[internal] Update GitHub Actions workflow files

Update dependency @pulumi/pulumi to v3.211.0 (#708 )
This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [@pulumi/pulumi](https://redirect.github.com/pulumi/pulumi) ([source](https://redirect.github.com/pulumi/pulumi/tree/HEAD/sdk/nodejs)) | dependencies | minor | [`3.210.0` -> `3.211.0`](https://renovatebot.com/diffs/npm/@pulumi%2fpulumi/3.210.0/3.211.0) | --- ### Release Notes <details> <summary>pulumi/pulumi (@pulumi/pulumi)</summary> ### [`v3.211.0`](https://redirect.github.com/pulumi/pulumi/releases/tag/v3.211.0) [Compare Source](https://redirect.github.com/pulumi/pulumi/compare/v3.210.0...v3.211.0) #### 3.211.0 (2025-12-11) ##### Features - \[cli/about] Print Node.js package manager information in `pulumi about` [#21163](https://redirect.github.com/pulumi/pulumi/pull/21163) - \[backend/diy] Add stack tags support for DIY backends (S3, Postgres, file-based, etc.). DIY backends now support stack tags functionality, bringing feature parity with cloud backends. This includes: - Full CRUD operations for stack tags (create, read, update, delete) - Automatic system tag injection (e.g., `pulumi:project`) - Tag filtering support in stack listing operations - Backward compatibility with existing stacks (no tags file required) - Atomic operations with caching for performance - Automatic cleanup of tag files when stacks are deleted Tags are stored as separate `.pulumi-tags` files alongside stack checkpoints, using a versioned JSON format. The implementation works across all DIY backend storage types including S3, Azure Blob, Google Cloud Storage, PostgreSQL, and local file systems. Example usage: ```bash pulumi stack tag set environment production pulumi stack tag set owner backend-team pulumi stack ls --tag-filter environment=production ``` [#19882](https://redirect.github.com/pulumi/pulumi/pull/19882) - \[backend/service] Improve startup performance with the service as backend [#21176](https://redirect.github.com/pulumi/pulumi/pull/21176) - \[sdk/nodejs] Add support for `replacement_trigger` in the NodeJS SDK [#20939](https://redirect.github.com/pulumi/pulumi/pull/20939) - \[sdk/python] Allow setting version for python component providers [#21149](https://redirect.github.com/pulumi/pulumi/pull/21149) ##### Bug Fixes - \[cli/package] Correctly identify the innermost Project/Plugin when running `pulumi package add` [#21137](https://redirect.github.com/pulumi/pulumi/pull/21137) - \[engine] Allow referencing multiple git/github/gitlab components from the same repo [#21119](https://redirect.github.com/pulumi/pulumi/pull/21119) - \[programgen/go] Account for name conflicts in resource creation functions [#21107](https://redirect.github.com/pulumi/pulumi/pull/21107) - \[sdk/python] Fix cancellation handling in a few places in the python language host [#21145](https://redirect.github.com/pulumi/pulumi/pull/21145) - \[sdkgen/go] Fix generation of lifted single-value calls in parameterized SDKs [#21115](https://redirect.github.com/pulumi/pulumi/pull/21115) ##### Miscellaneous - \[cli] Don't attempt to re-install plugin dependencies on load failure for plugins based on git with a nested path [#21148](https://redirect.github.com/pulumi/pulumi/pull/21148) - \[sdk/{dotnet,java,yaml}] Bump language runtimes for dotnet, java, and yaml [#21201](https://redirect.github.com/pulumi/pulumi/pull/21201) - \[cli/engine] Add language runtime metadata to update metadata [#21186](https://redirect.github.com/pulumi/pulumi/pull/21186) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - Monday through Friday ( * * * * 1-5 ) (UTC). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).  Co-authored-by: pulumi-renovate[bot] <189166143+pulumi-renovate[bot]@users.noreply.github.com>
2025-12-12 05:32:43 +00:00 · 2025-12-12 05:11:26 +00:00 · 2025-12-03 21:28:06 +00:00 · 2025-11-26 16:17:55 +00:00 · 2025-11-26 01:13:49 +00:00 · 2025-11-22 05:45:33 +00:00
61 changed files with 1937 additions and 2649 deletions
--- a/.ci-mgmt.yaml
+++ b/.ci-mgmt.yaml
@@ -4,23 +4,26 @@ major-version: 0
 providerDefaultBranch: main
 providerVersion: github.com/pulumi/pulumi-docker-build/provider.Version
 aws: true
 modulePath: .
 gcp: true
 sdkModuleDir: sdk/go/dockerbuild
 parallel: 3
 esc:
    enabled: true
 envOverride:
-  AWS_REGION: us-west-2
+    AWS_REGION: us-west-2
-  PULUMI_API: "https://api.pulumi-staging.io"
+    PULUMI_API: "https://api.pulumi-staging.io"
-  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
+    ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
-  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
+    ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
-  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
+    ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
-  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+    ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
-  AZURE_LOCATION: westus
+    AZURE_LOCATION: westus
-  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
+    DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
-  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
+    GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
-  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
+    GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
-  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
+    GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
-  GOOGLE_PROJECT: pulumi-ci-gcp-provider
+    GOOGLE_PROJECT: pulumi-ci-gcp-provider
-  GOOGLE_PROJECT_NUMBER: 895284651812
+    GOOGLE_PROJECT_NUMBER: 895284651812
-  GOOGLE_REGION: us-central1
+    GOOGLE_REGION: us-central1
-  GOOGLE_ZONE: us-central1-a
+    GOOGLE_ZONE: us-central1-a
-  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
+    DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
--- a/.config/mise.test.toml
+++ b/.config/mise.test.toml
@@ -0,0 +1,11 @@
 # WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
 # Overrides for test workflows
 [env]
 # Acceptance (specifically providertest) tests require that PULUMI_HOME be the default
 PULUMI_HOME = "{{ env.HOME }}/.pulumi"
 [tools]
 # always use pulumi latest for tests
 pulumi = "latest"
--- a/.config/mise.toml
+++ b/.config/mise.toml
@@ -0,0 +1,32 @@
 # WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
 # You can create your own root-level mise.toml file to override/augment this. See https://mise.jdx.dev/configuration.html
 [env]
 _.source = "{{config_root}}/scripts/get-versions.sh"
 PULUMI_HOME = "{{config_root}}/.pulumi"
 [tools]
 # Runtimes
 # TODO: we may not need 'get_env' once https://github.com/jdx/mise/discussions/6339 is fixed
 go = "{{ get_env(name='GO_VERSION_MISE', default='latest') }}"
 node = '20.19.5'
 python = '3.11.8'
 dotnet = '8.0.414'
 # Corretto version used as Java SE/OpenJDK version no longer offered
 java = 'corretto-11'
 # Executable tools
 pulumi = "{{ get_env(name='PULUMI_VERSION_MISE', default='latest') }}"
 "github:pulumi/pulumictl" = '0.0.50'
 "github:pulumi/schema-tools" = "0.6.0"
 "aqua:gradle/gradle-distributions" = '7.6.6'
 golangci-lint = "1.64.8" # See note about about overrides if you need to customize this.
 "npm:yarn" = "1.22.22"
 [settings]
 experimental = true # Required for Go binaries (e.g. pulumictl).
 lockfile = false
 [plugins]
 vfox-pulumi = "https://github.com/pulumi/vfox-pulumi"
--- a/.github/actions/download-provider/action.yml
+++ b/.github/actions/download-provider/action.yml
@@ -0,0 +1,19 @@
 name: Download Provider Binary
 description: Downloads the provider binary artifact and restores executable permissions
 runs:
  using: "composite"
  steps:
    - name: Download provider
      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin
    - name: UnTar provider binaries
      shell: bash
      run: tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{ github.workspace}}/bin
    - name: Restore Binary Permissions
      shell: bash
      run: find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print -exec chmod +x {} \;
--- a/.github/actions/download-sdk/action.yml
+++ b/.github/actions/download-sdk/action.yml
@@ -0,0 +1,20 @@
 name: Download SDK
 description: Downloads and extracts SDK artifacts for a specific language
 inputs:
  language:
    description: 'The SDK language to download (nodejs, python, dotnet, java)'
    required: true
 runs:
  using: "composite"
  steps:
    - name: Download SDK
      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        name: ${{ inputs.language }}-sdk.tar.gz
        path: ${{ github.workspace }}/sdk/
    - name: UnTar SDK folder
      shell: bash
      run: tar -zxf ${{ github.workspace }}/sdk/${{ inputs.language }}.tar.gz -C ${{ github.workspace }}/sdk/${{ inputs.language }}
--- a/.github/actions/esc-action/action.yaml
+++ b/.github/actions/esc-action/action.yaml
@@ -0,0 +1,12 @@
 name: "Load secrets"
 description: |
  This is a temporary action which assists with our migration to ESC. Instead
  of surrounding every step that references secrets with an "if ESC" block, we
  instead modify those steps to consume their secrets from this step's outputs.
  Then, later, we can replace this action with esc-action to actually load
  secrets from ESC.
 inputs: {}
 outputs: {}
 runs:
  using: "node20"
  main: "index.js"
--- a/.github/actions/esc-action/index.js
+++ b/.github/actions/esc-action/index.js
@@ -0,0 +1,14 @@
 const fs = require("fs");
 const file = process.env["GITHUB_OUTPUT"];
 var stream = fs.createWriteStream(file, { flags: "a" });
 for (const [name, value] of Object.entries(process.env)) {
  try {
    stream.write(`${name}<<EEEOOOFFF\n${value}\nEEEOOOFFF\n`); // << syntax accommodates multiline strings.
  } catch (err) {
    console.log(`error: failed to set output for ${name}: ${err.message}`);
  }
 }
 stream.end();
--- a/.github/actions/setup-tools/action.yml
+++ b/.github/actions/setup-tools/action.yml
@@ -0,0 +1,41 @@
 name: Setup Tools
 description: Installs all tools (Go, Node, Python, .NET, Java, Pulumi, etc.) using mise
 inputs:
  cache:
    description: Enable caching
    required: false
    default: "false"
  github_token:
    description: GitHub token
    required: true
 runs:
  using: "composite"
  steps:
    - name: Setup mise
      uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3
      env:
        MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
      with:
        version: 2025.11.6
        cache_save: ${{ inputs.cache }}
        github_token: ${{ inputs.github_token }}
    - name: Setup Go Cache
      uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6.1.0
      with:
        cache: ${{ inputs.cache }}
        cache-dependency-path: |
          provider/*.sum
          upstream/*.sum
          sdk/go/*.sum
          sdk/*.sum
          *.sum
    - name: Setup Node
      uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6
      with:
        # we don't set node-version because we install with mise.
        # this step is needed to setup npm auth
        registry-url: https://registry.npmjs.org
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -15,14 +15,6 @@ on:
    - "**"
  workflow_dispatch: {}
 env:
  AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
  AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
  AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
  AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
  SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' &&
    secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID
    == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
  PROVIDER: docker-build
  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
  TRAVIS_OS_NAME: linux
@@ -33,13 +25,10 @@ env:
  DOTNETVERSION: "8.0.x"
  JAVAVERSION: "11"
  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
  AWS_REGION: us-west-2
  AZURE_LOCATION: westus
  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -48,31 +37,40 @@ env:
  GOOGLE_REGION: us-central1
  GOOGLE_ZONE: us-central1-a
  PULUMI_API: https://api.pulumi-staging.io
 jobs:
  prerequisites:
    runs-on: ubuntu-latest
    name: prerequisites
    permissions:
      id-token: write # For ESC secrets.
      pull-requests: write # For schema check comment.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
-    - name: Install Go
+      env:
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
+        cache: 'true'
-        cache-dependency-path: "**/*.sum"
+        github_token: ${{ secrets.GITHUB_TOKEN }}
    - name: Install pulumictl
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
    - if: github.event_name == 'pull_request'
      name: Install Schema Tools
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
@@ -93,7 +91,7 @@ jobs:
          echo 'EOF';
        } >> "$GITHUB_ENV"
      env:
-        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
    - if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
      name: Comment on PR with Details of Schema Check
      uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
@@ -123,79 +121,37 @@ jobs:
          sdk/go/**/pulumiUtilities.go
          sdk/nodejs/package.json
          sdk/python/pyproject.toml
-    - name: Commit SDK changes for Renovate
+          sdk/java/build.gradle
      if: failure() && steps.worktreeClean.outcome == 'failure' &&
        contains(github.actor, 'renovate') && github.event_name ==
        'pull_request'
      shell: bash
      run: >
        git diff --quiet -- sdk && echo "no changes to sdk" && exit
        git config --global user.email "bot@pulumi.com"
        git config --global user.name "pulumi-bot"
        # Stash local changes and check out the PR's branch directly.
        git stash
        git fetch
        git checkout "origin/$HEAD_REF"
        # Apply and add our changes, but don't commit any files we expect to
        # always change due to versioning.
        git stash pop
        git add sdk
        git reset sdk/python/*/pulumi-plugin.json \
            sdk/python/pyproject.toml \
            sdk/dotnet/pulumi-plugin.json \
            sdk/dotnet/*.*.csproj \
            sdk/dotnet/version.txt \
            sdk/go/*/pulumi-plugin.json \
            sdk/go/*/internal/pulumiUtilities.go \
            sdk/nodejs/package.json
        git commit -m 'Commit SDK for Renovate'
        # Push with pulumi-bot credentials to trigger a re-run of the
        # workflow. https://github.com/orgs/community/discussions/25702
        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
      env:
        HEAD_REF: ${{ github.head_ref }}
    - run: git status --porcelain
    - name: Tar provider binaries
      run: tar -zcf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
        github.workspace}}/bin/ pulumi-resource-${{ env.PROVIDER }}
        pulumi-gen-${{ env.PROVIDER}}
    - name: Upload artifacts
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin/provider.tar.gz
    - name: Test Provider Library
      run: make test_provider
    - name: Upload coverage reports to Codecov
      uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
      env:
-        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        ARM_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.ARM_CLIENT_SECRET }}
        DIGITALOCEAN_TOKEN: ${{ steps.esc-secrets.outputs.DIGITALOCEAN_TOKEN }}
        DOCKER_HUB_PASSWORD: ${{ steps.esc-secrets.outputs.DOCKER_HUB_PASSWORD }}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Upload coverage reports to Codecov
      uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
      env:
        CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure in building provider prerequisites
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  build_sdks:
    needs: prerequisites
    runs-on: pulumi-ubuntu-8core
@@ -209,61 +165,36 @@ jobs:
        - go
        - java
    name: build_sdks
    permissions:
      pull-requests: write # For Renovate SDK updates.
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
-    - name: Install Go
+      env:
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
+        github_token: ${{ secrets.GITHUB_TOKEN }}
-        cache-dependency-path: "**/*.sum"
+    - name: Download Provider Binary
-    - name: Install pulumictl
+      uses: ./.github/actions/download-provider
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
    - name: Setup Node
      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
      with:
        node-version: ${{ env.NODEVERSION }}
        registry-url: https://registry.npmjs.org
    - name: Setup DotNet
      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
      with:
        dotnet-version: ${{ env.DOTNETVERSION }}
    - name: Setup Python
      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
      with:
        python-version: ${{ env.PYTHONVERSION }}
    - name: Setup Java
      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
      with:
        java-version: ${{ env.JAVAVERSION }}
        distribution: temurin
        cache: gradle
    - name: Setup Gradle
      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
      with:
        gradle-version: "7.6"
    - name: Download provider
      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin
    - name: UnTar provider binaries
      run: tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
        github.workspace}}/bin
    - name: Restore Binary Permissions
      run: find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print
        -exec chmod +x {} \;
    - name: Generate SDK
      run: make generate_${{ matrix.language }}
    - name: Build SDK
@@ -279,78 +210,47 @@ jobs:
          sdk/go/**/pulumiUtilities.go
          sdk/nodejs/package.json
          sdk/python/pyproject.toml
-    - name: Commit SDK changes for Renovate
+          sdk/java/build.gradle
      if: failure() && steps.worktreeClean.outcome == 'failure' &&
        contains(github.actor, 'renovate') && github.event_name ==
        'pull_request'
      shell: bash
      run: >
        git diff --quiet -- sdk && echo "no changes to sdk" && exit
        git config --global user.email "bot@pulumi.com"
        git config --global user.name "pulumi-bot"
        # Stash local changes and check out the PR's branch directly.
        git stash
        git fetch
        git checkout "origin/$HEAD_REF"
        # Apply and add our changes, but don't commit any files we expect to
        # always change due to versioning.
        git stash pop
        git add sdk
        git reset sdk/python/*/pulumi-plugin.json \
            sdk/python/pyproject.toml \
            sdk/dotnet/pulumi-plugin.json \
            sdk/dotnet/*.*.csproj \
            sdk/dotnet/version.txt \
            sdk/go/*/pulumi-plugin.json \
            sdk/go/*/internal/pulumiUtilities.go \
            sdk/nodejs/package.json
        git commit -m 'Commit SDK for Renovate'
        # Push with pulumi-bot credentials to trigger a re-run of the
        # workflow. https://github.com/orgs/community/discussions/25702
        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
      env:
        HEAD_REF: ${{ github.head_ref }}
    - run: git status --porcelain
    - name: Tar SDK folder
      run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} .
    - name: Upload artifacts
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
      with:
        name: ${{ matrix.language  }}-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/${{ matrix.language }}.tar.gz
        retention-days: 30
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure while building SDKs
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  tag_release_if_labeled_needs_release:
    name: Tag release if labeled as needs-release
    needs: publish
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - name: check if this commit needs release
      if: ${{ env.RELEASE_BOT_ENDPOINT != '' }}
      uses: pulumi/action-release-by-pr-label@main
@@ -358,10 +258,10 @@ jobs:
        command: "release-if-needed"
        repo: ${{ github.repository }}
        commit: ${{ github.sha }}
-        slack_channel: ${{ secrets.RELEASE_OPS_SLACK_CHANNEL }}
+        slack_channel: C02MGR8JVST
      env:
-        RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }}
+        RELEASE_BOT_ENDPOINT: ${{ steps.esc-secrets.outputs.RELEASE_BOT_ENDPOINT }}
-        RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }}
+        RELEASE_BOT_KEY: ${{ steps.esc-secrets.outputs.RELEASE_BOT_KEY }}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  test:
@@ -381,72 +281,39 @@ jobs:
    name: test
    permissions:
      contents: read
-      id-token: write
+      id-token: write # For ESC secrets and Pulumi access token OIDC.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
-    - name: Install Go
+      env:
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
+        github_token: ${{ secrets.GITHUB_TOKEN }}
-        cache-dependency-path: "**/*.sum"
+    - name: Download Provider Binary
-    - name: Install pulumictl
+      uses: ./.github/actions/download-provider
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
    - name: Setup Node
      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
      with:
        node-version: ${{ env.NODEVERSION }}
        registry-url: https://registry.npmjs.org
    - name: Setup DotNet
      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
      with:
        dotnet-version: ${{ env.DOTNETVERSION }}
    - name: Setup Python
      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
      with:
        python-version: ${{ env.PYTHONVERSION }}
    - name: Setup Java
      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
      with:
        java-version: ${{ env.JAVAVERSION }}
        distribution: temurin
        cache: gradle
    - name: Setup Gradle
      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
      with:
        gradle-version: "7.6"
    - name: Download provider
      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin
    - name: UnTar provider binaries
      run: tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
        github.workspace}}/bin
    - name: Restore Binary Permissions
      run: find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print
        -exec chmod +x {} \;
    - name: Download SDK
      if: ${{ matrix.language != 'yaml' }}
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: ./.github/actions/download-sdk
      with:
-        name: ${{ matrix.language }}-sdk.tar.gz
+        language: ${{ matrix.language }}
        path: ${{ github.workspace}}/sdk/
    - name: UnTar SDK folder
      if: ${{ matrix.language != 'yaml' }}
      run: tar -zxf ${{ github.workspace}}/sdk/${{ matrix.language}}.tar.gz -C ${{
        github.workspace}}/sdk/${{ matrix.language}}
    - name: Update path
      run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
    - name: Install Node dependencies
@@ -467,13 +334,13 @@ jobs:
        requested-token-type: urn:pulumi:token-type:access_token:organization
        export-environment-variables: false
    - name: Export AWS Credentials
-      uses: pulumi/esc-action@efb0bc8946938f0dfbfa00e829196ec95f0d0ea7 # v1.4.0
+      uses: pulumi/esc-action@6cf9520e68354d86f81c455e8d43eabd58f5c9f5 # v1.5.0
      env:
        PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
      with:
        environment: logins/pulumi-ci
    - name: Authenticate to Google Cloud
-      uses: google-github-actions/auth@b7593ed2efd1c1617e1b0254da33b86225adb2a5 # v2.1.12
+      uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
      with:
        workload_identity_provider: projects/${{ env.GOOGLE_PROJECT_NUMBER
          }}/locations/global/workloadIdentityPools/${{
@@ -481,7 +348,7 @@ jobs:
          env.GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER }}
        service_account: ${{ env.GOOGLE_CI_SERVICE_ACCOUNT_EMAIL }}
    - name: Setup gcloud auth
-      uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
+      uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
      with:
        install_components: gke-gcloud-auth-plugin
    - name: Install gotestfmt
@@ -494,34 +361,49 @@ jobs:
        set -euo pipefail
        cd examples && go test -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 .
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure in SDK tests
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  publish:
    runs-on: ubuntu-latest
    needs: test
    name: publish
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
-    - name: Install Go
+      env:
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
+        github_token: ${{ secrets.GITHUB_TOKEN }}
        cache-dependency-path: "**/*.sum"
    - name: Clear GitHub Actions Ubuntu runner disk space
      uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
      with:
@@ -531,84 +413,78 @@ jobs:
        haskell: true
        swap-storage: true
        large-packages: false
    - name: Install pulumictl
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
    - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
+      uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
      with:
-        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }}
        aws-region: us-east-2
-        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-secret-access-key: ${{ steps.esc-secrets.outputs.AWS_SECRET_ACCESS_KEY }}
        role-duration-seconds: 7200
        role-session-name: ${{ env.PROVIDER }}@githubActions
        role-external-id: upload-pulumi-release
-        role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
+        role-to-assume: ${{ steps.esc-secrets.outputs.AWS_UPLOAD_ROLE_ARN }}
    - name: Run GoReleaser
      uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
      env:
        GORELEASER_CURRENT_TAG: v${{ steps.version.outputs.version }}
        AZURE_SIGNING_CLIENT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID }}
        AZURE_SIGNING_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET }}
        AZURE_SIGNING_TENANT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID }}
        AZURE_SIGNING_KEY_VAULT_URI: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI }}
        SKIP_SIGNING: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET == '' && steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI == '' }}
        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
      with:
        args: -p 3 -f .goreleaser.prerelease.yml --clean --skip=validate --timeout 60m0s
        version: latest
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure in publishing binaries
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  publish_sdk:
    runs-on: ubuntu-latest
    needs: publish
    name: publish_sdk
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Checkout Scripts Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        path: ci-scripts
        repository: pulumi/scripts
    - run: echo "ci-scripts" >> .git/info/exclude
-    - name: Install Go
+    - name: Setup Tools
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
+        github_token: ${{ secrets.GITHUB_TOKEN }}
        cache-dependency-path: "**/*.sum"
    - name: Install pulumictl
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
    - name: Setup Node
      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
      with:
        node-version: ${{ env.NODEVERSION }}
        registry-url: https://registry.npmjs.org
    - name: Setup DotNet
      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
      with:
        dotnet-version: ${{ env.DOTNETVERSION }}
    - name: Setup Python
      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
      with:
        python-version: ${{ env.PYTHONVERSION }}
    - name: Download python SDK
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        name: python-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -616,7 +492,7 @@ jobs:
      run: tar -zxf ${{github.workspace}}/sdk/python.tar.gz -C
        ${{github.workspace}}/sdk/python
    - name: Download dotnet SDK
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        name: dotnet-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -624,7 +500,7 @@ jobs:
      run: tar -zxf ${{github.workspace}}/sdk/dotnet.tar.gz -C
        ${{github.workspace}}/sdk/dotnet
    - name: Download nodejs SDK
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        name: nodejs-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -636,48 +512,46 @@ jobs:
    - name: Publish SDKs
      run: ./ci-scripts/ci/publish-tfgen-package ${{ github.workspace }}
      env:
-        NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
+        NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }}
-        NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }}
        PYPI_PUBLISH_ARTIFACTS: all
        PYPI_USERNAME: __token__
-        PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+        PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }}
-        SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
+        SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }}
-        SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
+        SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }}
-        SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
+        SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }}
-        PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+        PUBLISH_REPO_USERNAME: ${{ steps.esc-secrets.outputs.OSSRH_USERNAME }}
-        PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+        PUBLISH_REPO_PASSWORD: ${{ steps.esc-secrets.outputs.OSSRH_PASSWORD }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure in publishing SDK
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  lint:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true
        persist-credentials: false
        ref: ${{ env.PR_COMMIT_SHA }}
-    - name: Install Go
+    - name: Setup Tools
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
+        github_token: ${{ secrets.GITHUB_TOKEN }}
        cache-dependency-path: "**/*.sum"
    - name: Disarm go:embed directives to enable linters that compile source code
      run: git grep -l 'go:embed' -- provider | xargs --no-run-if-empty sed -i
        's/go:embed/ goembed/g'
    - name: golangci-lint provider pkg
      uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6.5.2
      with:
-        version: ${{ env.GOLANGCI_LINT_VERSION }}
+        install-mode: none # Handled by mise.
-        args: -c ../.golangci.yml
+        working-directory: .
        working-directory: provider
    name: lint
    if: github.event_name == 'repository_dispatch' ||
      github.event.pull_request.head.repo.full_name == github.repository
--- a/.github/workflows/command-dispatch.yml
+++ b/.github/workflows/command-dispatch.yml
@@ -2,13 +2,10 @@
 env:
  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
  AWS_REGION: us-west-2
  AZURE_LOCATION: westus
  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -17,16 +14,30 @@ env:
  GOOGLE_REGION: us-central1
  GOOGLE_ZONE: us-central1-a
  PULUMI_API: https://api.pulumi-staging.io
  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
 jobs:
  command-dispatch-for-testing:
    name: command-dispatch-for-testing
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        persist-credentials: false    
-    - uses: peter-evans/slash-command-dispatch@13bc09769d122a64f75aa5037256f6f2d78be8c4 # v4
+    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - uses: peter-evans/slash-command-dispatch@5c11dc7efead556e3bdabf664302212f79eb26fa # v5
      with:
        commands: |
          run-acceptance-tests
@@ -35,7 +46,7 @@ jobs:
        permission: write
        reaction-token: ${{ secrets.GITHUB_TOKEN }}
        repository: pulumi/pulumi-docker-build
-        token: ${{ secrets.PULUMI_BOT_TOKEN }}
+        token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
 name: command-dispatch
 on:
  issue_comment:
--- a/.github/workflows/comment-on-stale-issues.yml
+++ b/.github/workflows/comment-on-stale-issues.yml
@@ -9,7 +9,7 @@ jobs:
    runs-on: ubuntu-latest
    name: Stale issue job
    steps:
-    - uses: aws-actions/stale-issue-cleanup@5650b49bcd757a078f6ca06c373d7807b773f9bc #v7.1.0
+    - uses: aws-actions/stale-issue-cleanup@5650b49bcd757a078f6ca06c373d7807b773f9bc # v7.1.0
      with:
        issue-types: issues # only look at issues (ignore pull-requests)
--- a/.github/workflows/community-moderation.yml
+++ b/.github/workflows/community-moderation.yml
@@ -1,14 +1,12 @@
 # WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 jobs:
  warn_codegen:
    name: warn_codegen
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        persist-credentials: false
    - id: schema_changed
--- a/.github/workflows/export-repo-secrets.yml
+++ b/.github/workflows/export-repo-secrets.yml
@@ -0,0 +1,25 @@
 permissions: write-all # Equivalent to default permissions plus id-token: write
 name: Export secrets to ESC
 on: [workflow_dispatch]
 jobs:
  export-to-esc:
    runs-on: ubuntu-latest
    name: export GitHub secrets to ESC
    steps:
      - name: Generate a GitHub token
        id: generate-token
        uses: actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf # v2
        with:
          app-id: 1256780 # Export Secrets GitHub App
          private-key: ${{ secrets.EXPORT_SECRETS_PRIVATE_KEY }}
      - name: Export secrets to ESC
        uses: pulumi/esc-export-secrets-action@9d6485759b6adff2538ae91f1b77cc96265c9dad # v1
        with:
          organization: pulumi
          org-environment: imports/github-secrets
          exclude-secrets: EXPORT_SECRETS_PRIVATE_KEY
          github-token: ${{ steps.generate-token.outputs.token }}
          oidc-auth: true
          oidc-requested-token-type: urn:pulumi:token-type:access_token:organization
        env:
          GITHUB_SECRETS: ${{ toJSON(secrets) }}
--- a/.github/workflows/prerelease.yml
+++ b/.github/workflows/prerelease.yml
@@ -6,14 +6,6 @@ on:
    tags:
    - v*.*.*-**
 env:
  AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
  AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
  AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
  AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
  SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' &&
    secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID
    == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
  PROVIDER: docker-build
  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
  TRAVIS_OS_NAME: linux
@@ -24,13 +16,10 @@ env:
  DOTNETVERSION: "8.0.x"
  JAVAVERSION: "11"
  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
  AWS_REGION: us-west-2
  AZURE_LOCATION: westus
  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -40,31 +29,37 @@ env:
  GOOGLE_ZONE: us-central1-a
  PULUMI_API: https://api.pulumi-staging.io
  IS_PRERELEASE: true
 jobs:
  prerequisites:
    runs-on: ubuntu-latest
    name: prerequisites
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
-    - name: Install Go
+      env:
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
+        cache: 'true'
-        cache-dependency-path: "**/*.sum"
+        github_token: ${{ secrets.GITHUB_TOKEN }}
    - name: Install pulumictl
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
    - if: github.event_name == 'pull_request'
      name: Install Schema Tools
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
@@ -85,7 +80,7 @@ jobs:
          echo 'EOF';
        } >> "$GITHUB_ENV"
      env:
-        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
    - if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
      name: Comment on PR with Details of Schema Check
      uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
@@ -115,79 +110,37 @@ jobs:
          sdk/go/**/pulumiUtilities.go
          sdk/nodejs/package.json
          sdk/python/pyproject.toml
-    - name: Commit SDK changes for Renovate
+          sdk/java/build.gradle
      if: failure() && steps.worktreeClean.outcome == 'failure' &&
        contains(github.actor, 'renovate') && github.event_name ==
        'pull_request'
      shell: bash
      run: >
        git diff --quiet -- sdk && echo "no changes to sdk" && exit
        git config --global user.email "bot@pulumi.com"
        git config --global user.name "pulumi-bot"
        # Stash local changes and check out the PR's branch directly.
        git stash
        git fetch
        git checkout "origin/$HEAD_REF"
        # Apply and add our changes, but don't commit any files we expect to
        # always change due to versioning.
        git stash pop
        git add sdk
        git reset sdk/python/*/pulumi-plugin.json \
            sdk/python/pyproject.toml \
            sdk/dotnet/pulumi-plugin.json \
            sdk/dotnet/*.*.csproj \
            sdk/dotnet/version.txt \
            sdk/go/*/pulumi-plugin.json \
            sdk/go/*/internal/pulumiUtilities.go \
            sdk/nodejs/package.json
        git commit -m 'Commit SDK for Renovate'
        # Push with pulumi-bot credentials to trigger a re-run of the
        # workflow. https://github.com/orgs/community/discussions/25702
        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
      env:
        HEAD_REF: ${{ github.head_ref }}
    - run: git status --porcelain
    - name: Tar provider binaries
      run: tar -zcf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
        github.workspace}}/bin/ pulumi-resource-${{ env.PROVIDER }}
        pulumi-gen-${{ env.PROVIDER}}
    - name: Upload artifacts
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin/provider.tar.gz
    - name: Test Provider Library
      run: make test_provider
    - name: Upload coverage reports to Codecov
      uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
      env:
-        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        ARM_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.ARM_CLIENT_SECRET }}
        DIGITALOCEAN_TOKEN: ${{ steps.esc-secrets.outputs.DIGITALOCEAN_TOKEN }}
        DOCKER_HUB_PASSWORD: ${{ steps.esc-secrets.outputs.DOCKER_HUB_PASSWORD }}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Upload coverage reports to Codecov
      uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
      env:
        CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure in building provider prerequisites
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  build_sdks:
    needs: prerequisites
    runs-on: pulumi-ubuntu-8core
@@ -201,61 +154,36 @@ jobs:
        - go
        - java
    name: build_sdks
    permissions:
      pull-requests: write # For Renovate SDK updates.
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
-    - name: Install Go
+      env:
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
+        github_token: ${{ secrets.GITHUB_TOKEN }}
-        cache-dependency-path: "**/*.sum"
+    - name: Download Provider Binary
-    - name: Install pulumictl
+      uses: ./.github/actions/download-provider
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
    - name: Setup Node
      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
      with:
        node-version: ${{ env.NODEVERSION }}
        registry-url: https://registry.npmjs.org
    - name: Setup DotNet
      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
      with:
        dotnet-version: ${{ env.DOTNETVERSION }}
    - name: Setup Python
      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
      with:
        python-version: ${{ env.PYTHONVERSION }}
    - name: Setup Java
      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
      with:
        java-version: ${{ env.JAVAVERSION }}
        distribution: temurin
        cache: gradle
    - name: Setup Gradle
      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
      with:
        gradle-version: "7.6"
    - name: Download provider
      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin
    - name: UnTar provider binaries
      run: tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
        github.workspace}}/bin
    - name: Restore Binary Permissions
      run: find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print
        -exec chmod +x {} \;
    - name: Generate SDK
      run: make generate_${{ matrix.language }}
    - name: Build SDK
@@ -271,71 +199,24 @@ jobs:
          sdk/go/**/pulumiUtilities.go
          sdk/nodejs/package.json
          sdk/python/pyproject.toml
-    - name: Commit ${{ matrix.language }} SDK changes for Renovate
+          sdk/java/build.gradle
      if: failure() && steps.worktreeClean.outcome == 'failure' &&
        contains(github.actor, 'renovate') && github.event_name ==
        'pull_request'
      shell: bash
      run: >
        git diff --quiet -- sdk && echo "no changes to sdk" && exit
        git config --global user.email "bot@pulumi.com"
        git config --global user.name "pulumi-bot"
        # Stash local changes and check out the PR's branch directly.
        git stash
        git fetch
        git checkout "origin/$HEAD_REF"
        # Apply and add our changes, but don't commit any files we expect to
        # always change due to versioning.
        git stash pop
        git add sdk
        git reset sdk/python/*/pulumi-plugin.json \
            sdk/python/pyproject.toml \
            sdk/dotnet/pulumi-plugin.json \
            sdk/dotnet/*.*.csproj \
            sdk/dotnet/version.txt \
            sdk/go/*/pulumi-plugin.json \
            sdk/go/*/internal/pulumiUtilities.go \
            sdk/nodejs/package.json
        git commit -m 'Commit ${{ matrix.language }} SDK for Renovate'
        # Push with pulumi-bot credentials to trigger a re-run of the
        # workflow. https://github.com/orgs/community/discussions/25702
        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
      env:
        HEAD_REF: ${{ github.head_ref }}
    - run: git status --porcelain
    - name: Tar SDK folder
      run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} .
    - name: Upload artifacts
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
      with:
        name: ${{ matrix.language  }}-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/${{ matrix.language }}.tar.gz
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure while building SDKs
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  test:
    runs-on: pulumi-ubuntu-8core
    needs:
@@ -353,72 +234,39 @@ jobs:
    name: test
    permissions:
      contents: read
-      id-token: write
+      id-token: write # For ESC secrets and Pulumi access token OIDC.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
-    - name: Install Go
+      env:
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
+        github_token: ${{ secrets.GITHUB_TOKEN }}
-        cache-dependency-path: "**/*.sum"
+    - name: Download Provider Binary
-    - name: Install pulumictl
+      uses: ./.github/actions/download-provider
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
    - name: Setup Node
      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
      with:
        node-version: ${{ env.NODEVERSION }}
        registry-url: https://registry.npmjs.org
    - name: Setup DotNet
      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
      with:
        dotnet-version: ${{ env.DOTNETVERSION }}
    - name: Setup Python
      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
      with:
        python-version: ${{ env.PYTHONVERSION }}
    - name: Setup Java
      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
      with:
        java-version: ${{ env.JAVAVERSION }}
        distribution: temurin
        cache: gradle
    - name: Setup Gradle
      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
      with:
        gradle-version: "7.6"
    - name: Download provider
      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin
    - name: UnTar provider binaries
      run: tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
        github.workspace}}/bin
    - name: Restore Binary Permissions
      run: find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print
        -exec chmod +x {} \;
    - name: Download SDK
      if: ${{ matrix.language != 'yaml' }}
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: ./.github/actions/download-sdk
      with:
-        name: ${{ matrix.language }}-sdk.tar.gz
+        language: ${{ matrix.language }}
        path: ${{ github.workspace}}/sdk/
    - name: UnTar SDK folder
      if: ${{ matrix.language != 'yaml' }}
      run: tar -zxf ${{ github.workspace}}/sdk/${{ matrix.language}}.tar.gz -C ${{
        github.workspace}}/sdk/${{ matrix.language}}
    - name: Update path
      run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
    - name: Install Node dependencies
@@ -439,13 +287,13 @@ jobs:
        requested-token-type: urn:pulumi:token-type:access_token:organization
        export-environment-variables: false
    - name: Export AWS Credentials
-      uses: pulumi/esc-action@efb0bc8946938f0dfbfa00e829196ec95f0d0ea7 # v1.4.0
+      uses: pulumi/esc-action@6cf9520e68354d86f81c455e8d43eabd58f5c9f5 # v1.5.0
      env:
        PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
      with:
        environment: logins/pulumi-ci
    - name: Authenticate to Google Cloud
-      uses: google-github-actions/auth@b7593ed2efd1c1617e1b0254da33b86225adb2a5 # v2.1.12
+      uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
      with:
        workload_identity_provider: projects/${{ env.GOOGLE_PROJECT_NUMBER
          }}/locations/global/workloadIdentityPools/${{
@@ -453,7 +301,7 @@ jobs:
          env.GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER }}
        service_account: ${{ env.GOOGLE_CI_SERVICE_ACCOUNT_EMAIL }}
    - name: Setup gcloud auth
-      uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
+      uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
      with:
        install_components: gke-gcloud-auth-plugin
    - name: Install gotestfmt
@@ -466,34 +314,49 @@ jobs:
        set -euo pipefail
        cd examples && go test -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 .
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure in SDK tests
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  publish:
    runs-on: ubuntu-latest
    needs: test
    name: publish
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
-    - name: Install Go
+      env:
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
+        github_token: ${{ secrets.GITHUB_TOKEN }}
        cache-dependency-path: "**/*.sum"
    - name: Clear GitHub Actions Ubuntu runner disk space
      uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
      with:
@@ -503,84 +366,78 @@ jobs:
        haskell: true
        swap-storage: true
        large-packages: false
    - name: Install pulumictl
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
    - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
+      uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
      with:
-        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }}
        aws-region: us-east-2
-        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-secret-access-key: ${{ steps.esc-secrets.outputs.AWS_SECRET_ACCESS_KEY }}
        role-duration-seconds: 7200
        role-session-name: ${{ env.PROVIDER }}@githubActions
        role-external-id: upload-pulumi-release
-        role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
+        role-to-assume: ${{ steps.esc-secrets.outputs.AWS_UPLOAD_ROLE_ARN }}
    - name: Run GoReleaser
      uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
      env:
        GORELEASER_CURRENT_TAG: v${{ steps.version.outputs.version }}
        AZURE_SIGNING_CLIENT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID }}
        AZURE_SIGNING_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET }}
        AZURE_SIGNING_TENANT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID }}
        AZURE_SIGNING_KEY_VAULT_URI: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI }}
        SKIP_SIGNING: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET == '' && steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI == '' }}
        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
      with:
        args: -p 3 -f .goreleaser.prerelease.yml --clean --skip=validate --timeout 60m0s
        version: latest
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure in publishing binaries
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  publish_sdk:
    runs-on: ubuntu-latest
    needs: publish
    name: publish_sdk
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Checkout Scripts Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        path: ci-scripts
        repository: pulumi/scripts
    - run: echo "ci-scripts" >> .git/info/exclude
-    - name: Install Go
+    - name: Setup Tools
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
+        github_token: ${{ secrets.GITHUB_TOKEN }}
        cache-dependency-path: "**/*.sum"
    - name: Install pulumictl
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
    - name: Setup Node
      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
      with:
        node-version: ${{ env.NODEVERSION }}
        registry-url: https://registry.npmjs.org
    - name: Setup DotNet
      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
      with:
        dotnet-version: ${{ env.DOTNETVERSION }}
    - name: Setup Python
      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
      with:
        python-version: ${{ env.PYTHONVERSION }}
    - name: Download python SDK
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        name: python-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -588,7 +445,7 @@ jobs:
      run: tar -zxf ${{github.workspace}}/sdk/python.tar.gz -C
        ${{github.workspace}}/sdk/python
    - name: Download dotnet SDK
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        name: dotnet-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -596,7 +453,7 @@ jobs:
      run: tar -zxf ${{github.workspace}}/sdk/dotnet.tar.gz -C
        ${{github.workspace}}/sdk/dotnet
    - name: Download nodejs SDK
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        name: nodejs-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -608,58 +465,55 @@ jobs:
    - name: Publish SDKs
      run: ./ci-scripts/ci/publish-tfgen-package ${{ github.workspace }}
      env:
-        NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
+        NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }}
-        NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }}
        PYPI_PUBLISH_ARTIFACTS: all
        PYPI_USERNAME: __token__
-        PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+        PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure in publishing SDK
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  publish_java_sdk:
    runs-on: ubuntu-latest
    continue-on-error: true
    needs: publish
    name: publish_java_sdk
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
-    - name: Install Go
+      env:
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
+        github_token: ${{ secrets.GITHUB_TOKEN }}
        cache-dependency-path: "**/*.sum"
    - name: Install pulumictl
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
    - name: Setup Java
      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
      with:
        java-version: ${{ env.JAVAVERSION }}
        distribution: temurin
        cache: gradle
    - name: Setup Gradle
      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
      with:
        gradle-version: "7.6"
    - name: Download java SDK
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        name: java-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -667,34 +521,36 @@ jobs:
      run: tar -zxf ${{github.workspace}}/sdk/java.tar.gz -C
        ${{github.workspace}}/sdk/java
    - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
+      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
      with:
        gradle-version: "7.6"
    - name: Publish Java SDK
      run: gradle -p ./sdk/java publishToSonatype closeAndReleaseSonatypeStagingRepository
      env:
        PACKAGE_VERSION: ${{ env.PROVIDER_VERSION }}
-        SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
+        SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }}
-        SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
+        SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }}
-        SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
+        SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }}
-        PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+        PUBLISH_REPO_PASSWORD: ${{ steps.esc-secrets.outputs.OSSRH_PASSWORD }}
-        PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+        PUBLISH_REPO_USERNAME: ${{ steps.esc-secrets.outputs.OSSRH_USERNAME }}
  publish_go_sdk:
    runs-on: ubuntu-latest
    name: publish-go-sdk
    needs: publish_sdk
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Download go SDK
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        name: go-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -3,41 +3,14 @@
 name: pull-request
 on:
  pull_request_target: {}
-env:
+
  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
  PROVIDER: docker-build
  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
  TRAVIS_OS_NAME: linux
  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
  GOVERSION: "1.21.x"
  NODEVERSION: "20.x"
  PYTHONVERSION: "3.11.8"
  DOTNETVERSION: "8.0.x"
  JAVAVERSION: "11"
  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
  AWS_REGION: us-west-2
  AZURE_LOCATION: westus
  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
  GOOGLE_PROJECT: pulumi-ci-gcp-provider
  GOOGLE_PROJECT_NUMBER: "895284651812"
  GOOGLE_REGION: us-central1
  GOOGLE_ZONE: us-central1-a
  PULUMI_API: https://api.pulumi-staging.io
 jobs:
  comment-on-pr:
    runs-on: ubuntu-latest
    name: comment-on-pr
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true
    - name: Comment PR
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,14 +7,6 @@ on:
    - v*.*.*
    - "!v*.*.*-**"
 env:
  AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
  AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
  AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
  AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
  SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' &&
    secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID
    == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
  PROVIDER: docker-build
  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
  TRAVIS_OS_NAME: linux
@@ -25,13 +17,10 @@ env:
  DOTNETVERSION: "8.0.x"
  JAVAVERSION: "11"
  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
  AWS_REGION: us-west-2
  AZURE_LOCATION: westus
  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -40,31 +29,40 @@ env:
  GOOGLE_REGION: us-central1
  GOOGLE_ZONE: us-central1-a
  PULUMI_API: https://api.pulumi-staging.io
 jobs:
  prerequisites:
    runs-on: ubuntu-latest
    name: prerequisites
    permissions:
      id-token: write # For ESC secrets.
      pull-requests: write # For schema check comment.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
-    - name: Install Go
+      env:
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
+        cache: 'true'
-        cache-dependency-path: "**/*.sum"
+        github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
    - name: Install pulumictl
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
    - if: github.event_name == 'pull_request'
      name: Install Schema Tools
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
@@ -85,7 +83,7 @@ jobs:
          echo 'EOF';
        } >> "$GITHUB_ENV"
      env:
-        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
    - if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
      name: Comment on PR with Details of Schema Check
      uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
@@ -115,79 +113,37 @@ jobs:
          sdk/go/**/pulumiUtilities.go
          sdk/nodejs/package.json
          sdk/python/pyproject.toml
-    - name: Commit SDK changes for Renovate
+          sdk/java/build.gradle
      if: failure() && steps.worktreeClean.outcome == 'failure' &&
        contains(github.actor, 'renovate') && github.event_name ==
        'pull_request'
      shell: bash
      run: >
        git diff --quiet -- sdk && echo "no changes to sdk" && exit
        git config --global user.email "bot@pulumi.com"
        git config --global user.name "pulumi-bot"
        # Stash local changes and check out the PR's branch directly.
        git stash
        git fetch
        git checkout "origin/$HEAD_REF"
        # Apply and add our changes, but don't commit any files we expect to
        # always change due to versioning.
        git stash pop
        git add sdk
        git reset sdk/python/*/pulumi-plugin.json \
            sdk/python/pyproject.toml \
            sdk/dotnet/pulumi-plugin.json \
            sdk/dotnet/*.*.csproj \
            sdk/dotnet/version.txt \
            sdk/go/*/pulumi-plugin.json \
            sdk/go/*/internal/pulumiUtilities.go \
            sdk/nodejs/package.json
        git commit -m 'Commit SDK for Renovate'
        # Push with pulumi-bot credentials to trigger a re-run of the
        # workflow. https://github.com/orgs/community/discussions/25702
        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
      env:
        HEAD_REF: ${{ github.head_ref }}
    - run: git status --porcelain
    - name: Tar provider binaries
      run: tar -zcf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
        github.workspace}}/bin/ pulumi-resource-${{ env.PROVIDER }}
        pulumi-gen-${{ env.PROVIDER}}
    - name: Upload artifacts
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin/provider.tar.gz
    - name: Test Provider Library
      run: make test_provider
    - name: Upload coverage reports to Codecov
      uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
      env:
-        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        ARM_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.ARM_CLIENT_SECRET }}
        DIGITALOCEAN_TOKEN: ${{ steps.esc-secrets.outputs.DIGITALOCEAN_TOKEN }}
        DOCKER_HUB_PASSWORD: ${{ steps.esc-secrets.outputs.DOCKER_HUB_PASSWORD }}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Upload coverage reports to Codecov
      uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
      env:
        CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure in building provider prerequisites
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  build_sdks:
    needs: prerequisites
    runs-on: pulumi-ubuntu-8core
@@ -201,61 +157,36 @@ jobs:
        - go
        - java
    name: build_sdks
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
-    - name: Install Go
+      env:
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
+        github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
-        cache-dependency-path: "**/*.sum"
+    - name: Download Provider Binary
-    - name: Install pulumictl
+      uses: ./.github/actions/download-provider
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
    - name: Setup Node
      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
      with:
        node-version: ${{ env.NODEVERSION }}
        registry-url: https://registry.npmjs.org
    - name: Setup DotNet
      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
      with:
        dotnet-version: ${{ env.DOTNETVERSION }}
    - name: Setup Python
      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
      with:
        python-version: ${{ env.PYTHONVERSION }}
    - name: Setup Java
      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
      with:
        java-version: ${{ env.JAVAVERSION }}
        distribution: temurin
        cache: gradle
    - name: Setup Gradle
      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
      with:
        gradle-version: "7.6"
    - name: Download provider
      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin
    - name: UnTar provider binaries
      run: tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
        github.workspace}}/bin
    - name: Restore Binary Permissions
      run: find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print
        -exec chmod +x {} \;
    - name: Generate SDK
      run: make generate_${{ matrix.language }}
    - name: Build SDK
@@ -271,71 +202,24 @@ jobs:
          sdk/go/**/pulumiUtilities.go
          sdk/nodejs/package.json
          sdk/python/pyproject.toml
-    - name: Commit SDK changes for Renovate
+          sdk/java/build.gradle
      if: failure() && steps.worktreeClean.outcome == 'failure' &&
        contains(github.actor, 'renovate') && github.event_name ==
        'pull_request'
      shell: bash
      run: >
        git diff --quiet -- sdk && echo "no changes to sdk" && exit
        git config --global user.email "bot@pulumi.com"
        git config --global user.name "pulumi-bot"
        # Stash local changes and check out the PR's branch directly.
        git stash
        git fetch
        git checkout "origin/$HEAD_REF"
        # Apply and add our changes, but don't commit any files we expect to
        # always change due to versioning.
        git stash pop
        git add sdk
        git reset sdk/python/*/pulumi-plugin.json \
            sdk/python/pyproject.toml \
            sdk/dotnet/pulumi-plugin.json \
            sdk/dotnet/*.*.csproj \
            sdk/dotnet/version.txt \
            sdk/go/*/pulumi-plugin.json \
            sdk/go/*/internal/pulumiUtilities.go \
            sdk/nodejs/package.json
        git commit -m 'Commit SDK for Renovate'
        # Push with pulumi-bot credentials to trigger a re-run of the
        # workflow. https://github.com/orgs/community/discussions/25702
        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
      env:
        HEAD_REF: ${{ github.head_ref }}
    - run: git status --porcelain
    - name: Tar SDK folder
      run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} .
    - name: Upload artifacts
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
      with:
        name: ${{ matrix.language  }}-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/${{ matrix.language }}.tar.gz
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure while building SDKs
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  test:
    runs-on: pulumi-ubuntu-8core
    needs:
@@ -353,72 +237,39 @@ jobs:
    name: test
    permissions:
      contents: read
-      id-token: write
+      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
-    - name: Install Go
+      env:
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
+        github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
-        cache-dependency-path: "**/*.sum"
+    - name: Download Provider Binary
-    - name: Install pulumictl
+      uses: ./.github/actions/download-provider
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
    - name: Setup Node
      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
      with:
        node-version: ${{ env.NODEVERSION }}
        registry-url: https://registry.npmjs.org
    - name: Setup DotNet
      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
      with:
        dotnet-version: ${{ env.DOTNETVERSION }}
    - name: Setup Python
      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
      with:
        python-version: ${{ env.PYTHONVERSION }}
    - name: Setup Java
      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
      with:
        java-version: ${{ env.JAVAVERSION }}
        distribution: temurin
        cache: gradle
    - name: Setup Gradle
      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
      with:
        gradle-version: "7.6"
    - name: Download provider
      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin
    - name: UnTar provider binaries
      run: tar -zxf ${{ github.workspace }}/bin/provider.tar.gz -C ${{
        github.workspace}}/bin
    - name: Restore Binary Permissions
      run: find ${{ github.workspace }} -name "pulumi-*-${{ env.PROVIDER }}" -print
        -exec chmod +x {} \;
    - name: Download SDK
      if: ${{ matrix.language != 'yaml' }}
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: ./.github/actions/download-sdk
      with:
-        name: ${{ matrix.language }}-sdk.tar.gz
+        language: ${{ matrix.language }}
        path: ${{ github.workspace}}/sdk/
    - name: UnTar SDK folder
      if: ${{ matrix.language != 'yaml' }}
      run: tar -zxf ${{ github.workspace}}/sdk/${{ matrix.language}}.tar.gz -C ${{
        github.workspace}}/sdk/${{ matrix.language}}
    - name: Update path
      run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
    - name: Install Node dependencies
@@ -439,13 +290,13 @@ jobs:
        requested-token-type: urn:pulumi:token-type:access_token:organization
        export-environment-variables: false
    - name: Export AWS Credentials
-      uses: pulumi/esc-action@efb0bc8946938f0dfbfa00e829196ec95f0d0ea7 # v1.4.0
+      uses: pulumi/esc-action@6cf9520e68354d86f81c455e8d43eabd58f5c9f5 # v1.5.0
      env:
        PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
      with:
        environment: logins/pulumi-ci
    - name: Authenticate to Google Cloud
-      uses: google-github-actions/auth@b7593ed2efd1c1617e1b0254da33b86225adb2a5 # v2.1.12
+      uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
      with:
        workload_identity_provider: projects/${{ env.GOOGLE_PROJECT_NUMBER
          }}/locations/global/workloadIdentityPools/${{
@@ -453,7 +304,7 @@ jobs:
          env.GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER }}
        service_account: ${{ env.GOOGLE_CI_SERVICE_ACCOUNT_EMAIL }}
    - name: Setup gcloud auth
-      uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
+      uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
      with:
        install_components: gke-gcloud-auth-plugin
    - name: Install gotestfmt
@@ -466,34 +317,49 @@ jobs:
        set -euo pipefail
        cd examples && go test -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 .
      env:
        GTIHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure in SDK tests
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  publish:
    runs-on: ubuntu-latest
    needs: test
    name: publish
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
-    - name: Install Go
+      env:
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
+        github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
        cache-dependency-path: "**/*.sum"
    - name: Clear GitHub Actions Ubuntu runner disk space
      uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
      with:
@@ -503,84 +369,78 @@ jobs:
        haskell: true
        swap-storage: true
        large-packages: false
    - name: Install pulumictl
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
    - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
+      uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
      with:
-        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }}
        aws-region: us-east-2
-        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-secret-access-key: ${{ steps.esc-secrets.outputs.AWS_SECRET_ACCESS_KEY }}
        role-duration-seconds: 7200
        role-session-name: ${{ env.PROVIDER }}@githubActions
        role-external-id: upload-pulumi-release
-        role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
+        role-to-assume: ${{ steps.esc-secrets.outputs.AWS_UPLOAD_ROLE_ARN }}
    - name: Run GoReleaser
      uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
      env:
        GORELEASER_CURRENT_TAG: v${{ steps.version.outputs.version }}
        AZURE_SIGNING_CLIENT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID }}
        AZURE_SIGNING_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET }}
        AZURE_SIGNING_TENANT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID }}
        AZURE_SIGNING_KEY_VAULT_URI: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI }}
        SKIP_SIGNING: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET == '' && steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI == '' }}
        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
      with:
        args: -p 3 release --clean --timeout 60m0s
        version: latest
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure in publishing binaries
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  publish_sdk:
    runs-on: ubuntu-latest
    needs: publish
    name: publish_sdks
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Checkout Scripts Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        path: ci-scripts
        repository: pulumi/scripts
    - run: echo "ci-scripts" >> .git/info/exclude
-    - name: Install Go
+    - name: Setup Tools
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
+        github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
        cache-dependency-path: "**/*.sum"
    - name: Install pulumictl
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
    - name: Setup Node
      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
      with:
        node-version: ${{ env.NODEVERSION }}
        registry-url: https://registry.npmjs.org
    - name: Setup DotNet
      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
      with:
        dotnet-version: ${{ env.DOTNETVERSION }}
    - name: Setup Python
      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
      with:
        python-version: ${{ env.PYTHONVERSION }}
    - name: Download python SDK
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        name: python-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -588,7 +448,7 @@ jobs:
      run: tar -zxf ${{github.workspace}}/sdk/python.tar.gz -C
        ${{github.workspace}}/sdk/python
    - name: Download dotnet SDK
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        name: dotnet-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -596,7 +456,7 @@ jobs:
      run: tar -zxf ${{github.workspace}}/sdk/dotnet.tar.gz -C
        ${{github.workspace}}/sdk/dotnet
    - name: Download nodejs SDK
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        name: nodejs-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -608,58 +468,55 @@ jobs:
    - name: Publish SDKs
      run: ./ci-scripts/ci/publish-tfgen-package ${{ github.workspace }}
      env:
-        NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
+        NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }}
-        NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }}
        PYPI_PUBLISH_ARTIFACTS: all
        PYPI_USERNAME: __token__
-        PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+        PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure in publishing SDK
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
  publish_java_sdk:
    runs-on: ubuntu-latest
    continue-on-error: true
    needs: publish
    name: publish_java_sdk
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
-    - name: Install Go
+      env:
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
+        github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
        cache-dependency-path: "**/*.sum"
    - name: Install pulumictl
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
    - name: Setup Java
      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
      with:
        java-version: ${{ env.JAVAVERSION }}
        distribution: temurin
        cache: gradle
    - name: Setup Gradle
      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
      with:
        gradle-version: "7.6"
    - name: Download java SDK
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        name: java-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -667,34 +524,36 @@ jobs:
      run: tar -zxf ${{github.workspace}}/sdk/java.tar.gz -C
        ${{github.workspace}}/sdk/java
    - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
+      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
      with:
        gradle-version: "7.6"
    - name: Publish Java SDK
      run: gradle -p ./sdk/java publishToSonatype closeAndReleaseSonatypeStagingRepository
      env:
        PACKAGE_VERSION: ${{ env.PROVIDER_VERSION }}
-        SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
+        SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }}
-        SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
+        SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }}
-        SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
+        SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }}
-        PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+        PUBLISH_REPO_PASSWORD: ${{ steps.esc-secrets.outputs.OSSRH_PASSWORD }}
-        PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+        PUBLISH_REPO_USERNAME: ${{ steps.esc-secrets.outputs.OSSRH_USERNAME }}
  publish_go_sdk:
    runs-on: ubuntu-latest
    name: publish-go-sdk
    needs: publish_sdk
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Download go SDK
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        name: go-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -714,7 +573,23 @@ jobs:
  dispatch_docs_build:
    runs-on: ubuntu-latest
    needs: publish_go_sdk
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - name: Install pulumictl
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
      with:
@@ -723,5 +598,5 @@ jobs:
      run: pulumictl create docs-build pulumi-${{ env.PROVIDER }}
        "${GITHUB_REF#refs/tags/}"
      env:
-        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
    name: dispatch_docs_build
--- a/.github/workflows/release_command.yml
+++ b/.github/workflows/release_command.yml
@@ -11,9 +11,18 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        persist-credentials: false    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - name: Should release PR
      uses: pulumi/action-release-by-pr-label@main
      with:
@@ -21,14 +30,14 @@ jobs:
        repo: ${{ github.repository }}
        pr: ${{ github.event.client_payload.pull_request.number }}
        version: ${{ github.event.client_payload.slash_command.args.all }}
-        slack_channel: ${{ secrets.RELEASE_OPS_STAGING_SLACK_CHANNEL }}
+        slack_channel: ${{ steps.esc-secrets.outputs.RELEASE_OPS_STAGING_SLACK_CHANNEL }}
      env:
-        RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }}
+        RELEASE_BOT_ENDPOINT: ${{ steps.esc-secrets.outputs.RELEASE_BOT_ENDPOINT }}
-        RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }}
+        RELEASE_BOT_KEY: ${{ steps.esc-secrets.outputs.RELEASE_BOT_KEY }}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - if: failure()
      name: Notify failure
-      uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
@@ -37,7 +46,7 @@ jobs:
          "release command failed: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
    - if: success()
      name: Notify success
-      uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
--- a/.github/workflows/run-acceptance-tests.yml
+++ b/.github/workflows/run-acceptance-tests.yml
@@ -10,7 +10,6 @@ on:
    - CHANGELOG.md
  workflow_dispatch: {}
 env:
  GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
  PROVIDER: docker-build
  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
  TRAVIS_OS_NAME: linux
@@ -21,13 +20,10 @@ env:
  DOTNETVERSION: "8.0.x"
  JAVAVERSION: "11"
  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
  AWS_REGION: us-west-2
  AZURE_LOCATION: westus
  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -36,51 +32,66 @@ env:
  GOOGLE_REGION: us-central1
  GOOGLE_ZONE: us-central1-a
  PULUMI_API: https://api.pulumi-staging.io
  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
  PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }}
 jobs:
  comment-notification:
    if: github.event_name == 'repository_dispatch'
    runs-on: ubuntu-latest
    name: comment-notification
    steps:
    - name: Checkout Repo
      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true
        persist-credentials: false
        ref: ${{ env.PR_COMMIT_SHA }}
    - name: Create URL to the run output
      id: vars
      run: echo
        "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
        >> "$GITHUB_OUTPUT"
    - name: Update with Result
-      uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
      with:
-        token: ${{ secrets.PULUMI_BOT_TOKEN }}
+        token: ${{ secrets.GITHUB_TOKEN }}
        repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
        issue-number: ${{ github.event.client_payload.github.payload.issue.number }}
        body: "Please view the PR build: ${{ steps.vars.outputs.run-url }}"
    if: github.event_name == 'repository_dispatch'
  prerequisites:
    runs-on: ubuntu-latest
    name: prerequisites
    permissions:
      id-token: write # For ESC secrets.
      pull-requests: write # For schema check comment.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true
        persist-credentials: false
        ref: ${{ env.PR_COMMIT_SHA }}    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
-    - name: Install Go
+      env:
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
+        cache: 'true'
-        cache-dependency-path: "**/*.sum"
+        github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
    - name: Install pulumictl
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
    - if: github.event_name == 'pull_request'
      name: Install Schema Tools
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
@@ -101,7 +112,7 @@ jobs:
          echo 'EOF';
        } >> "$GITHUB_ENV"
      env:
-        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
    - if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
      name: Comment on PR with Details of Schema Check
      uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
@@ -131,8 +142,13 @@ jobs:
          sdk/go/**/pulumiUtilities.go
          sdk/nodejs/package.json
          sdk/python/pyproject.toml
          sdk/java/build.gradle
      # This worktree check is a safeguard against someone forgetting to
      # re-build and commit locally, but we handle that commit automatically in
      # the case of dependency bumps.
      continue-on-error: ${{ contains(github.actor, 'renovate') }}
    - name: Commit SDK changes for Renovate
-      if: failure() && steps.worktreeClean.outcome == 'failure' &&
+      if: steps.worktreeClean.outcome == 'failure' &&
        contains(github.actor, 'renovate') && github.event_name ==
        'pull_request'
      shell: bash
@@ -176,7 +192,7 @@ jobs:
        # workflow. https://github.com/orgs/community/discussions/25702
-        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
      env:
        HEAD_REF: ${{ github.head_ref }}
    - run: git status --porcelain
@@ -185,25 +201,30 @@ jobs:
        github.workspace}}/bin/ pulumi-resource-${{ env.PROVIDER }}
        pulumi-gen-${{ env.PROVIDER}}
    - name: Upload artifacts
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin/provider.tar.gz
    - name: Test Provider Library
      run: make test_provider
    - name: Upload coverage reports to Codecov
      uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
      env:
-        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        ARM_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.ARM_CLIENT_SECRET }}
        DIGITALOCEAN_TOKEN: ${{ steps.esc-secrets.outputs.DIGITALOCEAN_TOKEN }}
        DOCKER_HUB_PASSWORD: ${{ steps.esc-secrets.outputs.DOCKER_HUB_PASSWORD }}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Upload coverage reports to Codecov
      uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
      env:
        CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure in building provider prerequisites
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
    if: github.event_name == 'repository_dispatch' ||
      github.event.pull_request.head.repo.full_name == github.repository
  build_sdks:
@@ -219,54 +240,38 @@ jobs:
        - go
        - java
    name: build_sdks
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true
        persist-credentials: false
        ref: ${{ env.PR_COMMIT_SHA }}    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
-    - name: Install Go
+      env:
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
+        github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
        cache-dependency-path: "**/*.sum"
    - name: Install pulumictl
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
    - name: Setup Node
      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
      with:
        node-version: ${{ env.NODEVERSION }}
        registry-url: https://registry.npmjs.org
    - name: Setup DotNet
      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
      with:
        dotnet-version: ${{ env.DOTNETVERSION }}
    - name: Setup Python
      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
      with:
        python-version: ${{ env.PYTHONVERSION }}
    - name: Setup Java
      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
      with:
        java-version: ${{ env.JAVAVERSION }}
        distribution: temurin
        cache: gradle
    - name: Setup Gradle
      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
      with:
        gradle-version: "7.6"
    - name: Download provider
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin
@@ -291,8 +296,10 @@ jobs:
          sdk/go/**/pulumiUtilities.go
          sdk/nodejs/package.json
          sdk/python/pyproject.toml
          sdk/java/build.gradle
      continue-on-error: ${{ contains(github.actor, 'renovate') }}
    - name: Commit SDK changes for Renovate
-      if: failure() && steps.worktreeClean.outcome == 'failure' &&
+      if: steps.worktreeClean.outcome == 'failure' &&
        contains(github.actor, 'renovate') && github.event_name ==
        'pull_request'
      shell: bash
@@ -335,27 +342,27 @@ jobs:
        # workflow. https://github.com/orgs/community/discussions/25702
-        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
      env:
        HEAD_REF: ${{ github.head_ref }}
    - run: git status --porcelain
    - name: Tar SDK folder
      run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} .
    - name: Upload artifacts
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
      with:
        name: ${{ matrix.language  }}-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/${{ matrix.language }}.tar.gz
        retention-days: 30
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure while building SDKs
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
    if: github.event_name == 'repository_dispatch' ||
      github.event.pull_request.head.repo.full_name == github.repository
  test:
@@ -378,52 +385,33 @@ jobs:
      id-token: write
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true
        persist-credentials: false
        ref: ${{ env.PR_COMMIT_SHA }}    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - id: version
      name: Set Provider Version
-      uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+      uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      with:
        set-env: PROVIDER_VERSION
-    - name: Install Go
+      env:
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
+        github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
        cache-dependency-path: "**/*.sum"
    - name: Install pulumictl
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
    - name: Setup Node
      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
      with:
        node-version: ${{ env.NODEVERSION }}
        registry-url: https://registry.npmjs.org
    - name: Setup DotNet
      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
      with:
        dotnet-version: ${{ env.DOTNETVERSION }}
    - name: Setup Python
      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
      with:
        python-version: ${{ env.PYTHONVERSION }}
    - name: Setup Java
      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
      with:
        java-version: ${{ env.JAVAVERSION }}
        distribution: temurin
        cache: gradle
    - name: Setup Gradle
      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
      with:
        gradle-version: "7.6"
    - name: Download provider
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
        path: ${{ github.workspace }}/bin
@@ -435,7 +423,7 @@ jobs:
        -exec chmod +x {} \;
    - name: Download SDK
      if: ${{ matrix.language != 'yaml' }}
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        name: ${{ matrix.language }}-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
@@ -463,13 +451,13 @@ jobs:
        requested-token-type: urn:pulumi:token-type:access_token:organization
        export-environment-variables: false
    - name: Export AWS Credentials
-      uses: pulumi/esc-action@efb0bc8946938f0dfbfa00e829196ec95f0d0ea7 # v1.4.0
+      uses: pulumi/esc-action@6cf9520e68354d86f81c455e8d43eabd58f5c9f5 # v1.5.0
      env:
        PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
      with:
        environment: logins/pulumi-ci
    - name: Authenticate to Google Cloud
-      uses: google-github-actions/auth@b7593ed2efd1c1617e1b0254da33b86225adb2a5 # v2.1.12
+      uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
      with:
        workload_identity_provider: projects/${{ env.GOOGLE_PROJECT_NUMBER
          }}/locations/global/workloadIdentityPools/${{
@@ -477,7 +465,7 @@ jobs:
          env.GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER }}
        service_account: ${{ env.GOOGLE_CI_SERVICE_ACCOUNT_EMAIL }}
    - name: Setup gcloud auth
-      uses: google-github-actions/setup-gcloud@77e7a554d41e2ee56fc945c52dfd3f33d12def9a # v2.1.4
+      uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
      with:
        install_components: gke-gcloud-auth-plugin
    - name: Install gotestfmt
@@ -490,23 +478,40 @@ jobs:
        set -euo pipefail
        cd examples && go test -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 .
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - if: failure() && github.event_name == 'push'
      name: Notify Slack
-      uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
+      uses: 8398a7/action-slack@77eaa4f1c608a7d68b38af4e3f739dcd8cba273e # v3.19.0
      with:
        author_name: Failure in SDK tests
        fields: repo,commit,author,action
        status: ${{ job.status }}
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
    if: github.event_name == 'repository_dispatch' ||
      github.event.pull_request.head.repo.full_name == github.repository
  sentinel:
    runs-on: ubuntu-latest
    name: sentinel
    steps:
    - name: Checkout Repo
      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true
        persist-credentials: false
        ref: ${{ env.PR_COMMIT_SHA }}    
    - env:
        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - name: Mark workflow as successful
-      uses: guibranco/github-status-action-v2@0849440ec82c5fa69b2377725b9b7852a3977e76 # v1.1.13
+      uses: guibranco/github-status-action-v2@631f55ea0251f0fb284525ad86c30e9f7a8dd284 # v1.1.14
      with:
        authToken: ${{ secrets.GITHUB_TOKEN }}
        context: Sentinel
@@ -515,6 +520,7 @@ jobs:
        sha: ${{ github.event.pull_request.head.sha || github.sha }}
    permissions:
      statuses: write
      id-token: write # For ESC secrets.
    if: github.event_name == 'repository_dispatch' ||
      github.event.pull_request.head.repo.full_name == github.repository
    needs:
@@ -525,25 +531,23 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true
        persist-credentials: false
        ref: ${{ env.PR_COMMIT_SHA }}
-    - name: Install Go
+    - name: Setup Tools
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
+        github_token: ${{ secrets.GITHUB_TOKEN }}
        cache-dependency-path: "**/*.sum"
    - name: Disarm go:embed directives to enable linters that compile source code
      run: git grep -l 'go:embed' -- provider | xargs --no-run-if-empty sed -i
        's/go:embed/ goembed/g'
    - name: golangci-lint provider pkg
      uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6.5.2
      with:
-        version: ${{ env.GOLANGCI_LINT_VERSION }}
+        install-mode: none # Handled by mise.
-        args: -c ../.golangci.yml
+        working-directory: .
        working-directory: provider
    name: lint
    if: github.event_name == 'repository_dispatch' ||
      github.event.pull_request.head.repo.full_name == github.repository
--- a/.github/workflows/weekly-pulumi-update.yml
+++ b/.github/workflows/weekly-pulumi-update.yml
@@ -17,13 +17,10 @@ env:
  DOTNETVERSION: "8.0.x"
  JAVAVERSION: "11"
  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
  AWS_REGION: us-west-2
  AZURE_LOCATION: westus
  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -32,38 +29,30 @@ env:
  GOOGLE_REGION: us-central1
  GOOGLE_ZONE: us-central1-a
  PULUMI_API: https://api.pulumi-staging.io
  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
 jobs:
  weekly-pulumi-update:
    runs-on: ubuntu-latest
    permissions: write-all
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
      with:
        lfs: true    
-    - name: Install Go
+    - env:
-      uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
        ESC_ACTION_OIDC_AUTH: "true"
        ESC_ACTION_OIDC_ORGANIZATION: pulumi
        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
      id: esc-secrets
      name: Fetch secrets from ESC
      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
    - name: Setup Tools
      uses: ./.github/actions/setup-tools
      with:
-        go-version: ${{ env.GOVERSION }}
+        github_token: ${{ secrets.GITHUB_TOKEN }}
        cache-dependency-path: "**/*.sum"
    - name: Install pulumictl
      uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
      with:
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
    - name: Setup DotNet
      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
      with:
        dotnet-version: ${{ env.DOTNETVERSION }}
    - name: Setup Node
      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
      with:
        node-version: ${{ env.NODEVERSION }}
        registry-url: https://registry.npmjs.org
    - name: Setup Python
      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
      with:
        python-version: ${{ env.PYTHONVERSION }}
    - name: Update Pulumi/Pulumi
      id: gomod
      run: >-
@@ -122,5 +111,5 @@ jobs:
        gh pr create -t "$msg" -b "$msg" --head "$(git branch --show-current)"
      env:
-        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
    name: weekly-pulumi-update
--- a/.goreleaser.yml
+++ b/.goreleaser.yml
@@ -1,5 +1,4 @@
 # WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
 project_name: pulumi-docker-build
 builds:
 - id: build-provider
--- a/.pulumi.version
+++ b/.pulumi.version
@@ -1 +1 @@
-3.187.0
+3.192.0
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,9 +1,25 @@
 ## Unreleased
 ## Changed
 - Arguments `CacheFromGitHubActions.URL` and `CacheFromGitHubActions.Token` have been removed. If the previous behaviour is desired, set the `ACTIONS_CACHE_URL` and `ACTIONS_RUNTIME_TOKEN` environment variables. (https://github.com/pulumi/pulumi-docker-build/issues/75)
 ## 0.0.14 (2025-09-30)
 ### Fixed
 - A warning is no longer emitted for the reserved `__internal` key. (https://github.com/pulumi/pulumi-docker-build/issues/579)
 ## 0.0.13 (2025-08-27)
 ### Changed
 - Docker Build Cloud and `exec` errors are more helpful. (https://github.com/pulumi/pulumi-docker-build/issues/549)
 ### Fixed
 - The provider is no longer replaced on version changes. (https://github.com/pulumi/pulumi-docker-build/issues/581)
 ## 0.0.12 (2025-05-16)
 ### Changed
--- a/45
+++ b/45
@@ -17,8 +17,9 @@ WORKING_DIR      := $(shell pwd)
 EXAMPLES_DIR     := ${WORKING_DIR}/examples/yaml
 TESTPARALLELISM  := 4
-PULUMI           := bin/pulumi
+PULUMI           := pulumi
-GOGLANGCILINT    := bin/golangci-lint
+GOGLANGCILINT    := golangci-lint
 GOTEST           := go test
 # Override during CI using `make [TARGET] PROVIDER_VERSION=""` or by setting a PROVIDER_VERSION environment variable
 # Local & branch builds will just used this fixed default version unless specified
@@ -46,10 +47,10 @@ provider_debug::
 	(cd provider && go build -o $(WORKING_DIR)/bin/${PROVIDER} -gcflags="all=-N -l" -ldflags "-X ${PROJECT}/${VERSION_PATH}=${VERSION_GENERIC}" $(PROJECT)/${PROVIDER_PATH}/cmd/$(PROVIDER))
 test_provider:: # Required by CI
-	go test -short -v -coverprofile="coverage.txt" -coverpkg=./provider/... -timeout 2h -parallel ${TESTPARALLELISM} ./provider/...
+	${GOTEST} -short -v -coverprofile="coverage.txt" -coverpkg=./provider/... -timeout 2h -parallel ${TESTPARALLELISM} ./provider/...
 test_examples: install_nodejs_sdk install_dotnet_sdk
-	go test -short -v -cover -tags=all -timeout 2h -parallel ${TESTPARALLELISM} ./examples/...
+	${GOTEST} -short -v -cover -tags=all -timeout 2h -parallel ${TESTPARALLELISM} ./examples/...
 test_all:: test_provider test_examples
@@ -63,38 +64,26 @@ examples/yaml:
 	rm -rf ${WORKING_DIR}/examples/yaml/app
 	cp -r ${WORKING_DIR}/examples/app ${WORKING_DIR}/examples/yaml/app
-examples/go: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/go: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,go)
 	@git checkout examples/go/go.mod
-examples/nodejs: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/nodejs: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,nodejs)
 	@git checkout examples/nodejs/package.json
-examples/python: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/python: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,python)
 	@git checkout examples/python/requirements.txt
-examples/dotnet: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/dotnet: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,dotnet)
 	@git checkout examples/dotnet/provider-docker-build.csproj
-examples/java: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/java: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,java)
 	@git checkout examples/java/pom.xml
 ${PULUMI}: go.sum
 	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi/pkg/v3/cmd/pulumi
 	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi/sdk/go/pulumi-language-go/v3
 	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi/sdk/nodejs/cmd/pulumi-language-nodejs/v3
 	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi/sdk/python/cmd/pulumi-language-python/v3
 	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi-java/pkg/cmd/pulumi-language-java
 	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3
 	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi-yaml/cmd/pulumi-converter-yaml
 ${GOGLANGCILINT}: go.sum
 	GOBIN=${WORKING_DIR}/bin go install github.com/golangci/golangci-lint/cmd/golangci-lint@8b37f14
 define pulumi_login
    export PULUMI_CONFIG_PASSPHRASE=asdfqwerty1234; \
    pulumi login --local;
@@ -102,7 +91,7 @@ endef
 define example
 	rm -rf ${WORKING_DIR}/examples/$(1)
-	$(PULUMI) convert \
+	pulumi convert \
 		--cwd ${WORKING_DIR}/examples/yaml \
 		--logtostderr \
 		--generate-only \
@@ -140,7 +129,7 @@ build:: provider sdk/dotnet sdk/go sdk/nodejs sdk/python sdk/java ${SCHEMA_PATH}
 only_build:: build
 .PHONY: lint
-lint: ${GOGLANGCILINT}
+lint:
 	${GOGLANGCILINT} run --fix -c .golangci.yml
 install:: install_nodejs_sdk install_dotnet_sdk
@@ -205,7 +194,7 @@ sdk: sdk/python sdk/nodejs sdk/java sdk/python sdk/go sdk/dotnet
 .PHONY: sdk/*
 sdk/python: TMPDIR := $(shell mktemp -d)
-sdk/python: $(PULUMI) bin/${PROVIDER}
+sdk/python: bin/${PROVIDER}
 	rm -rf sdk/python
 	$(PULUMI) package gen-sdk ./bin/$(PROVIDER) --language python -o ${TMPDIR}
 	cp README.md ${TMPDIR}/python/
@@ -218,7 +207,7 @@ sdk/python: $(PULUMI) bin/${PROVIDER}
 	mv -f ${TMPDIR}/python ${WORKING_DIR}/sdk/.
 sdk/nodejs: TMPDIR := $(shell mktemp -d)
-sdk/nodejs: $(PULUMI) bin/${PROVIDER}
+sdk/nodejs: bin/${PROVIDER}
 	rm -rf sdk/nodejs
 	$(PULUMI) package gen-sdk ./bin/$(PROVIDER) --language nodejs -o ${TMPDIR}
 	cp README.md LICENSE ${TMPDIR}/nodejs
@@ -230,7 +219,7 @@ sdk/nodejs: $(PULUMI) bin/${PROVIDER}
 sdk/go: TMPDIR := $(shell mktemp -d)
 sdk/go: PATH := "$(WORKING_DIR)/bin:$(PATH)"
-sdk/go: $(PULUMI) bin/${PROVIDER}
+sdk/go: bin/${PROVIDER}
 	rm -rf sdk/go
 	PATH=$(PATH) $(PULUMI) package gen-sdk ./bin/$(PROVIDER) --language go -o ${TMPDIR}
 	cp go.mod ${TMPDIR}/go/dockerbuild/go.mod
@@ -240,7 +229,7 @@ sdk/go: $(PULUMI) bin/${PROVIDER}
 	mv -f ${TMPDIR}/go ${WORKING_DIR}/sdk/go
 sdk/dotnet: TMPDIR := $(shell mktemp -d)
-sdk/dotnet: $(PULUMI) bin/${PROVIDER}
+sdk/dotnet: bin/${PROVIDER}
 	rm -rf sdk/dotnet
 	$(PULUMI) package gen-sdk ./bin/${PROVIDER} --language dotnet -o ${TMPDIR}
 	cd ${TMPDIR}/dotnet/ && \
@@ -250,7 +239,7 @@ sdk/dotnet: $(PULUMI) bin/${PROVIDER}
 sdk/java: PACKAGE_VERSION := $(shell pulumictl convert-version --language generic -v "$(VERSION_GENERIC)")
 sdk/java: TMPDIR := $(shell mktemp -d)
-sdk/java: $(PULUMI) bin/${PROVIDER}
+sdk/java: bin/${PROVIDER}
 	rm -rf sdk/java
 	$(PULUMI) package gen-sdk --language java ./bin/${PROVIDER} -o ${TMPDIR}
 	cd ${TMPDIR}/java/ && gradle --console=plain build
--- a/docs/_index.md
+++ b/docs/_index.md
@@ -0,0 +1,428 @@
 ---
 title: Docker Build
 meta_desc: Provides an overview of the Docker Build Provider for Pulumi.
 layout: package
 ---
 The Docker Build provider leverages [buildx and BuildKit](https://docs.docker.com/build/architecture/) to build modern Docker images with Pulumi.
 Not to be confused with the earlier
 [Docker](../docker) provider, which is still
 appropriate for managing resources unrelated to building images.
 | Provider               | Use cases                                                               |
 | ----------------       | ----------------------------------------------------------------------- |
 | `@pulumi/docker-build` | Anything related to building images with `docker build`.                |
 | `@pulumi/docker`       | Everything else -- including running containers and creating networks.  |
 ## Example
 If your Pulumi program has a directory called `app` alongside it, containing a
 file named "Dockerfile" (which can be as simple as `FROM alpine` for the
 purpose of example), then the code below shows how to build a multi-platform
 image, publish it to a remote AWS ECR registry, and use an [inline
 cache](https://docs.docker.com/build/cache/backends/inline/) to speed up
 subsequent builds.
 {{< chooser language "typescript,python,csharp,go,yaml,java" / >}}
 {{% choosable language typescript %}}
 ```typescript
 import * as aws from "@pulumi/aws";
 import * as docker_build from "@pulumi/docker-build";
 // Create an ECR repository for pushing.
 const ecrRepository = new aws.ecr.Repository("ecr-repository", {});
 // Grab auth credentials for ECR.
 const authToken = aws.ecr.getAuthorizationTokenOutput({
    registryId: ecrRepository.registryId,
 });
 // Build and push an image to ECR with inline caching.
 const myImage = new docker_build.Image("my-image", {
    // Tag our image with our ECR repository's address.
    tags: [pulumi.interpolate`${ecrRepository.repositoryUrl}:latest`],
    context: {
        location: "./app",
    },
    // Use the pushed image as a cache source.
    cacheFrom: [{
        registry: {
            ref: pulumi.interpolate`${ecrRepository.repositoryUrl}:latest`,
        },
    }],
    // Include an inline cache with our pushed image.
    cacheTo: [{
        inline: {},
    }],
    // Build a multi-platform image manifest for ARM and AMD.
    platforms: [
        "linux/amd64",
        "linux/arm64",
    ],
    // Push the final result to ECR.
    push: true,
    // Provide our ECR credentials.
    registries: [{
        address: ecrRepository.repositoryUrl,
        password: authToken.password,
        username: authToken.userName,
    }],
 });
 // Export a ref for the pushed images so we can deploy it.
 export const ref = myImage.ref;
 ```
 {{% /choosable %}}
 {{% choosable language python %}}
 ```python
 import pulumi
 import pulumi_aws as aws
 import pulumi_docker_build as docker_build
 # Create an ECR repository for pushing.
 ecr_repository = aws.ecr.Repository("ecr-repository")
 # Grab auth credentials for ECR.
 auth_token = aws.ecr.get_authorization_token_output(registry_id=ecr_repository.registry_id)
 # Build and push an image to ECR with inline caching.
 my_image = docker_build.Image("my-image",
    # Tag our image with our ECR repository's address.
    tags=[ecr_repository.repository_url.apply(lambda repository_url: f"{repository_url}:latest")],
    context=docker_build.BuildContextArgs(
        location="./app",
    ),
    # Use the pushed image as a cache source.
    cache_from=[docker_build.CacheFromArgs(
        registry=docker_build.CacheFromRegistryArgs(
            ref=ecr_repository.repository_url.apply(lambda repository_url: f"{repository_url}:latest"),
        ),
    )],
    # Include an inline cache with our pushed image.
    cache_to=[docker_build.CacheToArgs(
        inline=docker_build.CacheToInlineArgs(),
    )],
    # Build a multi-platform image manifest for ARM and AMD.
    platforms=[
        docker_build.Platform.LINUX_AMD64,
        docker_build.Platform.LINUX_ARM64,
    ],
    # Push the final result to ECR.
    push=True,
    # Provide our ECR credentials.
    registries=[docker_build.RegistryArgs(
        address=ecr_repository.repository_url,
        password=auth_token.password,
        username=auth_token.user_name,
    )],
 )
 # Export a ref for the pushed images so we can deploy it.
 pulumi.export("ref", my_image.ref)
 ```
 {{% /choosable %}}
 {{% choosable language csharp %}}
 ```csharp
 using System.Collections.Generic;
 using System.Linq;
 using Pulumi;
 using Aws = Pulumi.Aws;
 using DockerBuild = Pulumi.DockerBuild;
 return await Deployment.RunAsync(() =>
 {
    // Create an ECR repository for pushing.
    var ecrRepository = new Aws.Ecr.Repository("ecr-repository");
    // Grab auth credentials for ECR.
    var authToken = Aws.Ecr.GetAuthorizationToken.Invoke(new()
    {
        RegistryId = ecrRepository.RegistryId,
    });
    // Build and push an image to ECR with inline caching.
    var myImage = new DockerBuild.Image("my-image", new()
    {
        // Tag our image with our ECR repository's address.
        Tags = new[]
        {
            ecrRepository.RepositoryUrl.Apply(repositoryUrl => $"{repositoryUrl}:latest"),
        },
        Context = new DockerBuild.Inputs.BuildContextArgs
        {
            Location = "./app",
        },
        // Use the pushed image as a cache source.
        CacheFrom = new[]
        {
            new DockerBuild.Inputs.CacheFromArgs
            {
                Registry = new DockerBuild.Inputs.CacheFromRegistryArgs
                {
                    Ref = ecrRepository.RepositoryUrl.Apply(repositoryUrl => $"{repositoryUrl}:latest"),
                },
            },
        },
        // Include an inline cache with our pushed image.
        CacheTo = new[]
        {
            new DockerBuild.Inputs.CacheToArgs
            {
                Inline = null,
            },
        },
        // Build a multi-platform image manifest for ARM and AMD.
        Platforms = new[]
        {
            DockerBuild.Platform.Linux_amd64,
            DockerBuild.Platform.Linux_arm64,
        },
        // Push the final result to ECR.
        Push = true,
        // Provide our ECR credentials.
        Registries = new[]
        {
            new DockerBuild.Inputs.RegistryArgs
            {
                Address = ecrRepository.RepositoryUrl,
                Password = authToken.Apply(getAuthorizationTokenResult => getAuthorizationTokenResult.Password),
                Username = authToken.Apply(getAuthorizationTokenResult => getAuthorizationTokenResult.UserName),
            },
        },
    });
    // Export a ref for the pushed images so we can deploy it.
    return new Dictionary<string, object?>
    {
        ["ref"] = myImage.Ref,
    };
 });
 ```
 {{% /choosable %}}
 {{% choosable language go %}}
 ```go
 package main
 import (
    "fmt"
    "github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ecr"
    "github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild"
    "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 )
 func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        // Create an ECR repository for pushing.
        ecrRepository, err := ecr.NewRepository(ctx, "ecr-repository", nil)
        if err != nil {
            return err
        }
        // Grab auth credentials for ECR.
        authToken := ecr.GetAuthorizationTokenOutput(ctx, ecr.GetAuthorizationTokenOutputArgs{
            RegistryId: ecrRepository.RegistryId,
        }, nil)
        // Build and push an image to ECR with inline caching.
        myImage, err := dockerbuild.NewImage(ctx, "my-image", &dockerbuild.ImageArgs{
            // Tag our image with our ECR repository's address.
            Tags: pulumi.StringArray{
                ecrRepository.RepositoryUrl.ApplyT(func(repositoryUrl string) (string, error) {
                    return fmt.Sprintf("%v:latest", repositoryUrl), nil
                }).(pulumi.StringOutput),
            },
            Context: &dockerbuild.BuildContextArgs{
                Location: pulumi.String("./app"),
            },
            // Use the pushed image as a cache source.
            CacheFrom: dockerbuild.CacheFromArray{
                &dockerbuild.CacheFromArgs{
                    Registry: &dockerbuild.CacheFromRegistryArgs{
                        Ref: ecrRepository.RepositoryUrl.ApplyT(func(repositoryUrl string) (string, error) {
                            return fmt.Sprintf("%v:latest", repositoryUrl), nil
                        }).(pulumi.StringOutput),
                    },
                },
            },
            // Include an inline cache with our pushed image.
            CacheTo: dockerbuild.CacheToArray{
                &dockerbuild.CacheToArgs{
                    Inline: nil,
                },
            },
            // Build a multi-platform image manifest for ARM and AMD.
            Platforms: dockerbuild.PlatformArray{
                dockerbuild.Platform_Linux_amd64,
                dockerbuild.Platform_Linux_arm64,
            },
            // Push the final result to ECR.
            Push: pulumi.Bool(true),
            // Provide our ECR credentials.
            Registries: dockerbuild.RegistryArray{
                &dockerbuild.RegistryArgs{
                    Address: ecrRepository.RepositoryUrl,
                    Password: authToken.ApplyT(func(authToken ecr.GetAuthorizationTokenResult) (*string, error) {
                        return &authToken.Password, nil
                    }).(pulumi.StringPtrOutput),
                    Username: authToken.ApplyT(func(authToken ecr.GetAuthorizationTokenResult) (*string, error) {
                        return &authToken.UserName, nil
                    }).(pulumi.StringPtrOutput),
                },
            },
        })
        if err != nil {
            return err
        }
        // Export a ref for the pushed images so we can deploy it.
        ctx.Export("ref", myImage.Ref)
        return nil
    })
 }
 ```
 {{% /choosable %}}
 {{% choosable language yaml %}}
 ```yaml
 description: Push to AWS ECR with caching
 name: ecr
 outputs:
    ref: ${my-image.ref}
 resources:
    # Create an ECR repository for pushing.
    ecr-repository:
        type: aws:ecr:Repository
    # Build and push an image to ECR with inline caching.
    my-image:
        type: docker-build:Image
        properties:
            # Tag our image with our ECR repository's address.
            tags:
                - ${ecr-repository.repositoryUrl}:latest
            context:
                location: ./app
            # Use the pushed image as a cache source.
            cacheFrom:
                - registry:
                    ref: ${ecr-repository.repositoryUrl}:latest
            # Include an inline cache with our pushed image.
            cacheTo:
                - inline: {}
            # Build a multi-platform image manifest for ARM and AMD.
            platforms:
                - linux/amd64
                - linux/arm64
            # Push the final result to ECR.
            push: true
            # Provide our ECR credentials.
            registries:
                - address: ${ecr-repository.repositoryUrl}
                  password: ${auth-token.password}
                  username: ${auth-token.userName}
 runtime: yaml
 variables:
    auth-token:
        # Grab auth credentials for ECR.
        fn::aws:ecr:getAuthorizationToken:
            registryId: ${ecr-repository.registryId}
 ```
 {{% /choosable %}}
 {{% choosable language java %}}
 ```java
 package myapp;
 import com.pulumi.Context;
 import com.pulumi.Pulumi;
 import com.pulumi.core.Output;
 import com.pulumi.aws.ecr.Repository;
 import com.pulumi.aws.ecr.EcrFunctions;
 import com.pulumi.aws.ecr.inputs.GetAuthorizationTokenArgs;
 import com.pulumi.dockerbuild.Image;
 import com.pulumi.dockerbuild.ImageArgs;
 import com.pulumi.dockerbuild.inputs.CacheFromArgs;
 import com.pulumi.dockerbuild.inputs.CacheFromRegistryArgs;
 import com.pulumi.dockerbuild.inputs.CacheToArgs;
 import com.pulumi.dockerbuild.inputs.CacheToInlineArgs;
 import com.pulumi.dockerbuild.inputs.BuildContextArgs;
 import com.pulumi.dockerbuild.inputs.RegistryArgs;
 import java.util.List;
 import java.util.ArrayList;
 import java.util.Map;
 import java.io.File;
 import java.nio.file.Files;
 import java.nio.file.Paths;
 public class App {
    public static void main(String[] args) {
        Pulumi.run(App::stack);
    }
    public static void stack(Context ctx) {
        // Create an ECR repository for pushing.
        var ecrRepository = new Repository("ecrRepository");
        // Grab auth credentials for ECR.
        final var authToken = EcrFunctions.getAuthorizationToken(GetAuthorizationTokenArgs.builder()
            .registryId(ecrRepository.registryId())
            .build());
        // Build and push an image to ECR with inline caching.
        var myImage = new Image("myImage", ImageArgs.builder()
            // Tag our image with our ECR repository's address.
            .tags(ecrRepository.repositoryUrl().applyValue(repositoryUrl -> String.format("%s:latest", repositoryUrl)))
            .context(BuildContextArgs.builder()
                .location("./app")
                .build())
            // Use the pushed image as a cache source.
            .cacheFrom(CacheFromArgs.builder()
                .registry(CacheFromRegistryArgs.builder()
                    .ref(ecrRepository.repositoryUrl().applyValue(repositoryUrl -> String.format("%s:latest", repositoryUrl)))
                    .build())
                .build())
            // Include an inline cache with our pushed image.
            .cacheTo(CacheToArgs.builder()
                .inline()
                .build())
            // Build a multi-platform image manifest for ARM and AMD.
            .platforms(
                "linux/amd64",
                "linux/arm64")
            // Push the final result to ECR.
            .push(true)
            // Provide our ECR credentials.
            .registries(RegistryArgs.builder()
                .address(ecrRepository.repositoryUrl())
                .password(authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult).applyValue(authToken -> authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult.password())))
                .username(authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult).applyValue(authToken -> authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult.userName())))
                .build())
            .build());
        ctx.export("ref", myImage.ref());
    }
 }
 ```
 {{% /choosable %}}
 {{< /chooser >}}
--- a/docs/installation-configuration.md
+++ b/docs/installation-configuration.md
@@ -0,0 +1,33 @@
 ---
 title: Docker-Build Installation & Configuration
 meta_desc: Provides an overview on how to configure the Pulumi Docker-Build Provider.
 layout: package
 ---
 The Pulumi Docker-build provider builds modern Docker images with [buildx](https://docs.docker.com/reference/cli/docker/buildx/) and [BuildKit](https://docs.docker.com/build/buildkit/).
 ## Installation
 The Docker-Build provider is available as a package in all Pulumi languages:
 * JavaScript/TypeScript: [`@pulumi/docker-build`](https://www.npmjs.com/package/@pulumi/docker-build)
 * Python: [`pulumi-docker-build`](https://pypi.org/project/pulumi-docker-build/)
 * Go: [`github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild`](https://github.com/pulumi/pulumi-docker-build)
 * .NET: [`Pulumi.DockerBuild`](https://www.nuget.org/packages/Pulumi.DockerBuild)
 * Java: [`com.pulumi/docker-build`](https://central.sonatype.com/artifact/com.pulumi/docker-build)
 ## Configuring The Provider
 ### Host
 The `DOCKER_HOST` environment variable can be used to specify a custom build daemon's location.
 ```bash
 $ export DOCKER_HOST=tcp://127.0.0.1:2376/
 ```
 This can also be specified in your stack's configuration:
 ```bash
 $ pulumi config set docker-build:host tcp://127.0.0.1:2376/
 ```
--- a/examples/go/go.mod
+++ b/examples/go/go.mod
@@ -6,7 +6,7 @@ toolchain go1.24.5
 require (
 	github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild v0.0.12
-	github.com/pulumi/pulumi/sdk/v3 v3.187.0
+	github.com/pulumi/pulumi/sdk/v3 v3.192.0
 )
 require (
@@ -58,11 +58,12 @@ require (
 	github.com/opentracing/basictracer-go v1.1.0 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pgavlin/fx v0.1.6 // indirect
 	github.com/pgavlin/fx/v2 v2.0.3 // indirect
 	github.com/pjbgf/sha1cd v0.3.2 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pkg/term v1.1.0 // indirect
 	github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 // indirect
-	github.com/pulumi/esc v0.14.3 // indirect
+	github.com/pulumi/esc v0.20.0 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rogpeppe/go-internal v1.14.1 // indirect
 	github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 // indirect
@@ -78,18 +79,17 @@ require (
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	github.com/zclconf/go-cty v1.16.2 // indirect
 	go.opentelemetry.io/otel v1.36.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.36.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
-	golang.org/x/crypto v0.39.0 // indirect
+	golang.org/x/crypto v0.45.0 // indirect
-	golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 // indirect
+	golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 // indirect
-	golang.org/x/mod v0.25.0 // indirect
+	golang.org/x/mod v0.29.0 // indirect
-	golang.org/x/net v0.40.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
-	golang.org/x/sync v0.15.0 // indirect
+	golang.org/x/sync v0.18.0 // indirect
-	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
-	golang.org/x/term v0.32.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
-	golang.org/x/text v0.26.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
-	golang.org/x/tools v0.33.0 // indirect
+	golang.org/x/tools v0.38.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 // indirect
 	google.golang.org/grpc v1.72.1 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
--- a/examples/go/go.sum
+++ b/examples/go/go.sum
@@ -159,12 +159,12 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRI
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 h1:vkHw5I/plNdTr435cARxCW6q9gc0S/Yxz7Mkd38pOb0=
 github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231/go.mod h1:murToZ2N9hNJzewjHBgfFdXhZKjY3z5cYC1VXk+lbFE=
-github.com/pulumi/esc v0.14.3 h1:Zli+9LiSDT/W+Fsfr8tITxCo+5wn969tLrE4KLv44G8=
+github.com/pulumi/esc v0.20.0 h1:LZn4sjAsI76x10ZuZXXyh2ExGcP7AHmjOzCi/p3/fpQ=
-github.com/pulumi/esc v0.14.3/go.mod h1:XnSxlt5NkmuAj304l/gK4pRErFbtqq6XpfX1tYT9Jbc=
+github.com/pulumi/esc v0.20.0/go.mod h1:h1VjdedI0K84MhMzaR9ZKbEpU6SfZMOZF4ZrVgQyNLY=
 github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild v0.0.12 h1:uzmw+0iic764m0Yvh4I/jRV1x3q49dVh5Ctq9RllsQ8=
 github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild v0.0.12/go.mod h1:6zFMe786NvFDO03BVJwdw1R/Yms4F6vAU49iBHo8zbQ=
-github.com/pulumi/pulumi/sdk/v3 v3.187.0 h1:BflBBeD/qaoKN4Tov11g4aHzJ7pTXBSb8otgmteRer0=
+github.com/pulumi/pulumi/sdk/v3 v3.192.0 h1:sfHuR3P02wSbV3xdSMEQ0+uC/HzlMz0YfKrVAXy1hSQ=
-github.com/pulumi/pulumi/sdk/v3 v3.187.0/go.mod h1:BnpKxUc6QlxqoCqobHNZsUuIuY27H6ZFUk0Cp+0JN5U=
+github.com/pulumi/pulumi/sdk/v3 v3.192.0/go.mod h1:aV0+c5xpSYccWKmOjTZS9liYCqh7+peu3cQgSXu7CJw=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
@@ -228,29 +228,29 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
-golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
-golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 h1:R84qjqJb5nVJMxqWYb3np9L5ZsaDtB+a39EqjV0JSUM=
+golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 h1:R9PFI6EUdfVKgwKjZef7QIwGcBKu86OEFpJ9nUEP2l4=
-golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0/go.mod h1:S9Xr4PYopiDyqSyp5NjCrhFrqg6A5zA2E/iPHPhqnS8=
+golang.org/x/exp v0.0.0-20250718183923-645b1fa84792/go.mod h1:A+z0yzpGtvnG90cToK5n2tu8UJVP2XUATh+r+sfOOOc=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
-golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200421231249-e086a090c8fd/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
-golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
-golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -266,24 +266,24 @@ golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
-golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
-golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
--- a/examples/nodejs/package.json
+++ b/examples/nodejs/package.json
@@ -5,6 +5,6 @@
  },
  "dependencies": {
    "typescript": "^4.0.0",
-    "@pulumi/pulumi": "3.184.0"
+    "@pulumi/pulumi": "3.211.0"
  }
 }
--- a/examples/nodejs_test.go
+++ b/examples/nodejs_test.go
@@ -181,8 +181,9 @@ func TestConfig(t *testing.T) {
 	require.NoError(t, err)
 	test := integration.ProgramTestOptions{
-		Dir:          path.Join(cwd, "tests", "config"),
+		Dir:                    path.Join(cwd, "tests", "config"),
-		Dependencies: []string{"@pulumi/docker-build"},
+		Dependencies:           []string{"@pulumi/docker-build"},
 		SkipEmptyPreviewUpdate: true,
 	}
 	integration.ProgramTest(t, &test)
--- a/examples/tests/caching/package.json
+++ b/examples/tests/caching/package.json
@@ -4,6 +4,6 @@
    "@types/node": "^20.0.0"
  },
  "dependencies": {
-    "@pulumi/pulumi": "3.184.0"
+    "@pulumi/pulumi": "3.211.0"
  }
 }
--- a/examples/tests/caching/yarn.lock
+++ b/examples/tests/caching/yarn.lock
@@ -369,10 +369,10 @@
  resolved "https://registry.yarnpkg.com/@protobufjs/utf8/-/utf8-1.1.0.tgz#a777360b5b39a1a2e5106f8e858f2fd2d060c570"
  integrity sha512-Vvn3zZrhQZkkBE8LSuW3em98c0FwgO4nxzv6OdSxPKJIEKY2bGbHn+mhGIPerzI4twdxaP8/0+06HBpwf345Lw==
-"@pulumi/pulumi@3.184.0":
+"@pulumi/pulumi@3.211.0":
-  version "3.184.0"
+  version "3.211.0"
-  resolved "https://registry.yarnpkg.com/@pulumi/pulumi/-/pulumi-3.184.0.tgz#650831728ed5c22ff1eda36349af860fadc5c9d1"
+  resolved "https://registry.yarnpkg.com/@pulumi/pulumi/-/pulumi-3.211.0.tgz#eedee7d5ec1647209be5439d1e221c48e93f4a17"
-  integrity sha512-hseyV9cDUcu6MgXnnuKibIx5DtZVjS0judMYQdy74vau8CCKIAoIJGoURaKIl0KCT8OuvaMCHS+iOG/8o8VSCg==
+  integrity sha512-buIAse/ll5I+gzYRYNeDL39wjg+Ehq+OZ8oWO0ISkB6E7xuB60rvS9ATKHJYacroYFsuE6pVEA19f7wc67mRzA==
  dependencies:
    "@grpc/grpc-js" "^1.10.1"
    "@logdna/tail-file" "^2.0.6"
@@ -389,18 +389,18 @@
    "@types/tmp" "^0.2.6"
    execa "^5.1.0"
    fdir "^6.1.1"
-    google-protobuf "^3.5.0"
+    google-protobuf "^3.21.4"
    got "^11.8.6"
    ini "^2.0.0"
-    js-yaml "^3.14.0"
+    js-yaml "^3.14.2"
    minimist "^1.2.6"
    normalize-package-data "^6.0.0"
    package-directory "^8.1.0"
    picomatch "^3.0.1"
    pkg-dir "^7.0.0"
    require-from-string "^2.0.1"
    semver "^7.5.2"
    source-map-support "^0.5.6"
-    tmp "^0.2.1"
+    tmp "^0.2.4"
    upath "^1.1.0"
 "@sigstore/bundle@^2.3.2":
@@ -819,13 +819,10 @@ fdir@^6.1.1:
  resolved "https://registry.yarnpkg.com/fdir/-/fdir-6.2.0.tgz#9120f438d566ef3e808ca37864d9dd18e1a4f9b5"
  integrity sha512-9XaWcDl0riOX5j2kYfy0kKdg7skw3IY6kA4LFT8Tk2yF9UdrADUy8D6AJuBLtf7ISm/MksumwAHE3WVbMRyCLw==
-find-up@^6.3.0:
+find-up-simple@^1.0.0:
-  version "6.3.0"
+  version "1.0.1"
-  resolved "https://registry.yarnpkg.com/find-up/-/find-up-6.3.0.tgz#2abab3d3280b2dc7ac10199ef324c4e002c8c790"
+  resolved "https://registry.yarnpkg.com/find-up-simple/-/find-up-simple-1.0.1.tgz#18fb90ad49e45252c4d7fca56baade04fa3fca1e"
-  integrity sha512-v2ZsoEuVHYy8ZIlYqwPe/39Cy+cFDzp4dXPaxNvkEuouymu+2Jbz0PxpKarJHYJTmv2HWT3O382qY8l4jMWthw==
+  integrity sha512-afd4O7zpqHeRyg4PfDQsXmlDe2PfdHtJt6Akt8jOWaApLOZk5JXs6VMR29lz03pRe9mpykrRCYIYxaJYcfpncQ==
  dependencies:
    locate-path "^7.1.0"
    path-exists "^5.0.0"
 foreground-child@^3.1.0:
  version "3.3.0"
@@ -883,7 +880,7 @@ glob@^10.2.2, glob@^10.3.10:
    package-json-from-dist "^1.0.0"
    path-scurry "^1.11.1"
-google-protobuf@^3.5.0:
+google-protobuf@^3.21.4:
  version "3.21.4"
  resolved "https://registry.yarnpkg.com/google-protobuf/-/google-protobuf-3.21.4.tgz#2f933e8b6e5e9f8edde66b7be0024b68f77da6c9"
  integrity sha512-MnG7N936zcKTco4Jd2PX2U96Kf9PxygAPKBug+74LHzmHXmceN16MmRcdgZv+DGef/S9YvQAfRsNCn4cjf9yyQ==
@@ -1051,10 +1048,10 @@ jackspeak@^3.1.2:
  optionalDependencies:
    "@pkgjs/parseargs" "^0.11.0"
-js-yaml@^3.14.0:
+js-yaml@^3.14.2:
-  version "3.14.1"
+  version "3.14.2"
-  resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-3.14.1.tgz#dae812fdb3825fa306609a8717383c50c36a0537"
+  resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-3.14.2.tgz#77485ce1dd7f33c061fd1b16ecea23b55fcb04b0"
-  integrity sha512-okMH7OXXJ7YrN9Ok3/SXrnu4iX9yOk+25nqX4imS2npuvTYDmo/QEZoqwZkYaIDk3jVvBOTOIEgEhaLOynBS9g==
+  integrity sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==
  dependencies:
    argparse "^1.0.7"
    esprima "^4.0.0"
@@ -1101,13 +1098,6 @@ keyv@^4.0.0:
  dependencies:
    json-buffer "3.0.1"
 locate-path@^7.1.0:
  version "7.2.0"
  resolved "https://registry.yarnpkg.com/locate-path/-/locate-path-7.2.0.tgz#69cb1779bd90b35ab1e771e1f2f89a202c2a8a8a"
  integrity sha512-gvVijfZvn7R+2qyPX8mAuKcFGDf6Nc61GdvGafQsHL0sBIxfKzA+usWn4GFC/bk+QdwPUD4kWFJLhElipq+0VA==
  dependencies:
    p-locate "^6.0.0"
 lodash.camelcase@^4.3.0:
  version "4.3.0"
  resolved "https://registry.yarnpkg.com/lodash.camelcase/-/lodash.camelcase-4.3.0.tgz#b28aa6288a2b9fc651035c7711f65ab6190331a6"
@@ -1385,20 +1375,6 @@ p-cancelable@^2.0.0:
  resolved "https://registry.yarnpkg.com/p-cancelable/-/p-cancelable-2.1.1.tgz#aab7fbd416582fa32a3db49859c122487c5ed2cf"
  integrity sha512-BZOr3nRQHOntUjTrH8+Lh54smKHoHyur8We1V8DSMVrl5A2malOOwuJRnKRDjSnkoeBh4at6BwEnb5I7Jl31wg==
 p-limit@^4.0.0:
  version "4.0.0"
  resolved "https://registry.yarnpkg.com/p-limit/-/p-limit-4.0.0.tgz#914af6544ed32bfa54670b061cafcbd04984b644"
  integrity sha512-5b0R4txpzjPWVw/cXXUResoD4hb6U/x9BH08L7nw+GN1sezDzPdxeRvpc9c433fZhBan/wusjbCsqwqm4EIBIQ==
  dependencies:
    yocto-queue "^1.0.0"
 p-locate@^6.0.0:
  version "6.0.0"
  resolved "https://registry.yarnpkg.com/p-locate/-/p-locate-6.0.0.tgz#3da9a49d4934b901089dca3302fa65dc5a05c04f"
  integrity sha512-wPrq66Llhl7/4AGC6I+cqxT07LhXvWL08LNXz1fENOw0Ap4sRZZ/gZpTTJ5jpurzzzfS2W/Ge9BY3LgLjCShcw==
  dependencies:
    p-limit "^4.0.0"
 p-map@^4.0.0:
  version "4.0.0"
  resolved "https://registry.yarnpkg.com/p-map/-/p-map-4.0.0.tgz#bb2f95a5eda2ec168ec9274e06a747c3e2904d2b"
@@ -1406,6 +1382,13 @@ p-map@^4.0.0:
  dependencies:
    aggregate-error "^3.0.0"
 package-directory@^8.1.0:
  version "8.1.0"
  resolved "https://registry.yarnpkg.com/package-directory/-/package-directory-8.1.0.tgz#75737f33380df04490de8cacb47d682116661401"
  integrity sha512-qHKRW0pw3lYdZMQVkjDBqh8HlamH/LCww2PH7OWEp4Qrt3SFeYMNpnJrQzlSnGrDD5zGR51XqBh7FnNCdVNEHA==
  dependencies:
    find-up-simple "^1.0.0"
 package-json-from-dist@^1.0.0:
  version "1.0.0"
  resolved "https://registry.yarnpkg.com/package-json-from-dist/-/package-json-from-dist-1.0.0.tgz#e501cd3094b278495eb4258d4c9f6d5ac3019f00"
@@ -1443,11 +1426,6 @@ parse-conflict-json@^3.0.0:
    just-diff "^6.0.0"
    just-diff-apply "^5.2.0"
 path-exists@^5.0.0:
  version "5.0.0"
  resolved "https://registry.yarnpkg.com/path-exists/-/path-exists-5.0.0.tgz#a6aad9489200b21fab31e49cf09277e5116fb9e7"
  integrity sha512-RjhtfwJOxzcFmNOi6ltcbcu4Iu+FL3zEj83dk4kAS+fVpTxXLO1b38RvJgT/0QwvV/L3aY9TAnyv0EOqW4GoMQ==
 path-key@^3.0.0, path-key@^3.1.0:
  version "3.1.1"
  resolved "https://registry.yarnpkg.com/path-key/-/path-key-3.1.1.tgz#581f6ade658cbba65a0d3380de7753295054f375"
@@ -1471,13 +1449,6 @@ picomatch@^3.0.1:
  resolved "https://registry.yarnpkg.com/picomatch/-/picomatch-3.0.1.tgz#817033161def55ec9638567a2f3bbc876b3e7516"
  integrity sha512-I3EurrIQMlRc9IaAZnqRR044Phh2DXY+55o7uJ0V+hYZAcQYSuFWsc9q5PvyDHUSCe1Qxn/iBz+78s86zWnGag==
 pkg-dir@^7.0.0:
  version "7.0.0"
  resolved "https://registry.yarnpkg.com/pkg-dir/-/pkg-dir-7.0.0.tgz#8f0c08d6df4476756c5ff29b3282d0bab7517d11"
  integrity sha512-Ie9z/WINcxxLp27BKOCHGde4ITq9UklYKDzVo1nhk5sqGEXU3FpkwP5GM2voTGJkGd9B3Otl+Q4uwSOeSUtOBA==
  dependencies:
    find-up "^6.3.0"
 postcss-selector-parser@^6.0.10:
  version "6.1.1"
  resolved "https://registry.yarnpkg.com/postcss-selector-parser/-/postcss-selector-parser-6.1.1.tgz#5be94b277b8955904476a2400260002ce6c56e38"
@@ -1805,10 +1776,10 @@ tar@^6.1.11, tar@^6.2.1:
    mkdirp "^1.0.3"
    yallist "^4.0.0"
-tmp@^0.2.1:
+tmp@^0.2.4:
-  version "0.2.3"
+  version "0.2.5"
-  resolved "https://registry.yarnpkg.com/tmp/-/tmp-0.2.3.tgz#eb783cc22bc1e8bebd0671476d46ea4eb32a79ae"
+  resolved "https://registry.yarnpkg.com/tmp/-/tmp-0.2.5.tgz#b06bcd23f0f3c8357b426891726d16015abfd8f8"
-  integrity sha512-nZD7m9iCPC5g0pYmcaxogYKggSfLsdxl8of3Q/oIbqCqLLIO9IAF0GWjX1z9NZRHPiXv8Wex4yDCaZsgEw0Y8w==
+  integrity sha512-voyz6MApa1rQGUxT3E+BK7/ROe8itEx7vD8/HEvt4xwXucvQ5G5oeEiHkmHZJuBO21RpOf+YYm9MOivj709jow==
 treeverse@^3.0.0:
  version "3.0.0"
@@ -1957,8 +1928,3 @@ yargs@^17.7.2:
    string-width "^4.2.3"
    y18n "^5.0.5"
    yargs-parser "^21.1.1"
 yocto-queue@^1.0.0:
  version "1.1.1"
  resolved "https://registry.yarnpkg.com/yocto-queue/-/yocto-queue-1.1.1.tgz#fef65ce3ac9f8a32ceac5a634f74e17e5b232110"
  integrity sha512-b4JR1PFR10y1mKjhHY9LaGo6tmrgjit7hxVIeAmyMw3jegXR4dhYqLaQF5zMXZxY7tLpMyJeLjr1C4rLmkVe8g==
--- a/examples/tests/config/package.json
+++ b/examples/tests/config/package.json
@@ -4,6 +4,6 @@
    "@types/node": "^20.0.0"
  },
  "dependencies": {
-    "@pulumi/pulumi": "3.184.0"
+    "@pulumi/pulumi": "3.211.0"
  }
 }
--- a/examples/upgrade-node/package.json
+++ b/examples/upgrade-node/package.json
@@ -5,6 +5,6 @@
  },
  "dependencies": {
    "typescript": "^4.0.0",
-    "@pulumi/pulumi": "3.184.0"
+    "@pulumi/pulumi": "3.211.0"
  }
 }
--- a/go.mod
+++ b/go.mod
@@ -16,14 +16,14 @@ require (
 	github.com/otiai10/copy v1.14.0
 	github.com/pulumi/providertest v0.3.1
 	github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3 v3.0.0-20250806132441-44ca9a522cef
-	github.com/pulumi/pulumi-go-provider v1.1.0
+	github.com/pulumi/pulumi-go-provider v1.1.2
 	github.com/pulumi/pulumi-java/pkg v1.16.0
 	github.com/pulumi/pulumi-yaml v1.21.2
-	github.com/pulumi/pulumi/pkg/v3 v3.187.0
+	github.com/pulumi/pulumi/pkg/v3 v3.192.0
 	github.com/pulumi/pulumi/sdk/go/pulumi-language-go/v3 v3.0.0-20250806165243-bee5e4fa4815
 	github.com/pulumi/pulumi/sdk/nodejs/cmd/pulumi-language-nodejs/v3 v3.0.0-20250806165243-bee5e4fa4815
 	github.com/pulumi/pulumi/sdk/python/cmd/pulumi-language-python/v3 v3.0.0-20250806165243-bee5e4fa4815
-	github.com/pulumi/pulumi/sdk/v3 v3.187.0
+	github.com/pulumi/pulumi/sdk/v3 v3.192.0
 	github.com/regclient/regclient v0.7.1
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/afero v1.14.0
@@ -34,8 +34,8 @@ require (
 	go.opentelemetry.io/otel/sdk v1.36.0
 	go.opentelemetry.io/otel/trace v1.36.0
 	go.uber.org/mock v0.5.2
-	golang.org/x/crypto v0.39.0
+	golang.org/x/crypto v0.45.0
-	golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0
+	golang.org/x/exp v0.0.0-20250718183923-645b1fa84792
 	google.golang.org/protobuf v1.36.6
 	gopkg.in/yaml.v3 v3.0.1
 )
@@ -140,7 +140,7 @@ require (
 	github.com/compose-spec/compose-go/v2 v2.4.8 // indirect
 	github.com/containerd/console v1.0.4 // indirect
 	github.com/containerd/containerd/api v1.8.0 // indirect
-	github.com/containerd/containerd/v2 v2.0.3 // indirect
+	github.com/containerd/containerd/v2 v2.0.7 // indirect
 	github.com/containerd/continuity v0.4.5 // indirect
 	github.com/containerd/errdefs v1.0.0 // indirect
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
@@ -198,7 +198,7 @@ require (
 	github.com/go-toolsmith/astp v1.1.0 // indirect
 	github.com/go-toolsmith/strparse v1.1.0 // indirect
 	github.com/go-toolsmith/typep v1.1.0 // indirect
-	github.com/go-viper/mapstructure/v2 v2.0.0 // indirect
+	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/go-xmlfmt/xmlfmt v1.1.2 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/godbus/dbus/v5 v5.1.0 // indirect
@@ -342,6 +342,7 @@ require (
 	github.com/pgavlin/aho-corasick v0.5.1 // indirect
 	github.com/pgavlin/diff v0.0.0-20230503175810-113847418e2e // indirect
 	github.com/pgavlin/fx v0.1.6 // indirect
 	github.com/pgavlin/fx/v2 v2.0.3 // indirect
 	github.com/pgavlin/goldmark v1.1.33-0.20200616210433-b5eb04559386 // indirect
 	github.com/pgavlin/text v0.0.0-20240821195002-b51d0990e284 // indirect
 	github.com/pjbgf/sha1cd v0.3.2 // indirect
@@ -357,7 +358,7 @@ require (
 	github.com/prometheus/common v0.55.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 // indirect
-	github.com/pulumi/esc v0.17.0 // indirect
+	github.com/pulumi/esc v0.20.0 // indirect
 	github.com/pulumi/inflector v0.2.1 // indirect
 	github.com/quasilyte/go-ruleguard v0.4.2 // indirect
 	github.com/quasilyte/go-ruleguard/dsl v0.3.22 // indirect
@@ -418,7 +419,7 @@ require (
 	github.com/tonistiigi/vt100 v0.0.0-20240514184818-90bafcd6abab // indirect
 	github.com/uber/jaeger-client-go v2.30.0+incompatible // indirect
 	github.com/uber/jaeger-lib v2.4.1+incompatible // indirect
-	github.com/ulikunitz/xz v0.5.12 // indirect
+	github.com/ulikunitz/xz v0.5.15 // indirect
 	github.com/ultraware/funlen v0.1.0 // indirect
 	github.com/ultraware/whitespace v0.1.1 // indirect
 	github.com/uudashr/gocognit v1.1.2 // indirect
@@ -432,7 +433,7 @@ require (
 	github.com/yagipy/maintidx v1.0.0 // indirect
 	github.com/yeya24/promlinter v0.3.0 // indirect
 	github.com/ykadowak/zerologlint v0.1.5 // indirect
-	github.com/yuin/goldmark v1.5.2 // indirect
+	github.com/yuin/goldmark v1.7.13 // indirect
 	github.com/yuin/goldmark-emoji v1.0.1 // indirect
 	github.com/yusufpapurcu/wmi v1.2.4 // indirect
 	github.com/zclconf/go-cty v1.16.3 // indirect
@@ -460,15 +461,17 @@ require (
 	gocloud.dev v0.37.0 // indirect
 	gocloud.dev/secrets/hashivault v0.37.0 // indirect
 	golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f // indirect
-	golang.org/x/mod v0.25.0 // indirect
+	golang.org/x/mod v0.29.0 // indirect
-	golang.org/x/net v0.40.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
 	golang.org/x/oauth2 v0.30.0 // indirect
-	golang.org/x/sync v0.15.0 // indirect
+	golang.org/x/sync v0.18.0 // indirect
-	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
-	golang.org/x/term v0.32.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
-	golang.org/x/text v0.26.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
-	golang.org/x/time v0.6.0 // indirect
+	golang.org/x/time v0.12.0 // indirect
-	golang.org/x/tools v0.33.0 // indirect
+	golang.org/x/tools v0.38.0 // indirect
 	golang.org/x/tools/go/expect v0.1.1-deprecated // indirect
 	golang.org/x/tools/godoc v0.1.0-deprecated // indirect
 	golang.org/x/xerrors v0.0.0-20231012003039-104605ab7028 // indirect
 	google.golang.org/api v0.169.0 // indirect
 	google.golang.org/genproto v0.0.0-20240311173647-c811ad7063a7 // indirect
--- a/go.sum
+++ b/go.sum
@@ -245,8 +245,8 @@ github.com/containerd/console v1.0.4 h1:F2g4+oChYvBTsASRTz8NP6iIAi97J3TtSAsLbIFn
 github.com/containerd/console v1.0.4/go.mod h1:YynlIjWYF8myEu6sdkwKIvGQq+cOckRm6So2avqoYAk=
 github.com/containerd/containerd/api v1.8.0 h1:hVTNJKR8fMc/2Tiw60ZRijntNMd1U+JVMyTRdsD2bS0=
 github.com/containerd/containerd/api v1.8.0/go.mod h1:dFv4lt6S20wTu/hMcP4350RL87qPWLVa/OHOwmmdnYc=
-github.com/containerd/containerd/v2 v2.0.3 h1:zBKgwgZsuu+LPCMzCLgA4sC4MiZzZ59ZT31XkmiISQM=
+github.com/containerd/containerd/v2 v2.0.7 h1:55JsNhqP/L7VZOijyfq6Qn0O8Oeff0UizfRuP+2pc90=
-github.com/containerd/containerd/v2 v2.0.3/go.mod h1:5j9QUUaV/cy9ZeAx4S+8n9ffpf+iYnEj4jiExgcbuLY=
+github.com/containerd/containerd/v2 v2.0.7/go.mod h1:su8B0Z1NFQMEIztOIbHwy7xtznbCms/kFlfsxIcQrZ8=
 github.com/containerd/continuity v0.4.5 h1:ZRoN1sXq9u7V6QoHMcVWGhOwDFqZ4B9i5H6un1Wh0x4=
 github.com/containerd/continuity v0.4.5/go.mod h1:/lNJvtJKUQStBzpVQ1+rasXO1LAWtUQssk28EZvJ3nE=
 github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
@@ -424,8 +424,8 @@ github.com/go-toolsmith/strparse v1.1.0 h1:GAioeZUK9TGxnLS+qfdqNbA4z0SSm5zVNtCQi
 github.com/go-toolsmith/strparse v1.1.0/go.mod h1:7ksGy58fsaQkGQlY8WVoBFNyEPMGuJin1rfoPS4lBSQ=
 github.com/go-toolsmith/typep v1.1.0 h1:fIRYDyF+JywLfqzyhdiHzRop/GQDxxNhLGQ6gFUNHus=
 github.com/go-toolsmith/typep v1.1.0/go.mod h1:fVIw+7zjdsMxDA3ITWnH1yOiw1rnTQKCsF/sk2H/qig=
-github.com/go-viper/mapstructure/v2 v2.0.0 h1:dhn8MZ1gZ0mzeodTG3jt5Vj/o87xZKuNAprG2mQfMfc=
+github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
-github.com/go-viper/mapstructure/v2 v2.0.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
+github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/go-xmlfmt/xmlfmt v1.1.2 h1:Nea7b4icn8s57fTx1M5AI4qQT5HEM3rVUO8MuE6g80U=
 github.com/go-xmlfmt/xmlfmt v1.1.2/go.mod h1:aUCEOzzezBEjDBbFBoSiya/gduyIiWYRP6CnSFIV8AM=
 github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y=
@@ -888,30 +888,30 @@ github.com/prometheus/procfs v0.15.1 h1:YagwOFzUgYfKKHX6Dr+sHT7km/hxC76UB0leargg
 github.com/prometheus/procfs v0.15.1/go.mod h1:fB45yRUv8NstnjriLhBQLuOUt+WW4BsoGhij/e3PBqk=
 github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 h1:vkHw5I/plNdTr435cARxCW6q9gc0S/Yxz7Mkd38pOb0=
 github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231/go.mod h1:murToZ2N9hNJzewjHBgfFdXhZKjY3z5cYC1VXk+lbFE=
-github.com/pulumi/esc v0.17.0 h1:oaVOIyFTENlYDuqc3pW75lQT9jb2cd6ie/4/Twxn66w=
+github.com/pulumi/esc v0.20.0 h1:LZn4sjAsI76x10ZuZXXyh2ExGcP7AHmjOzCi/p3/fpQ=
-github.com/pulumi/esc v0.17.0/go.mod h1:XnSxlt5NkmuAj304l/gK4pRErFbtqq6XpfX1tYT9Jbc=
+github.com/pulumi/esc v0.20.0/go.mod h1:h1VjdedI0K84MhMzaR9ZKbEpU6SfZMOZF4ZrVgQyNLY=
 github.com/pulumi/inflector v0.2.1 h1:bqyiish3tq//vLeLiEstSFE5K7RNjy/ce47ed4QATu8=
 github.com/pulumi/inflector v0.2.1/go.mod h1:HUFCjcPTz96YtTuUlwG3i3EZG4WlniBvR9bd+iJxCUY=
 github.com/pulumi/providertest v0.3.1 h1:vlftr7TZlObh81mL88IhhF0/9ZbLrZZos4NAvR4HUUw=
 github.com/pulumi/providertest v0.3.1/go.mod h1:fFHUP4/9DRyYnHWiRnwcynMtM/a7hHR/QcJfcuZKO3A=
 github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3 v3.0.0-20250806132441-44ca9a522cef h1:cxRa9R9To6OYKacIG2Em6zcM7BDNr6joC43uiV1lSVY=
 github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3 v3.0.0-20250806132441-44ca9a522cef/go.mod h1:VLcnE1lj92EfRi7CRMzdPkQ9OQvrlg2upJM1lBZzNmg=
-github.com/pulumi/pulumi-go-provider v1.1.0 h1:TNrLoQ7LrT6Z2xPbspJKXE3pKZsz+pCVo62zKFGxjBI=
+github.com/pulumi/pulumi-go-provider v1.1.2 h1:NUQDXaftBDFTPMBPwxo8FhJUX0ymkv6a1XiXTnCDpvg=
-github.com/pulumi/pulumi-go-provider v1.1.0/go.mod h1:bWvFWytb2ULBefjDW/YG+GcjHbzVojwtl1RW5afMvR0=
+github.com/pulumi/pulumi-go-provider v1.1.2/go.mod h1:3lNIuxT/BArFyiKrVfv+UT7gMMtplss7V69KuBZ4zIk=
 github.com/pulumi/pulumi-java/pkg v1.16.0 h1:8KCiIXWv2uxfIks0SdgOezyXg4HZIoPfHID9eMg4nuM=
 github.com/pulumi/pulumi-java/pkg v1.16.0/go.mod h1:VeMZ1s9LfXBypao4A1tRF3EB7fYnYZ1LwImyg6FBX0c=
 github.com/pulumi/pulumi-yaml v1.21.2 h1:czqC5AazinfX6Bj0nqAAQ6x/Cr8/3oUz3HUjJg6tJ4o=
 github.com/pulumi/pulumi-yaml v1.21.2/go.mod h1:KOqDnuJksfIq8belFVFN3IEI4r0NgW69M0QPSj54On4=
-github.com/pulumi/pulumi/pkg/v3 v3.187.0 h1:VTbireKCxG/wKPX3slHNb3Zk3xKMr5CvcvjH8194H2I=
+github.com/pulumi/pulumi/pkg/v3 v3.192.0 h1:gZRMPaNpW+VN3ng3h9r8De8wI0keWC9fIP0rcUDatMA=
-github.com/pulumi/pulumi/pkg/v3 v3.187.0/go.mod h1:3y5nyMg62dd+DBzYW/P4d+Ye9pJ/zhJd+aGzMzfUL1g=
+github.com/pulumi/pulumi/pkg/v3 v3.192.0/go.mod h1:+Zp3EzjzGW4PlcW8oITZgeOfFzIVbLWvHtUVixvGQcs=
 github.com/pulumi/pulumi/sdk/go/pulumi-language-go/v3 v3.0.0-20250806165243-bee5e4fa4815 h1:tipGG4aEPejP424igQYxJ6TOtWVtZJa0z679oIv00ho=
 github.com/pulumi/pulumi/sdk/go/pulumi-language-go/v3 v3.0.0-20250806165243-bee5e4fa4815/go.mod h1:V2MMs29cFeGBdZyFKxNqTGVfBgDLhIOGfrXOxheieuI=
 github.com/pulumi/pulumi/sdk/nodejs/cmd/pulumi-language-nodejs/v3 v3.0.0-20250806165243-bee5e4fa4815 h1:+QJTFK7UcOFTYCg3XaSTrRZHWJ6Hqza8w9oADa4pPcM=
 github.com/pulumi/pulumi/sdk/nodejs/cmd/pulumi-language-nodejs/v3 v3.0.0-20250806165243-bee5e4fa4815/go.mod h1:0kA9b5LsaXLEKQzo0o9UUsHtZkACthHYLyBVUDUVMxc=
 github.com/pulumi/pulumi/sdk/python/cmd/pulumi-language-python/v3 v3.0.0-20250806165243-bee5e4fa4815 h1:bkvtySMos0ij3fWZWZaU5sVrvGvU0dZCusoxpgEtX6I=
 github.com/pulumi/pulumi/sdk/python/cmd/pulumi-language-python/v3 v3.0.0-20250806165243-bee5e4fa4815/go.mod h1:SJtr0N/XFyelI7M7U0UbJXr15pgEdSmpN40cglTsRTA=
-github.com/pulumi/pulumi/sdk/v3 v3.187.0 h1:BflBBeD/qaoKN4Tov11g4aHzJ7pTXBSb8otgmteRer0=
+github.com/pulumi/pulumi/sdk/v3 v3.192.0 h1:sfHuR3P02wSbV3xdSMEQ0+uC/HzlMz0YfKrVAXy1hSQ=
-github.com/pulumi/pulumi/sdk/v3 v3.187.0/go.mod h1:BnpKxUc6QlxqoCqobHNZsUuIuY27H6ZFUk0Cp+0JN5U=
+github.com/pulumi/pulumi/sdk/v3 v3.192.0/go.mod h1:aV0+c5xpSYccWKmOjTZS9liYCqh7+peu3cQgSXu7CJw=
 github.com/quasilyte/go-ruleguard v0.4.2 h1:htXcXDK6/rO12kiTHKfHuqR4kr3Y4M0J0rOL6CH/BYs=
 github.com/quasilyte/go-ruleguard v0.4.2/go.mod h1:GJLgqsLeo4qgavUoL8JeGFNS7qcisx3awV/w9eWTmNI=
 github.com/quasilyte/go-ruleguard/dsl v0.3.22 h1:wd8zkOhSNr+I+8Qeciml08ivDt1pSXe60+5DqOpCjPE=
@@ -1083,8 +1083,8 @@ github.com/uber/jaeger-client-go v2.30.0+incompatible h1:D6wyKGCecFaSRUpo8lCVbaO
 github.com/uber/jaeger-client-go v2.30.0+incompatible/go.mod h1:WVhlPFC8FDjOFMMWRy2pZqQJSXxYSwNYOkTr/Z6d3Kk=
 github.com/uber/jaeger-lib v2.4.1+incompatible h1:td4jdvLcExb4cBISKIpHuGoVXh+dVKhn2Um6rjCsSsg=
 github.com/uber/jaeger-lib v2.4.1+incompatible/go.mod h1:ComeNDZlWwrWnDv8aPp0Ba6+uUTzImX/AauajbLI56U=
-github.com/ulikunitz/xz v0.5.12 h1:37Nm15o69RwBkXM0J6A5OlE67RZTfzUxTj8fB3dfcsc=
+github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY=
-github.com/ulikunitz/xz v0.5.12/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
+github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14=
 github.com/ultraware/funlen v0.1.0 h1:BuqclbkY6pO+cvxoq7OsktIXZpgBSkYTQtmwhAK81vI=
 github.com/ultraware/funlen v0.1.0/go.mod h1:XJqmOQja6DpxarLj6Jj1U7JuoS8PvL4nEqDaQhy22p4=
 github.com/ultraware/whitespace v0.1.1 h1:bTPOGejYFulW3PkcrqkeQwOd6NKOOXvmGD9bo/Gk8VQ=
@@ -1122,8 +1122,9 @@ github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9dec
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.1/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yuin/goldmark v1.5.2 h1:ALmeCk/px5FSm1MAcFBAsVKZjDuMVj8Tm7FFIlMJnqU=
 github.com/yuin/goldmark v1.5.2/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yuin/goldmark v1.7.13 h1:GPddIs617DnBLFFVJFgpo1aBfe/4xcvMc3SB5t/D0pA=
 github.com/yuin/goldmark v1.7.13/go.mod h1:ip/1k0VRfGynBgxOz0yCqHrbZXhcjxyuS66Brc7iBKg=
 github.com/yuin/goldmark-emoji v1.0.1 h1:ctuWEyzGBwiucEqxzwe0SOYDXPAucOrE9NQC18Wa1os=
 github.com/yuin/goldmark-emoji v1.0.1/go.mod h1:2w1E6FEWLcDQkoTE+7HU6QF1F6SLlNGjRIBbIZQFqkQ=
 github.com/yusufpapurcu/wmi v1.2.4 h1:zFUKzehAFReQwLys1b/iSMl+JQGSCSjtVqQn9bBrPo0=
@@ -1204,11 +1205,11 @@ golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
 golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg=
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
-golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
-golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
-golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 h1:R84qjqJb5nVJMxqWYb3np9L5ZsaDtB+a39EqjV0JSUM=
+golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 h1:R9PFI6EUdfVKgwKjZef7QIwGcBKu86OEFpJ9nUEP2l4=
-golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0/go.mod h1:S9Xr4PYopiDyqSyp5NjCrhFrqg6A5zA2E/iPHPhqnS8=
+golang.org/x/exp v0.0.0-20250718183923-645b1fa84792/go.mod h1:A+z0yzpGtvnG90cToK5n2tu8UJVP2XUATh+r+sfOOOc=
 golang.org/x/exp/typeparams v0.0.0-20220428152302-39d4317da171/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/exp/typeparams v0.0.0-20230203172020-98cc5a0785f9/go.mod h1:AbB0pIl9nAr9wVwH+Z2ZpaocVmF5I4GyWCDIsVjR0bk=
 golang.org/x/exp/typeparams v0.0.0-20240314144324-c7f7c6466f7f h1:phY1HzDcf18Aq9A8KkmRtY9WvOFIxN8wgfvy6Zm1DV8=
@@ -1230,8 +1231,8 @@ golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
-golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
-golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1258,8 +1259,8 @@ golang.org/x/net v0.6.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
 golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.15.0/go.mod h1:idbUs1IY1+zTqbi8yxTbhexhEEk5ur9LInksu6HrEpk=
 golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY=
-golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
-golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
 golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
@@ -1275,8 +1276,8 @@ golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJ
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.3.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y=
 golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
-golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
-golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -1319,8 +1320,8 @@ golang.org/x/sys v0.11.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/sys v0.17.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
-golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
@@ -1331,8 +1332,8 @@ golang.org/x/term v0.8.0/go.mod h1:xPskH00ivmX89bAKVGSKKtLOWNx2+17Eiy94tnKShWo=
 golang.org/x/term v0.12.0/go.mod h1:owVbMEjm3cBLCHdkQu9b1opXd4ETQWc3BhuQGKgXgvU=
 golang.org/x/term v0.16.0/go.mod h1:yn7UURbUtPyrVJPGPq404EukNFxcm/foM+bV/bfcDsY=
 golang.org/x/term v0.17.0/go.mod h1:lLRBjIVuehSbZlaOtGMbcMncT+aqLLLmKrsjNrUguwk=
-golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
-golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
@@ -1344,10 +1345,10 @@ golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
 golang.org/x/text v0.9.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE=
 golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU=
-golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
-golang.org/x/time v0.6.0 h1:eTDhh4ZXt5Qf0augr54TN6suAUudPcawVZeIAPU7D4U=
+golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
-golang.org/x/time v0.6.0/go.mod h1:3BpzKBy/shNhVucY/MWOyx10tF3SFh9QdLuxbVysPQM=
+golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -1381,8 +1382,14 @@ golang.org/x/tools v0.5.0/go.mod h1:N+Kgy78s5I24c24dU8OfWNEotWjutIs8SnJvn5IDq+k=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
 golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/tools v0.17.0/go.mod h1:xsh6VxdV005rRVaS6SSAf9oiAqljS7UZUacMZ8Bnsps=
-golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
-golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
 golang.org/x/tools/go/expect v0.1.1-deprecated h1:jpBZDwmgPhXsKZC6WhL20P4b/wmnpsEAGHaNy0n/rJM=
 golang.org/x/tools/go/expect v0.1.1-deprecated/go.mod h1:eihoPOH+FgIqa3FpoTwguz/bVUSGBlGQU67vpBeOrBY=
 golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated h1:1h2MnaIAIXISqTFKdENegdpAgUXz6NrPEsbIeWaBRvM=
 golang.org/x/tools/go/packages/packagestest v0.1.1-deprecated/go.mod h1:RVAQXBGNv1ib0J382/DPCRS/BPnsGebyM1Gj5VSDpG8=
 golang.org/x/tools/godoc v0.1.0-deprecated h1:o+aZ1BOj6Hsx/GBdJO/s815sqftjSnrZZwyYTHODvtk=
 golang.org/x/tools/godoc v0.1.0-deprecated/go.mod h1:qM63CriJ961IHWmnWa9CjZnBndniPt4a3CK0PVB9bIg=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
--- a/mise.toml
+++ b/mise.toml
@@ -1,19 +0,0 @@
 # WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
 [tools]
 # Runtimes
 go = '1.21'
 node = '20'
 python = '3.11.8'
 dotnet = '8.0'
 # Corretto version used as Java SE/OpenJDK version no longer offered
 java = 'corretto-11'
 # Executable tools
 pulumi = 'latest'
 "go:github.com/pulumi/pulumictl/cmd/pulumictl" = 'latest'
 gradle = '7.6'
 [settings]
 experimental = true # Required for Go binaries (e.g. pulumictl).
--- a/provider/cmd/pulumi-resource-docker-build/schema.json
+++ b/provider/cmd/pulumi-resource-docker-build/schema.json
@@ -155,32 +155,12 @@
      ]
    },
    "docker-build:index:CacheFromGitHubActions": {
      "description": "Recommended for use with GitHub Actions workflows.\n\nAn action like `crazy-max/ghaction-github-runtime` is recommended to expose\nappropriate credentials to your GitHub workflow.",
      "properties": {
        "scope": {
          "type": "string",
          "description": "The scope to use for cache keys. Defaults to `buildkit`.\n\nThis should be set if building and caching multiple images in one\nworkflow, otherwise caches will overwrite each other.",
          "default": "buildkit"
        },
        "token": {
          "type": "string",
          "description": "The GitHub Actions token to use. This is not a personal access tokens\nand is typically generated automatically as part of each job.\n\nDefaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like\n`crazy-max/ghaction-github-runtime` is recommended to expose this\nenvironment variable to your jobs.",
          "default": "",
          "defaultInfo": {
            "environment": [
              "ACTIONS_RUNTIME_TOKEN"
            ]
          },
          "secret": true
        },
        "url": {
          "type": "string",
          "description": "The cache server URL to use for artifacts.\n\nDefaults to `$ACTIONS_CACHE_URL`, although a separate action like\n`crazy-max/ghaction-github-runtime` is recommended to expose this\nenvironment variable to your jobs.",
          "default": "",
          "defaultInfo": {
            "environment": [
              "ACTIONS_CACHE_URL"
            ]
          }
        }
      },
      "type": "object"
@@ -370,6 +350,7 @@
      ]
    },
    "docker-build:index:CacheToGitHubActions": {
      "description": "Recommended for use with GitHub Actions workflows.\n\nAn action like `crazy-max/ghaction-github-runtime` is recommended to expose\nappropriate credentials to your GitHub workflow.",
      "properties": {
        "ignoreError": {
          "type": "boolean",
@@ -385,27 +366,6 @@
          "type": "string",
          "description": "The scope to use for cache keys. Defaults to `buildkit`.\n\nThis should be set if building and caching multiple images in one\nworkflow, otherwise caches will overwrite each other.",
          "default": "buildkit"
        },
        "token": {
          "type": "string",
          "description": "The GitHub Actions token to use. This is not a personal access tokens\nand is typically generated automatically as part of each job.\n\nDefaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like\n`crazy-max/ghaction-github-runtime` is recommended to expose this\nenvironment variable to your jobs.",
          "default": "",
          "defaultInfo": {
            "environment": [
              "ACTIONS_RUNTIME_TOKEN"
            ]
          },
          "secret": true
        },
        "url": {
          "type": "string",
          "description": "The cache server URL to use for artifacts.\n\nDefaults to `$ACTIONS_CACHE_URL`, although a separate action like\n`crazy-max/ghaction-github-runtime` is recommended to expose this\nenvironment variable to your jobs.",
          "default": "",
          "defaultInfo": {
            "environment": [
              "ACTIONS_CACHE_URL"
            ]
          }
        }
      },
      "type": "object"
--- a/provider/internal/cache.go
+++ b/provider/internal/cache.go
@@ -17,6 +17,7 @@ package internal
 import (
 	"errors"
 	"fmt"
 	"os"
 	"strings"
 	controllerapi "github.com/docker/buildx/controller/pb"
@@ -148,33 +149,20 @@ func (c CacheWithOCI) String() string {
 // CacheFromGitHubActions pulls cache manifests from the GitHub actions cache.
 type CacheFromGitHubActions struct {
 	URL   string `pulumi:"url,optional"`
 	Token string `pulumi:"token,optional" provider:"secret"`
 	Scope string `pulumi:"scope,optional"`
 }
 // Annotate sets docstrings on CacheFromGitHubActions.
 func (c *CacheFromGitHubActions) Annotate(a infer.Annotator) {
-	a.SetDefault(&c.URL, "", "ACTIONS_CACHE_URL")
+	a.Describe(&c, dedent(`
-	a.SetDefault(&c.Token, "", "ACTIONS_RUNTIME_TOKEN")
+		Recommended for use with GitHub Actions workflows.
 		An action like "crazy-max/ghaction-github-runtime" is recommended to expose
 		appropriate credentials to your GitHub workflow.
 	`))
 	a.SetDefault(&c.Scope, "buildkit")
 	a.Describe(&c.URL, dedent(`
 		The cache server URL to use for artifacts.
 		Defaults to "$ACTIONS_CACHE_URL", although a separate action like
 		"crazy-max/ghaction-github-runtime" is recommended to expose this
 		environment variable to your jobs.
 	`))
 	a.Describe(&c.Token, dedent(`
 		The GitHub Actions token to use. This is not a personal access tokens
 		and is typically generated automatically as part of each job.
 		Defaults to "$ACTIONS_RUNTIME_TOKEN", although a separate action like
 		"crazy-max/ghaction-github-runtime" is recommended to expose this
 		environment variable to your jobs.
 	`))
 	a.Describe(&c.Scope, dedent(`
 		The scope to use for cache keys. Defaults to "buildkit".
@@ -191,11 +179,12 @@ func (c *CacheFromGitHubActions) String() string {
 	if c.Scope != "" {
 		parts = append(parts, "scope="+c.Scope)
 	}
-	if c.Token != "" {
+	// Preserving backwards compatibility with the old behaviour.
-		parts = append(parts, "token="+c.Token)
+	if token := os.Getenv("ACTIONS_RUNTIME_TOKEN"); token != "" {
 		parts = append(parts, "token="+token)
 	}
-	if c.URL != "" {
+	if url := os.Getenv("ACTIONS_CACHE_URL"); url != "" {
-		parts = append(parts, "url="+c.URL)
+		parts = append(parts, "url="+url)
 	}
 	return strings.Join(parts, ",")
 }
--- a/provider/internal/cache_test.go
+++ b/provider/internal/cache_test.go
@@ -24,14 +24,15 @@ import (
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 )
 //nolint:paralleltest // We don't call t.Parallel here to prevent environment corruption.
 func TestCacheString(t *testing.T) {
 	t.Parallel()
 	gzip := Gzip
 	tests := []struct {
-		name  string
+		name    string
-		given fmt.Stringer
+		arrange func(t *testing.T)
-		want  string
+		given   fmt.Stringer
 		want    string
 	}{
 		{
 			name: "s3",
@@ -55,7 +56,37 @@ func TestCacheString(t *testing.T) {
 		{
 			name:  "gha",
 			given: CacheTo{GHA: &CacheToGitHubActions{}},
-			want:  "type=gha",
+			arrange: func(t *testing.T) {
 				t.Setenv("ACTIONS_CACHE_URL", "")
 				t.Setenv("ACTIONS_RUNTIME_TOKEN", "")
 			},
 			want: "type=gha",
 		},
 		{
 			name: "gha-default-envs",
 			arrange: func(t *testing.T) {
 				t.Setenv("ACTIONS_CACHE_URL", "https://example.com")
 				t.Setenv("ACTIONS_RUNTIME_TOKEN", "token")
 			},
 			given: CacheTo{GHA: &CacheToGitHubActions{
 				CacheFromGitHubActions: CacheFromGitHubActions{
 					Scope: "scope",
 				},
 			}},
 			want: "type=gha,scope=scope,token=token,url=https://example.com",
 		},
 		{
 			name: "gha-with-scope",
 			arrange: func(t *testing.T) {
 				t.Setenv("ACTIONS_CACHE_URL", "")
 				t.Setenv("ACTIONS_RUNTIME_TOKEN", "")
 			},
 			given: CacheTo{GHA: &CacheToGitHubActions{
 				CacheFromGitHubActions: CacheFromGitHubActions{
 					Scope: "scope",
 				},
 			}},
 			want: "type=gha,scope=scope",
 		},
 		{
 			name:  "from-local",
@@ -121,9 +152,12 @@ func TestCacheString(t *testing.T) {
 		},
 	}
 	//nolint:paralleltest // We don't call t.Parallel here to prevent environment corruption.
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
+			if tt.arrange != nil {
 				tt.arrange(t)
 			}
 			actual := tt.given.String()
 			assert.Equal(t, tt.want, actual)
--- a/provider/internal/image_test.go
+++ b/provider/internal/image_test.go
@@ -917,8 +917,10 @@ func TestValidateImageArgs(t *testing.T) {
 			{
 				name: "gha environment",
 				envs: map[string]string{
-					"ACTIONS_CACHE_URL":     "test-cache-url",
+					"ACTIONS_CACHE_URL":        "test-cache-url",
-					"ACTIONS_RUNTIME_TOKEN": "test-runtime-token",
+					"ACTIONS_RUNTIME_TOKEN":    "test-runtime-token",
 					"ACTIONS_RESULTS_URL":      "test-results-url",
 					"ACTIONS_CACHE_SERVICE_V2": "true",
 				},
 				args: ImageArgs{
 					Context:   &BuildContext{Context: Context{Location: "testdata/noop"}},
@@ -930,15 +932,17 @@ func TestValidateImageArgs(t *testing.T) {
 				wantCacheFrom: &pb.CacheOptionsEntry{
 					Type: "gha",
 					Attrs: map[string]string{
-						"token": "test-runtime-token",
+						"token":  "test-runtime-token",
-						"url":   "test-cache-url",
+						"url":    "test-cache-url",
 						"url_v2": "test-results-url",
 					},
 				},
 				wantCacheTo: &pb.CacheOptionsEntry{
 					Type: "gha",
 					Attrs: map[string]string{
-						"token": "test-runtime-token",
+						"token":  "test-runtime-token",
-						"url":   "test-cache-url",
+						"url":    "test-cache-url",
 						"url_v2": "test-results-url",
 					},
 				},
 			},
--- a/scripts/get-versions.sh
+++ b/scripts/get-versions.sh
@@ -0,0 +1,55 @@
 #!/usr/bin/env bash
 set -euo pipefail
 # This script can be simplified to use go when https://github.com/jdx/mise/discussions/6374 is fixed
 # e.g. go list -m -f '{{.GoVersion}}'
 module_path="github.com/pulumi/pulumi/pkg/v3"
 go_mod_path="."
 gomod="go.mod"
 if [[ "$go_mod_path" != "" && "$go_mod_path" != "." ]]; then
  gomod="$go_mod_path/$gomod"
 fi
 if [[ ! -f "$gomod" ]]; then
  echo "missing $gomod" >&2
  exit 1
 fi
 raw_version=$(awk -v module="$module_path" '
    $1 == module || $2 == module {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^v[0-9]/) {
                sub(/^v/, "", $i)
                print $i
                exit
            }
        }
    }
 ' "$gomod")
 if [[ -z "${raw_version:-}" ]]; then
  echo "failed to determine Pulumi version from $gomod" >&2
  exit 1
 fi
 echo "PULUMI_VERSION_MISE=$raw_version"
 export PULUMI_VERSION_MISE=$raw_version
 # Prefer the toolchain directive if present, otherwise fall back to the `go` version line
 go_toolchain=$(awk '/^toolchain[[:space:]]+go[0-9]/{ print $2; exit }' "$gomod")
 if [[ -n "${go_toolchain:-}" ]]; then
  go_version=${go_toolchain#go}
 else
  go_version=$(awk '/^go[[:space:]]+[0-9]/{ print $2; exit }' "$gomod")
 fi
 if [[ -z "${go_version:-}" ]]; then
  echo "failed to determine Go version from $gomod" >&2
  exit 1
 fi
 echo "GO_VERSION_MISE=$go_version"
 export GO_VERSION_MISE=$go_version
--- a/sdk/dotnet/Inputs/CacheFromGitHubActionsArgs.cs
+++ b/sdk/dotnet/Inputs/CacheFromGitHubActionsArgs.cs
@@ -10,6 +10,12 @@ using Pulumi.Serialization;
 namespace Pulumi.DockerBuild.Inputs
 {
    /// <summary>
    /// Recommended for use with GitHub Actions workflows.
    /// 
    /// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
    /// appropriate credentials to your GitHub workflow.
    /// </summary>
    public sealed class CacheFromGitHubActionsArgs : global::Pulumi.ResourceArgs
    {
        /// <summary>
@@ -21,42 +27,9 @@ namespace Pulumi.DockerBuild.Inputs
        [Input("scope")]
        public Input<string>? Scope { get; set; }
        [Input("token")]
        private Input<string>? _token;
        /// <summary>
        /// The GitHub Actions token to use. This is not a personal access tokens
        /// and is typically generated automatically as part of each job.
        /// 
        /// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
        /// environment variable to your jobs.
        /// </summary>
        public Input<string>? Token
        {
            get => _token;
            set
            {
                var emptySecret = Output.CreateSecret(0);
                _token = Output.Tuple<Input<string>?, int>(value, emptySecret).Apply(t => t.Item1);
            }
        }
        /// <summary>
        /// The cache server URL to use for artifacts.
        /// 
        /// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
        /// environment variable to your jobs.
        /// </summary>
        [Input("url")]
        public Input<string>? Url { get; set; }
        public CacheFromGitHubActionsArgs()
        {
            Scope = "buildkit";
            Token = Utilities.GetEnv("ACTIONS_RUNTIME_TOKEN") ?? "";
            Url = Utilities.GetEnv("ACTIONS_CACHE_URL") ?? "";
        }
        public static new CacheFromGitHubActionsArgs Empty => new CacheFromGitHubActionsArgs();
    }
--- a/sdk/dotnet/Inputs/CacheToGitHubActionsArgs.cs
+++ b/sdk/dotnet/Inputs/CacheToGitHubActionsArgs.cs
@@ -10,6 +10,12 @@ using Pulumi.Serialization;
 namespace Pulumi.DockerBuild.Inputs
 {
    /// <summary>
    /// Recommended for use with GitHub Actions workflows.
    /// 
    /// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
    /// appropriate credentials to your GitHub workflow.
    /// </summary>
    public sealed class CacheToGitHubActionsArgs : global::Pulumi.ResourceArgs
    {
        /// <summary>
@@ -33,44 +39,11 @@ namespace Pulumi.DockerBuild.Inputs
        [Input("scope")]
        public Input<string>? Scope { get; set; }
        [Input("token")]
        private Input<string>? _token;
        /// <summary>
        /// The GitHub Actions token to use. This is not a personal access tokens
        /// and is typically generated automatically as part of each job.
        /// 
        /// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
        /// environment variable to your jobs.
        /// </summary>
        public Input<string>? Token
        {
            get => _token;
            set
            {
                var emptySecret = Output.CreateSecret(0);
                _token = Output.Tuple<Input<string>?, int>(value, emptySecret).Apply(t => t.Item1);
            }
        }
        /// <summary>
        /// The cache server URL to use for artifacts.
        /// 
        /// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
        /// environment variable to your jobs.
        /// </summary>
        [Input("url")]
        public Input<string>? Url { get; set; }
        public CacheToGitHubActionsArgs()
        {
            IgnoreError = false;
            Mode = Pulumi.DockerBuild.CacheMode.Min;
            Scope = "buildkit";
            Token = Utilities.GetEnv("ACTIONS_RUNTIME_TOKEN") ?? "";
            Url = Utilities.GetEnv("ACTIONS_CACHE_URL") ?? "";
        }
        public static new CacheToGitHubActionsArgs Empty => new CacheToGitHubActionsArgs();
    }
--- a/sdk/dotnet/Outputs/CacheFromGitHubActions.cs
+++ b/sdk/dotnet/Outputs/CacheFromGitHubActions.cs
@@ -10,6 +10,12 @@ using Pulumi.Serialization;
 namespace Pulumi.DockerBuild.Outputs
 {
    /// <summary>
    /// Recommended for use with GitHub Actions workflows.
    /// 
    /// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
    /// appropriate credentials to your GitHub workflow.
    /// </summary>
    [OutputType]
    public sealed class CacheFromGitHubActions
    {
@@ -20,35 +26,11 @@ namespace Pulumi.DockerBuild.Outputs
        /// workflow, otherwise caches will overwrite each other.
        /// </summary>
        public readonly string? Scope;
        /// <summary>
        /// The GitHub Actions token to use. This is not a personal access tokens
        /// and is typically generated automatically as part of each job.
        /// 
        /// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
        /// environment variable to your jobs.
        /// </summary>
        public readonly string? Token;
        /// <summary>
        /// The cache server URL to use for artifacts.
        /// 
        /// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
        /// environment variable to your jobs.
        /// </summary>
        public readonly string? Url;
        [OutputConstructor]
-        private CacheFromGitHubActions(
+        private CacheFromGitHubActions(string? scope)
            string? scope,
            string? token,
            string? url)
        {
            Scope = scope;
            Token = token;
            Url = url;
        }
    }
 }
--- a/sdk/dotnet/Outputs/CacheToGitHubActions.cs
+++ b/sdk/dotnet/Outputs/CacheToGitHubActions.cs
@@ -10,6 +10,12 @@ using Pulumi.Serialization;
 namespace Pulumi.DockerBuild.Outputs
 {
    /// <summary>
    /// Recommended for use with GitHub Actions workflows.
    /// 
    /// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
    /// appropriate credentials to your GitHub workflow.
    /// </summary>
    [OutputType]
    public sealed class CacheToGitHubActions
    {
@@ -28,23 +34,6 @@ namespace Pulumi.DockerBuild.Outputs
        /// workflow, otherwise caches will overwrite each other.
        /// </summary>
        public readonly string? Scope;
        /// <summary>
        /// The GitHub Actions token to use. This is not a personal access tokens
        /// and is typically generated automatically as part of each job.
        /// 
        /// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
        /// environment variable to your jobs.
        /// </summary>
        public readonly string? Token;
        /// <summary>
        /// The cache server URL to use for artifacts.
        /// 
        /// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
        /// environment variable to your jobs.
        /// </summary>
        public readonly string? Url;
        [OutputConstructor]
        private CacheToGitHubActions(
@@ -52,17 +41,11 @@ namespace Pulumi.DockerBuild.Outputs
            Pulumi.DockerBuild.CacheMode? mode,
-            string? scope,
+            string? scope)
            string? token,
            string? url)
        {
            IgnoreError = ignoreError;
            Mode = mode;
            Scope = scope;
            Token = token;
            Url = url;
        }
    }
 }
--- a/sdk/go/dockerbuild/go.mod
+++ b/sdk/go/dockerbuild/go.mod
@@ -4,7 +4,7 @@ go 1.24.1
 require (
 	github.com/blang/semver v3.5.1+incompatible
-	github.com/pulumi/pulumi/sdk/v3 v3.187.0
+	github.com/pulumi/pulumi/sdk/v3 v3.192.0
 )
 require (
@@ -58,12 +58,13 @@ require (
 	github.com/opentracing/basictracer-go v1.1.0 // indirect
 	github.com/opentracing/opentracing-go v1.2.0 // indirect
 	github.com/pgavlin/fx v0.1.6 // indirect
 	github.com/pgavlin/fx/v2 v2.0.3 // indirect
 	github.com/pjbgf/sha1cd v0.3.2 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pkg/term v1.1.0 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 // indirect
-	github.com/pulumi/esc v0.17.0 // indirect
+	github.com/pulumi/esc v0.20.0 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rogpeppe/go-internal v1.14.1 // indirect
 	github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 // indirect
@@ -80,18 +81,17 @@ require (
 	github.com/xanzy/ssh-agent v0.3.3 // indirect
 	github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect
 	github.com/zclconf/go-cty v1.16.3 // indirect
 	go.opentelemetry.io/otel v1.36.0 // indirect
 	go.opentelemetry.io/otel/sdk v1.36.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
-	golang.org/x/crypto v0.39.0 // indirect
+	golang.org/x/crypto v0.45.0 // indirect
-	golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 // indirect
+	golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 // indirect
-	golang.org/x/mod v0.25.0 // indirect
+	golang.org/x/mod v0.29.0 // indirect
-	golang.org/x/net v0.40.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
-	golang.org/x/sync v0.15.0 // indirect
+	golang.org/x/sync v0.18.0 // indirect
-	golang.org/x/sys v0.33.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
-	golang.org/x/term v0.32.0 // indirect
+	golang.org/x/term v0.37.0 // indirect
-	golang.org/x/text v0.26.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
-	golang.org/x/tools v0.33.0 // indirect
+	golang.org/x/tools v0.38.0 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250519155744-55703ea1f237 // indirect
 	google.golang.org/grpc v1.72.1 // indirect
 	google.golang.org/protobuf v1.36.6 // indirect
--- a/sdk/go/dockerbuild/go.sum
+++ b/sdk/go/dockerbuild/go.sum
@@ -162,10 +162,10 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRI
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 h1:vkHw5I/plNdTr435cARxCW6q9gc0S/Yxz7Mkd38pOb0=
 github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231/go.mod h1:murToZ2N9hNJzewjHBgfFdXhZKjY3z5cYC1VXk+lbFE=
-github.com/pulumi/esc v0.17.0 h1:oaVOIyFTENlYDuqc3pW75lQT9jb2cd6ie/4/Twxn66w=
+github.com/pulumi/esc v0.20.0 h1:LZn4sjAsI76x10ZuZXXyh2ExGcP7AHmjOzCi/p3/fpQ=
-github.com/pulumi/esc v0.17.0/go.mod h1:XnSxlt5NkmuAj304l/gK4pRErFbtqq6XpfX1tYT9Jbc=
+github.com/pulumi/esc v0.20.0/go.mod h1:h1VjdedI0K84MhMzaR9ZKbEpU6SfZMOZF4ZrVgQyNLY=
-github.com/pulumi/pulumi/sdk/v3 v3.187.0 h1:BflBBeD/qaoKN4Tov11g4aHzJ7pTXBSb8otgmteRer0=
+github.com/pulumi/pulumi/sdk/v3 v3.192.0 h1:sfHuR3P02wSbV3xdSMEQ0+uC/HzlMz0YfKrVAXy1hSQ=
-github.com/pulumi/pulumi/sdk/v3 v3.187.0/go.mod h1:BnpKxUc6QlxqoCqobHNZsUuIuY27H6ZFUk0Cp+0JN5U=
+github.com/pulumi/pulumi/sdk/v3 v3.192.0/go.mod h1:aV0+c5xpSYccWKmOjTZS9liYCqh7+peu3cQgSXu7CJw=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=
@@ -230,29 +230,29 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
 golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
-golang.org/x/crypto v0.39.0 h1:SHs+kF4LP+f+p14esP5jAoDpHU8Gu/v9lFRK6IT5imM=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
-golang.org/x/crypto v0.39.0/go.mod h1:L+Xg3Wf6HoL4Bn4238Z6ft6KfEpN0tJGo53AAPC632U=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
-golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0 h1:R84qjqJb5nVJMxqWYb3np9L5ZsaDtB+a39EqjV0JSUM=
+golang.org/x/exp v0.0.0-20250718183923-645b1fa84792 h1:R9PFI6EUdfVKgwKjZef7QIwGcBKu86OEFpJ9nUEP2l4=
-golang.org/x/exp v0.0.0-20250408133849-7e4ce0ab07d0/go.mod h1:S9Xr4PYopiDyqSyp5NjCrhFrqg6A5zA2E/iPHPhqnS8=
+golang.org/x/exp v0.0.0-20250718183923-645b1fa84792/go.mod h1:A+z0yzpGtvnG90cToK5n2tu8UJVP2XUATh+r+sfOOOc=
 golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
 golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
-golang.org/x/mod v0.25.0 h1:n7a+ZbQKQA/Ysbyb0/6IbB1H/X41mKgbhfv7AfG/44w=
+golang.org/x/mod v0.29.0 h1:HV8lRxZC4l2cr3Zq1LvtOsi/ThTgWnUk/y64QSs8GwA=
-golang.org/x/mod v0.25.0/go.mod h1:IXM97Txy2VM4PJ3gI61r1YEk/gAj6zAHN3AdZt6S9Ww=
+golang.org/x/mod v0.29.0/go.mod h1:NyhrlYXJ2H4eJiRy/WDBO6HMqZQ6q9nk4JzS3NuCK+w=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200421231249-e086a090c8fd/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
-golang.org/x/net v0.40.0 h1:79Xs7wF06Gbdcg4kdCCIQArK11Z1hr5POQ6+fIYHNuY=
+golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
-golang.org/x/net v0.40.0/go.mod h1:y0hY0exeL2Pku80/zKK7tpntoX23cqL3Oa6njdgRtds=
+golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
-golang.org/x/sync v0.15.0 h1:KWH3jNZsfyT6xfAfKiz6MRNmd46ByHDYaZ7KSkCtdW8=
+golang.org/x/sync v0.18.0 h1:kr88TuHDroi+UVf+0hZnirlk8o8T+4MrK6mr60WkH/I=
-golang.org/x/sync v0.15.0/go.mod h1:1dzgHSNfp02xaA81J2MS99Qcpr2w7fw1gpm99rleRqA=
+golang.org/x/sync v0.18.0/go.mod h1:9KTHXmSnoGruLpwFjVSX0lNNA75CykiMECbovNTZqGI=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -268,24 +268,24 @@ golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.33.0 h1:q3i8TbbEz+JRD9ywIRlyRAQbM0qF7hu24q3teo2hbuw=
+golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=
-golang.org/x/sys v0.33.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k=
+golang.org/x/sys v0.38.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
-golang.org/x/term v0.32.0 h1:DR4lr0TjUs3epypdhTOkMmuF5CDFJ/8pOnbzMZPQ7bg=
+golang.org/x/term v0.37.0 h1:8EGAD0qCmHYZg6J17DvsMy9/wJ7/D/4pV/wfnld5lTU=
-golang.org/x/term v0.32.0/go.mod h1:uZG1FhGx848Sqfsq4/DlJr3xGGsYMu/L5GW4abiaEPQ=
+golang.org/x/term v0.37.0/go.mod h1:5pB4lxRNYYVZuTLmy8oR2BH8dflOR+IbTYFD8fi3254=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
-golang.org/x/text v0.26.0 h1:P42AVeLghgTYr4+xUnTRKDMqpar+PtX7KWuNQL21L8M=
+golang.org/x/text v0.31.0 h1:aC8ghyu4JhP8VojJ2lEHBnochRno1sgL6nEi9WGFGMM=
-golang.org/x/text v0.26.0/go.mod h1:QK15LZJUUQVJxhz7wXgxSy/CJaTFjd0G+YLonydOVQA=
+golang.org/x/text v0.31.0/go.mod h1:tKRAlv61yKIjGGHX/4tP1LTbc13YSec1pxVEWXzfoeM=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20181030221726-6c7e314b6563/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
 golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.33.0 h1:4qz2S3zmRxbGIhDIAgjxvFutSvH5EfnsYrRBj0UI0bc=
+golang.org/x/tools v0.38.0 h1:Hx2Xv8hISq8Lm16jvBZ2VQf+RLmbd7wVUsALibYI/IQ=
-golang.org/x/tools v0.33.0/go.mod h1:CIJMaWEY88juyUfo7UbgPqbC8rU2OqfAV1h2Qp0oMYI=
+golang.org/x/tools v0.38.0/go.mod h1:yEsQ/d/YK8cjh0L6rZlY8tgtlKiBNTL14pGDJPJpYQs=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
--- a/sdk/go/dockerbuild/pulumiTypes.go
+++ b/sdk/go/dockerbuild/pulumiTypes.go
@@ -834,25 +834,16 @@ func (o CacheFromAzureBlobPtrOutput) SecretAccessKey() pulumi.StringPtrOutput {
 	}).(pulumi.StringPtrOutput)
 }
 // Recommended for use with GitHub Actions workflows.
 //
 // An action like `crazy-max/ghaction-github-runtime` is recommended to expose
 // appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActions struct {
 	// The scope to use for cache keys. Defaults to `buildkit`.
 	//
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope *string `pulumi:"scope"`
 	// The GitHub Actions token to use. This is not a personal access tokens
 	// and is typically generated automatically as part of each job.
 	//
 	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
 	// `crazy-max/ghaction-github-runtime` is recommended to expose this
 	// environment variable to your jobs.
 	Token *string `pulumi:"token"`
 	// The cache server URL to use for artifacts.
 	//
 	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
 	// `crazy-max/ghaction-github-runtime` is recommended to expose this
 	// environment variable to your jobs.
 	Url *string `pulumi:"url"`
 }
 // Defaults sets the appropriate defaults for CacheFromGitHubActions
@@ -865,18 +856,6 @@ func (val *CacheFromGitHubActions) Defaults() *CacheFromGitHubActions {
 		scope_ := "buildkit"
 		tmp.Scope = &scope_
 	}
 	if tmp.Token == nil {
 		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
 			token_ := d.(string)
 			tmp.Token = &token_
 		}
 	}
 	if tmp.Url == nil {
 		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
 			url_ := d.(string)
 			tmp.Url = &url_
 		}
 	}
 	return &tmp
 }
@@ -891,25 +870,16 @@ type CacheFromGitHubActionsInput interface {
 	ToCacheFromGitHubActionsOutputWithContext(context.Context) CacheFromGitHubActionsOutput
 }
 // Recommended for use with GitHub Actions workflows.
 //
 // An action like `crazy-max/ghaction-github-runtime` is recommended to expose
 // appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActionsArgs struct {
 	// The scope to use for cache keys. Defaults to `buildkit`.
 	//
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope pulumi.StringPtrInput `pulumi:"scope"`
 	// The GitHub Actions token to use. This is not a personal access tokens
 	// and is typically generated automatically as part of each job.
 	//
 	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
 	// `crazy-max/ghaction-github-runtime` is recommended to expose this
 	// environment variable to your jobs.
 	Token pulumi.StringPtrInput `pulumi:"token"`
 	// The cache server URL to use for artifacts.
 	//
 	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
 	// `crazy-max/ghaction-github-runtime` is recommended to expose this
 	// environment variable to your jobs.
 	Url pulumi.StringPtrInput `pulumi:"url"`
 }
 // Defaults sets the appropriate defaults for CacheFromGitHubActionsArgs
@@ -921,16 +891,6 @@ func (val *CacheFromGitHubActionsArgs) Defaults() *CacheFromGitHubActionsArgs {
 	if tmp.Scope == nil {
 		tmp.Scope = pulumi.StringPtr("buildkit")
 	}
 	if tmp.Token == nil {
 		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
 			tmp.Token = pulumi.StringPtr(d.(string))
 		}
 	}
 	if tmp.Url == nil {
 		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
 			tmp.Url = pulumi.StringPtr(d.(string))
 		}
 	}
 	return &tmp
 }
 func (CacheFromGitHubActionsArgs) ElementType() reflect.Type {
@@ -998,6 +958,10 @@ func (i *cacheFromGitHubActionsPtrType) ToOutput(ctx context.Context) pulumix.Ou
 	}
 }
 // Recommended for use with GitHub Actions workflows.
 //
 // An action like `crazy-max/ghaction-github-runtime` is recommended to expose
 // appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActionsOutput struct{ *pulumi.OutputState }
 func (CacheFromGitHubActionsOutput) ElementType() reflect.Type {
@@ -1036,25 +1000,6 @@ func (o CacheFromGitHubActionsOutput) Scope() pulumi.StringPtrOutput {
 	return o.ApplyT(func(v CacheFromGitHubActions) *string { return v.Scope }).(pulumi.StringPtrOutput)
 }
 // The GitHub Actions token to use. This is not a personal access tokens
 // and is typically generated automatically as part of each job.
 //
 // Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
 // `crazy-max/ghaction-github-runtime` is recommended to expose this
 // environment variable to your jobs.
 func (o CacheFromGitHubActionsOutput) Token() pulumi.StringPtrOutput {
 	return o.ApplyT(func(v CacheFromGitHubActions) *string { return v.Token }).(pulumi.StringPtrOutput)
 }
 // The cache server URL to use for artifacts.
 //
 // Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
 // `crazy-max/ghaction-github-runtime` is recommended to expose this
 // environment variable to your jobs.
 func (o CacheFromGitHubActionsOutput) Url() pulumi.StringPtrOutput {
 	return o.ApplyT(func(v CacheFromGitHubActions) *string { return v.Url }).(pulumi.StringPtrOutput)
 }
 type CacheFromGitHubActionsPtrOutput struct{ *pulumi.OutputState }
 func (CacheFromGitHubActionsPtrOutput) ElementType() reflect.Type {
@@ -1098,35 +1043,6 @@ func (o CacheFromGitHubActionsPtrOutput) Scope() pulumi.StringPtrOutput {
 	}).(pulumi.StringPtrOutput)
 }
 // The GitHub Actions token to use. This is not a personal access tokens
 // and is typically generated automatically as part of each job.
 //
 // Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
 // `crazy-max/ghaction-github-runtime` is recommended to expose this
 // environment variable to your jobs.
 func (o CacheFromGitHubActionsPtrOutput) Token() pulumi.StringPtrOutput {
 	return o.ApplyT(func(v *CacheFromGitHubActions) *string {
 		if v == nil {
 			return nil
 		}
 		return v.Token
 	}).(pulumi.StringPtrOutput)
 }
 // The cache server URL to use for artifacts.
 //
 // Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
 // `crazy-max/ghaction-github-runtime` is recommended to expose this
 // environment variable to your jobs.
 func (o CacheFromGitHubActionsPtrOutput) Url() pulumi.StringPtrOutput {
 	return o.ApplyT(func(v *CacheFromGitHubActions) *string {
 		if v == nil {
 			return nil
 		}
 		return v.Url
 	}).(pulumi.StringPtrOutput)
 }
 type CacheFromLocal struct {
 	// Digest of manifest to import.
 	Digest *string `pulumi:"digest"`
@@ -2361,6 +2277,10 @@ func (o CacheToAzureBlobPtrOutput) SecretAccessKey() pulumi.StringPtrOutput {
 	}).(pulumi.StringPtrOutput)
 }
 // Recommended for use with GitHub Actions workflows.
 //
 // An action like `crazy-max/ghaction-github-runtime` is recommended to expose
 // appropriate credentials to your GitHub workflow.
 type CacheToGitHubActions struct {
 	// Ignore errors caused by failed cache exports.
 	IgnoreError *bool `pulumi:"ignoreError"`
@@ -2371,19 +2291,6 @@ type CacheToGitHubActions struct {
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope *string `pulumi:"scope"`
 	// The GitHub Actions token to use. This is not a personal access tokens
 	// and is typically generated automatically as part of each job.
 	//
 	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
 	// `crazy-max/ghaction-github-runtime` is recommended to expose this
 	// environment variable to your jobs.
 	Token *string `pulumi:"token"`
 	// The cache server URL to use for artifacts.
 	//
 	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
 	// `crazy-max/ghaction-github-runtime` is recommended to expose this
 	// environment variable to your jobs.
 	Url *string `pulumi:"url"`
 }
 // Defaults sets the appropriate defaults for CacheToGitHubActions
@@ -2404,18 +2311,6 @@ func (val *CacheToGitHubActions) Defaults() *CacheToGitHubActions {
 		scope_ := "buildkit"
 		tmp.Scope = &scope_
 	}
 	if tmp.Token == nil {
 		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
 			token_ := d.(string)
 			tmp.Token = &token_
 		}
 	}
 	if tmp.Url == nil {
 		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
 			url_ := d.(string)
 			tmp.Url = &url_
 		}
 	}
 	return &tmp
 }
@@ -2430,6 +2325,10 @@ type CacheToGitHubActionsInput interface {
 	ToCacheToGitHubActionsOutputWithContext(context.Context) CacheToGitHubActionsOutput
 }
 // Recommended for use with GitHub Actions workflows.
 //
 // An action like `crazy-max/ghaction-github-runtime` is recommended to expose
 // appropriate credentials to your GitHub workflow.
 type CacheToGitHubActionsArgs struct {
 	// Ignore errors caused by failed cache exports.
 	IgnoreError pulumi.BoolPtrInput `pulumi:"ignoreError"`
@@ -2440,19 +2339,6 @@ type CacheToGitHubActionsArgs struct {
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope pulumi.StringPtrInput `pulumi:"scope"`
 	// The GitHub Actions token to use. This is not a personal access tokens
 	// and is typically generated automatically as part of each job.
 	//
 	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
 	// `crazy-max/ghaction-github-runtime` is recommended to expose this
 	// environment variable to your jobs.
 	Token pulumi.StringPtrInput `pulumi:"token"`
 	// The cache server URL to use for artifacts.
 	//
 	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
 	// `crazy-max/ghaction-github-runtime` is recommended to expose this
 	// environment variable to your jobs.
 	Url pulumi.StringPtrInput `pulumi:"url"`
 }
 // Defaults sets the appropriate defaults for CacheToGitHubActionsArgs
@@ -2470,16 +2356,6 @@ func (val *CacheToGitHubActionsArgs) Defaults() *CacheToGitHubActionsArgs {
 	if tmp.Scope == nil {
 		tmp.Scope = pulumi.StringPtr("buildkit")
 	}
 	if tmp.Token == nil {
 		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
 			tmp.Token = pulumi.StringPtr(d.(string))
 		}
 	}
 	if tmp.Url == nil {
 		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
 			tmp.Url = pulumi.StringPtr(d.(string))
 		}
 	}
 	return &tmp
 }
 func (CacheToGitHubActionsArgs) ElementType() reflect.Type {
@@ -2547,6 +2423,10 @@ func (i *cacheToGitHubActionsPtrType) ToOutput(ctx context.Context) pulumix.Outp
 	}
 }
 // Recommended for use with GitHub Actions workflows.
 //
 // An action like `crazy-max/ghaction-github-runtime` is recommended to expose
 // appropriate credentials to your GitHub workflow.
 type CacheToGitHubActionsOutput struct{ *pulumi.OutputState }
 func (CacheToGitHubActionsOutput) ElementType() reflect.Type {
@@ -2595,25 +2475,6 @@ func (o CacheToGitHubActionsOutput) Scope() pulumi.StringPtrOutput {
 	return o.ApplyT(func(v CacheToGitHubActions) *string { return v.Scope }).(pulumi.StringPtrOutput)
 }
 // The GitHub Actions token to use. This is not a personal access tokens
 // and is typically generated automatically as part of each job.
 //
 // Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
 // `crazy-max/ghaction-github-runtime` is recommended to expose this
 // environment variable to your jobs.
 func (o CacheToGitHubActionsOutput) Token() pulumi.StringPtrOutput {
 	return o.ApplyT(func(v CacheToGitHubActions) *string { return v.Token }).(pulumi.StringPtrOutput)
 }
 // The cache server URL to use for artifacts.
 //
 // Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
 // `crazy-max/ghaction-github-runtime` is recommended to expose this
 // environment variable to your jobs.
 func (o CacheToGitHubActionsOutput) Url() pulumi.StringPtrOutput {
 	return o.ApplyT(func(v CacheToGitHubActions) *string { return v.Url }).(pulumi.StringPtrOutput)
 }
 type CacheToGitHubActionsPtrOutput struct{ *pulumi.OutputState }
 func (CacheToGitHubActionsPtrOutput) ElementType() reflect.Type {
@@ -2677,35 +2538,6 @@ func (o CacheToGitHubActionsPtrOutput) Scope() pulumi.StringPtrOutput {
 	}).(pulumi.StringPtrOutput)
 }
 // The GitHub Actions token to use. This is not a personal access tokens
 // and is typically generated automatically as part of each job.
 //
 // Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
 // `crazy-max/ghaction-github-runtime` is recommended to expose this
 // environment variable to your jobs.
 func (o CacheToGitHubActionsPtrOutput) Token() pulumi.StringPtrOutput {
 	return o.ApplyT(func(v *CacheToGitHubActions) *string {
 		if v == nil {
 			return nil
 		}
 		return v.Token
 	}).(pulumi.StringPtrOutput)
 }
 // The cache server URL to use for artifacts.
 //
 // Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
 // `crazy-max/ghaction-github-runtime` is recommended to expose this
 // environment variable to your jobs.
 func (o CacheToGitHubActionsPtrOutput) Url() pulumi.StringPtrOutput {
 	return o.ApplyT(func(v *CacheToGitHubActions) *string {
 		if v == nil {
 			return nil
 		}
 		return v.Url
 	}).(pulumi.StringPtrOutput)
 }
 // Include an inline cache with the exported image.
 type CacheToInline struct {
 }
--- a/sdk/go/dockerbuild/x/pulumiTypes.go
+++ b/sdk/go/dockerbuild/x/pulumiTypes.go
@@ -393,25 +393,16 @@ func (o CacheFromAzureBlobOutput) SecretAccessKey() pulumix.Output[*string] {
 	return pulumix.Apply[CacheFromAzureBlob](o, func(v CacheFromAzureBlob) *string { return v.SecretAccessKey })
 }
 // Recommended for use with GitHub Actions workflows.
 //
 // An action like `crazy-max/ghaction-github-runtime` is recommended to expose
 // appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActions struct {
 	// The scope to use for cache keys. Defaults to `buildkit`.
 	//
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope *string `pulumi:"scope"`
 	// The GitHub Actions token to use. This is not a personal access tokens
 	// and is typically generated automatically as part of each job.
 	//
 	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
 	// `crazy-max/ghaction-github-runtime` is recommended to expose this
 	// environment variable to your jobs.
 	Token *string `pulumi:"token"`
 	// The cache server URL to use for artifacts.
 	//
 	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
 	// `crazy-max/ghaction-github-runtime` is recommended to expose this
 	// environment variable to your jobs.
 	Url *string `pulumi:"url"`
 }
 // Defaults sets the appropriate defaults for CacheFromGitHubActions
@@ -424,40 +415,19 @@ func (val *CacheFromGitHubActions) Defaults() *CacheFromGitHubActions {
 		scope_ := "buildkit"
 		tmp.Scope = &scope_
 	}
 	if tmp.Token == nil {
 		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
 			token_ := d.(string)
 			tmp.Token = &token_
 		}
 	}
 	if tmp.Url == nil {
 		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
 			url_ := d.(string)
 			tmp.Url = &url_
 		}
 	}
 	return &tmp
 }
 // Recommended for use with GitHub Actions workflows.
 //
 // An action like `crazy-max/ghaction-github-runtime` is recommended to expose
 // appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActionsArgs struct {
 	// The scope to use for cache keys. Defaults to `buildkit`.
 	//
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope pulumix.Input[*string] `pulumi:"scope"`
 	// The GitHub Actions token to use. This is not a personal access tokens
 	// and is typically generated automatically as part of each job.
 	//
 	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
 	// `crazy-max/ghaction-github-runtime` is recommended to expose this
 	// environment variable to your jobs.
 	Token pulumix.Input[*string] `pulumi:"token"`
 	// The cache server URL to use for artifacts.
 	//
 	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
 	// `crazy-max/ghaction-github-runtime` is recommended to expose this
 	// environment variable to your jobs.
 	Url pulumix.Input[*string] `pulumi:"url"`
 }
 // Defaults sets the appropriate defaults for CacheFromGitHubActionsArgs
@@ -469,16 +439,6 @@ func (val *CacheFromGitHubActionsArgs) Defaults() *CacheFromGitHubActionsArgs {
 	if tmp.Scope == nil {
 		tmp.Scope = pulumix.Ptr("buildkit")
 	}
 	if tmp.Token == nil {
 		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
 			tmp.Token = pulumix.Ptr(d.(string))
 		}
 	}
 	if tmp.Url == nil {
 		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
 			tmp.Url = pulumix.Ptr(d.(string))
 		}
 	}
 	return &tmp
 }
 func (CacheFromGitHubActionsArgs) ElementType() reflect.Type {
@@ -497,6 +457,10 @@ func (i *CacheFromGitHubActionsArgs) ToOutput(ctx context.Context) pulumix.Outpu
 	return pulumix.Val(i)
 }
 // Recommended for use with GitHub Actions workflows.
 //
 // An action like `crazy-max/ghaction-github-runtime` is recommended to expose
 // appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActionsOutput struct{ *pulumi.OutputState }
 func (CacheFromGitHubActionsOutput) ElementType() reflect.Type {
@@ -525,25 +489,6 @@ func (o CacheFromGitHubActionsOutput) Scope() pulumix.Output[*string] {
 	return pulumix.Apply[CacheFromGitHubActions](o, func(v CacheFromGitHubActions) *string { return v.Scope })
 }
 // The GitHub Actions token to use. This is not a personal access tokens
 // and is typically generated automatically as part of each job.
 //
 // Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
 // `crazy-max/ghaction-github-runtime` is recommended to expose this
 // environment variable to your jobs.
 func (o CacheFromGitHubActionsOutput) Token() pulumix.Output[*string] {
 	return pulumix.Apply[CacheFromGitHubActions](o, func(v CacheFromGitHubActions) *string { return v.Token })
 }
 // The cache server URL to use for artifacts.
 //
 // Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
 // `crazy-max/ghaction-github-runtime` is recommended to expose this
 // environment variable to your jobs.
 func (o CacheFromGitHubActionsOutput) Url() pulumix.Output[*string] {
 	return pulumix.Apply[CacheFromGitHubActions](o, func(v CacheFromGitHubActions) *string { return v.Url })
 }
 type CacheFromLocal struct {
 	// Digest of manifest to import.
 	Digest *string `pulumi:"digest"`
@@ -1134,6 +1079,10 @@ func (o CacheToAzureBlobOutput) SecretAccessKey() pulumix.Output[*string] {
 	return pulumix.Apply[CacheToAzureBlob](o, func(v CacheToAzureBlob) *string { return v.SecretAccessKey })
 }
 // Recommended for use with GitHub Actions workflows.
 //
 // An action like `crazy-max/ghaction-github-runtime` is recommended to expose
 // appropriate credentials to your GitHub workflow.
 type CacheToGitHubActions struct {
 	// Ignore errors caused by failed cache exports.
 	IgnoreError *bool `pulumi:"ignoreError"`
@@ -1144,19 +1093,6 @@ type CacheToGitHubActions struct {
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope *string `pulumi:"scope"`
 	// The GitHub Actions token to use. This is not a personal access tokens
 	// and is typically generated automatically as part of each job.
 	//
 	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
 	// `crazy-max/ghaction-github-runtime` is recommended to expose this
 	// environment variable to your jobs.
 	Token *string `pulumi:"token"`
 	// The cache server URL to use for artifacts.
 	//
 	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
 	// `crazy-max/ghaction-github-runtime` is recommended to expose this
 	// environment variable to your jobs.
 	Url *string `pulumi:"url"`
 }
 // Defaults sets the appropriate defaults for CacheToGitHubActions
@@ -1177,21 +1113,13 @@ func (val *CacheToGitHubActions) Defaults() *CacheToGitHubActions {
 		scope_ := "buildkit"
 		tmp.Scope = &scope_
 	}
 	if tmp.Token == nil {
 		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
 			token_ := d.(string)
 			tmp.Token = &token_
 		}
 	}
 	if tmp.Url == nil {
 		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
 			url_ := d.(string)
 			tmp.Url = &url_
 		}
 	}
 	return &tmp
 }
 // Recommended for use with GitHub Actions workflows.
 //
 // An action like `crazy-max/ghaction-github-runtime` is recommended to expose
 // appropriate credentials to your GitHub workflow.
 type CacheToGitHubActionsArgs struct {
 	// Ignore errors caused by failed cache exports.
 	IgnoreError pulumix.Input[*bool] `pulumi:"ignoreError"`
@@ -1202,19 +1130,6 @@ type CacheToGitHubActionsArgs struct {
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope pulumix.Input[*string] `pulumi:"scope"`
 	// The GitHub Actions token to use. This is not a personal access tokens
 	// and is typically generated automatically as part of each job.
 	//
 	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
 	// `crazy-max/ghaction-github-runtime` is recommended to expose this
 	// environment variable to your jobs.
 	Token pulumix.Input[*string] `pulumi:"token"`
 	// The cache server URL to use for artifacts.
 	//
 	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
 	// `crazy-max/ghaction-github-runtime` is recommended to expose this
 	// environment variable to your jobs.
 	Url pulumix.Input[*string] `pulumi:"url"`
 }
 // Defaults sets the appropriate defaults for CacheToGitHubActionsArgs
@@ -1232,16 +1147,6 @@ func (val *CacheToGitHubActionsArgs) Defaults() *CacheToGitHubActionsArgs {
 	if tmp.Scope == nil {
 		tmp.Scope = pulumix.Ptr("buildkit")
 	}
 	if tmp.Token == nil {
 		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
 			tmp.Token = pulumix.Ptr(d.(string))
 		}
 	}
 	if tmp.Url == nil {
 		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
 			tmp.Url = pulumix.Ptr(d.(string))
 		}
 	}
 	return &tmp
 }
 func (CacheToGitHubActionsArgs) ElementType() reflect.Type {
@@ -1260,6 +1165,10 @@ func (i *CacheToGitHubActionsArgs) ToOutput(ctx context.Context) pulumix.Output[
 	return pulumix.Val(i)
 }
 // Recommended for use with GitHub Actions workflows.
 //
 // An action like `crazy-max/ghaction-github-runtime` is recommended to expose
 // appropriate credentials to your GitHub workflow.
 type CacheToGitHubActionsOutput struct{ *pulumi.OutputState }
 func (CacheToGitHubActionsOutput) ElementType() reflect.Type {
@@ -1298,25 +1207,6 @@ func (o CacheToGitHubActionsOutput) Scope() pulumix.Output[*string] {
 	return pulumix.Apply[CacheToGitHubActions](o, func(v CacheToGitHubActions) *string { return v.Scope })
 }
 // The GitHub Actions token to use. This is not a personal access tokens
 // and is typically generated automatically as part of each job.
 //
 // Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
 // `crazy-max/ghaction-github-runtime` is recommended to expose this
 // environment variable to your jobs.
 func (o CacheToGitHubActionsOutput) Token() pulumix.Output[*string] {
 	return pulumix.Apply[CacheToGitHubActions](o, func(v CacheToGitHubActions) *string { return v.Token })
 }
 // The cache server URL to use for artifacts.
 //
 // Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
 // `crazy-max/ghaction-github-runtime` is recommended to expose this
 // environment variable to your jobs.
 func (o CacheToGitHubActionsOutput) Url() pulumix.Output[*string] {
 	return pulumix.Apply[CacheToGitHubActions](o, func(v CacheToGitHubActions) *string { return v.Url })
 }
 // Include an inline cache with the exported image.
 type CacheToInline struct {
 }
--- a/sdk/java/src/main/java/com/pulumi/dockerbuild/inputs/CacheFromGitHubActionsArgs.java
+++ b/sdk/java/src/main/java/com/pulumi/dockerbuild/inputs/CacheFromGitHubActionsArgs.java
@@ -12,6 +12,13 @@ import java.util.Optional;
 import javax.annotation.Nullable;
 /**
 * Recommended for use with GitHub Actions workflows.
 * 
 * An action like `crazy-max/ghaction-github-runtime` is recommended to expose
 * appropriate credentials to your GitHub workflow.
 * 
 */
 public final class CacheFromGitHubActionsArgs extends com.pulumi.resources.ResourceArgs {
    public static final CacheFromGitHubActionsArgs Empty = new CacheFromGitHubActionsArgs();
@@ -37,60 +44,10 @@ public final class CacheFromGitHubActionsArgs extends com.pulumi.resources.Resou
        return Optional.ofNullable(this.scope);
    }
    /**
     * The GitHub Actions token to use. This is not a personal access tokens
     * and is typically generated automatically as part of each job.
     * 
     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
     * `crazy-max/ghaction-github-runtime` is recommended to expose this
     * environment variable to your jobs.
     * 
     */
    @Import(name="token")
    private @Nullable Output<String> token;
    /**
     * @return The GitHub Actions token to use. This is not a personal access tokens
     * and is typically generated automatically as part of each job.
     * 
     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
     * `crazy-max/ghaction-github-runtime` is recommended to expose this
     * environment variable to your jobs.
     * 
     */
    public Optional<Output<String>> token() {
        return Optional.ofNullable(this.token);
    }
    /**
     * The cache server URL to use for artifacts.
     * 
     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
     * `crazy-max/ghaction-github-runtime` is recommended to expose this
     * environment variable to your jobs.
     * 
     */
    @Import(name="url")
    private @Nullable Output<String> url;
    /**
     * @return The cache server URL to use for artifacts.
     * 
     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
     * `crazy-max/ghaction-github-runtime` is recommended to expose this
     * environment variable to your jobs.
     * 
     */
    public Optional<Output<String>> url() {
        return Optional.ofNullable(this.url);
    }
    private CacheFromGitHubActionsArgs() {}
    private CacheFromGitHubActionsArgs(CacheFromGitHubActionsArgs $) {
        this.scope = $.scope;
        this.token = $.token;
        this.url = $.url;
    }
    public static Builder builder() {
@@ -138,70 +95,8 @@ public final class CacheFromGitHubActionsArgs extends com.pulumi.resources.Resou
            return scope(Output.of(scope));
        }
        /**
         * @param token The GitHub Actions token to use. This is not a personal access tokens
         * and is typically generated automatically as part of each job.
         * 
         * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
         * `crazy-max/ghaction-github-runtime` is recommended to expose this
         * environment variable to your jobs.
         * 
         * @return builder
         * 
         */
        public Builder token(@Nullable Output<String> token) {
            $.token = token;
            return this;
        }
        /**
         * @param token The GitHub Actions token to use. This is not a personal access tokens
         * and is typically generated automatically as part of each job.
         * 
         * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
         * `crazy-max/ghaction-github-runtime` is recommended to expose this
         * environment variable to your jobs.
         * 
         * @return builder
         * 
         */
        public Builder token(String token) {
            return token(Output.of(token));
        }
        /**
         * @param url The cache server URL to use for artifacts.
         * 
         * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
         * `crazy-max/ghaction-github-runtime` is recommended to expose this
         * environment variable to your jobs.
         * 
         * @return builder
         * 
         */
        public Builder url(@Nullable Output<String> url) {
            $.url = url;
            return this;
        }
        /**
         * @param url The cache server URL to use for artifacts.
         * 
         * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
         * `crazy-max/ghaction-github-runtime` is recommended to expose this
         * environment variable to your jobs.
         * 
         * @return builder
         * 
         */
        public Builder url(String url) {
            return url(Output.of(url));
        }
        public CacheFromGitHubActionsArgs build() {
            $.scope = Codegen.stringProp("scope").output().arg($.scope).def("buildkit").getNullable();
            $.token = Codegen.stringProp("token").secret().arg($.token).env("ACTIONS_RUNTIME_TOKEN").def("").getNullable();
            $.url = Codegen.stringProp("url").output().arg($.url).env("ACTIONS_CACHE_URL").def("").getNullable();
            return $;
        }
    }
--- a/sdk/java/src/main/java/com/pulumi/dockerbuild/inputs/CacheToGitHubActionsArgs.java
+++ b/sdk/java/src/main/java/com/pulumi/dockerbuild/inputs/CacheToGitHubActionsArgs.java
@@ -14,6 +14,13 @@ import java.util.Optional;
 import javax.annotation.Nullable;
 /**
 * Recommended for use with GitHub Actions workflows.
 * 
 * An action like `crazy-max/ghaction-github-runtime` is recommended to expose
 * appropriate credentials to your GitHub workflow.
 * 
 */
 public final class CacheToGitHubActionsArgs extends com.pulumi.resources.ResourceArgs {
    public static final CacheToGitHubActionsArgs Empty = new CacheToGitHubActionsArgs();
@@ -69,62 +76,12 @@ public final class CacheToGitHubActionsArgs extends com.pulumi.resources.Resourc
        return Optional.ofNullable(this.scope);
    }
    /**
     * The GitHub Actions token to use. This is not a personal access tokens
     * and is typically generated automatically as part of each job.
     * 
     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
     * `crazy-max/ghaction-github-runtime` is recommended to expose this
     * environment variable to your jobs.
     * 
     */
    @Import(name="token")
    private @Nullable Output<String> token;
    /**
     * @return The GitHub Actions token to use. This is not a personal access tokens
     * and is typically generated automatically as part of each job.
     * 
     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
     * `crazy-max/ghaction-github-runtime` is recommended to expose this
     * environment variable to your jobs.
     * 
     */
    public Optional<Output<String>> token() {
        return Optional.ofNullable(this.token);
    }
    /**
     * The cache server URL to use for artifacts.
     * 
     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
     * `crazy-max/ghaction-github-runtime` is recommended to expose this
     * environment variable to your jobs.
     * 
     */
    @Import(name="url")
    private @Nullable Output<String> url;
    /**
     * @return The cache server URL to use for artifacts.
     * 
     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
     * `crazy-max/ghaction-github-runtime` is recommended to expose this
     * environment variable to your jobs.
     * 
     */
    public Optional<Output<String>> url() {
        return Optional.ofNullable(this.url);
    }
    private CacheToGitHubActionsArgs() {}
    private CacheToGitHubActionsArgs(CacheToGitHubActionsArgs $) {
        this.ignoreError = $.ignoreError;
        this.mode = $.mode;
        this.scope = $.scope;
        this.token = $.token;
        this.url = $.url;
    }
    public static Builder builder() {
@@ -214,72 +171,10 @@ public final class CacheToGitHubActionsArgs extends com.pulumi.resources.Resourc
            return scope(Output.of(scope));
        }
        /**
         * @param token The GitHub Actions token to use. This is not a personal access tokens
         * and is typically generated automatically as part of each job.
         * 
         * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
         * `crazy-max/ghaction-github-runtime` is recommended to expose this
         * environment variable to your jobs.
         * 
         * @return builder
         * 
         */
        public Builder token(@Nullable Output<String> token) {
            $.token = token;
            return this;
        }
        /**
         * @param token The GitHub Actions token to use. This is not a personal access tokens
         * and is typically generated automatically as part of each job.
         * 
         * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
         * `crazy-max/ghaction-github-runtime` is recommended to expose this
         * environment variable to your jobs.
         * 
         * @return builder
         * 
         */
        public Builder token(String token) {
            return token(Output.of(token));
        }
        /**
         * @param url The cache server URL to use for artifacts.
         * 
         * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
         * `crazy-max/ghaction-github-runtime` is recommended to expose this
         * environment variable to your jobs.
         * 
         * @return builder
         * 
         */
        public Builder url(@Nullable Output<String> url) {
            $.url = url;
            return this;
        }
        /**
         * @param url The cache server URL to use for artifacts.
         * 
         * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
         * `crazy-max/ghaction-github-runtime` is recommended to expose this
         * environment variable to your jobs.
         * 
         * @return builder
         * 
         */
        public Builder url(String url) {
            return url(Output.of(url));
        }
        public CacheToGitHubActionsArgs build() {
            $.ignoreError = Codegen.booleanProp("ignoreError").output().arg($.ignoreError).def(false).getNullable();
            $.mode = Codegen.objectProp("mode", CacheMode.class).output().arg($.mode).def(CacheMode.Min).getNullable();
            $.scope = Codegen.stringProp("scope").output().arg($.scope).def("buildkit").getNullable();
            $.token = Codegen.stringProp("token").secret().arg($.token).env("ACTIONS_RUNTIME_TOKEN").def("").getNullable();
            $.url = Codegen.stringProp("url").output().arg($.url).env("ACTIONS_CACHE_URL").def("").getNullable();
            return $;
        }
    }
--- a/sdk/java/src/main/java/com/pulumi/dockerbuild/outputs/CacheFromGitHubActions.java
+++ b/sdk/java/src/main/java/com/pulumi/dockerbuild/outputs/CacheFromGitHubActions.java
@@ -19,25 +19,6 @@ public final class CacheFromGitHubActions {
     * 
     */
    private @Nullable String scope;
    /**
     * @return The GitHub Actions token to use. This is not a personal access tokens
     * and is typically generated automatically as part of each job.
     * 
     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
     * `crazy-max/ghaction-github-runtime` is recommended to expose this
     * environment variable to your jobs.
     * 
     */
    private @Nullable String token;
    /**
     * @return The cache server URL to use for artifacts.
     * 
     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
     * `crazy-max/ghaction-github-runtime` is recommended to expose this
     * environment variable to your jobs.
     * 
     */
    private @Nullable String url;
    private CacheFromGitHubActions() {}
    /**
@@ -50,29 +31,6 @@ public final class CacheFromGitHubActions {
    public Optional<String> scope() {
        return Optional.ofNullable(this.scope);
    }
    /**
     * @return The GitHub Actions token to use. This is not a personal access tokens
     * and is typically generated automatically as part of each job.
     * 
     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
     * `crazy-max/ghaction-github-runtime` is recommended to expose this
     * environment variable to your jobs.
     * 
     */
    public Optional<String> token() {
        return Optional.ofNullable(this.token);
    }
    /**
     * @return The cache server URL to use for artifacts.
     * 
     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
     * `crazy-max/ghaction-github-runtime` is recommended to expose this
     * environment variable to your jobs.
     * 
     */
    public Optional<String> url() {
        return Optional.ofNullable(this.url);
    }
    public static Builder builder() {
        return new Builder();
@@ -84,14 +42,10 @@ public final class CacheFromGitHubActions {
    @CustomType.Builder
    public static final class Builder {
        private @Nullable String scope;
        private @Nullable String token;
        private @Nullable String url;
        public Builder() {}
        public Builder(CacheFromGitHubActions defaults) {
    	      Objects.requireNonNull(defaults);
    	      this.scope = defaults.scope;
    	      this.token = defaults.token;
    	      this.url = defaults.url;
        }
        @CustomType.Setter
@@ -100,23 +54,9 @@ public final class CacheFromGitHubActions {
            this.scope = scope;
            return this;
        }
        @CustomType.Setter
        public Builder token(@Nullable String token) {
            this.token = token;
            return this;
        }
        @CustomType.Setter
        public Builder url(@Nullable String url) {
            this.url = url;
            return this;
        }
        public CacheFromGitHubActions build() {
            final var _resultValue = new CacheFromGitHubActions();
            _resultValue.scope = scope;
            _resultValue.token = token;
            _resultValue.url = url;
            return _resultValue;
        }
    }
--- a/sdk/java/src/main/java/com/pulumi/dockerbuild/outputs/CacheToGitHubActions.java
+++ b/sdk/java/src/main/java/com/pulumi/dockerbuild/outputs/CacheToGitHubActions.java
@@ -31,25 +31,6 @@ public final class CacheToGitHubActions {
     * 
     */
    private @Nullable String scope;
    /**
     * @return The GitHub Actions token to use. This is not a personal access tokens
     * and is typically generated automatically as part of each job.
     * 
     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
     * `crazy-max/ghaction-github-runtime` is recommended to expose this
     * environment variable to your jobs.
     * 
     */
    private @Nullable String token;
    /**
     * @return The cache server URL to use for artifacts.
     * 
     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
     * `crazy-max/ghaction-github-runtime` is recommended to expose this
     * environment variable to your jobs.
     * 
     */
    private @Nullable String url;
    private CacheToGitHubActions() {}
    /**
@@ -76,29 +57,6 @@ public final class CacheToGitHubActions {
    public Optional<String> scope() {
        return Optional.ofNullable(this.scope);
    }
    /**
     * @return The GitHub Actions token to use. This is not a personal access tokens
     * and is typically generated automatically as part of each job.
     * 
     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
     * `crazy-max/ghaction-github-runtime` is recommended to expose this
     * environment variable to your jobs.
     * 
     */
    public Optional<String> token() {
        return Optional.ofNullable(this.token);
    }
    /**
     * @return The cache server URL to use for artifacts.
     * 
     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
     * `crazy-max/ghaction-github-runtime` is recommended to expose this
     * environment variable to your jobs.
     * 
     */
    public Optional<String> url() {
        return Optional.ofNullable(this.url);
    }
    public static Builder builder() {
        return new Builder();
@@ -112,16 +70,12 @@ public final class CacheToGitHubActions {
        private @Nullable Boolean ignoreError;
        private @Nullable CacheMode mode;
        private @Nullable String scope;
        private @Nullable String token;
        private @Nullable String url;
        public Builder() {}
        public Builder(CacheToGitHubActions defaults) {
    	      Objects.requireNonNull(defaults);
    	      this.ignoreError = defaults.ignoreError;
    	      this.mode = defaults.mode;
    	      this.scope = defaults.scope;
    	      this.token = defaults.token;
    	      this.url = defaults.url;
        }
        @CustomType.Setter
@@ -142,25 +96,11 @@ public final class CacheToGitHubActions {
            this.scope = scope;
            return this;
        }
        @CustomType.Setter
        public Builder token(@Nullable String token) {
            this.token = token;
            return this;
        }
        @CustomType.Setter
        public Builder url(@Nullable String url) {
            this.url = url;
            return this;
        }
        public CacheToGitHubActions build() {
            final var _resultValue = new CacheToGitHubActions();
            _resultValue.ignoreError = ignoreError;
            _resultValue.mode = mode;
            _resultValue.scope = scope;
            _resultValue.token = token;
            _resultValue.url = url;
            return _resultValue;
        }
    }
--- a/sdk/nodejs/image.ts
+++ b/sdk/nodejs/image.ts
@@ -501,7 +501,7 @@ export class Image extends pulumi.CustomResource {
     *
     * Equivalent to Docker's `--add-host` flag.
     */
-    public readonly addHosts!: pulumi.Output<string[] | undefined>;
+    declare public readonly addHosts: pulumi.Output<string[] | undefined>;
    /**
     * `ARG` names and values to set during the build.
     *
@@ -513,7 +513,7 @@ export class Image extends pulumi.CustomResource {
     *
     * Equivalent to Docker's `--build-arg` flag.
     */
-    public readonly buildArgs!: pulumi.Output<{[key: string]: string} | undefined>;
+    declare public readonly buildArgs: pulumi.Output<{[key: string]: string} | undefined>;
    /**
     * Setting this to `false` will always skip image builds during previews,
     * and setting it to `true` will always build images during previews.
@@ -527,35 +527,35 @@ export class Image extends pulumi.CustomResource {
     * Defaults to `true` as a safeguard against broken images merging as part
     * of CI pipelines.
     */
-    public readonly buildOnPreview!: pulumi.Output<boolean | undefined>;
+    declare public readonly buildOnPreview: pulumi.Output<boolean | undefined>;
    /**
     * Builder configuration.
     */
-    public readonly builder!: pulumi.Output<outputs.BuilderConfig | undefined>;
+    declare public readonly builder: pulumi.Output<outputs.BuilderConfig | undefined>;
    /**
     * Cache export configuration.
     *
     * Equivalent to Docker's `--cache-from` flag.
     */
-    public readonly cacheFrom!: pulumi.Output<outputs.CacheFrom[] | undefined>;
+    declare public readonly cacheFrom: pulumi.Output<outputs.CacheFrom[] | undefined>;
    /**
     * Cache import configuration.
     *
     * Equivalent to Docker's `--cache-to` flag.
     */
-    public readonly cacheTo!: pulumi.Output<outputs.CacheTo[] | undefined>;
+    declare public readonly cacheTo: pulumi.Output<outputs.CacheTo[] | undefined>;
    /**
     * Build context settings. Defaults to the current directory.
     *
     * Equivalent to Docker's `PATH | URL | -` positional argument.
     */
-    public readonly context!: pulumi.Output<outputs.BuildContext | undefined>;
+    declare public readonly context: pulumi.Output<outputs.BuildContext | undefined>;
    /**
     * A preliminary hash of the image's build context.
     *
     * Pulumi uses this to determine if an image _may_ need to be re-built.
     */
-    public /*out*/ readonly contextHash!: pulumi.Output<string>;
+    declare public /*out*/ readonly contextHash: pulumi.Output<string>;
    /**
     * A SHA256 digest of the image if it was exported to a registry or
     * elsewhere.
@@ -565,13 +565,13 @@ export class Image extends pulumi.CustomResource {
     * Registry images can be referenced precisely as `<tag>@<digest>`. The
     * `ref` output provides one such reference as a convenience.
     */
-    public /*out*/ readonly digest!: pulumi.Output<string>;
+    declare public /*out*/ readonly digest: pulumi.Output<string>;
    /**
     * Dockerfile settings.
     *
     * Equivalent to Docker's `--file` flag.
     */
-    public readonly dockerfile!: pulumi.Output<outputs.Dockerfile | undefined>;
+    declare public readonly dockerfile: pulumi.Output<outputs.Dockerfile | undefined>;
    /**
     * Use `exec` mode to build this image.
     *
@@ -594,7 +594,7 @@ export class Image extends pulumi.CustomResource {
     * are temporarily written to disk in order to provide them to the
     * `docker-buildx` binary.
     */
-    public readonly exec!: pulumi.Output<boolean | undefined>;
+    declare public readonly exec: pulumi.Output<boolean | undefined>;
    /**
     * Controls where images are persisted after building.
     *
@@ -606,13 +606,13 @@ export class Image extends pulumi.CustomResource {
     *
     * Equivalent to Docker's `--output` flag.
     */
-    public readonly exports!: pulumi.Output<outputs.Export[] | undefined>;
+    declare public readonly exports: pulumi.Output<outputs.Export[] | undefined>;
    /**
     * Attach arbitrary key/value metadata to the image.
     *
     * Equivalent to Docker's `--label` flag.
     */
-    public readonly labels!: pulumi.Output<{[key: string]: string} | undefined>;
+    declare public readonly labels: pulumi.Output<{[key: string]: string} | undefined>;
    /**
     * When `true` the build will automatically include a `docker` export.
     *
@@ -620,7 +620,7 @@ export class Image extends pulumi.CustomResource {
     *
     * Equivalent to Docker's `--load` flag.
     */
-    public readonly load!: pulumi.Output<boolean | undefined>;
+    declare public readonly load: pulumi.Output<boolean | undefined>;
    /**
     * Set the network mode for `RUN` instructions. Defaults to `default`.
     *
@@ -628,25 +628,25 @@ export class Image extends pulumi.CustomResource {
     *
     * Equivalent to Docker's `--network` flag.
     */
-    public readonly network!: pulumi.Output<enums.NetworkMode | undefined>;
+    declare public readonly network: pulumi.Output<enums.NetworkMode | undefined>;
    /**
     * Do not import cache manifests when building the image.
     *
     * Equivalent to Docker's `--no-cache` flag.
     */
-    public readonly noCache!: pulumi.Output<boolean | undefined>;
+    declare public readonly noCache: pulumi.Output<boolean | undefined>;
    /**
     * Set target platform(s) for the build. Defaults to the host's platform.
     *
     * Equivalent to Docker's `--platform` flag.
     */
-    public readonly platforms!: pulumi.Output<enums.Platform[] | undefined>;
+    declare public readonly platforms: pulumi.Output<enums.Platform[] | undefined>;
    /**
     * Always pull referenced images.
     *
     * Equivalent to Docker's `--pull` flag.
     */
-    public readonly pull!: pulumi.Output<boolean | undefined>;
+    declare public readonly pull: pulumi.Output<boolean | undefined>;
    /**
     * When `true` the build will automatically include a `registry` export.
     *
@@ -654,7 +654,7 @@ export class Image extends pulumi.CustomResource {
     *
     * Equivalent to Docker's `--push` flag.
     */
-    public readonly push!: pulumi.Output<boolean>;
+    declare public readonly push: pulumi.Output<boolean>;
    /**
     * If the image was pushed to any registries then this will contain a
     * single fully-qualified tag including the build's digest.
@@ -671,7 +671,7 @@ export class Image extends pulumi.CustomResource {
     * For more control over tags consumed by downstream resources you should
     * use the `digest` output.
     */
-    public /*out*/ readonly ref!: pulumi.Output<string>;
+    declare public /*out*/ readonly ref: pulumi.Output<string>;
    /**
     * Registry credentials. Required if reading or exporting to private
     * repositories.
@@ -681,7 +681,7 @@ export class Image extends pulumi.CustomResource {
     *
     * Similar to `docker login`.
     */
-    public readonly registries!: pulumi.Output<outputs.Registry[] | undefined>;
+    declare public readonly registries: pulumi.Output<outputs.Registry[] | undefined>;
    /**
     * A mapping of secret names to their corresponding values.
     *
@@ -693,13 +693,13 @@ export class Image extends pulumi.CustomResource {
     *
     * Similar to Docker's `--secret` flag.
     */
-    public readonly secrets!: pulumi.Output<{[key: string]: string} | undefined>;
+    declare public readonly secrets: pulumi.Output<{[key: string]: string} | undefined>;
    /**
     * SSH agent socket or keys to expose to the build.
     *
     * Equivalent to Docker's `--ssh` flag.
     */
-    public readonly ssh!: pulumi.Output<outputs.SSH[] | undefined>;
+    declare public readonly ssh: pulumi.Output<outputs.SSH[] | undefined>;
    /**
     * Name and optionally a tag (format: `name:tag`).
     *
@@ -708,7 +708,7 @@ export class Image extends pulumi.CustomResource {
     *
     * Equivalent to Docker's `--tag` flag.
     */
-    public readonly tags!: pulumi.Output<string[] | undefined>;
+    declare public readonly tags: pulumi.Output<string[] | undefined>;
    /**
     * Set the target build stage(s) to build.
     *
@@ -716,7 +716,7 @@ export class Image extends pulumi.CustomResource {
     *
     * Equivalent to Docker's `--target` flag.
     */
-    public readonly target!: pulumi.Output<string | undefined>;
+    declare public readonly target: pulumi.Output<string | undefined>;
    /**
     * Create a Image resource with the given unique name, arguments, and options.
@@ -729,31 +729,31 @@ export class Image extends pulumi.CustomResource {
        let resourceInputs: pulumi.Inputs = {};
        opts = opts || {};
        if (!opts.id) {
-            if ((!args || args.push === undefined) && !opts.urn) {
+            if (args?.push === undefined && !opts.urn) {
                throw new Error("Missing required property 'push'");
            }
-            resourceInputs["addHosts"] = args ? args.addHosts : undefined;
+            resourceInputs["addHosts"] = args?.addHosts;
-            resourceInputs["buildArgs"] = args ? args.buildArgs : undefined;
+            resourceInputs["buildArgs"] = args?.buildArgs;
-            resourceInputs["buildOnPreview"] = (args ? args.buildOnPreview : undefined) ?? true;
+            resourceInputs["buildOnPreview"] = (args?.buildOnPreview) ?? true;
-            resourceInputs["builder"] = args ? args.builder : undefined;
+            resourceInputs["builder"] = args?.builder;
-            resourceInputs["cacheFrom"] = args ? args.cacheFrom : undefined;
+            resourceInputs["cacheFrom"] = args?.cacheFrom;
-            resourceInputs["cacheTo"] = args ? args.cacheTo : undefined;
+            resourceInputs["cacheTo"] = args?.cacheTo;
-            resourceInputs["context"] = args ? args.context : undefined;
+            resourceInputs["context"] = args?.context;
-            resourceInputs["dockerfile"] = args ? args.dockerfile : undefined;
+            resourceInputs["dockerfile"] = args?.dockerfile;
-            resourceInputs["exec"] = args ? args.exec : undefined;
+            resourceInputs["exec"] = args?.exec;
-            resourceInputs["exports"] = args ? args.exports : undefined;
+            resourceInputs["exports"] = args?.exports;
-            resourceInputs["labels"] = args ? args.labels : undefined;
+            resourceInputs["labels"] = args?.labels;
-            resourceInputs["load"] = args ? args.load : undefined;
+            resourceInputs["load"] = args?.load;
-            resourceInputs["network"] = (args ? args.network : undefined) ?? "default";
+            resourceInputs["network"] = (args?.network) ?? "default";
-            resourceInputs["noCache"] = args ? args.noCache : undefined;
+            resourceInputs["noCache"] = args?.noCache;
-            resourceInputs["platforms"] = args ? args.platforms : undefined;
+            resourceInputs["platforms"] = args?.platforms;
-            resourceInputs["pull"] = args ? args.pull : undefined;
+            resourceInputs["pull"] = args?.pull;
-            resourceInputs["push"] = args ? args.push : undefined;
+            resourceInputs["push"] = args?.push;
-            resourceInputs["registries"] = args ? args.registries : undefined;
+            resourceInputs["registries"] = args?.registries;
-            resourceInputs["secrets"] = args ? args.secrets : undefined;
+            resourceInputs["secrets"] = args?.secrets;
-            resourceInputs["ssh"] = args ? args.ssh : undefined;
+            resourceInputs["ssh"] = args?.ssh;
-            resourceInputs["tags"] = args ? args.tags : undefined;
+            resourceInputs["tags"] = args?.tags;
-            resourceInputs["target"] = args ? args.target : undefined;
+            resourceInputs["target"] = args?.target;
            resourceInputs["contextHash"] = undefined /*out*/;
            resourceInputs["digest"] = undefined /*out*/;
            resourceInputs["ref"] = undefined /*out*/;
--- a/sdk/nodejs/index_.ts
+++ b/sdk/nodejs/index_.ts
@@ -113,27 +113,27 @@ export class Index extends pulumi.CustomResource {
     *
     * Defaults to `true`.
     */
-    public readonly push!: pulumi.Output<boolean | undefined>;
+    declare public readonly push: pulumi.Output<boolean | undefined>;
    /**
     * The pushed tag with digest.
     *
     * Identical to the tag if the index was not pushed.
     */
-    public /*out*/ readonly ref!: pulumi.Output<string>;
+    declare public /*out*/ readonly ref: pulumi.Output<string>;
    /**
     * Authentication for the registry where the tagged index will be pushed.
     *
     * Credentials can also be included with the provider's configuration.
     */
-    public readonly registry!: pulumi.Output<outputs.Registry | undefined>;
+    declare public readonly registry: pulumi.Output<outputs.Registry | undefined>;
    /**
     * Existing images to include in the index.
     */
-    public readonly sources!: pulumi.Output<string[]>;
+    declare public readonly sources: pulumi.Output<string[]>;
    /**
     * The tag to apply to the index.
     */
-    public readonly tag!: pulumi.Output<string>;
+    declare public readonly tag: pulumi.Output<string>;
    /**
     * Create a Index resource with the given unique name, arguments, and options.
@@ -146,16 +146,16 @@ export class Index extends pulumi.CustomResource {
        let resourceInputs: pulumi.Inputs = {};
        opts = opts || {};
        if (!opts.id) {
-            if ((!args || args.sources === undefined) && !opts.urn) {
+            if (args?.sources === undefined && !opts.urn) {
                throw new Error("Missing required property 'sources'");
            }
-            if ((!args || args.tag === undefined) && !opts.urn) {
+            if (args?.tag === undefined && !opts.urn) {
                throw new Error("Missing required property 'tag'");
            }
-            resourceInputs["push"] = (args ? args.push : undefined) ?? true;
+            resourceInputs["push"] = (args?.push) ?? true;
-            resourceInputs["registry"] = args ? args.registry : undefined;
+            resourceInputs["registry"] = args?.registry;
-            resourceInputs["sources"] = args ? args.sources : undefined;
+            resourceInputs["sources"] = args?.sources;
-            resourceInputs["tag"] = args ? args.tag : undefined;
+            resourceInputs["tag"] = args?.tag;
            resourceInputs["ref"] = undefined /*out*/;
        } else {
            resourceInputs["push"] = undefined /*out*/;
--- a/sdk/nodejs/provider.ts
+++ b/sdk/nodejs/provider.ts
@@ -25,7 +25,7 @@ export class Provider extends pulumi.ProviderResource {
    /**
     * The build daemon's address.
     */
-    public readonly host!: pulumi.Output<string | undefined>;
+    declare public readonly host: pulumi.Output<string | undefined>;
    /**
     * Create a Provider resource with the given unique name, arguments, and options.
@@ -38,8 +38,8 @@ export class Provider extends pulumi.ProviderResource {
        let resourceInputs: pulumi.Inputs = {};
        opts = opts || {};
        {
-            resourceInputs["host"] = (args ? args.host : undefined) ?? (utilities.getEnv("DOCKER_HOST") || "");
+            resourceInputs["host"] = (args?.host) ?? (utilities.getEnv("DOCKER_HOST") || "");
-            resourceInputs["registries"] = pulumi.output(args ? args.registries : undefined).apply(JSON.stringify);
+            resourceInputs["registries"] = pulumi.output(args?.registries).apply(JSON.stringify);
        }
        opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
        super(Provider.__pulumiType, name, resourceInputs, opts);
--- a/sdk/nodejs/tsconfig.json
+++ b/sdk/nodejs/tsconfig.json
@@ -1,7 +1,7 @@
 {
    "compilerOptions": {
        "outDir": "bin",
-        "target": "es2016",
+        "target": "ES2020",
        "module": "commonjs",
        "moduleResolution": "node",
        "declaration": true,
--- a/sdk/nodejs/types/input.ts
+++ b/sdk/nodejs/types/input.ts
@@ -104,6 +104,12 @@ export interface CacheFromAzureBlobArgs {
    secretAccessKey?: pulumi.Input<string>;
 }
 /**
 * Recommended for use with GitHub Actions workflows.
 *
 * An action like `crazy-max/ghaction-github-runtime` is recommended to expose
 * appropriate credentials to your GitHub workflow.
 */
 export interface CacheFromGitHubActionsArgs {
    /**
     * The scope to use for cache keys. Defaults to `buildkit`.
@@ -112,23 +118,6 @@ export interface CacheFromGitHubActionsArgs {
     * workflow, otherwise caches will overwrite each other.
     */
    scope?: pulumi.Input<string>;
    /**
     * The GitHub Actions token to use. This is not a personal access tokens
     * and is typically generated automatically as part of each job.
     *
     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
     * `crazy-max/ghaction-github-runtime` is recommended to expose this
     * environment variable to your jobs.
     */
    token?: pulumi.Input<string>;
    /**
     * The cache server URL to use for artifacts.
     *
     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
     * `crazy-max/ghaction-github-runtime` is recommended to expose this
     * environment variable to your jobs.
     */
    url?: pulumi.Input<string>;
 }
 /**
 * cacheFromGitHubActionsArgsProvideDefaults sets the appropriate defaults for CacheFromGitHubActionsArgs
@@ -137,8 +126,6 @@ export function cacheFromGitHubActionsArgsProvideDefaults(val: CacheFromGitHubAc
    return {
        ...val,
        scope: (val.scope) ?? "buildkit",
        token: (val.token) ?? (utilities.getEnv("ACTIONS_RUNTIME_TOKEN") || ""),
        url: (val.url) ?? (utilities.getEnv("ACTIONS_CACHE_URL") || ""),
    };
 }
@@ -303,6 +290,12 @@ export function cacheToAzureBlobArgsProvideDefaults(val: CacheToAzureBlobArgs):
    };
 }
 /**
 * Recommended for use with GitHub Actions workflows.
 *
 * An action like `crazy-max/ghaction-github-runtime` is recommended to expose
 * appropriate credentials to your GitHub workflow.
 */
 export interface CacheToGitHubActionsArgs {
    /**
     * Ignore errors caused by failed cache exports.
@@ -319,23 +312,6 @@ export interface CacheToGitHubActionsArgs {
     * workflow, otherwise caches will overwrite each other.
     */
    scope?: pulumi.Input<string>;
    /**
     * The GitHub Actions token to use. This is not a personal access tokens
     * and is typically generated automatically as part of each job.
     *
     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
     * `crazy-max/ghaction-github-runtime` is recommended to expose this
     * environment variable to your jobs.
     */
    token?: pulumi.Input<string>;
    /**
     * The cache server URL to use for artifacts.
     *
     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
     * `crazy-max/ghaction-github-runtime` is recommended to expose this
     * environment variable to your jobs.
     */
    url?: pulumi.Input<string>;
 }
 /**
 * cacheToGitHubActionsArgsProvideDefaults sets the appropriate defaults for CacheToGitHubActionsArgs
@@ -346,8 +322,6 @@ export function cacheToGitHubActionsArgsProvideDefaults(val: CacheToGitHubAction
        ignoreError: (val.ignoreError) ?? false,
        mode: (val.mode) ?? "min",
        scope: (val.scope) ?? "buildkit",
        token: (val.token) ?? (utilities.getEnv("ACTIONS_RUNTIME_TOKEN") || ""),
        url: (val.url) ?? (utilities.getEnv("ACTIONS_CACHE_URL") || ""),
    };
 }
--- a/sdk/nodejs/types/output.ts
+++ b/sdk/nodejs/types/output.ts
@@ -104,6 +104,12 @@ export interface CacheFromAzureBlob {
    secretAccessKey?: string;
 }
 /**
 * Recommended for use with GitHub Actions workflows.
 *
 * An action like `crazy-max/ghaction-github-runtime` is recommended to expose
 * appropriate credentials to your GitHub workflow.
 */
 export interface CacheFromGitHubActions {
    /**
     * The scope to use for cache keys. Defaults to `buildkit`.
@@ -112,23 +118,6 @@ export interface CacheFromGitHubActions {
     * workflow, otherwise caches will overwrite each other.
     */
    scope?: string;
    /**
     * The GitHub Actions token to use. This is not a personal access tokens
     * and is typically generated automatically as part of each job.
     *
     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
     * `crazy-max/ghaction-github-runtime` is recommended to expose this
     * environment variable to your jobs.
     */
    token?: string;
    /**
     * The cache server URL to use for artifacts.
     *
     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
     * `crazy-max/ghaction-github-runtime` is recommended to expose this
     * environment variable to your jobs.
     */
    url?: string;
 }
 /**
 * cacheFromGitHubActionsProvideDefaults sets the appropriate defaults for CacheFromGitHubActions
@@ -137,8 +126,6 @@ export function cacheFromGitHubActionsProvideDefaults(val: CacheFromGitHubAction
    return {
        ...val,
        scope: (val.scope) ?? "buildkit",
        token: (val.token) ?? (utilities.getEnv("ACTIONS_RUNTIME_TOKEN") || ""),
        url: (val.url) ?? (utilities.getEnv("ACTIONS_CACHE_URL") || ""),
    };
 }
@@ -303,6 +290,12 @@ export function cacheToAzureBlobProvideDefaults(val: CacheToAzureBlob): CacheToA
    };
 }
 /**
 * Recommended for use with GitHub Actions workflows.
 *
 * An action like `crazy-max/ghaction-github-runtime` is recommended to expose
 * appropriate credentials to your GitHub workflow.
 */
 export interface CacheToGitHubActions {
    /**
     * Ignore errors caused by failed cache exports.
@@ -319,23 +312,6 @@ export interface CacheToGitHubActions {
     * workflow, otherwise caches will overwrite each other.
     */
    scope?: string;
    /**
     * The GitHub Actions token to use. This is not a personal access tokens
     * and is typically generated automatically as part of each job.
     *
     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
     * `crazy-max/ghaction-github-runtime` is recommended to expose this
     * environment variable to your jobs.
     */
    token?: string;
    /**
     * The cache server URL to use for artifacts.
     *
     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
     * `crazy-max/ghaction-github-runtime` is recommended to expose this
     * environment variable to your jobs.
     */
    url?: string;
 }
 /**
 * cacheToGitHubActionsProvideDefaults sets the appropriate defaults for CacheToGitHubActions
@@ -346,8 +322,6 @@ export function cacheToGitHubActionsProvideDefaults(val: CacheToGitHubActions):
        ignoreError: (val.ignoreError) ?? false,
        mode: (val.mode) ?? "min",
        scope: (val.scope) ?? "buildkit",
        token: (val.token) ?? (utilities.getEnv("ACTIONS_RUNTIME_TOKEN") || ""),
        url: (val.url) ?? (utilities.getEnv("ACTIONS_CACHE_URL") || ""),
    };
 }
--- a/sdk/python/pulumi_docker_build/_inputs.py
+++ b/sdk/python/pulumi_docker_build/_inputs.py
@@ -281,6 +281,12 @@ class CacheFromAzureBlobArgs:
 if not MYPY:
    class CacheFromGitHubActionsArgsDict(TypedDict):
        """
        Recommended for use with GitHub Actions workflows.
        An action like `crazy-max/ghaction-github-runtime` is recommended to expose
        appropriate credentials to your GitHub workflow.
        """
        scope: NotRequired[pulumi.Input[_builtins.str]]
        """
        The scope to use for cache keys. Defaults to `buildkit`.
@@ -288,61 +294,27 @@ if not MYPY:
        This should be set if building and caching multiple images in one
        workflow, otherwise caches will overwrite each other.
        """
        token: NotRequired[pulumi.Input[_builtins.str]]
        """
        The GitHub Actions token to use. This is not a personal access tokens
        and is typically generated automatically as part of each job.
        Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
        `crazy-max/ghaction-github-runtime` is recommended to expose this
        environment variable to your jobs.
        """
        url: NotRequired[pulumi.Input[_builtins.str]]
        """
        The cache server URL to use for artifacts.
        Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
        `crazy-max/ghaction-github-runtime` is recommended to expose this
        environment variable to your jobs.
        """
 elif False:
    CacheFromGitHubActionsArgsDict: TypeAlias = Mapping[str, Any]
@pulumi.input_type
 class CacheFromGitHubActionsArgs:
    def __init__(__self__, *,
-                 scope: Optional[pulumi.Input[_builtins.str]] = None,
+                 scope: Optional[pulumi.Input[_builtins.str]] = None):
                 token: Optional[pulumi.Input[_builtins.str]] = None,
                 url: Optional[pulumi.Input[_builtins.str]] = None):
        """
        Recommended for use with GitHub Actions workflows.
        An action like `crazy-max/ghaction-github-runtime` is recommended to expose
        appropriate credentials to your GitHub workflow.
        :param pulumi.Input[_builtins.str] scope: The scope to use for cache keys. Defaults to `buildkit`.
               This should be set if building and caching multiple images in one
               workflow, otherwise caches will overwrite each other.
        :param pulumi.Input[_builtins.str] token: The GitHub Actions token to use. This is not a personal access tokens
               and is typically generated automatically as part of each job.
               Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
               `crazy-max/ghaction-github-runtime` is recommended to expose this
               environment variable to your jobs.
        :param pulumi.Input[_builtins.str] url: The cache server URL to use for artifacts.
               Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
               `crazy-max/ghaction-github-runtime` is recommended to expose this
               environment variable to your jobs.
        """
        if scope is None:
            scope = 'buildkit'
        if scope is not None:
            pulumi.set(__self__, "scope", scope)
        if token is None:
            token = (_utilities.get_env('ACTIONS_RUNTIME_TOKEN') or '')
        if token is not None:
            pulumi.set(__self__, "token", token)
        if url is None:
            url = (_utilities.get_env('ACTIONS_CACHE_URL') or '')
        if url is not None:
            pulumi.set(__self__, "url", url)
    @_builtins.property
    @pulumi.getter
@@ -359,39 +331,6 @@ class CacheFromGitHubActionsArgs:
    def scope(self, value: Optional[pulumi.Input[_builtins.str]]):
        pulumi.set(self, "scope", value)
    @_builtins.property
    @pulumi.getter
    def token(self) -> Optional[pulumi.Input[_builtins.str]]:
        """
        The GitHub Actions token to use. This is not a personal access tokens
        and is typically generated automatically as part of each job.
        Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
        `crazy-max/ghaction-github-runtime` is recommended to expose this
        environment variable to your jobs.
        """
        return pulumi.get(self, "token")
    @token.setter
    def token(self, value: Optional[pulumi.Input[_builtins.str]]):
        pulumi.set(self, "token", value)
    @_builtins.property
    @pulumi.getter
    def url(self) -> Optional[pulumi.Input[_builtins.str]]:
        """
        The cache server URL to use for artifacts.
        Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
        `crazy-max/ghaction-github-runtime` is recommended to expose this
        environment variable to your jobs.
        """
        return pulumi.get(self, "url")
    @url.setter
    def url(self, value: Optional[pulumi.Input[_builtins.str]]):
        pulumi.set(self, "url", value)
 if not MYPY:
    class CacheFromLocalArgsDict(TypedDict):
@@ -977,6 +916,12 @@ class CacheToAzureBlobArgs:
 if not MYPY:
    class CacheToGitHubActionsArgsDict(TypedDict):
        """
        Recommended for use with GitHub Actions workflows.
        An action like `crazy-max/ghaction-github-runtime` is recommended to expose
        appropriate credentials to your GitHub workflow.
        """
        ignore_error: NotRequired[pulumi.Input[_builtins.bool]]
        """
        Ignore errors caused by failed cache exports.
@@ -992,23 +937,6 @@ if not MYPY:
        This should be set if building and caching multiple images in one
        workflow, otherwise caches will overwrite each other.
        """
        token: NotRequired[pulumi.Input[_builtins.str]]
        """
        The GitHub Actions token to use. This is not a personal access tokens
        and is typically generated automatically as part of each job.
        Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
        `crazy-max/ghaction-github-runtime` is recommended to expose this
        environment variable to your jobs.
        """
        url: NotRequired[pulumi.Input[_builtins.str]]
        """
        The cache server URL to use for artifacts.
        Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
        `crazy-max/ghaction-github-runtime` is recommended to expose this
        environment variable to your jobs.
        """
 elif False:
    CacheToGitHubActionsArgsDict: TypeAlias = Mapping[str, Any]
@@ -1017,27 +945,18 @@ class CacheToGitHubActionsArgs:
    def __init__(__self__, *,
                 ignore_error: Optional[pulumi.Input[_builtins.bool]] = None,
                 mode: Optional[pulumi.Input['CacheMode']] = None,
-                 scope: Optional[pulumi.Input[_builtins.str]] = None,
+                 scope: Optional[pulumi.Input[_builtins.str]] = None):
                 token: Optional[pulumi.Input[_builtins.str]] = None,
                 url: Optional[pulumi.Input[_builtins.str]] = None):
        """
        Recommended for use with GitHub Actions workflows.
        An action like `crazy-max/ghaction-github-runtime` is recommended to expose
        appropriate credentials to your GitHub workflow.
        :param pulumi.Input[_builtins.bool] ignore_error: Ignore errors caused by failed cache exports.
        :param pulumi.Input['CacheMode'] mode: The cache mode to use. Defaults to `min`.
        :param pulumi.Input[_builtins.str] scope: The scope to use for cache keys. Defaults to `buildkit`.
               This should be set if building and caching multiple images in one
               workflow, otherwise caches will overwrite each other.
        :param pulumi.Input[_builtins.str] token: The GitHub Actions token to use. This is not a personal access tokens
               and is typically generated automatically as part of each job.
               Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
               `crazy-max/ghaction-github-runtime` is recommended to expose this
               environment variable to your jobs.
        :param pulumi.Input[_builtins.str] url: The cache server URL to use for artifacts.
               Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
               `crazy-max/ghaction-github-runtime` is recommended to expose this
               environment variable to your jobs.
        """
        if ignore_error is None:
            ignore_error = False
@@ -1051,14 +970,6 @@ class CacheToGitHubActionsArgs:
            scope = 'buildkit'
        if scope is not None:
            pulumi.set(__self__, "scope", scope)
        if token is None:
            token = (_utilities.get_env('ACTIONS_RUNTIME_TOKEN') or '')
        if token is not None:
            pulumi.set(__self__, "token", token)
        if url is None:
            url = (_utilities.get_env('ACTIONS_CACHE_URL') or '')
        if url is not None:
            pulumi.set(__self__, "url", url)
    @_builtins.property
    @pulumi.getter(name="ignoreError")
@@ -1099,39 +1010,6 @@ class CacheToGitHubActionsArgs:
    def scope(self, value: Optional[pulumi.Input[_builtins.str]]):
        pulumi.set(self, "scope", value)
    @_builtins.property
    @pulumi.getter
    def token(self) -> Optional[pulumi.Input[_builtins.str]]:
        """
        The GitHub Actions token to use. This is not a personal access tokens
        and is typically generated automatically as part of each job.
        Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
        `crazy-max/ghaction-github-runtime` is recommended to expose this
        environment variable to your jobs.
        """
        return pulumi.get(self, "token")
    @token.setter
    def token(self, value: Optional[pulumi.Input[_builtins.str]]):
        pulumi.set(self, "token", value)
    @_builtins.property
    @pulumi.getter
    def url(self) -> Optional[pulumi.Input[_builtins.str]]:
        """
        The cache server URL to use for artifacts.
        Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
        `crazy-max/ghaction-github-runtime` is recommended to expose this
        environment variable to your jobs.
        """
        return pulumi.get(self, "url")
    @url.setter
    def url(self, value: Optional[pulumi.Input[_builtins.str]]):
        pulumi.set(self, "url", value)
 if not MYPY:
    class CacheToInlineArgsDict(TypedDict):
--- a/sdk/python/pulumi_docker_build/outputs.py
+++ b/sdk/python/pulumi_docker_build/outputs.py
@@ -293,39 +293,28 @@ class CacheFromAzureBlob(dict):
@pulumi.output_type
 class CacheFromGitHubActions(dict):
    """
    Recommended for use with GitHub Actions workflows.
    An action like `crazy-max/ghaction-github-runtime` is recommended to expose
    appropriate credentials to your GitHub workflow.
    """
    def __init__(__self__, *,
-                 scope: Optional[_builtins.str] = None,
+                 scope: Optional[_builtins.str] = None):
                 token: Optional[_builtins.str] = None,
                 url: Optional[_builtins.str] = None):
        """
        Recommended for use with GitHub Actions workflows.
        An action like `crazy-max/ghaction-github-runtime` is recommended to expose
        appropriate credentials to your GitHub workflow.
        :param _builtins.str scope: The scope to use for cache keys. Defaults to `buildkit`.
               This should be set if building and caching multiple images in one
               workflow, otherwise caches will overwrite each other.
        :param _builtins.str token: The GitHub Actions token to use. This is not a personal access tokens
               and is typically generated automatically as part of each job.
               Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
               `crazy-max/ghaction-github-runtime` is recommended to expose this
               environment variable to your jobs.
        :param _builtins.str url: The cache server URL to use for artifacts.
               Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
               `crazy-max/ghaction-github-runtime` is recommended to expose this
               environment variable to your jobs.
        """
        if scope is None:
            scope = 'buildkit'
        if scope is not None:
            pulumi.set(__self__, "scope", scope)
        if token is None:
            token = (_utilities.get_env('ACTIONS_RUNTIME_TOKEN') or '')
        if token is not None:
            pulumi.set(__self__, "token", token)
        if url is None:
            url = (_utilities.get_env('ACTIONS_CACHE_URL') or '')
        if url is not None:
            pulumi.set(__self__, "url", url)
    @_builtins.property
    @pulumi.getter
@@ -338,31 +327,6 @@ class CacheFromGitHubActions(dict):
        """
        return pulumi.get(self, "scope")
    @_builtins.property
    @pulumi.getter
    def token(self) -> Optional[_builtins.str]:
        """
        The GitHub Actions token to use. This is not a personal access tokens
        and is typically generated automatically as part of each job.
        Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
        `crazy-max/ghaction-github-runtime` is recommended to expose this
        environment variable to your jobs.
        """
        return pulumi.get(self, "token")
    @_builtins.property
    @pulumi.getter
    def url(self) -> Optional[_builtins.str]:
        """
        The cache server URL to use for artifacts.
        Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
        `crazy-max/ghaction-github-runtime` is recommended to expose this
        environment variable to your jobs.
        """
        return pulumi.get(self, "url")
@pulumi.output_type
 class CacheFromLocal(dict):
@@ -784,6 +748,12 @@ class CacheToAzureBlob(dict):
@pulumi.output_type
 class CacheToGitHubActions(dict):
    """
    Recommended for use with GitHub Actions workflows.
    An action like `crazy-max/ghaction-github-runtime` is recommended to expose
    appropriate credentials to your GitHub workflow.
    """
    @staticmethod
    def __key_warning(key: str):
        suggest = None
@@ -804,27 +774,18 @@ class CacheToGitHubActions(dict):
    def __init__(__self__, *,
                 ignore_error: Optional[_builtins.bool] = None,
                 mode: Optional['CacheMode'] = None,
-                 scope: Optional[_builtins.str] = None,
+                 scope: Optional[_builtins.str] = None):
                 token: Optional[_builtins.str] = None,
                 url: Optional[_builtins.str] = None):
        """
        Recommended for use with GitHub Actions workflows.
        An action like `crazy-max/ghaction-github-runtime` is recommended to expose
        appropriate credentials to your GitHub workflow.
        :param _builtins.bool ignore_error: Ignore errors caused by failed cache exports.
        :param 'CacheMode' mode: The cache mode to use. Defaults to `min`.
        :param _builtins.str scope: The scope to use for cache keys. Defaults to `buildkit`.
               This should be set if building and caching multiple images in one
               workflow, otherwise caches will overwrite each other.
        :param _builtins.str token: The GitHub Actions token to use. This is not a personal access tokens
               and is typically generated automatically as part of each job.
               Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
               `crazy-max/ghaction-github-runtime` is recommended to expose this
               environment variable to your jobs.
        :param _builtins.str url: The cache server URL to use for artifacts.
               Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
               `crazy-max/ghaction-github-runtime` is recommended to expose this
               environment variable to your jobs.
        """
        if ignore_error is None:
            ignore_error = False
@@ -838,14 +799,6 @@ class CacheToGitHubActions(dict):
            scope = 'buildkit'
        if scope is not None:
            pulumi.set(__self__, "scope", scope)
        if token is None:
            token = (_utilities.get_env('ACTIONS_RUNTIME_TOKEN') or '')
        if token is not None:
            pulumi.set(__self__, "token", token)
        if url is None:
            url = (_utilities.get_env('ACTIONS_CACHE_URL') or '')
        if url is not None:
            pulumi.set(__self__, "url", url)
    @_builtins.property
    @pulumi.getter(name="ignoreError")
@@ -874,31 +827,6 @@ class CacheToGitHubActions(dict):
        """
        return pulumi.get(self, "scope")
    @_builtins.property
    @pulumi.getter
    def token(self) -> Optional[_builtins.str]:
        """
        The GitHub Actions token to use. This is not a personal access tokens
        and is typically generated automatically as part of each job.
        Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
        `crazy-max/ghaction-github-runtime` is recommended to expose this
        environment variable to your jobs.
        """
        return pulumi.get(self, "token")
    @_builtins.property
    @pulumi.getter
    def url(self) -> Optional[_builtins.str]:
        """
        The cache server URL to use for artifacts.
        Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
        `crazy-max/ghaction-github-runtime` is recommended to expose this
        environment variable to your jobs.
        """
        return pulumi.get(self, "url")
@pulumi.output_type
 class CacheToInline(dict):