key: string]: string} | undefined>;
    /**
     * When `true` the build will automatically include a `docker` export.
     *
@@ -620,7 +620,7 @@ export class Image extends pulumi.CustomResource {
     *
     * Equivalent to Docker's `--load` flag.
     */
-    public readonly load!: pulumi.Output<boolean | undefined>;
+    declare public readonly load: pulumi.Output<boolean | undefined>;
    /**
     * Set the network mode for `RUN` instructions. Defaults to `default`.
     *
@@ -628,25 +628,25 @@ export class Image extends pulumi.CustomResource {
     *
     * Equivalent to Docker's `--network` flag.
     */
-    public readonly network!: pulumi.Output<enums.NetworkMode | undefined>;
+    declare public readonly network: pulumi.Output<enums.NetworkMode | undefined>;
    /**
     * Do not import cache manifests when building the image.
     *
     * Equivalent to Docker's `--no-cache` flag.
     */
-    public readonly noCache!: pulumi.Output<boolean | undefined>;
+    declare public readonly noCache: pulumi.Output<boolean | undefined>;
    /**
     * Set target platform(s) for the build. Defaults to the host's platform.
     *
     * Equivalent to Docker's `--platform` flag.
     */
-    public readonly platforms!: pulumi.Output<enums.Platform[] | undefined>;
+    declare public readonly platforms: pulumi.Output<enums.Platform[] | undefined>;
    /**
     * Always pull referenced images.
     *
     * Equivalent to Docker's `--pull` flag.
     */
-    public readonly pull!: pulumi.Output<boolean | undefined>;
+    declare public readonly pull: pulumi.Output<boolean | undefined>;
    /**
     * When `true` the build will automatically include a `registry` export.
     *
@@ -654,7 +654,7 @@ export class Image extends pulumi.CustomResource {
     *
     * Equivalent to Docker's `--push` flag.
     */
-    public readonly push!: pulumi.Output<boolean>;
+    declare public readonly push: pulumi.Output<boolean>;
    /**
     * If the image was pushed to any registries then this will contain a
     * single fully-qualified tag including the build's digest.
@@ -671,7 +671,7 @@ export class Image extends pulumi.CustomResource {
     * For more control over tags consumed by downstream resources you should
     * use the `digest` output.
     */
-    public /*out*/ readonly ref!: pulumi.Output<string>;
+    declare public /*out*/ readonly ref: pulumi.Output<string>;
    /**
     * Registry credentials. Required if reading or exporting to private
     * repositories.
@@ -681,7 +681,7 @@ export class Image extends pulumi.CustomResource {
     *
     * Similar to `docker login`.
     */
-    public readonly registries!: pulumi.Output<outputs.Registry[] | undefined>;
+    declare public readonly registries: pulumi.Output<outputs.Registry[] | undefined>;
    /**
     * A mapping of secret names to their corresponding values.
     *
@@ -693,13 +693,13 @@ export class Image extends pulumi.CustomResource {
     *
     * Similar to Docker's `--secret` flag.
     */
-    public readonly secrets!: pulumi.Output<{[key: string]: string} | undefined>;
+    declare public readonly secrets: pulumi.Output<{[key: string]: string} | undefined>;
    /**
     * SSH agent socket or keys to expose to the build.
     *
     * Equivalent to Docker's `--ssh` flag.
     */
-    public readonly ssh!: pulumi.Output<outputs.SSH[] | undefined>;
+    declare public readonly ssh: pulumi.Output<outputs.SSH[] | undefined>;
    /**
     * Name and optionally a tag (format: `name:tag`).
     *
@@ -708,7 +708,7 @@ export class Image extends pulumi.CustomResource {
     *
     * Equivalent to Docker's `--tag` flag.
     */
-    public readonly tags!: pulumi.Output<string[] | undefined>;
+    declare public readonly tags: pulumi.Output<string[] | undefined>;
    /**
     * Set the target build stage(s) to build.
     *
@@ -716,7 +716,7 @@ export class Image extends pulumi.CustomResource {
     *
     * Equivalent to Docker's `--target` flag.
     */
-    public readonly target!: pulumi.Output<string | undefined>;
+    declare public readonly target: pulumi.Output<string | undefined>;
    /**
     * Create a Image resource with the given unique name, arguments, and options.
@@ -729,31 +729,31 @@ export class Image extends pulumi.CustomResource {
        let resourceInputs: pulumi.Inputs = {};
        opts = opts || {};
        if (!opts.id) {
-            if ((!args || args.push === undefined) && !opts.urn) {
+            if (args?.push === undefined && !opts.urn) {
                throw new Error("Missing required property 'push'");
            }
-            resourceInputs["addHosts"] = args ? args.addHosts : undefined;
+            resourceInputs["addHosts"] = args?.addHosts;
-            resourceInputs["buildArgs"] = args ? args.buildArgs : undefined;
+            resourceInputs["buildArgs"] = args?.buildArgs;
-            resourceInputs["buildOnPreview"] = (args ? args.buildOnPreview : undefined) ?? true;
+            resourceInputs["buildOnPreview"] = (args?.buildOnPreview) ?? true;
-            resourceInputs["builder"] = args ? args.builder : undefined;
+            resourceInputs["builder"] = args?.builder;
-            resourceInputs["cacheFrom"] = args ? args.cacheFrom : undefined;
+            resourceInputs["cacheFrom"] = args?.cacheFrom;
-            resourceInputs["cacheTo"] = args ? args.cacheTo : undefined;
+            resourceInputs["cacheTo"] = args?.cacheTo;
-            resourceInputs["context"] = args ? args.context : undefined;
+            resourceInputs["context"] = args?.context;
-            resourceInputs["dockerfile"] = args ? args.dockerfile : undefined;
+            resourceInputs["dockerfile"] = args?.dockerfile;
-            resourceInputs["exec"] = args ? args.exec : undefined;
+            resourceInputs["exec"] = args?.exec;
-            resourceInputs["exports"] = args ? args.exports : undefined;
+            resourceInputs["exports"] = args?.exports;
-            resourceInputs["labels"] = args ? args.labels : undefined;
+            resourceInputs["labels"] = args?.labels;
-            resourceInputs["load"] = args ? args.load : undefined;
+            resourceInputs["load"] = args?.load;
-            resourceInputs["network"] = (args ? args.network : undefined) ?? "default";
+            resourceInputs["network"] = (args?.network) ?? "default";
-            resourceInputs["noCache"] = args ? args.noCache : undefined;
+            resourceInputs["noCache"] = args?.noCache;
-            resourceInputs["platforms"] = args ? args.platforms : undefined;
+            resourceInputs["platforms"] = args?.platforms;
-            resourceInputs["pull"] = args ? args.pull : undefined;
+            resourceInputs["pull"] = args?.pull;
-            resourceInputs["push"] = args ? args.push : undefined;
+            resourceInputs["push"] = args?.push;
-            resourceInputs["registries"] = args ? args.registries : undefined;
+            resourceInputs["registries"] = args?.registries;
-            resourceInputs["secrets"] = args ? args.secrets : undefined;
+            resourceInputs["secrets"] = args?.secrets;
-            resourceInputs["ssh"] = args ? args.ssh : undefined;
+            resourceInputs["ssh"] = args?.ssh;
-            resourceInputs["tags"] = args ? args.tags : undefined;
+            resourceInputs["tags"] = args?.tags;
-            resourceInputs["target"] = args ? args.target : undefined;
+            resourceInputs["target"] = args?.target;
            resourceInputs["contextHash"] = undefined /*out*/;
            resourceInputs["digest"] = undefined /*out*/;
            resourceInputs["ref"] = undefined /*out*/;
--- a/sdk/nodejs/index_.ts
+++ b/sdk/nodejs/index_.ts
@@ -113,27 +113,27 @@ export class Index extends pulumi.CustomResource {
     *
     * Defaults to `true`.
     */
-    public readonly push!: pulumi.Output<boolean | undefined>;
+    declare public readonly push: pulumi.Output<boolean | undefined>;
    /**
     * The pushed tag with digest.
     *
     * Identical to the tag if the index was not pushed.
     */
-    public /*out*/ readonly ref!: pulumi.Output<string>;
+    declare public /*out*/ readonly ref: pulumi.Output<string>;
    /**
     * Authentication for the registry where the tagged index will be pushed.
     *
     * Credentials can also be included with the provider's configuration.
     */
-    public readonly registry!: pulumi.Output<outputs.Registry | undefined>;
+    declare public readonly registry: pulumi.Output<outputs.Registry | undefined>;
    /**
     * Existing images to include in the index.
     */
-    public readonly sources!: pulumi.Output<string[]>;
+    declare public readonly sources: pulumi.Output<string[]>;
    /**
     * The tag to apply to the index.
     */
-    public readonly tag!: pulumi.Output<string>;
+    declare public readonly tag: pulumi.Output<string>;
    /**
     * Create a Index resource with the given unique name, arguments, and options.
@@ -146,16 +146,16 @@ export class Index extends pulumi.CustomResource {
        let resourceInputs: pulumi.Inputs = {};
        opts = opts || {};
        if (!opts.id) {
-            if ((!args || args.sources === undefined) && !opts.urn) {
+            if (args?.sources === undefined && !opts.urn) {
                throw new Error("Missing required property 'sources'");
            }
-            if ((!args || args.tag === undefined) && !opts.urn) {
+            if (args?.tag === undefined && !opts.urn) {
                throw new Error("Missing required property 'tag'");
            }
-            resourceInputs["push"] = (args ? args.push : undefined) ?? true;
+            resourceInputs["push"] = (args?.push) ?? true;
-            resourceInputs["registry"] = args ? args.registry : undefined;
+            resourceInputs["registry"] = args?.registry;
-            resourceInputs["sources"] = args ? args.sources : undefined;
+            resourceInputs["sources"] = args?.sources;
-            resourceInputs["tag"] = args ? args.tag : undefined;
+            resourceInputs["tag"] = args?.tag;
            resourceInputs["ref"] = undefined /*out*/;
        } else {
            resourceInputs["push"] = undefined /*out*/;
--- a/sdk/nodejs/provider.ts
+++ b/sdk/nodejs/provider.ts
@@ -25,7 +25,7 @@ export class Provider extends pulumi.ProviderResource {
    /**
     * The build daemon's address.
     */
-    public readonly host!: pulumi.Output<string | undefined>;
+    declare public readonly host: pulumi.Output<string | undefined>;
    /**
     * Create a Provider resource with the given unique name, arguments, and options.
@@ -38,8 +38,8 @@ export class Provider extends pulumi.ProviderResource {
        let resourceInputs: pulumi.Inputs = {};
        opts = opts || {};
        {
-            resourceInputs["host"] = (args ? args.host : undefined) ?? (utilities.getEnv("DOCKER_HOST") || "");
+            resourceInputs["host"] = (args?.host) ?? (utilities.getEnv("DOCKER_HOST") || "");
-            resourceInputs["registries"] = pulumi.output(args ? args.registries : undefined).apply(JSON.stringify);
+            resourceInputs["registries"] = pulumi.output(args?.registries).apply(JSON.stringify);
        }
        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
        super(Provider.__pulumiType, name, resourceInputs, opts);
--- a/sdk/nodejs/tsconfig.json
+++ b/sdk/nodejs/tsconfig.json
@@ -1,7 +1,7 @@
 {
    "compilerOptions": {
        "outDir": "bin",
-        "target": "es2016",
+        "target": "ES2020",
        "module": "commonjs",
        "moduleResolution": "node",
        "declaration": true,
Author	SHA1	Message	Date
Pulumi Bot	9d9c16498f	[internal] Update GitHub Actions workflow files	2025-09-29 18:05:11 +00:00
Cory Hall	6ae16f10ff	chore: update modulePath in ci-mgmt (#607 ) This is needed for https://github.com/pulumi/ci-mgmt/pull/1730	2025-09-29 12:01:37 -04:00
Pulumi Bot	f17e43bad7	Update GitHub Actions workflows. (#604 ) This PR was automatically generated by the update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt repo, from commit 2b81d6d332c32c7ebc106fb53b745cbbfec266c7.	2025-09-16 05:49:46 +00:00
Pulumi Bot	bce330f598	Update GitHub Actions workflows. (#603 ) This PR was automatically generated by the update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt repo, from commit 0337d8381eace02d1b6fb82d43e3ab543bf5774a.	2025-09-12 23:58:08 +00:00
Pulumi Bot	5107181566	Update GitHub Actions workflows. (#602 ) This PR was automatically generated by the update-workflows-single-bridged-provider workflow in the pulumi/ci-mgmt repo, from commit c390ce58d72b0eb947d844358c3204353b21839c.	2025-09-11 19:03:02 +00:00
Bryce Lampe	0a2dd6e758	Confirming ESC fixes (#599 ) Validating https://github.com/pulumi/ci-mgmt/pull/1705.	2025-09-10 14:19:45 -07:00
Pulumi Bot	a0e387d0a8	Update GitHub Actions workflows. (#597 ) This PR was automatically generated by the update-workflows-single-bridged-provider workflow in the pulumi/ci-mgmt repo, from commit 42e0ba87f4de47d7ab085a3916669e193ec1ff4e. --------- Co-authored-by: Bryce Lampe <bryce@pulumi.com>	2025-09-10 19:49:21 +00:00
Bryce Lampe	daa144c232	Use ESC for secrets (#594 ) Refs https://github.com/pulumi/ci-mgmt/issues/1481	2025-09-10 09:45:06 -07:00
Pulumi Bot	1203c3b31f	Update GitHub Actions workflows. (#595 ) This PR was automatically generated by the update-workflows-single-bridged-provider workflow in the pulumi/ci-mgmt repo, from commit 4125efba3dbbc633190a388a9f8b0408d755089c.	2025-09-10 16:11:45 +00:00
Pulumi Bot	62ff8bf2d2	Update GitHub Actions workflows. (#593 ) This PR was automatically generated by the update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt repo, from commit 2ce6f269d9892f74ed14f645f41e402e7ff8d416. Co-authored-by: Bryce Lampe <bryce@pulumi.com>	2025-09-05 21:49:19 +00:00
Pulumi Bot	3b7e31b388	Automated upgrade: bump pulumi/pulumi to 3.192.0 (#592 ) Automated upgrade: bump pulumi/pulumi to 3.192.0 --------- Co-authored-by: Bryce Lampe <bryce@pulumi.com>	2025-09-05 14:36:43 -07:00
Pulumi Bot	c46d343c53	Update GitHub Actions workflows. (#586 ) This PR was automatically generated by the update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt repo, from commit ed2094cef48b491325b4ceebfceb6c0a555f1c04.	2025-08-28 05:49:05 +00:00
Pulumi Bot	4166f9da1b	Update GitHub Actions workflows. (#585 ) This PR was automatically generated by the update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt repo, from commit 89dd865db8cef8be4f3f0a978cf8007892e51567.	2025-08-27 19:47:54 +00:00
Bryce Lampe	4e934974ee	Update p-go-provider to fix version replacement behavior (#584 ) Updates p-go-provider to pull in https://github.com/pulumi/pulumi-go-provider/pull/410. In particular this fixes an issue where the provider would get replaced on version changes. Fixes https://github.com/pulumi/pulumi-docker-build/issues/581	2025-08-27 11:14:21 -07:00
Pulumi Bot	4262717644	Update GitHub Actions workflows. (#582 ) This PR was automatically generated by the update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt repo, from commit 19c542b12a65e3f3ec1d8213111262a9887dcda0.	2025-08-26 05:48:46 +00:00
Pulumi Bot	997794b59f	Update GitHub Actions workflows. (#580 ) This PR was automatically generated by the update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt repo, from commit dfe14f327ab8b4653dc5a4edf60e1f13814519e9.	2025-08-23 05:46:29 +00:00
Pulumi Bot	a168c92f12	Update GitHub Actions workflows. (#577 ) This PR was automatically generated by the update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt repo, from commit 9b60d6c643780f4a645273cb6a5b3dcce6687d94.	2025-08-15 21:38:53 +00:00
Pulumi Bot	91fdae679d	Update GitHub Actions workflows. (#575 ) This PR was automatically generated by the update-workflows-single-bridged-provider workflow in the pulumi/ci-mgmt repo, from commit 4ac37ece8be37ce71d07d3e42b89c7c306173b9b.	2025-08-15 16:45:42 +00:00
Pulumi Bot	ee4aa2505e	Update GitHub Actions workflows. (#574 ) This PR was automatically generated by the update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt repo, from commit f90df7559c86efa5ae3108b58c7d554865f2eb56.	2025-08-15 05:47:34 +00:00
Pulumi Bot	9fa5fcabe5	Update GitHub Actions workflows. (#572 ) This PR was automatically generated by the update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt repo, from commit b21f824c0283ef293cdf550403adf1d4bbfcfdb1.	2025-08-14 05:48:17 +00:00