[internal] Update GitHub Actions workflow files

This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit 5619381e924fbac90750f41b6a27cadcd11c4c2d.

.ci-mgmt.yaml

@@ -4,23 +4,26 @@ major-version: 0
 providerDefaultBranch: main
 providerVersion: github.com/pulumi/pulumi-docker-build/provider.Version
 aws: true
+modulePath: .
 gcp: true
 sdkModuleDir: sdk/go/dockerbuild
 parallel: 3
+esc:
+    enabled: true
 envOverride:
-  AWS_REGION: us-west-2
+    AWS_REGION: us-west-2
-  PULUMI_API: "https://api.pulumi-staging.io"
+    PULUMI_API: "https://api.pulumi-staging.io"
-  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
+    ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
-  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
+    ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
-  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
+    ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
-  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+    ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
-  AZURE_LOCATION: westus
+    AZURE_LOCATION: westus
-  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
+    DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
-  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
+    GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
-  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
+    GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
-  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
+    GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
-  GOOGLE_PROJECT: pulumi-ci-gcp-provider
+    GOOGLE_PROJECT: pulumi-ci-gcp-provider
-  GOOGLE_PROJECT_NUMBER: 895284651812
+    GOOGLE_PROJECT_NUMBER: 895284651812
-  GOOGLE_REGION: us-central1
+    GOOGLE_REGION: us-central1
-  GOOGLE_ZONE: us-central1-a
+    GOOGLE_ZONE: us-central1-a
-  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
+    DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}

.config/mise.lock

@@ -0,0 +1,87 @@
+[[tools.dotnet]]
+version = "8.0.414"
+backend = "asdf:dotnet"
+
+[[tools."github:pulumi/pulumictl"]]
+version = "0.0.50"
+backend = "github:pulumi/pulumictl"
+
+[tools."github:pulumi/pulumictl".platforms.linux-x64]
+checksum = "blake3:c128dd74993f779c613296fe7cd21c20cbd323f24e59cb76e007620660b60348"
+name = "pulumictl-v0.0.50-linux-amd64.tar.gz"
+size = 27744219
+url = "https://github.com/pulumi/pulumictl/releases/download/v0.0.50/pulumictl-v0.0.50-linux-amd64.tar.gz"
+url_api = ""
+
+[[tools."github:pulumi/schema-tools"]]
+version = "0.6.0"
+backend = "github:pulumi/schema-tools"
+
+[tools."github:pulumi/schema-tools".platforms.linux-x64]
+checksum = "blake3:82dfe616fee18b4258f6e3d2dc3c4e9f14afd43a0a4cc33eff2d2a04088d6ca3"
+name = "schema-tools-v0.6.0-linux-amd64.tar.gz"
+size = 14282746
+url = "https://github.com/pulumi/schema-tools/releases/download/v0.6.0/schema-tools-v0.6.0-linux-amd64.tar.gz"
+url_api = ""
+
+[[tools.go]]
+version = "1.24.1"
+backend = "core:go"
+
+[tools.go.platforms.linux-x64]
+checksum = "sha256:cb2396bae64183cdccf81a9a6df0aea3bce9511fc21469fb89a0c00470088073"
+size = 78503123
+url = "https://dl.google.com/go/go1.24.1.linux-amd64.tar.gz"
+
+[[tools.golangci-lint]]
+version = "1.64.8"
+backend = "aqua:golangci/golangci-lint"
+
+[tools.golangci-lint.platforms.linux-x64]
+checksum = "sha256:b6270687afb143d019f387c791cd2a6f1cb383be9b3124d241ca11bd3ce2e54e"
+size = 12364828
+url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-amd64.tar.gz"
+
+[[tools.gradle]]
+version = "7.6.6"
+backend = "aqua:gradle/gradle"
+
+[tools.gradle.platforms.linux-x64]
+checksum = "blake3:5cad8fc455b720b68a0bd2907d435e2919581708243f84f27845fe8812a09323"
+size = 128439774
+url = "https://github.com/gradle/gradle-distributions/releases/download/v7.6.6/gradle-7.6.6-bin.zip"
+
+[[tools.java]]
+version = "corretto-11.0.28.6.1"
+backend = "core:java"
+
+[tools.java.platforms.linux-x64]
+checksum = "sha256:70734c46e0bbeb7f45b721756ba0b2f1f1e1ef85a11e10d5a488f06b257dadd9"
+size = 195648709
+url = "https://corretto.aws/downloads/resources/11.0.28.6.1/amazon-corretto-11.0.28.6.1-linux-x64.tar.gz"
+
+[[tools.node]]
+version = "20.19.5"
+backend = "core:node"
+
+[tools.node.platforms.linux-x64]
+checksum = "sha256:4eba5fbe1fb10753bc06e42f001a91c5cec16798b7764a3e9257adc59af47fe1"
+size = 47041607
+url = "https://nodejs.org/dist/v20.19.5/node-v20.19.5-linux-x64.tar.gz"
+
+[[tools."npm:yarn"]]
+version = "1.22.22"
+backend = "npm:yarn"
+
+[[tools.pulumi]]
+version = "3.192.0"
+backend = "aqua:pulumi/pulumi"
+
+[tools.pulumi.platforms.linux-x64]
+checksum = "sha512:6351213bee02ade5b76407d9b43cdb243fa461ca38231b03410de5aa1f697e55ab6467da2a9e37ebbff7be6cd3485d833e9ad8f29d4de6919bbdd471fb25e45a"
+size = 92867578
+url = "https://github.com/pulumi/pulumi/releases/download/v3.192.0/pulumi-v3.192.0-linux-x64.tar.gz"
+
+[[tools.python]]
+version = "3.11.8"
+backend = "core:python"

.config/mise.test.toml

@@ -0,0 +1,11 @@
+# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
+
+# Overrides for test workflows
+
+[env]
+# Acceptance (specifically providertest) tests require that PULUMI_HOME be the default
+PULUMI_HOME = "{{ env.HOME }}/.pulumi"
+
+[tools]
+# always use pulumi latest for tests
+pulumi = "latest"

.config/mise.toml

@@ -0,0 +1,28 @@
+# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
+# You can create your own root-level mise.toml file to override/augment this. See https://mise.jdx.dev/configuration.html
+
+[env]
+_.source = "{{config_root}}/scripts/get-versions.sh"
+
+[tools]
+
+# Runtimes
+# TODO: we may not need `get_env` once https://github.com/jdx/mise/discussions/6339 is fixed
+go = "{{ get_env(name='GO_VERSION_MISE', default='latest') }}"
+node = '20.19.5'
+python = '3.11.8'
+dotnet = '8.0.414'
+# Corretto version used as Java SE/OpenJDK version no longer offered
+java = 'corretto-11'
+
+# Executable tools
+pulumi = "{{ get_env(name='PULUMI_VERSION_MISE', default='latest') }}"
+"github:pulumi/pulumictl" = 'latest'
+"github:pulumi/schema-tools" = "latest"
+gradle = '7.6'
+golangci-lint = "1.64.8" # See note about about overrides if you need to customize this.
+"npm:yarn" = "1.22.22"
+
+[settings]
+experimental = true # Required for Go binaries (e.g. pulumictl).
+lockfile = true

.github/actions/esc-action/index.js

@@ -5,7 +5,7 @@ var stream = fs.createWriteStream(file, { flags: "a" });
 
 for (const [name, value] of Object.entries(process.env)) {
   try {
-    stream.write(`${name}=${value}\n`);
+    stream.write(`${name}<<EEEOOOFFF\n${value}\nEEEOOOFFF\n`); // << syntax accommodates multiline strings.
   } catch (err) {
     console.log(`error: failed to set output for ${name}: ${err.message}`);
   }

.github/workflows/build.yml

@@ -16,22 +16,17 @@ on:
   workflow_dispatch: {}
 env:
   PROVIDER: docker-build
-  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
   TRAVIS_OS_NAME: linux
-  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
   GOVERSION: "1.21.x"
   NODEVERSION: "20.x"
   PYTHONVERSION: "3.11.8"
   DOTNETVERSION: "8.0.x"
   JAVAVERSION: "11"
   ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
-  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
   ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
   ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
   AWS_REGION: us-west-2
   AZURE_LOCATION: westus
-  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
-  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
   GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
   GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
   GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -40,15 +35,28 @@ env:
   GOOGLE_REGION: us-central1
   GOOGLE_ZONE: us-central1-a
   PULUMI_API: https://api.pulumi-staging.io
+
 jobs:
   prerequisites:
     runs-on: ubuntu-latest
     name: prerequisites
+    permissions:
+      id-token: write # For ESC secrets.
+      pull-requests: write # For schema check comment.
     steps:
     - name: Checkout Repo
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -66,7 +74,7 @@ jobs:
       with:
         repo: pulumi/pulumictl
     - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - if: github.event_name == 'pull_request'
       name: Install Schema Tools
       uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
@@ -87,7 +95,7 @@ jobs:
           echo 'EOF';
         } >> "$GITHUB_ENV"
       env:
-        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
     - if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
       name: Comment on PR with Details of Schema Check
       uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
@@ -117,6 +125,7 @@ jobs:
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
+          sdk/java/build.gradle
     - name: Commit SDK changes for Renovate
       if: failure() && steps.worktreeClean.outcome == 'failure' &&
         contains(github.actor, 'renovate') && github.event_name ==
@@ -162,7 +171,7 @@ jobs:
 
         # workflow. https://github.com/orgs/community/discussions/25702
 
-        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
       env:
         HEAD_REF: ${{ github.head_ref }}
     - run: git status --porcelain
@@ -171,16 +180,21 @@ jobs:
         github.workspace}}/bin/ pulumi-resource-${{ env.PROVIDER }}
         pulumi-gen-${{ env.PROVIDER}}
     - name: Upload artifacts
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
       with:
         name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
         path: ${{ github.workspace }}/bin/provider.tar.gz
     - name: Test Provider Library
       run: make test_provider
-    - name: Upload coverage reports to Codecov
-      uses: codecov/codecov-action@fdcc8476540edceab3de004e990f80d881c6cc00 # v5.5.0
       env:
-        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        ARM_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.ARM_CLIENT_SECRET }}
+        DIGITALOCEAN_TOKEN: ${{ steps.esc-secrets.outputs.DIGITALOCEAN_TOKEN }}
+        DOCKER_HUB_PASSWORD: ${{ steps.esc-secrets.outputs.DOCKER_HUB_PASSWORD }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Upload coverage reports to Codecov
+      uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+      env:
+        CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
       uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
@@ -189,7 +203,7 @@ jobs:
         fields: repo,commit,author,action
         status: ${{ job.status }}
       env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   build_sdks:
     needs: prerequisites
     runs-on: pulumi-ubuntu-8core
@@ -203,11 +217,23 @@ jobs:
         - go
         - java
     name: build_sdks
+    permissions:
+      pull-requests: write # For Renovate SDK updates.
+      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -225,18 +251,18 @@ jobs:
       with:
         repo: pulumi/pulumictl
     - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Node
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
     - name: Setup DotNet
-      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
       with:
         dotnet-version: ${{ env.DOTNETVERSION }}
     - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: ${{ env.PYTHONVERSION }}
     - name: Setup Java
@@ -246,11 +272,11 @@ jobs:
         distribution: temurin
         cache: gradle
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
+      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
       with:
         gradle-version: "7.6"
     - name: Download provider
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
         path: ${{ github.workspace }}/bin
@@ -275,6 +301,7 @@ jobs:
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
+          sdk/java/build.gradle
     - name: Commit SDK changes for Renovate
       if: failure() && steps.worktreeClean.outcome == 'failure' &&
         contains(github.actor, 'renovate') && github.event_name ==
@@ -320,14 +347,14 @@ jobs:
 
         # workflow. https://github.com/orgs/community/discussions/25702
 
-        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
       env:
         HEAD_REF: ${{ github.head_ref }}
     - run: git status --porcelain
     - name: Tar SDK folder
       run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} .
     - name: Upload artifacts
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
       with:
         name: ${{ matrix.language  }}-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/${{ matrix.language }}.tar.gz
@@ -340,13 +367,29 @@ jobs:
         fields: repo,commit,author,action
         status: ${{ job.status }}
       env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
 
   tag_release_if_labeled_needs_release:
     name: Tag release if labeled as needs-release
     needs: publish
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets.
     steps:
+    - name: Checkout Repo
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - name: check if this commit needs release
       if: ${{ env.RELEASE_BOT_ENDPOINT != '' }}
       uses: pulumi/action-release-by-pr-label@main
@@ -354,10 +397,10 @@ jobs:
         command: "release-if-needed"
         repo: ${{ github.repository }}
         commit: ${{ github.sha }}
-        slack_channel: ${{ secrets.RELEASE_OPS_SLACK_CHANNEL }}
+        slack_channel: C02MGR8JVST
       env:
-        RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }}
+        RELEASE_BOT_ENDPOINT: ${{ steps.esc-secrets.outputs.RELEASE_BOT_ENDPOINT }}
-        RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }}
+        RELEASE_BOT_KEY: ${{ steps.esc-secrets.outputs.RELEASE_BOT_KEY }}
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   test:
@@ -377,12 +420,21 @@ jobs:
     name: test
     permissions:
       contents: read
-      id-token: write
+      id-token: write # For ESC secrets and Pulumi access token OIDC.
     steps:
     - name: Checkout Repo
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -400,18 +452,18 @@ jobs:
       with:
         repo: pulumi/pulumictl
     - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Node
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
     - name: Setup DotNet
-      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
       with:
         dotnet-version: ${{ env.DOTNETVERSION }}
     - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: ${{ env.PYTHONVERSION }}
     - name: Setup Java
@@ -421,11 +473,11 @@ jobs:
         distribution: temurin
         cache: gradle
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
+      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
       with:
         gradle-version: "7.6"
     - name: Download provider
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
         path: ${{ github.workspace }}/bin
@@ -437,7 +489,7 @@ jobs:
         -exec chmod +x {} \;
     - name: Download SDK
       if: ${{ matrix.language != 'yaml' }}
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: ${{ matrix.language }}-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -471,7 +523,7 @@ jobs:
       with:
         environment: logins/pulumi-ci
     - name: Authenticate to Google Cloud
-      uses: google-github-actions/auth@b7593ed2efd1c1617e1b0254da33b86225adb2a5 # v2.1.12
+      uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
       with:
         workload_identity_provider: projects/${{ env.GOOGLE_PROJECT_NUMBER
           }}/locations/global/workloadIdentityPools/${{
@@ -479,7 +531,7 @@ jobs:
           env.GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER }}
         service_account: ${{ env.GOOGLE_CI_SERVICE_ACCOUNT_EMAIL }}
     - name: Setup gcloud auth
-      uses: google-github-actions/setup-gcloud@cb1e50a9932213ecece00a606661ae9ca44f3397 # v2.2.0
+      uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
       with:
         install_components: gke-gcloud-auth-plugin
     - name: Install gotestfmt
@@ -492,6 +544,8 @@ jobs:
         set -euo pipefail
 
         cd examples && go test -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 .
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
       uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
@@ -500,16 +554,28 @@ jobs:
         fields: repo,commit,author,action
         status: ${{ job.status }}
       env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   publish:
     runs-on: ubuntu-latest
     needs: test
     name: publish
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -536,27 +602,27 @@ jobs:
       with:
         repo: pulumi/pulumictl
     - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
+      uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
       with:
-        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }}
         aws-region: us-east-2
-        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-secret-access-key: ${{ steps.esc-secrets.outputs.AWS_SECRET_ACCESS_KEY }}
         role-duration-seconds: 7200
         role-session-name: ${{ env.PROVIDER }}@githubActions
         role-external-id: upload-pulumi-release
-        role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
+        role-to-assume: ${{ steps.esc-secrets.outputs.AWS_UPLOAD_ROLE_ARN }}
     - name: Run GoReleaser
       uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
       env:
         GORELEASER_CURRENT_TAG: v${{ steps.version.outputs.version }}
-        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+        AZURE_SIGNING_CLIENT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID }}
-        AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
+        AZURE_SIGNING_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET }}
-        AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
+        AZURE_SIGNING_TENANT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID }}
-        AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
+        AZURE_SIGNING_KEY_VAULT_URI: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI }}
-        AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
+        SKIP_SIGNING: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET == '' && steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI == '' }}
-        SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' && secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
+        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
       with:
         args: -p 3 -f .goreleaser.prerelease.yml --clean --skip=validate --timeout 60m0s
         version: latest
@@ -568,16 +634,28 @@ jobs:
         fields: repo,commit,author,action
         status: ${{ job.status }}
       env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   publish_sdk:
     runs-on: ubuntu-latest
     needs: publish
     name: publish_sdk
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -601,22 +679,22 @@ jobs:
       with:
         repo: pulumi/pulumictl
     - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Node
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
     - name: Setup DotNet
-      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
       with:
         dotnet-version: ${{ env.DOTNETVERSION }}
     - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: ${{ env.PYTHONVERSION }}
     - name: Download python SDK
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: python-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -624,7 +702,7 @@ jobs:
       run: tar -zxf ${{github.workspace}}/sdk/python.tar.gz -C
         ${{github.workspace}}/sdk/python
     - name: Download dotnet SDK
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: dotnet-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -632,7 +710,7 @@ jobs:
       run: tar -zxf ${{github.workspace}}/sdk/dotnet.tar.gz -C
         ${{github.workspace}}/sdk/dotnet
     - name: Download nodejs SDK
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: nodejs-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -644,16 +722,16 @@ jobs:
     - name: Publish SDKs
       run: ./ci-scripts/ci/publish-tfgen-package ${{ github.workspace }}
       env:
-        NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
+        NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }}
-        NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }}
         PYPI_PUBLISH_ARTIFACTS: all
         PYPI_USERNAME: __token__
-        PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+        PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }}
-        SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
+        SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }}
-        SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
+        SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }}
-        SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
+        SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }}
-        PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+        PUBLISH_REPO_USERNAME: ${{ steps.esc-secrets.outputs.OSSRH_USERNAME }}
-        PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+        PUBLISH_REPO_PASSWORD: ${{ steps.esc-secrets.outputs.OSSRH_PASSWORD }}
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
       uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
@@ -662,7 +740,7 @@ jobs:
         fields: repo,commit,author,action
         status: ${{ job.status }}
       env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   lint:
     runs-on: ubuntu-latest
     steps:
@@ -684,8 +762,7 @@ jobs:
       uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6.5.2
       with:
         version: ${{ env.GOLANGCI_LINT_VERSION }}
-        args: -c ../.golangci.yml
+        working-directory: .
-        working-directory: provider
     name: lint
     if: github.event_name == 'repository_dispatch' ||
       github.event.pull_request.head.repo.full_name == github.repository

.github/workflows/command-dispatch.yml

@@ -2,13 +2,10 @@
 
 env:
   ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
-  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
   ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
   ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
   AWS_REGION: us-west-2
   AZURE_LOCATION: westus
-  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
-  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
   GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
   GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
   GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -17,15 +14,28 @@ env:
   GOOGLE_REGION: us-central1
   GOOGLE_ZONE: us-central1-a
   PULUMI_API: https://api.pulumi-staging.io
+
 jobs:
   command-dispatch-for-testing:
     name: command-dispatch-for-testing
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         persist-credentials: false    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - uses: peter-evans/slash-command-dispatch@13bc09769d122a64f75aa5037256f6f2d78be8c4 # v4
       with:
         commands: |
@@ -35,7 +45,7 @@ jobs:
         permission: write
         reaction-token: ${{ secrets.GITHUB_TOKEN }}
         repository: pulumi/pulumi-docker-build
-        token: ${{ secrets.PULUMI_BOT_TOKEN }}
+        token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
 name: command-dispatch
 on:
   issue_comment:

.github/workflows/comment-on-stale-issues.yml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     name: Stale issue job
     steps:
-    - uses: aws-actions/stale-issue-cleanup@5650b49bcd757a078f6ca06c373d7807b773f9bc #v7.1.0
+    - uses: aws-actions/stale-issue-cleanup@5650b49bcd757a078f6ca06c373d7807b773f9bc # v7.1.0
       with:
         issue-types: issues # only look at issues (ignore pull-requests)
 

.github/workflows/community-moderation.yml

@@ -1,7 +1,5 @@
 # WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
 
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 jobs:
   warn_codegen:
     name: warn_codegen

.github/workflows/export-repo-secrets.yml

@@ -13,7 +13,7 @@ jobs:
           app-id: 1256780 # Export Secrets GitHub App
           private-key: ${{ secrets.EXPORT_SECRETS_PRIVATE_KEY }}
       - name: Export secrets to ESC
-        uses: pulumi/esc-export-secrets-action@v1
+        uses: pulumi/esc-export-secrets-action@9d6485759b6adff2538ae91f1b77cc96265c9dad # v1
         with:
           organization: pulumi
           org-environment: imports/github-secrets

.github/workflows/prerelease.yml

@@ -7,22 +7,17 @@ on:
     - v*.*.*-**
 env:
   PROVIDER: docker-build
-  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
   TRAVIS_OS_NAME: linux
-  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
   GOVERSION: "1.21.x"
   NODEVERSION: "20.x"
   PYTHONVERSION: "3.11.8"
   DOTNETVERSION: "8.0.x"
   JAVAVERSION: "11"
   ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
-  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
   ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
   ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
   AWS_REGION: us-west-2
   AZURE_LOCATION: westus
-  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
-  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
   GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
   GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
   GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -32,6 +27,7 @@ env:
   GOOGLE_ZONE: us-central1-a
   PULUMI_API: https://api.pulumi-staging.io
   IS_PRERELEASE: true
+
 jobs:
   prerequisites:
     runs-on: ubuntu-latest
@@ -41,6 +37,15 @@ jobs:
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -58,7 +63,7 @@ jobs:
       with:
         repo: pulumi/pulumictl
     - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - if: github.event_name == 'pull_request'
       name: Install Schema Tools
       uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
@@ -79,7 +84,7 @@ jobs:
           echo 'EOF';
         } >> "$GITHUB_ENV"
       env:
-        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
     - if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
       name: Comment on PR with Details of Schema Check
       uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
@@ -109,6 +114,7 @@ jobs:
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
+          sdk/java/build.gradle
     - name: Commit SDK changes for Renovate
       if: failure() && steps.worktreeClean.outcome == 'failure' &&
         contains(github.actor, 'renovate') && github.event_name ==
@@ -154,7 +160,7 @@ jobs:
 
         # workflow. https://github.com/orgs/community/discussions/25702
 
-        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
       env:
         HEAD_REF: ${{ github.head_ref }}
     - run: git status --porcelain
@@ -163,16 +169,21 @@ jobs:
         github.workspace}}/bin/ pulumi-resource-${{ env.PROVIDER }}
         pulumi-gen-${{ env.PROVIDER}}
     - name: Upload artifacts
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
       with:
         name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
         path: ${{ github.workspace }}/bin/provider.tar.gz
     - name: Test Provider Library
       run: make test_provider
-    - name: Upload coverage reports to Codecov
-      uses: codecov/codecov-action@fdcc8476540edceab3de004e990f80d881c6cc00 # v5.5.0
       env:
-        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        ARM_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.ARM_CLIENT_SECRET }}
+        DIGITALOCEAN_TOKEN: ${{ steps.esc-secrets.outputs.DIGITALOCEAN_TOKEN }}
+        DOCKER_HUB_PASSWORD: ${{ steps.esc-secrets.outputs.DOCKER_HUB_PASSWORD }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Upload coverage reports to Codecov
+      uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+      env:
+        CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
       uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
@@ -181,7 +192,7 @@ jobs:
         fields: repo,commit,author,action
         status: ${{ job.status }}
       env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   build_sdks:
     needs: prerequisites
     runs-on: pulumi-ubuntu-8core
@@ -195,11 +206,23 @@ jobs:
         - go
         - java
     name: build_sdks
+    permissions:
+      pull-requests: write # For Renovate SDK updates.
+      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -217,18 +240,18 @@ jobs:
       with:
         repo: pulumi/pulumictl
     - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Node
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
     - name: Setup DotNet
-      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
       with:
         dotnet-version: ${{ env.DOTNETVERSION }}
     - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: ${{ env.PYTHONVERSION }}
     - name: Setup Java
@@ -238,11 +261,11 @@ jobs:
         distribution: temurin
         cache: gradle
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
+      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
       with:
         gradle-version: "7.6"
     - name: Download provider
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
         path: ${{ github.workspace }}/bin
@@ -267,6 +290,7 @@ jobs:
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
+          sdk/java/build.gradle
     - name: Commit ${{ matrix.language }} SDK changes for Renovate
       if: failure() && steps.worktreeClean.outcome == 'failure' &&
         contains(github.actor, 'renovate') && github.event_name ==
@@ -312,14 +336,14 @@ jobs:
 
         # workflow. https://github.com/orgs/community/discussions/25702
 
-        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
       env:
         HEAD_REF: ${{ github.head_ref }}
     - run: git status --porcelain
     - name: Tar SDK folder
       run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} .
     - name: Upload artifacts
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
       with:
         name: ${{ matrix.language  }}-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/${{ matrix.language }}.tar.gz
@@ -331,7 +355,7 @@ jobs:
         fields: repo,commit,author,action
         status: ${{ job.status }}
       env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   test:
     runs-on: pulumi-ubuntu-8core
     needs:
@@ -349,12 +373,21 @@ jobs:
     name: test
     permissions:
       contents: read
-      id-token: write
+      id-token: write # For ESC secrets and Pulumi access token OIDC.
     steps:
     - name: Checkout Repo
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -372,18 +405,18 @@ jobs:
       with:
         repo: pulumi/pulumictl
     - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Node
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
     - name: Setup DotNet
-      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
       with:
         dotnet-version: ${{ env.DOTNETVERSION }}
     - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: ${{ env.PYTHONVERSION }}
     - name: Setup Java
@@ -393,11 +426,11 @@ jobs:
         distribution: temurin
         cache: gradle
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
+      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
       with:
         gradle-version: "7.6"
     - name: Download provider
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
         path: ${{ github.workspace }}/bin
@@ -409,7 +442,7 @@ jobs:
         -exec chmod +x {} \;
     - name: Download SDK
       if: ${{ matrix.language != 'yaml' }}
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: ${{ matrix.language }}-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -443,7 +476,7 @@ jobs:
       with:
         environment: logins/pulumi-ci
     - name: Authenticate to Google Cloud
-      uses: google-github-actions/auth@b7593ed2efd1c1617e1b0254da33b86225adb2a5 # v2.1.12
+      uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
       with:
         workload_identity_provider: projects/${{ env.GOOGLE_PROJECT_NUMBER
           }}/locations/global/workloadIdentityPools/${{
@@ -451,7 +484,7 @@ jobs:
           env.GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER }}
         service_account: ${{ env.GOOGLE_CI_SERVICE_ACCOUNT_EMAIL }}
     - name: Setup gcloud auth
-      uses: google-github-actions/setup-gcloud@cb1e50a9932213ecece00a606661ae9ca44f3397 # v2.2.0
+      uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
       with:
         install_components: gke-gcloud-auth-plugin
     - name: Install gotestfmt
@@ -464,6 +497,8 @@ jobs:
         set -euo pipefail
 
         cd examples && go test -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 .
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
       uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
@@ -472,16 +507,28 @@ jobs:
         fields: repo,commit,author,action
         status: ${{ job.status }}
       env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   publish:
     runs-on: ubuntu-latest
     needs: test
     name: publish
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -508,27 +555,27 @@ jobs:
       with:
         repo: pulumi/pulumictl
     - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
+      uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
       with:
-        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }}
         aws-region: us-east-2
-        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-secret-access-key: ${{ steps.esc-secrets.outputs.AWS_SECRET_ACCESS_KEY }}
         role-duration-seconds: 7200
         role-session-name: ${{ env.PROVIDER }}@githubActions
         role-external-id: upload-pulumi-release
-        role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
+        role-to-assume: ${{ steps.esc-secrets.outputs.AWS_UPLOAD_ROLE_ARN }}
     - name: Run GoReleaser
       uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
       env:
         GORELEASER_CURRENT_TAG: v${{ steps.version.outputs.version }}
-        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+        AZURE_SIGNING_CLIENT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID }}
-        AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
+        AZURE_SIGNING_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET }}
-        AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
+        AZURE_SIGNING_TENANT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID }}
-        AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
+        AZURE_SIGNING_KEY_VAULT_URI: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI }}
-        AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
+        SKIP_SIGNING: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET == '' && steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI == '' }}
-        SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' && secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
+        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
       with:
         args: -p 3 -f .goreleaser.prerelease.yml --clean --skip=validate --timeout 60m0s
         version: latest
@@ -540,16 +587,28 @@ jobs:
         fields: repo,commit,author,action
         status: ${{ job.status }}
       env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   publish_sdk:
     runs-on: ubuntu-latest
     needs: publish
     name: publish_sdk
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -573,22 +632,22 @@ jobs:
       with:
         repo: pulumi/pulumictl
     - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Node
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
     - name: Setup DotNet
-      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
       with:
         dotnet-version: ${{ env.DOTNETVERSION }}
     - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: ${{ env.PYTHONVERSION }}
     - name: Download python SDK
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: python-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -596,7 +655,7 @@ jobs:
       run: tar -zxf ${{github.workspace}}/sdk/python.tar.gz -C
         ${{github.workspace}}/sdk/python
     - name: Download dotnet SDK
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: dotnet-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -604,7 +663,7 @@ jobs:
       run: tar -zxf ${{github.workspace}}/sdk/dotnet.tar.gz -C
         ${{github.workspace}}/sdk/dotnet
     - name: Download nodejs SDK
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: nodejs-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -616,11 +675,11 @@ jobs:
     - name: Publish SDKs
       run: ./ci-scripts/ci/publish-tfgen-package ${{ github.workspace }}
       env:
-        NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
+        NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }}
-        NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }}
         PYPI_PUBLISH_ARTIFACTS: all
         PYPI_USERNAME: __token__
-        PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+        PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }}
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
       uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
@@ -629,17 +688,29 @@ jobs:
         fields: repo,commit,author,action
         status: ${{ job.status }}
       env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   publish_java_sdk:
     runs-on: ubuntu-latest
     continue-on-error: true
     needs: publish
     name: publish_java_sdk
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -657,7 +728,7 @@ jobs:
       with:
         repo: pulumi/pulumictl
     - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Java
       uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
       with:
@@ -665,11 +736,11 @@ jobs:
         distribution: temurin
         cache: gradle
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
+      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
       with:
         gradle-version: "7.6"
     - name: Download java SDK
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: java-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -677,18 +748,18 @@ jobs:
       run: tar -zxf ${{github.workspace}}/sdk/java.tar.gz -C
         ${{github.workspace}}/sdk/java
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
+      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
       with:
         gradle-version: "7.6"
     - name: Publish Java SDK
       run: gradle -p ./sdk/java publishToSonatype closeAndReleaseSonatypeStagingRepository
       env:
         PACKAGE_VERSION: ${{ env.PROVIDER_VERSION }}
-        SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
+        SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }}
-        SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
+        SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }}
-        SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
+        SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }}
-        PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+        PUBLISH_REPO_PASSWORD: ${{ steps.esc-secrets.outputs.OSSRH_PASSWORD }}
-        PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+        PUBLISH_REPO_USERNAME: ${{ steps.esc-secrets.outputs.OSSRH_USERNAME }}
   publish_go_sdk:
     runs-on: ubuntu-latest
     name: publish-go-sdk
@@ -706,7 +777,7 @@ jobs:
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: Download go SDK
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: go-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/

.github/workflows/pull-request.yml

@@ -3,33 +3,7 @@
 name: pull-request
 on:
   pull_request_target: {}
-env:
+
-  PROVIDER: docker-build
-  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
-  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
-  TRAVIS_OS_NAME: linux
-  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
-  GOVERSION: "1.21.x"
-  NODEVERSION: "20.x"
-  PYTHONVERSION: "3.11.8"
-  DOTNETVERSION: "8.0.x"
-  JAVAVERSION: "11"
-  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
-  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
-  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
-  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
-  AWS_REGION: us-west-2
-  AZURE_LOCATION: westus
-  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
-  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
-  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
-  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
-  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
-  GOOGLE_PROJECT: pulumi-ci-gcp-provider
-  GOOGLE_PROJECT_NUMBER: "895284651812"
-  GOOGLE_REGION: us-central1
-  GOOGLE_ZONE: us-central1-a
-  PULUMI_API: https://api.pulumi-staging.io
 jobs:
   comment-on-pr:
     runs-on: ubuntu-latest

.github/workflows/release.yml

@@ -8,22 +8,17 @@ on:
     - "!v*.*.*-**"
 env:
   PROVIDER: docker-build
-  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
   TRAVIS_OS_NAME: linux
-  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
   GOVERSION: "1.21.x"
   NODEVERSION: "20.x"
   PYTHONVERSION: "3.11.8"
   DOTNETVERSION: "8.0.x"
   JAVAVERSION: "11"
   ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
-  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
   ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
   ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
   AWS_REGION: us-west-2
   AZURE_LOCATION: westus
-  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
-  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
   GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
   GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
   GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -32,15 +27,28 @@ env:
   GOOGLE_REGION: us-central1
   GOOGLE_ZONE: us-central1-a
   PULUMI_API: https://api.pulumi-staging.io
+
 jobs:
   prerequisites:
     runs-on: ubuntu-latest
     name: prerequisites
+    permissions:
+      id-token: write # For ESC secrets.
+      pull-requests: write # For schema check comment.
     steps:
     - name: Checkout Repo
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -58,7 +66,7 @@ jobs:
       with:
         repo: pulumi/pulumictl
     - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - if: github.event_name == 'pull_request'
       name: Install Schema Tools
       uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
@@ -79,7 +87,7 @@ jobs:
           echo 'EOF';
         } >> "$GITHUB_ENV"
       env:
-        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
     - if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
       name: Comment on PR with Details of Schema Check
       uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
@@ -109,6 +117,7 @@ jobs:
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
+          sdk/java/build.gradle
     - name: Commit SDK changes for Renovate
       if: failure() && steps.worktreeClean.outcome == 'failure' &&
         contains(github.actor, 'renovate') && github.event_name ==
@@ -154,7 +163,7 @@ jobs:
 
         # workflow. https://github.com/orgs/community/discussions/25702
 
-        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
       env:
         HEAD_REF: ${{ github.head_ref }}
     - run: git status --porcelain
@@ -163,16 +172,21 @@ jobs:
         github.workspace}}/bin/ pulumi-resource-${{ env.PROVIDER }}
         pulumi-gen-${{ env.PROVIDER}}
     - name: Upload artifacts
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
       with:
         name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
         path: ${{ github.workspace }}/bin/provider.tar.gz
     - name: Test Provider Library
       run: make test_provider
-    - name: Upload coverage reports to Codecov
-      uses: codecov/codecov-action@fdcc8476540edceab3de004e990f80d881c6cc00 # v5.5.0
       env:
-        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        ARM_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.ARM_CLIENT_SECRET }}
+        DIGITALOCEAN_TOKEN: ${{ steps.esc-secrets.outputs.DIGITALOCEAN_TOKEN }}
+        DOCKER_HUB_PASSWORD: ${{ steps.esc-secrets.outputs.DOCKER_HUB_PASSWORD }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Upload coverage reports to Codecov
+      uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+      env:
+        CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
       uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
@@ -181,7 +195,7 @@ jobs:
         fields: repo,commit,author,action
         status: ${{ job.status }}
       env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   build_sdks:
     needs: prerequisites
     runs-on: pulumi-ubuntu-8core
@@ -195,11 +209,23 @@ jobs:
         - go
         - java
     name: build_sdks
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -217,18 +243,18 @@ jobs:
       with:
         repo: pulumi/pulumictl
     - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Node
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
     - name: Setup DotNet
-      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
       with:
         dotnet-version: ${{ env.DOTNETVERSION }}
     - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: ${{ env.PYTHONVERSION }}
     - name: Setup Java
@@ -238,11 +264,11 @@ jobs:
         distribution: temurin
         cache: gradle
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
+      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
       with:
         gradle-version: "7.6"
     - name: Download provider
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
         path: ${{ github.workspace }}/bin
@@ -267,6 +293,7 @@ jobs:
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
+          sdk/java/build.gradle
     - name: Commit SDK changes for Renovate
       if: failure() && steps.worktreeClean.outcome == 'failure' &&
         contains(github.actor, 'renovate') && github.event_name ==
@@ -312,14 +339,14 @@ jobs:
 
         # workflow. https://github.com/orgs/community/discussions/25702
 
-        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
       env:
         HEAD_REF: ${{ github.head_ref }}
     - run: git status --porcelain
     - name: Tar SDK folder
       run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} .
     - name: Upload artifacts
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
       with:
         name: ${{ matrix.language  }}-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/${{ matrix.language }}.tar.gz
@@ -331,7 +358,7 @@ jobs:
         fields: repo,commit,author,action
         status: ${{ job.status }}
       env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   test:
     runs-on: pulumi-ubuntu-8core
     needs:
@@ -349,12 +376,21 @@ jobs:
     name: test
     permissions:
       contents: read
-      id-token: write
+      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -372,18 +408,18 @@ jobs:
       with:
         repo: pulumi/pulumictl
     - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Node
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
     - name: Setup DotNet
-      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
       with:
         dotnet-version: ${{ env.DOTNETVERSION }}
     - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: ${{ env.PYTHONVERSION }}
     - name: Setup Java
@@ -393,11 +429,11 @@ jobs:
         distribution: temurin
         cache: gradle
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
+      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
       with:
         gradle-version: "7.6"
     - name: Download provider
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
         path: ${{ github.workspace }}/bin
@@ -409,7 +445,7 @@ jobs:
         -exec chmod +x {} \;
     - name: Download SDK
       if: ${{ matrix.language != 'yaml' }}
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: ${{ matrix.language }}-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -443,7 +479,7 @@ jobs:
       with:
         environment: logins/pulumi-ci
     - name: Authenticate to Google Cloud
-      uses: google-github-actions/auth@b7593ed2efd1c1617e1b0254da33b86225adb2a5 # v2.1.12
+      uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
       with:
         workload_identity_provider: projects/${{ env.GOOGLE_PROJECT_NUMBER
           }}/locations/global/workloadIdentityPools/${{
@@ -451,7 +487,7 @@ jobs:
           env.GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER }}
         service_account: ${{ env.GOOGLE_CI_SERVICE_ACCOUNT_EMAIL }}
     - name: Setup gcloud auth
-      uses: google-github-actions/setup-gcloud@cb1e50a9932213ecece00a606661ae9ca44f3397 # v2.2.0
+      uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
       with:
         install_components: gke-gcloud-auth-plugin
     - name: Install gotestfmt
@@ -464,6 +500,8 @@ jobs:
         set -euo pipefail
 
         cd examples && go test -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 .
+      env:
+        GTIHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
       uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
@@ -472,16 +510,28 @@ jobs:
         fields: repo,commit,author,action
         status: ${{ job.status }}
       env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   publish:
     runs-on: ubuntu-latest
     needs: test
     name: publish
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -508,27 +558,27 @@ jobs:
       with:
         repo: pulumi/pulumictl
     - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
+      uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
       with:
-        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
+        aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }}
         aws-region: us-east-2
-        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+        aws-secret-access-key: ${{ steps.esc-secrets.outputs.AWS_SECRET_ACCESS_KEY }}
         role-duration-seconds: 7200
         role-session-name: ${{ env.PROVIDER }}@githubActions
         role-external-id: upload-pulumi-release
-        role-to-assume: ${{ secrets.AWS_UPLOAD_ROLE_ARN }}
+        role-to-assume: ${{ steps.esc-secrets.outputs.AWS_UPLOAD_ROLE_ARN }}
     - name: Run GoReleaser
       uses: goreleaser/goreleaser-action@5742e2a039330cbb23ebf35f046f814d4c6ff811 # v5.1.0
       env:
         GORELEASER_CURRENT_TAG: v${{ steps.version.outputs.version }}
-        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+        AZURE_SIGNING_CLIENT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID }}
-        AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
+        AZURE_SIGNING_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET }}
-        AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
+        AZURE_SIGNING_TENANT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID }}
-        AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
+        AZURE_SIGNING_KEY_VAULT_URI: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI }}
-        AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
+        SKIP_SIGNING: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET == '' && steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID == '' && steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI == '' }}
-        SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' && secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
+        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
       with:
         args: -p 3 release --clean --timeout 60m0s
         version: latest
@@ -540,16 +590,28 @@ jobs:
         fields: repo,commit,author,action
         status: ${{ job.status }}
       env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   publish_sdk:
     runs-on: ubuntu-latest
     needs: publish
     name: publish_sdks
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -573,22 +635,22 @@ jobs:
       with:
         repo: pulumi/pulumictl
     - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Node
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
     - name: Setup DotNet
-      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
       with:
         dotnet-version: ${{ env.DOTNETVERSION }}
     - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: ${{ env.PYTHONVERSION }}
     - name: Download python SDK
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: python-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -596,7 +658,7 @@ jobs:
       run: tar -zxf ${{github.workspace}}/sdk/python.tar.gz -C
         ${{github.workspace}}/sdk/python
     - name: Download dotnet SDK
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: dotnet-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -604,7 +666,7 @@ jobs:
       run: tar -zxf ${{github.workspace}}/sdk/dotnet.tar.gz -C
         ${{github.workspace}}/sdk/dotnet
     - name: Download nodejs SDK
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: nodejs-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -616,11 +678,11 @@ jobs:
     - name: Publish SDKs
       run: ./ci-scripts/ci/publish-tfgen-package ${{ github.workspace }}
       env:
-        NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
+        NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }}
-        NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }}
         PYPI_PUBLISH_ARTIFACTS: all
         PYPI_USERNAME: __token__
-        PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+        PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }}
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
       uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
@@ -629,17 +691,29 @@ jobs:
         fields: repo,commit,author,action
         status: ${{ job.status }}
       env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   publish_java_sdk:
     runs-on: ubuntu-latest
     continue-on-error: true
     needs: publish
     name: publish_java_sdk
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -657,7 +731,7 @@ jobs:
       with:
         repo: pulumi/pulumictl
     - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Java
       uses: actions/setup-java@dded0888837ed1f317902acf8a20df0ad188d165 # v5.0.0
       with:
@@ -665,11 +739,11 @@ jobs:
         distribution: temurin
         cache: gradle
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
+      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
       with:
         gradle-version: "7.6"
     - name: Download java SDK
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: java-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -677,18 +751,18 @@ jobs:
       run: tar -zxf ${{github.workspace}}/sdk/java.tar.gz -C
         ${{github.workspace}}/sdk/java
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
+      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
       with:
         gradle-version: "7.6"
     - name: Publish Java SDK
       run: gradle -p ./sdk/java publishToSonatype closeAndReleaseSonatypeStagingRepository
       env:
         PACKAGE_VERSION: ${{ env.PROVIDER_VERSION }}
-        SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
+        SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }}
-        SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
+        SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }}
-        SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
+        SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }}
-        PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+        PUBLISH_REPO_PASSWORD: ${{ steps.esc-secrets.outputs.OSSRH_PASSWORD }}
-        PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+        PUBLISH_REPO_USERNAME: ${{ steps.esc-secrets.outputs.OSSRH_USERNAME }}
   publish_go_sdk:
     runs-on: ubuntu-latest
     name: publish-go-sdk
@@ -706,7 +780,7 @@ jobs:
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: Download go SDK
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: go-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -726,7 +800,23 @@ jobs:
   dispatch_docs_build:
     runs-on: ubuntu-latest
     needs: publish_go_sdk
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets.
     steps:
+    - name: Checkout Repo
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - name: Install pulumictl
       uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
       with:
@@ -735,5 +825,5 @@ jobs:
       run: pulumictl create docs-build pulumi-${{ env.PROVIDER }}
         "${GITHUB_REF#refs/tags/}"
       env:
-        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
     name: dispatch_docs_build

.github/workflows/release_command.yml

@@ -14,6 +14,15 @@ jobs:
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         persist-credentials: false    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - name: Should release PR
       uses: pulumi/action-release-by-pr-label@main
       with:
@@ -21,14 +30,14 @@ jobs:
         repo: ${{ github.repository }}
         pr: ${{ github.event.client_payload.pull_request.number }}
         version: ${{ github.event.client_payload.slash_command.args.all }}
-        slack_channel: ${{ secrets.RELEASE_OPS_STAGING_SLACK_CHANNEL }}
+        slack_channel: ${{ steps.esc-secrets.outputs.RELEASE_OPS_STAGING_SLACK_CHANNEL }}
       env:
-        RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }}
+        RELEASE_BOT_ENDPOINT: ${{ steps.esc-secrets.outputs.RELEASE_BOT_ENDPOINT }}
-        RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }}
+        RELEASE_BOT_KEY: ${{ steps.esc-secrets.outputs.RELEASE_BOT_KEY }}
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - if: failure()
       name: Notify failure
-      uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
@@ -37,7 +46,7 @@ jobs:
           "release command failed: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
     - if: success()
       name: Notify success
-      uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         repository: ${{ github.event.client_payload.github.payload.repository.full_name }}

.github/workflows/run-acceptance-tests.yml

@@ -11,22 +11,17 @@ on:
   workflow_dispatch: {}
 env:
   PROVIDER: docker-build
-  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
   TRAVIS_OS_NAME: linux
-  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
   GOVERSION: "1.21.x"
   NODEVERSION: "20.x"
   PYTHONVERSION: "3.11.8"
   DOTNETVERSION: "8.0.x"
   JAVAVERSION: "11"
   ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
-  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
   ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
   ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
   AWS_REGION: us-west-2
   AZURE_LOCATION: westus
-  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
-  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
   GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
   GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
   GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -38,32 +33,50 @@ env:
   PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }}
 jobs:
   comment-notification:
+    if: github.event_name == 'repository_dispatch'
     runs-on: ubuntu-latest
     name: comment-notification
     steps:
-    - name: Create URL to the run output
-      id: vars
-      run: echo
-        "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
-        >> "$GITHUB_OUTPUT"
-    - name: Update with Result
-      uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
-      with:
-        token: ${{ secrets.PULUMI_BOT_TOKEN }}
-        repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
-        issue-number: ${{ github.event.client_payload.github.payload.issue.number }}
-        body: "Please view the PR build: ${{ steps.vars.outputs.run-url }}"
-    if: github.event_name == 'repository_dispatch'
-  prerequisites:
-    runs-on: ubuntu-latest
-    name: prerequisites
-    steps:
     - name: Checkout Repo
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         lfs: true
         persist-credentials: false
         ref: ${{ env.PR_COMMIT_SHA }}
+    - name: Create URL to the run output
+      id: vars
+      run: echo
+        "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
+        >> "$GITHUB_OUTPUT"
+    - name: Update with Result
+      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
+      with:
+        token: ${{ secrets.GITHUB_TOKEN }}
+        repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
+        issue-number: ${{ github.event.client_payload.github.payload.issue.number }}
+        body: "Please view the PR build: ${{ steps.vars.outputs.run-url }}"
+  prerequisites:
+    runs-on: ubuntu-latest
+    name: prerequisites
+    permissions:
+      id-token: write # For ESC secrets.
+      pull-requests: write # For schema check comment.
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        lfs: true
+        persist-credentials: false
+        ref: ${{ env.PR_COMMIT_SHA }}    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -81,7 +94,7 @@ jobs:
       with:
         repo: pulumi/pulumictl
     - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - if: github.event_name == 'pull_request'
       name: Install Schema Tools
       uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
@@ -102,7 +115,7 @@ jobs:
           echo 'EOF';
         } >> "$GITHUB_ENV"
       env:
-        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
     - if: github.event_name == 'pull_request' && github.actor != 'dependabot[bot]'
       name: Comment on PR with Details of Schema Check
       uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
@@ -132,6 +145,7 @@ jobs:
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
+          sdk/java/build.gradle
     - name: Commit SDK changes for Renovate
       if: failure() && steps.worktreeClean.outcome == 'failure' &&
         contains(github.actor, 'renovate') && github.event_name ==
@@ -177,7 +191,7 @@ jobs:
 
         # workflow. https://github.com/orgs/community/discussions/25702
 
-        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
       env:
         HEAD_REF: ${{ github.head_ref }}
     - run: git status --porcelain
@@ -186,16 +200,21 @@ jobs:
         github.workspace}}/bin/ pulumi-resource-${{ env.PROVIDER }}
         pulumi-gen-${{ env.PROVIDER}}
     - name: Upload artifacts
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
       with:
         name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
         path: ${{ github.workspace }}/bin/provider.tar.gz
     - name: Test Provider Library
       run: make test_provider
-    - name: Upload coverage reports to Codecov
-      uses: codecov/codecov-action@fdcc8476540edceab3de004e990f80d881c6cc00 # v5.5.0
       env:
-        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        ARM_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.ARM_CLIENT_SECRET }}
+        DIGITALOCEAN_TOKEN: ${{ steps.esc-secrets.outputs.DIGITALOCEAN_TOKEN }}
+        DOCKER_HUB_PASSWORD: ${{ steps.esc-secrets.outputs.DOCKER_HUB_PASSWORD }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+    - name: Upload coverage reports to Codecov
+      uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
+      env:
+        CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
       uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
@@ -204,7 +223,7 @@ jobs:
         fields: repo,commit,author,action
         status: ${{ job.status }}
       env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
     if: github.event_name == 'repository_dispatch' ||
       github.event.pull_request.head.repo.full_name == github.repository
   build_sdks:
@@ -220,6 +239,9 @@ jobs:
         - go
         - java
     name: build_sdks
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -227,6 +249,15 @@ jobs:
         lfs: true
         persist-credentials: false
         ref: ${{ env.PR_COMMIT_SHA }}    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -244,18 +275,18 @@ jobs:
       with:
         repo: pulumi/pulumictl
     - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Node
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
     - name: Setup DotNet
-      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
       with:
         dotnet-version: ${{ env.DOTNETVERSION }}
     - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: ${{ env.PYTHONVERSION }}
     - name: Setup Java
@@ -265,11 +296,11 @@ jobs:
         distribution: temurin
         cache: gradle
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
+      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
       with:
         gradle-version: "7.6"
     - name: Download provider
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
         path: ${{ github.workspace }}/bin
@@ -294,6 +325,7 @@ jobs:
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
+          sdk/java/build.gradle
     - name: Commit SDK changes for Renovate
       if: failure() && steps.worktreeClean.outcome == 'failure' &&
         contains(github.actor, 'renovate') && github.event_name ==
@@ -338,14 +370,14 @@ jobs:
 
         # workflow. https://github.com/orgs/community/discussions/25702
 
-        git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
+        git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }}     "HEAD:$HEAD_REF"
       env:
         HEAD_REF: ${{ github.head_ref }}
     - run: git status --porcelain
     - name: Tar SDK folder
       run: tar -zcf sdk/${{ matrix.language }}.tar.gz -C sdk/${{ matrix.language }} .
     - name: Upload artifacts
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
       with:
         name: ${{ matrix.language  }}-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/${{ matrix.language }}.tar.gz
@@ -358,7 +390,7 @@ jobs:
         fields: repo,commit,author,action
         status: ${{ job.status }}
       env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
     if: github.event_name == 'repository_dispatch' ||
       github.event.pull_request.head.repo.full_name == github.repository
   test:
@@ -386,6 +418,15 @@ jobs:
         lfs: true
         persist-credentials: false
         ref: ${{ env.PR_COMMIT_SHA }}    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -403,18 +444,18 @@ jobs:
       with:
         repo: pulumi/pulumictl
     - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Node
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
     - name: Setup DotNet
-      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
       with:
         dotnet-version: ${{ env.DOTNETVERSION }}
     - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: ${{ env.PYTHONVERSION }}
     - name: Setup Java
@@ -424,11 +465,11 @@ jobs:
         distribution: temurin
         cache: gradle
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
+      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
       with:
         gradle-version: "7.6"
     - name: Download provider
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: pulumi-${{ env.PROVIDER }}-provider.tar.gz
         path: ${{ github.workspace }}/bin
@@ -440,7 +481,7 @@ jobs:
         -exec chmod +x {} \;
     - name: Download SDK
       if: ${{ matrix.language != 'yaml' }}
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: ${{ matrix.language }}-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
@@ -474,7 +515,7 @@ jobs:
       with:
         environment: logins/pulumi-ci
     - name: Authenticate to Google Cloud
-      uses: google-github-actions/auth@b7593ed2efd1c1617e1b0254da33b86225adb2a5 # v2.1.12
+      uses: google-github-actions/auth@7c6bc770dae815cd3e89ee6cdf493a5fab2cc093 # v3.0.0
       with:
         workload_identity_provider: projects/${{ env.GOOGLE_PROJECT_NUMBER
           }}/locations/global/workloadIdentityPools/${{
@@ -482,7 +523,7 @@ jobs:
           env.GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER }}
         service_account: ${{ env.GOOGLE_CI_SERVICE_ACCOUNT_EMAIL }}
     - name: Setup gcloud auth
-      uses: google-github-actions/setup-gcloud@cb1e50a9932213ecece00a606661ae9ca44f3397 # v2.2.0
+      uses: google-github-actions/setup-gcloud@aa5489c8933f4cc7a4f7d45035b3b1440c9c10db # v3.0.1
       with:
         install_components: gke-gcloud-auth-plugin
     - name: Install gotestfmt
@@ -495,6 +536,8 @@ jobs:
         set -euo pipefail
 
         cd examples && go test -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4 .
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - if: failure() && github.event_name == 'push'
       name: Notify Slack
       uses: 8398a7/action-slack@1750b5085f3ec60384090fb7c52965ef822e869e # v3.18.0
@@ -503,13 +546,28 @@ jobs:
         fields: repo,commit,author,action
         status: ${{ job.status }}
       env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
     if: github.event_name == 'repository_dispatch' ||
       github.event.pull_request.head.repo.full_name == github.repository
   sentinel:
     runs-on: ubuntu-latest
     name: sentinel
     steps:
+    - name: Checkout Repo
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        lfs: true
+        persist-credentials: false
+        ref: ${{ env.PR_COMMIT_SHA }}    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - name: Mark workflow as successful
       uses: guibranco/github-status-action-v2@0849440ec82c5fa69b2377725b9b7852a3977e76 # v1.1.13
       with:
@@ -520,6 +578,7 @@ jobs:
         sha: ${{ github.event.pull_request.head.sha || github.sha }}
     permissions:
       statuses: write
+      id-token: write # For ESC secrets.
     if: github.event_name == 'repository_dispatch' ||
       github.event.pull_request.head.repo.full_name == github.repository
     needs:
@@ -547,8 +606,7 @@ jobs:
       uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6.5.2
       with:
         version: ${{ env.GOLANGCI_LINT_VERSION }}
-        args: -c ../.golangci.yml
+        working-directory: .
-        working-directory: provider
     name: lint
     if: github.event_name == 'repository_dispatch' ||
       github.event.pull_request.head.repo.full_name == github.repository

.github/workflows/weekly-pulumi-update.yml

@@ -8,22 +8,17 @@ on:
 env:
   GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
   PROVIDER: docker-build
-  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
   TRAVIS_OS_NAME: linux
-  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
   GOVERSION: "1.21.x"
   NODEVERSION: "20.x"
   PYTHONVERSION: "3.11.8"
   DOTNETVERSION: "8.0.x"
   JAVAVERSION: "11"
   ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
-  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
   ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
   ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
   AWS_REGION: us-west-2
   AZURE_LOCATION: westus
-  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
-  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
   GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
   GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
   GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
@@ -32,14 +27,25 @@ env:
   GOOGLE_REGION: us-central1
   GOOGLE_ZONE: us-central1-a
   PULUMI_API: https://api.pulumi-staging.io
+
 jobs:
   weekly-pulumi-update:
     runs-on: ubuntu-latest
+    permissions: write-all
     steps:
     - name: Checkout Repo
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         lfs: true    
+    - env:
+        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+        ESC_ACTION_OIDC_AUTH: "true"
+        ESC_ACTION_OIDC_ORGANIZATION: pulumi
+        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+      id: esc-secrets
+      name: Fetch secrets from ESC
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - name: Install Go
       uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
       with:
@@ -50,18 +56,18 @@ jobs:
       with:
         repo: pulumi/pulumictl
     - name: Install Pulumi CLI
-      uses: pulumi/actions@df5a93ad715135263c732ba288301bd044c383c0 # v6.3.0
+      uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup DotNet
-      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
       with:
         dotnet-version: ${{ env.DOTNETVERSION }}
     - name: Setup Node
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
     - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: ${{ env.PYTHONVERSION }}
     - name: Setup Java
@@ -71,7 +77,7 @@ jobs:
         distribution: temurin
         cache: gradle
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
+      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
       with:
         gradle-version: "7.6"
     - name: Update Pulumi/Pulumi
@@ -132,5 +138,5 @@ jobs:
 
         gh pr create -t "$msg" -b "$msg" --head "$(git branch --show-current)"
       env:
-        GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+        GITHUB_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
     name: weekly-pulumi-update

.pulumi.version

@@ -1 +1 @@
-3.187.0
+3.192.0

CHANGELOG.md

@@ -1,5 +1,15 @@
 ## Unreleased
 
+## Changed
+
+- Arguments `CacheFromGitHubActions.URL` and `CacheFromGitHubActions.Token` have been removed. If the previous behaviour is desired, set the `ACTIONS_CACHE_URL` and `ACTIONS_RUNTIME_TOKEN` environment variables. (https://github.com/pulumi/pulumi-docker-build/issues/75)
+
+## 0.0.14 (2025-09-30)
+
+### Fixed
+
+- A warning is no longer emitted for the reserved `__internal` key. (https://github.com/pulumi/pulumi-docker-build/issues/579)
+
 ## 0.0.13 (2025-08-27)
 
 ### Changed

Makefile

@@ -17,8 +17,9 @@ WORKING_DIR      := $(shell pwd)
 EXAMPLES_DIR     := ${WORKING_DIR}/examples/yaml
 TESTPARALLELISM  := 4
 
-PULUMI           := bin/pulumi
+PULUMI           := pulumi
-GOGLANGCILINT    := bin/golangci-lint
+GOGLANGCILINT    := golangci-lint
+GOTEST           := go test
 
 # Override during CI using `make [TARGET] PROVIDER_VERSION=""` or by setting a PROVIDER_VERSION environment variable
 # Local & branch builds will just used this fixed default version unless specified
@@ -46,10 +47,10 @@ provider_debug::
 	(cd provider && go build -o $(WORKING_DIR)/bin/${PROVIDER} -gcflags="all=-N -l" -ldflags "-X ${PROJECT}/${VERSION_PATH}=${VERSION_GENERIC}" $(PROJECT)/${PROVIDER_PATH}/cmd/$(PROVIDER))
 
 test_provider:: # Required by CI
-	go test -short -v -coverprofile="coverage.txt" -coverpkg=./provider/... -timeout 2h -parallel ${TESTPARALLELISM} ./provider/...
+	${GOTEST} -short -v -coverprofile="coverage.txt" -coverpkg=./provider/... -timeout 2h -parallel ${TESTPARALLELISM} ./provider/...
 
 test_examples: install_nodejs_sdk install_dotnet_sdk
-	go test -short -v -cover -tags=all -timeout 2h -parallel ${TESTPARALLELISM} ./examples/...
+	${GOTEST} -short -v -cover -tags=all -timeout 2h -parallel ${TESTPARALLELISM} ./examples/...
 
 test_all:: test_provider test_examples
 
@@ -63,38 +64,26 @@ examples/yaml:
 	rm -rf ${WORKING_DIR}/examples/yaml/app
 	cp -r ${WORKING_DIR}/examples/app ${WORKING_DIR}/examples/yaml/app
 
-examples/go: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/go: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,go)
 	@git checkout examples/go/go.mod
 
-examples/nodejs: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/nodejs: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,nodejs)
 	@git checkout examples/nodejs/package.json
 
-examples/python: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/python: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,python)
 	@git checkout examples/python/requirements.txt
 
-examples/dotnet: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/dotnet: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,dotnet)
 	@git checkout examples/dotnet/provider-docker-build.csproj
 
-examples/java: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/java: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,java)
 	@git checkout examples/java/pom.xml
 
-${PULUMI}: go.sum
-	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi/pkg/v3/cmd/pulumi
-	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi/sdk/go/pulumi-language-go/v3
-	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi/sdk/nodejs/cmd/pulumi-language-nodejs/v3
-	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi/sdk/python/cmd/pulumi-language-python/v3
-	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi-java/pkg/cmd/pulumi-language-java
-	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3
-	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi-yaml/cmd/pulumi-converter-yaml
-
-${GOGLANGCILINT}: go.sum
-	GOBIN=${WORKING_DIR}/bin go install github.com/golangci/golangci-lint/cmd/golangci-lint@8b37f14
-
 define pulumi_login
     export PULUMI_CONFIG_PASSPHRASE=asdfqwerty1234; \
     pulumi login --local;
@@ -102,7 +91,7 @@ endef
 
 define example
 	rm -rf ${WORKING_DIR}/examples/$(1)
-	$(PULUMI) convert \
+	pulumi convert \
 		--cwd ${WORKING_DIR}/examples/yaml \
 		--logtostderr \
 		--generate-only \
@@ -140,7 +129,7 @@ build:: provider sdk/dotnet sdk/go sdk/nodejs sdk/python sdk/java ${SCHEMA_PATH}
 only_build:: build
 
 .PHONY: lint
-lint: ${GOGLANGCILINT}
+lint:
 	${GOGLANGCILINT} run --fix -c .golangci.yml
 
 install:: install_nodejs_sdk install_dotnet_sdk
@@ -205,7 +194,7 @@ sdk: sdk/python sdk/nodejs sdk/java sdk/python sdk/go sdk/dotnet
 .PHONY: sdk/*
 
 sdk/python: TMPDIR := $(shell mktemp -d)
-sdk/python: $(PULUMI) bin/${PROVIDER}
+sdk/python: bin/${PROVIDER}
 	rm -rf sdk/python
 	$(PULUMI) package gen-sdk ./bin/$(PROVIDER) --language python -o ${TMPDIR}
 	cp README.md ${TMPDIR}/python/
@@ -218,7 +207,7 @@ sdk/python: $(PULUMI) bin/${PROVIDER}
 	mv -f ${TMPDIR}/python ${WORKING_DIR}/sdk/.
 
 sdk/nodejs: TMPDIR := $(shell mktemp -d)
-sdk/nodejs: $(PULUMI) bin/${PROVIDER}
+sdk/nodejs: bin/${PROVIDER}
 	rm -rf sdk/nodejs
 	$(PULUMI) package gen-sdk ./bin/$(PROVIDER) --language nodejs -o ${TMPDIR}
 	cp README.md LICENSE ${TMPDIR}/nodejs
@@ -230,7 +219,7 @@ sdk/nodejs: $(PULUMI) bin/${PROVIDER}
 
 sdk/go: TMPDIR := $(shell mktemp -d)
 sdk/go: PATH := "$(WORKING_DIR)/bin:$(PATH)"
-sdk/go: $(PULUMI) bin/${PROVIDER}
+sdk/go: bin/${PROVIDER}
 	rm -rf sdk/go
 	PATH=$(PATH) $(PULUMI) package gen-sdk ./bin/$(PROVIDER) --language go -o ${TMPDIR}
 	cp go.mod ${TMPDIR}/go/dockerbuild/go.mod
@@ -240,7 +229,7 @@ sdk/go: $(PULUMI) bin/${PROVIDER}
 	mv -f ${TMPDIR}/go ${WORKING_DIR}/sdk/go
 
 sdk/dotnet: TMPDIR := $(shell mktemp -d)
-sdk/dotnet: $(PULUMI) bin/${PROVIDER}
+sdk/dotnet: bin/${PROVIDER}
 	rm -rf sdk/dotnet
 	$(PULUMI) package gen-sdk ./bin/${PROVIDER} --language dotnet -o ${TMPDIR}
 	cd ${TMPDIR}/dotnet/ && \
@@ -250,7 +239,7 @@ sdk/dotnet: $(PULUMI) bin/${PROVIDER}
 
 sdk/java: PACKAGE_VERSION := $(shell pulumictl convert-version --language generic -v "$(VERSION_GENERIC)")
 sdk/java: TMPDIR := $(shell mktemp -d)
-sdk/java: $(PULUMI) bin/${PROVIDER}
+sdk/java: bin/${PROVIDER}
 	rm -rf sdk/java
 	$(PULUMI) package gen-sdk --language java ./bin/${PROVIDER} -o ${TMPDIR}
 	cd ${TMPDIR}/java/ && gradle --console=plain build

docs/_index.md

@@ -0,0 +1,428 @@
+---
+title: Docker Build
+meta_desc: Provides an overview of the Docker Build Provider for Pulumi.
+layout: package
+---
+
+The Docker Build provider leverages [buildx and BuildKit](https://docs.docker.com/build/architecture/) to build modern Docker images with Pulumi.
+
+Not to be confused with the earlier
+[Docker](../docker) provider, which is still
+appropriate for managing resources unrelated to building images.
+
+| Provider               | Use cases                                                               |
+| ----------------       | ----------------------------------------------------------------------- |
+| `@pulumi/docker-build` | Anything related to building images with `docker build`.                |
+| `@pulumi/docker`       | Everything else -- including running containers and creating networks.  |
+
+## Example
+
+If your Pulumi program has a directory called `app` alongside it, containing a
+file named "Dockerfile" (which can be as simple as `FROM alpine` for the
+purpose of example), then the code below shows how to build a multi-platform
+image, publish it to a remote AWS ECR registry, and use an [inline
+cache](https://docs.docker.com/build/cache/backends/inline/) to speed up
+subsequent builds.
+
+{{< chooser language "typescript,python,csharp,go,yaml,java" / >}}
+
+{{% choosable language typescript %}}
+
+```typescript
+import * as aws from "@pulumi/aws";
+import * as docker_build from "@pulumi/docker-build";
+
+// Create an ECR repository for pushing.
+const ecrRepository = new aws.ecr.Repository("ecr-repository", {});
+
+// Grab auth credentials for ECR.
+const authToken = aws.ecr.getAuthorizationTokenOutput({
+    registryId: ecrRepository.registryId,
+});
+
+// Build and push an image to ECR with inline caching.
+const myImage = new docker_build.Image("my-image", {
+    // Tag our image with our ECR repository's address.
+    tags: [pulumi.interpolate`${ecrRepository.repositoryUrl}:latest`],
+    context: {
+        location: "./app",
+    },
+    // Use the pushed image as a cache source.
+    cacheFrom: [{
+        registry: {
+            ref: pulumi.interpolate`${ecrRepository.repositoryUrl}:latest`,
+        },
+    }],
+    // Include an inline cache with our pushed image.
+    cacheTo: [{
+        inline: {},
+    }],
+    // Build a multi-platform image manifest for ARM and AMD.
+    platforms: [
+        "linux/amd64",
+        "linux/arm64",
+    ],
+    // Push the final result to ECR.
+    push: true,
+    // Provide our ECR credentials.
+    registries: [{
+        address: ecrRepository.repositoryUrl,
+        password: authToken.password,
+        username: authToken.userName,
+    }],
+});
+
+// Export a ref for the pushed images so we can deploy it.
+export const ref = myImage.ref;
+```
+
+{{% /choosable %}}
+
+{{% choosable language python %}}
+
+```python
+import pulumi
+import pulumi_aws as aws
+import pulumi_docker_build as docker_build
+
+# Create an ECR repository for pushing.
+ecr_repository = aws.ecr.Repository("ecr-repository")
+
+# Grab auth credentials for ECR.
+auth_token = aws.ecr.get_authorization_token_output(registry_id=ecr_repository.registry_id)
+
+# Build and push an image to ECR with inline caching.
+my_image = docker_build.Image("my-image",
+    # Tag our image with our ECR repository's address.
+    tags=[ecr_repository.repository_url.apply(lambda repository_url: f"{repository_url}:latest")],
+    context=docker_build.BuildContextArgs(
+        location="./app",
+    ),
+    # Use the pushed image as a cache source.
+    cache_from=[docker_build.CacheFromArgs(
+        registry=docker_build.CacheFromRegistryArgs(
+            ref=ecr_repository.repository_url.apply(lambda repository_url: f"{repository_url}:latest"),
+        ),
+    )],
+    # Include an inline cache with our pushed image.
+    cache_to=[docker_build.CacheToArgs(
+        inline=docker_build.CacheToInlineArgs(),
+    )],
+    # Build a multi-platform image manifest for ARM and AMD.
+    platforms=[
+        docker_build.Platform.LINUX_AMD64,
+        docker_build.Platform.LINUX_ARM64,
+    ],
+    # Push the final result to ECR.
+    push=True,
+    # Provide our ECR credentials.
+    registries=[docker_build.RegistryArgs(
+        address=ecr_repository.repository_url,
+        password=auth_token.password,
+        username=auth_token.user_name,
+    )],
+)
+
+# Export a ref for the pushed images so we can deploy it.
+pulumi.export("ref", my_image.ref)
+```
+
+{{% /choosable %}}
+
+{{% choosable language csharp %}}
+
+```csharp
+using System.Collections.Generic;
+using System.Linq;
+using Pulumi;
+using Aws = Pulumi.Aws;
+using DockerBuild = Pulumi.DockerBuild;
+
+return await Deployment.RunAsync(() =>
+{
+    // Create an ECR repository for pushing.
+    var ecrRepository = new Aws.Ecr.Repository("ecr-repository");
+
+    // Grab auth credentials for ECR.
+    var authToken = Aws.Ecr.GetAuthorizationToken.Invoke(new()
+    {
+        RegistryId = ecrRepository.RegistryId,
+    });
+
+    // Build and push an image to ECR with inline caching.
+    var myImage = new DockerBuild.Image("my-image", new()
+    {
+        // Tag our image with our ECR repository's address.
+        Tags = new[]
+        {
+            ecrRepository.RepositoryUrl.Apply(repositoryUrl => $"{repositoryUrl}:latest"),
+        },
+        Context = new DockerBuild.Inputs.BuildContextArgs
+        {
+            Location = "./app",
+        },
+        // Use the pushed image as a cache source.
+        CacheFrom = new[]
+        {
+            new DockerBuild.Inputs.CacheFromArgs
+            {
+                Registry = new DockerBuild.Inputs.CacheFromRegistryArgs
+                {
+                    Ref = ecrRepository.RepositoryUrl.Apply(repositoryUrl => $"{repositoryUrl}:latest"),
+                },
+            },
+        },
+        // Include an inline cache with our pushed image.
+        CacheTo = new[]
+        {
+            new DockerBuild.Inputs.CacheToArgs
+            {
+                Inline = null,
+            },
+        },
+        // Build a multi-platform image manifest for ARM and AMD.
+        Platforms = new[]
+        {
+            DockerBuild.Platform.Linux_amd64,
+            DockerBuild.Platform.Linux_arm64,
+        },
+        // Push the final result to ECR.
+        Push = true,
+        // Provide our ECR credentials.
+        Registries = new[]
+        {
+            new DockerBuild.Inputs.RegistryArgs
+            {
+                Address = ecrRepository.RepositoryUrl,
+                Password = authToken.Apply(getAuthorizationTokenResult => getAuthorizationTokenResult.Password),
+                Username = authToken.Apply(getAuthorizationTokenResult => getAuthorizationTokenResult.UserName),
+            },
+        },
+    });
+
+    // Export a ref for the pushed images so we can deploy it.
+    return new Dictionary<string, object?>
+    {
+        ["ref"] = myImage.Ref,
+    };
+});
+
+```
+
+{{% /choosable %}}
+
+{{% choosable language go %}}
+
+```go
+package main
+
+import (
+    "fmt"
+
+    "github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ecr"
+    "github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild"
+    "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
+)
+
+func main() {
+    pulumi.Run(func(ctx *pulumi.Context) error {
+        // Create an ECR repository for pushing.
+        ecrRepository, err := ecr.NewRepository(ctx, "ecr-repository", nil)
+        if err != nil {
+            return err
+        }
+
+        // Grab auth credentials for ECR.
+        authToken := ecr.GetAuthorizationTokenOutput(ctx, ecr.GetAuthorizationTokenOutputArgs{
+            RegistryId: ecrRepository.RegistryId,
+        }, nil)
+
+        // Build and push an image to ECR with inline caching.
+        myImage, err := dockerbuild.NewImage(ctx, "my-image", &dockerbuild.ImageArgs{
+            // Tag our image with our ECR repository's address.
+            Tags: pulumi.StringArray{
+                ecrRepository.RepositoryUrl.ApplyT(func(repositoryUrl string) (string, error) {
+                    return fmt.Sprintf("%v:latest", repositoryUrl), nil
+                }).(pulumi.StringOutput),
+            },
+            Context: &dockerbuild.BuildContextArgs{
+                Location: pulumi.String("./app"),
+            },
+            // Use the pushed image as a cache source.
+            CacheFrom: dockerbuild.CacheFromArray{
+                &dockerbuild.CacheFromArgs{
+                    Registry: &dockerbuild.CacheFromRegistryArgs{
+                        Ref: ecrRepository.RepositoryUrl.ApplyT(func(repositoryUrl string) (string, error) {
+                            return fmt.Sprintf("%v:latest", repositoryUrl), nil
+                        }).(pulumi.StringOutput),
+                    },
+                },
+            },
+            // Include an inline cache with our pushed image.
+            CacheTo: dockerbuild.CacheToArray{
+                &dockerbuild.CacheToArgs{
+                    Inline: nil,
+                },
+            },
+            // Build a multi-platform image manifest for ARM and AMD.
+            Platforms: dockerbuild.PlatformArray{
+                dockerbuild.Platform_Linux_amd64,
+                dockerbuild.Platform_Linux_arm64,
+            },
+            // Push the final result to ECR.
+            Push: pulumi.Bool(true),
+            // Provide our ECR credentials.
+            Registries: dockerbuild.RegistryArray{
+                &dockerbuild.RegistryArgs{
+                    Address: ecrRepository.RepositoryUrl,
+                    Password: authToken.ApplyT(func(authToken ecr.GetAuthorizationTokenResult) (*string, error) {
+                        return &authToken.Password, nil
+                    }).(pulumi.StringPtrOutput),
+                    Username: authToken.ApplyT(func(authToken ecr.GetAuthorizationTokenResult) (*string, error) {
+                        return &authToken.UserName, nil
+                    }).(pulumi.StringPtrOutput),
+                },
+            },
+        })
+        if err != nil {
+            return err
+        }
+
+        // Export a ref for the pushed images so we can deploy it.
+        ctx.Export("ref", myImage.Ref)
+        return nil
+    })
+}
+```
+
+{{% /choosable %}}
+
+{{% choosable language yaml %}}
+
+```yaml
+description: Push to AWS ECR with caching
+name: ecr
+outputs:
+    ref: ${my-image.ref}
+resources:
+    # Create an ECR repository for pushing.
+    ecr-repository:
+        type: aws:ecr:Repository
+
+    # Build and push an image to ECR with inline caching.
+    my-image:
+        type: docker-build:Image
+        properties:
+            # Tag our image with our ECR repository's address.
+            tags:
+                - ${ecr-repository.repositoryUrl}:latest
+            context:
+                location: ./app
+            # Use the pushed image as a cache source.
+            cacheFrom:
+                - registry:
+                    ref: ${ecr-repository.repositoryUrl}:latest
+            # Include an inline cache with our pushed image.
+            cacheTo:
+                - inline: {}
+            # Build a multi-platform image manifest for ARM and AMD.
+            platforms:
+                - linux/amd64
+                - linux/arm64
+            # Push the final result to ECR.
+            push: true
+            # Provide our ECR credentials.
+            registries:
+                - address: ${ecr-repository.repositoryUrl}
+                  password: ${auth-token.password}
+                  username: ${auth-token.userName}
+
+runtime: yaml
+variables:
+    auth-token:
+        # Grab auth credentials for ECR.
+        fn::aws:ecr:getAuthorizationToken:
+            registryId: ${ecr-repository.registryId}
+```
+
+{{% /choosable %}}
+
+{{% choosable language java %}}
+
+```java
+package myapp;
+
+import com.pulumi.Context;
+import com.pulumi.Pulumi;
+import com.pulumi.core.Output;
+import com.pulumi.aws.ecr.Repository;
+import com.pulumi.aws.ecr.EcrFunctions;
+import com.pulumi.aws.ecr.inputs.GetAuthorizationTokenArgs;
+import com.pulumi.dockerbuild.Image;
+import com.pulumi.dockerbuild.ImageArgs;
+import com.pulumi.dockerbuild.inputs.CacheFromArgs;
+import com.pulumi.dockerbuild.inputs.CacheFromRegistryArgs;
+import com.pulumi.dockerbuild.inputs.CacheToArgs;
+import com.pulumi.dockerbuild.inputs.CacheToInlineArgs;
+import com.pulumi.dockerbuild.inputs.BuildContextArgs;
+import com.pulumi.dockerbuild.inputs.RegistryArgs;
+import java.util.List;
+import java.util.ArrayList;
+import java.util.Map;
+import java.io.File;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+
+public class App {
+    public static void main(String[] args) {
+        Pulumi.run(App::stack);
+    }
+
+    public static void stack(Context ctx) {
+        // Create an ECR repository for pushing.
+        var ecrRepository = new Repository("ecrRepository");
+
+        // Grab auth credentials for ECR.
+        final var authToken = EcrFunctions.getAuthorizationToken(GetAuthorizationTokenArgs.builder()
+            .registryId(ecrRepository.registryId())
+            .build());
+
+        // Build and push an image to ECR with inline caching.
+        var myImage = new Image("myImage", ImageArgs.builder()
+            // Tag our image with our ECR repository's address.
+            .tags(ecrRepository.repositoryUrl().applyValue(repositoryUrl -> String.format("%s:latest", repositoryUrl)))
+            .context(BuildContextArgs.builder()
+                .location("./app")
+                .build())
+            // Use the pushed image as a cache source.
+            .cacheFrom(CacheFromArgs.builder()
+                .registry(CacheFromRegistryArgs.builder()
+                    .ref(ecrRepository.repositoryUrl().applyValue(repositoryUrl -> String.format("%s:latest", repositoryUrl)))
+                    .build())
+                .build())
+            // Include an inline cache with our pushed image.
+            .cacheTo(CacheToArgs.builder()
+                .inline()
+                .build())
+            // Build a multi-platform image manifest for ARM and AMD.
+            .platforms(
+                "linux/amd64",
+                "linux/arm64")
+            // Push the final result to ECR.
+            .push(true)
+            // Provide our ECR credentials.
+            .registries(RegistryArgs.builder()
+                .address(ecrRepository.repositoryUrl())
+                .password(authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult).applyValue(authToken -> authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult.password())))
+                .username(authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult).applyValue(authToken -> authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult.userName())))
+                .build())
+            .build());
+
+        ctx.export("ref", myImage.ref());
+    }
+}
+```
+
+{{% /choosable %}}
+
+{{< /chooser >}}

docs/installation-configuration.md

@@ -0,0 +1,33 @@
+---
+title: Docker-Build Installation & Configuration
+meta_desc: Provides an overview on how to configure the Pulumi Docker-Build Provider.
+layout: package
+---
+
+The Pulumi Docker-build provider builds modern Docker images with [buildx](https://docs.docker.com/reference/cli/docker/buildx/) and [BuildKit](https://docs.docker.com/build/buildkit/).
+
+## Installation
+
+The Docker-Build provider is available as a package in all Pulumi languages:
+
+* JavaScript/TypeScript: [`@pulumi/docker-build`](https://www.npmjs.com/package/@pulumi/docker-build)
+* Python: [`pulumi-docker-build`](https://pypi.org/project/pulumi-docker-build/)
+* Go: [`github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild`](https://github.com/pulumi/pulumi-docker-build)
+* .NET: [`Pulumi.DockerBuild`](https://www.nuget.org/packages/Pulumi.DockerBuild)
+* Java: [`com.pulumi/docker-build`](https://central.sonatype.com/artifact/com.pulumi/docker-build)
+
+## Configuring The Provider
+
+### Host
+
+The `DOCKER_HOST` environment variable can be used to specify a custom build daemon's location.
+
+```bash
+$ export DOCKER_HOST=tcp://127.0.0.1:2376/
+```
+
+This can also be specified in your stack's configuration:
+
+```bash
+$ pulumi config set docker-build:host tcp://127.0.0.1:2376/
+```

examples/go/go.mod

@@ -6,7 +6,7 @@ toolchain go1.24.5
 
 require (
 	github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild v0.0.12
-	github.com/pulumi/pulumi/sdk/v3 v3.187.0
+	github.com/pulumi/pulumi/sdk/v3 v3.192.0
 )
 
 require (
@@ -62,7 +62,7 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pkg/term v1.1.0 // indirect
 	github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 // indirect
-	github.com/pulumi/esc v0.14.3 // indirect
+	github.com/pulumi/esc v0.17.0 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect
 	github.com/rogpeppe/go-internal v1.14.1 // indirect
 	github.com/sabhiram/go-gitignore v0.0.0-20210923224102-525f6e181f06 // indirect

examples/go/go.sum

@@ -159,12 +159,12 @@ github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRI
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 h1:vkHw5I/plNdTr435cARxCW6q9gc0S/Yxz7Mkd38pOb0=
 github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231/go.mod h1:murToZ2N9hNJzewjHBgfFdXhZKjY3z5cYC1VXk+lbFE=
-github.com/pulumi/esc v0.14.3 h1:Zli+9LiSDT/W+Fsfr8tITxCo+5wn969tLrE4KLv44G8=
+github.com/pulumi/esc v0.17.0 h1:oaVOIyFTENlYDuqc3pW75lQT9jb2cd6ie/4/Twxn66w=
-github.com/pulumi/esc v0.14.3/go.mod h1:XnSxlt5NkmuAj304l/gK4pRErFbtqq6XpfX1tYT9Jbc=
+github.com/pulumi/esc v0.17.0/go.mod h1:XnSxlt5NkmuAj304l/gK4pRErFbtqq6XpfX1tYT9Jbc=
 github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild v0.0.12 h1:uzmw+0iic764m0Yvh4I/jRV1x3q49dVh5Ctq9RllsQ8=
 github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild v0.0.12/go.mod h1:6zFMe786NvFDO03BVJwdw1R/Yms4F6vAU49iBHo8zbQ=
-github.com/pulumi/pulumi/sdk/v3 v3.187.0 h1:BflBBeD/qaoKN4Tov11g4aHzJ7pTXBSb8otgmteRer0=
+github.com/pulumi/pulumi/sdk/v3 v3.192.0 h1:sfHuR3P02wSbV3xdSMEQ0+uC/HzlMz0YfKrVAXy1hSQ=
-github.com/pulumi/pulumi/sdk/v3 v3.187.0/go.mod h1:BnpKxUc6QlxqoCqobHNZsUuIuY27H6ZFUk0Cp+0JN5U=
+github.com/pulumi/pulumi/sdk/v3 v3.192.0/go.mod h1:aV0+c5xpSYccWKmOjTZS9liYCqh7+peu3cQgSXu7CJw=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=

examples/nodejs_test.go

@@ -181,8 +181,9 @@ func TestConfig(t *testing.T) {
 	require.NoError(t, err)
 
 	test := integration.ProgramTestOptions{
-		Dir:          path.Join(cwd, "tests", "config"),
+		Dir:                    path.Join(cwd, "tests", "config"),
-		Dependencies: []string{"@pulumi/docker-build"},
+		Dependencies:           []string{"@pulumi/docker-build"},
+		SkipEmptyPreviewUpdate: true,
 	}
 
 	integration.ProgramTest(t, &test)

go.mod

@@ -16,14 +16,14 @@ require (
 	github.com/otiai10/copy v1.14.0
 	github.com/pulumi/providertest v0.3.1
 	github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3 v3.0.0-20250806132441-44ca9a522cef
-	github.com/pulumi/pulumi-go-provider v1.1.1
+	github.com/pulumi/pulumi-go-provider v1.1.2
 	github.com/pulumi/pulumi-java/pkg v1.16.0
 	github.com/pulumi/pulumi-yaml v1.21.2
-	github.com/pulumi/pulumi/pkg/v3 v3.187.0
+	github.com/pulumi/pulumi/pkg/v3 v3.192.0
 	github.com/pulumi/pulumi/sdk/go/pulumi-language-go/v3 v3.0.0-20250806165243-bee5e4fa4815
 	github.com/pulumi/pulumi/sdk/nodejs/cmd/pulumi-language-nodejs/v3 v3.0.0-20250806165243-bee5e4fa4815
 	github.com/pulumi/pulumi/sdk/python/cmd/pulumi-language-python/v3 v3.0.0-20250806165243-bee5e4fa4815
-	github.com/pulumi/pulumi/sdk/v3 v3.187.0
+	github.com/pulumi/pulumi/sdk/v3 v3.192.0
 	github.com/regclient/regclient v0.7.1
 	github.com/sirupsen/logrus v1.9.3
 	github.com/spf13/afero v1.14.0

go.sum

@@ -896,22 +896,22 @@ github.com/pulumi/providertest v0.3.1 h1:vlftr7TZlObh81mL88IhhF0/9ZbLrZZos4NAvR4
 github.com/pulumi/providertest v0.3.1/go.mod h1:fFHUP4/9DRyYnHWiRnwcynMtM/a7hHR/QcJfcuZKO3A=
 github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3 v3.0.0-20250806132441-44ca9a522cef h1:cxRa9R9To6OYKacIG2Em6zcM7BDNr6joC43uiV1lSVY=
 github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3 v3.0.0-20250806132441-44ca9a522cef/go.mod h1:VLcnE1lj92EfRi7CRMzdPkQ9OQvrlg2upJM1lBZzNmg=
-github.com/pulumi/pulumi-go-provider v1.1.1 h1:4UT3LeNT9CdGhkq8OSWKJsmKTW9Tg+vsfOO/hsFVyb4=
+github.com/pulumi/pulumi-go-provider v1.1.2 h1:NUQDXaftBDFTPMBPwxo8FhJUX0ymkv6a1XiXTnCDpvg=
-github.com/pulumi/pulumi-go-provider v1.1.1/go.mod h1:3lNIuxT/BArFyiKrVfv+UT7gMMtplss7V69KuBZ4zIk=
+github.com/pulumi/pulumi-go-provider v1.1.2/go.mod h1:3lNIuxT/BArFyiKrVfv+UT7gMMtplss7V69KuBZ4zIk=
 github.com/pulumi/pulumi-java/pkg v1.16.0 h1:8KCiIXWv2uxfIks0SdgOezyXg4HZIoPfHID9eMg4nuM=
 github.com/pulumi/pulumi-java/pkg v1.16.0/go.mod h1:VeMZ1s9LfXBypao4A1tRF3EB7fYnYZ1LwImyg6FBX0c=
 github.com/pulumi/pulumi-yaml v1.21.2 h1:czqC5AazinfX6Bj0nqAAQ6x/Cr8/3oUz3HUjJg6tJ4o=
 github.com/pulumi/pulumi-yaml v1.21.2/go.mod h1:KOqDnuJksfIq8belFVFN3IEI4r0NgW69M0QPSj54On4=
-github.com/pulumi/pulumi/pkg/v3 v3.187.0 h1:VTbireKCxG/wKPX3slHNb3Zk3xKMr5CvcvjH8194H2I=
+github.com/pulumi/pulumi/pkg/v3 v3.192.0 h1:gZRMPaNpW+VN3ng3h9r8De8wI0keWC9fIP0rcUDatMA=
-github.com/pulumi/pulumi/pkg/v3 v3.187.0/go.mod h1:3y5nyMg62dd+DBzYW/P4d+Ye9pJ/zhJd+aGzMzfUL1g=
+github.com/pulumi/pulumi/pkg/v3 v3.192.0/go.mod h1:+Zp3EzjzGW4PlcW8oITZgeOfFzIVbLWvHtUVixvGQcs=
 github.com/pulumi/pulumi/sdk/go/pulumi-language-go/v3 v3.0.0-20250806165243-bee5e4fa4815 h1:tipGG4aEPejP424igQYxJ6TOtWVtZJa0z679oIv00ho=
 github.com/pulumi/pulumi/sdk/go/pulumi-language-go/v3 v3.0.0-20250806165243-bee5e4fa4815/go.mod h1:V2MMs29cFeGBdZyFKxNqTGVfBgDLhIOGfrXOxheieuI=
 github.com/pulumi/pulumi/sdk/nodejs/cmd/pulumi-language-nodejs/v3 v3.0.0-20250806165243-bee5e4fa4815 h1:+QJTFK7UcOFTYCg3XaSTrRZHWJ6Hqza8w9oADa4pPcM=
 github.com/pulumi/pulumi/sdk/nodejs/cmd/pulumi-language-nodejs/v3 v3.0.0-20250806165243-bee5e4fa4815/go.mod h1:0kA9b5LsaXLEKQzo0o9UUsHtZkACthHYLyBVUDUVMxc=
 github.com/pulumi/pulumi/sdk/python/cmd/pulumi-language-python/v3 v3.0.0-20250806165243-bee5e4fa4815 h1:bkvtySMos0ij3fWZWZaU5sVrvGvU0dZCusoxpgEtX6I=
 github.com/pulumi/pulumi/sdk/python/cmd/pulumi-language-python/v3 v3.0.0-20250806165243-bee5e4fa4815/go.mod h1:SJtr0N/XFyelI7M7U0UbJXr15pgEdSmpN40cglTsRTA=
-github.com/pulumi/pulumi/sdk/v3 v3.187.0 h1:BflBBeD/qaoKN4Tov11g4aHzJ7pTXBSb8otgmteRer0=
+github.com/pulumi/pulumi/sdk/v3 v3.192.0 h1:sfHuR3P02wSbV3xdSMEQ0+uC/HzlMz0YfKrVAXy1hSQ=
-github.com/pulumi/pulumi/sdk/v3 v3.187.0/go.mod h1:BnpKxUc6QlxqoCqobHNZsUuIuY27H6ZFUk0Cp+0JN5U=
+github.com/pulumi/pulumi/sdk/v3 v3.192.0/go.mod h1:aV0+c5xpSYccWKmOjTZS9liYCqh7+peu3cQgSXu7CJw=
 github.com/quasilyte/go-ruleguard v0.4.2 h1:htXcXDK6/rO12kiTHKfHuqR4kr3Y4M0J0rOL6CH/BYs=
 github.com/quasilyte/go-ruleguard v0.4.2/go.mod h1:GJLgqsLeo4qgavUoL8JeGFNS7qcisx3awV/w9eWTmNI=
 github.com/quasilyte/go-ruleguard/dsl v0.3.22 h1:wd8zkOhSNr+I+8Qeciml08ivDt1pSXe60+5DqOpCjPE=

mise.toml

@@ -1,19 +0,0 @@
-# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
-
-[tools]
-
-# Runtimes
-go = '1.21'
-node = '20'
-python = '3.11.8'
-dotnet = '8.0'
-# Corretto version used as Java SE/OpenJDK version no longer offered
-java = 'corretto-11'
-
-# Executable tools
-pulumi = 'latest'
-"go:github.com/pulumi/pulumictl/cmd/pulumictl" = 'latest'
-gradle = '7.6'
-
-[settings]
-experimental = true # Required for Go binaries (e.g. pulumictl).

provider/cmd/pulumi-resource-docker-build/schema.json

@@ -155,32 +155,12 @@
       ]
     },
     "docker-build:index:CacheFromGitHubActions": {
+      "description": "Recommended for use with GitHub Actions workflows.\n\nAn action like `crazy-max/ghaction-github-runtime` is recommended to expose\nappropriate credentials to your GitHub workflow.",
       "properties": {
         "scope": {
           "type": "string",
           "description": "The scope to use for cache keys. Defaults to `buildkit`.\n\nThis should be set if building and caching multiple images in one\nworkflow, otherwise caches will overwrite each other.",
           "default": "buildkit"
-        },
-        "token": {
-          "type": "string",
-          "description": "The GitHub Actions token to use. This is not a personal access tokens\nand is typically generated automatically as part of each job.\n\nDefaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like\n`crazy-max/ghaction-github-runtime` is recommended to expose this\nenvironment variable to your jobs.",
-          "default": "",
-          "defaultInfo": {
-            "environment": [
-              "ACTIONS_RUNTIME_TOKEN"
-            ]
-          },
-          "secret": true
-        },
-        "url": {
-          "type": "string",
-          "description": "The cache server URL to use for artifacts.\n\nDefaults to `$ACTIONS_CACHE_URL`, although a separate action like\n`crazy-max/ghaction-github-runtime` is recommended to expose this\nenvironment variable to your jobs.",
-          "default": "",
-          "defaultInfo": {
-            "environment": [
-              "ACTIONS_CACHE_URL"
-            ]
-          }
         }
       },
       "type": "object"
@@ -370,6 +350,7 @@
       ]
     },
     "docker-build:index:CacheToGitHubActions": {
+      "description": "Recommended for use with GitHub Actions workflows.\n\nAn action like `crazy-max/ghaction-github-runtime` is recommended to expose\nappropriate credentials to your GitHub workflow.",
       "properties": {
         "ignoreError": {
           "type": "boolean",
@@ -385,27 +366,6 @@
           "type": "string",
           "description": "The scope to use for cache keys. Defaults to `buildkit`.\n\nThis should be set if building and caching multiple images in one\nworkflow, otherwise caches will overwrite each other.",
           "default": "buildkit"
-        },
-        "token": {
-          "type": "string",
-          "description": "The GitHub Actions token to use. This is not a personal access tokens\nand is typically generated automatically as part of each job.\n\nDefaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like\n`crazy-max/ghaction-github-runtime` is recommended to expose this\nenvironment variable to your jobs.",
-          "default": "",
-          "defaultInfo": {
-            "environment": [
-              "ACTIONS_RUNTIME_TOKEN"
-            ]
-          },
-          "secret": true
-        },
-        "url": {
-          "type": "string",
-          "description": "The cache server URL to use for artifacts.\n\nDefaults to `$ACTIONS_CACHE_URL`, although a separate action like\n`crazy-max/ghaction-github-runtime` is recommended to expose this\nenvironment variable to your jobs.",
-          "default": "",
-          "defaultInfo": {
-            "environment": [
-              "ACTIONS_CACHE_URL"
-            ]
-          }
         }
       },
       "type": "object"

provider/internal/cache.go

@@ -17,6 +17,7 @@ package internal
 import (
 	"errors"
 	"fmt"
+	"os"
 	"strings"
 
 	controllerapi "github.com/docker/buildx/controller/pb"
@@ -148,33 +149,20 @@ func (c CacheWithOCI) String() string {
 
 // CacheFromGitHubActions pulls cache manifests from the GitHub actions cache.
 type CacheFromGitHubActions struct {
-	URL   string `pulumi:"url,optional"`
-	Token string `pulumi:"token,optional" provider:"secret"`
 	Scope string `pulumi:"scope,optional"`
 }
 
 // Annotate sets docstrings on CacheFromGitHubActions.
 func (c *CacheFromGitHubActions) Annotate(a infer.Annotator) {
-	a.SetDefault(&c.URL, "", "ACTIONS_CACHE_URL")
+	a.Describe(&c, dedent(`
-	a.SetDefault(&c.Token, "", "ACTIONS_RUNTIME_TOKEN")
+		Recommended for use with GitHub Actions workflows.
+
+		An action like "crazy-max/ghaction-github-runtime" is recommended to expose
+		appropriate credentials to your GitHub workflow.
+	`))
+
 	a.SetDefault(&c.Scope, "buildkit")
 
-	a.Describe(&c.URL, dedent(`
-		The cache server URL to use for artifacts.
-
-		Defaults to "$ACTIONS_CACHE_URL", although a separate action like
-		"crazy-max/ghaction-github-runtime" is recommended to expose this
-		environment variable to your jobs.
-	`))
-	a.Describe(&c.Token, dedent(`
-		The GitHub Actions token to use. This is not a personal access tokens
-		and is typically generated automatically as part of each job.
-
-		Defaults to "$ACTIONS_RUNTIME_TOKEN", although a separate action like
-		"crazy-max/ghaction-github-runtime" is recommended to expose this
-		environment variable to your jobs.
-
-	`))
 	a.Describe(&c.Scope, dedent(`
 		The scope to use for cache keys. Defaults to "buildkit".
 
@@ -191,11 +179,12 @@ func (c *CacheFromGitHubActions) String() string {
 	if c.Scope != "" {
 		parts = append(parts, "scope="+c.Scope)
 	}
-	if c.Token != "" {
+	// Preserving backwards compatibility with the old behaviour.
-		parts = append(parts, "token="+c.Token)
+	if token := os.Getenv("ACTIONS_RUNTIME_TOKEN"); token != "" {
+		parts = append(parts, "token="+token)
 	}
-	if c.URL != "" {
+	if url := os.Getenv("ACTIONS_CACHE_URL"); url != "" {
-		parts = append(parts, "url="+c.URL)
+		parts = append(parts, "url="+url)
 	}
 	return strings.Join(parts, ",")
 }

provider/internal/cache_test.go

@@ -24,14 +24,15 @@ import (
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 )
 
+//nolint:paralleltest // We don't call t.Parallel here to prevent environment corruption.
 func TestCacheString(t *testing.T) {
-	t.Parallel()
 	gzip := Gzip
 
 	tests := []struct {
-		name  string
+		name    string
-		given fmt.Stringer
+		arrange func(t *testing.T)
-		want  string
+		given   fmt.Stringer
+		want    string
 	}{
 		{
 			name: "s3",
@@ -55,7 +56,37 @@ func TestCacheString(t *testing.T) {
 		{
 			name:  "gha",
 			given: CacheTo{GHA: &CacheToGitHubActions{}},
-			want:  "type=gha",
+			arrange: func(t *testing.T) {
+				t.Setenv("ACTIONS_CACHE_URL", "")
+				t.Setenv("ACTIONS_RUNTIME_TOKEN", "")
+			},
+			want: "type=gha",
+		},
+		{
+			name: "gha-default-envs",
+			arrange: func(t *testing.T) {
+				t.Setenv("ACTIONS_CACHE_URL", "https://example.com")
+				t.Setenv("ACTIONS_RUNTIME_TOKEN", "token")
+			},
+			given: CacheTo{GHA: &CacheToGitHubActions{
+				CacheFromGitHubActions: CacheFromGitHubActions{
+					Scope: "scope",
+				},
+			}},
+			want: "type=gha,scope=scope,token=token,url=https://example.com",
+		},
+		{
+			name: "gha-with-scope",
+			arrange: func(t *testing.T) {
+				t.Setenv("ACTIONS_CACHE_URL", "")
+				t.Setenv("ACTIONS_RUNTIME_TOKEN", "")
+			},
+			given: CacheTo{GHA: &CacheToGitHubActions{
+				CacheFromGitHubActions: CacheFromGitHubActions{
+					Scope: "scope",
+				},
+			}},
+			want: "type=gha,scope=scope",
 		},
 		{
 			name:  "from-local",
@@ -121,9 +152,12 @@ func TestCacheString(t *testing.T) {
 		},
 	}
 
+	//nolint:paralleltest // We don't call t.Parallel here to prevent environment corruption.
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
+			if tt.arrange != nil {
+				tt.arrange(t)
+			}
 
 			actual := tt.given.String()
 			assert.Equal(t, tt.want, actual)

provider/internal/image_test.go

@@ -917,8 +917,10 @@ func TestValidateImageArgs(t *testing.T) {
 			{
 				name: "gha environment",
 				envs: map[string]string{
-					"ACTIONS_CACHE_URL":     "test-cache-url",
+					"ACTIONS_CACHE_URL":        "test-cache-url",
-					"ACTIONS_RUNTIME_TOKEN": "test-runtime-token",
+					"ACTIONS_RUNTIME_TOKEN":    "test-runtime-token",
+					"ACTIONS_RESULTS_URL":      "test-results-url",
+					"ACTIONS_CACHE_SERVICE_V2": "true",
 				},
 				args: ImageArgs{
 					Context:   &BuildContext{Context: Context{Location: "testdata/noop"}},
@@ -930,15 +932,17 @@ func TestValidateImageArgs(t *testing.T) {
 				wantCacheFrom: &pb.CacheOptionsEntry{
 					Type: "gha",
 					Attrs: map[string]string{
-						"token": "test-runtime-token",
+						"token":  "test-runtime-token",
-						"url":   "test-cache-url",
+						"url":    "test-cache-url",
+						"url_v2": "test-results-url",
 					},
 				},
 				wantCacheTo: &pb.CacheOptionsEntry{
 					Type: "gha",
 					Attrs: map[string]string{
-						"token": "test-runtime-token",
+						"token":  "test-runtime-token",
-						"url":   "test-cache-url",
+						"url":    "test-cache-url",
+						"url_v2": "test-results-url",
 					},
 				},
 			},

scripts/get-versions.sh

@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# This script can be simplified to use go when https://github.com/jdx/mise/discussions/6374 is fixed
+# e.g. go list -m -f '{{.GoVersion}}'
+
+module_path="github.com/pulumi/pulumi/pkg/v3"
+go_mod_path="."
+gomod="go.mod"
+
+if [[ "$go_mod_path" != "" && "$go_mod_path" != "." ]]; then
+  gomod="$go_mod_path/$gomod"
+fi
+
+if [[ ! -f "$gomod" ]]; then
+  echo "missing $gomod" >&2
+  exit 1
+fi
+
+raw_version=$(awk -v module="$module_path" '
+    $1 == module || $2 == module {
+        for (i = 1; i <= NF; i++) {
+            if ($i ~ /^v[0-9]/) {
+                sub(/^v/, "", $i)
+                print $i
+                exit
+            }
+        }
+    }
+' "$gomod")
+
+if [[ -z "${raw_version:-}" ]]; then
+  echo "failed to determine Pulumi version from $gomod" >&2
+  exit 1
+fi
+
+echo "PULUMI_VERSION_MISE=$raw_version"
+export PULUMI_VERSION_MISE=$raw_version
+
+# Prefer the toolchain directive if present, otherwise fall back to the `go` version line
+go_toolchain=$(awk '/^toolchain[[:space:]]+go[0-9]/{ print $2; exit }' "$gomod")
+
+if [[ -n "${go_toolchain:-}" ]]; then
+  go_version=${go_toolchain#go}
+else
+  go_version=$(awk '/^go[[:space:]]+[0-9]/{ print $2; exit }' "$gomod")
+fi
+
+if [[ -z "${go_version:-}" ]]; then
+  echo "failed to determine Go version from $gomod" >&2
+  exit 1
+fi
+
+echo "GO_VERSION_MISE=$go_version"
+export GO_VERSION_MISE=$go_version

sdk/dotnet/Inputs/CacheFromGitHubActionsArgs.cs

@@ -10,6 +10,12 @@ using Pulumi.Serialization;
 namespace Pulumi.DockerBuild.Inputs
 {
 
+    /// <summary>
+    /// Recommended for use with GitHub Actions workflows.
+    /// 
+    /// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+    /// appropriate credentials to your GitHub workflow.
+    /// </summary>
     public sealed class CacheFromGitHubActionsArgs : global::Pulumi.ResourceArgs
     {
         /// <summary>
@@ -21,42 +27,9 @@ namespace Pulumi.DockerBuild.Inputs
         [Input("scope")]
         public Input<string>? Scope { get; set; }
 
-        [Input("token")]
-        private Input<string>? _token;
-
-        /// <summary>
-        /// The GitHub Actions token to use. This is not a personal access tokens
-        /// and is typically generated automatically as part of each job.
-        /// 
-        /// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
-        /// environment variable to your jobs.
-        /// </summary>
-        public Input<string>? Token
-        {
-            get => _token;
-            set
-            {
-                var emptySecret = Output.CreateSecret(0);
-                _token = Output.Tuple<Input<string>?, int>(value, emptySecret).Apply(t => t.Item1);
-            }
-        }
-
-        /// <summary>
-        /// The cache server URL to use for artifacts.
-        /// 
-        /// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
-        /// environment variable to your jobs.
-        /// </summary>
-        [Input("url")]
-        public Input<string>? Url { get; set; }
-
         public CacheFromGitHubActionsArgs()
         {
             Scope = "buildkit";
-            Token = Utilities.GetEnv("ACTIONS_RUNTIME_TOKEN") ?? "";
-            Url = Utilities.GetEnv("ACTIONS_CACHE_URL") ?? "";
         }
         public static new CacheFromGitHubActionsArgs Empty => new CacheFromGitHubActionsArgs();
     }

sdk/dotnet/Inputs/CacheToGitHubActionsArgs.cs

@@ -10,6 +10,12 @@ using Pulumi.Serialization;
 namespace Pulumi.DockerBuild.Inputs
 {
 
+    /// <summary>
+    /// Recommended for use with GitHub Actions workflows.
+    /// 
+    /// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+    /// appropriate credentials to your GitHub workflow.
+    /// </summary>
     public sealed class CacheToGitHubActionsArgs : global::Pulumi.ResourceArgs
     {
         /// <summary>
@@ -33,44 +39,11 @@ namespace Pulumi.DockerBuild.Inputs
         [Input("scope")]
         public Input<string>? Scope { get; set; }
 
-        [Input("token")]
-        private Input<string>? _token;
-
-        /// <summary>
-        /// The GitHub Actions token to use. This is not a personal access tokens
-        /// and is typically generated automatically as part of each job.
-        /// 
-        /// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
-        /// environment variable to your jobs.
-        /// </summary>
-        public Input<string>? Token
-        {
-            get => _token;
-            set
-            {
-                var emptySecret = Output.CreateSecret(0);
-                _token = Output.Tuple<Input<string>?, int>(value, emptySecret).Apply(t => t.Item1);
-            }
-        }
-
-        /// <summary>
-        /// The cache server URL to use for artifacts.
-        /// 
-        /// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
-        /// environment variable to your jobs.
-        /// </summary>
-        [Input("url")]
-        public Input<string>? Url { get; set; }
-
         public CacheToGitHubActionsArgs()
         {
             IgnoreError = false;
             Mode = Pulumi.DockerBuild.CacheMode.Min;
             Scope = "buildkit";
-            Token = Utilities.GetEnv("ACTIONS_RUNTIME_TOKEN") ?? "";
-            Url = Utilities.GetEnv("ACTIONS_CACHE_URL") ?? "";
         }
         public static new CacheToGitHubActionsArgs Empty => new CacheToGitHubActionsArgs();
     }

sdk/dotnet/Outputs/CacheFromGitHubActions.cs

@@ -10,6 +10,12 @@ using Pulumi.Serialization;
 namespace Pulumi.DockerBuild.Outputs
 {
 
+    /// <summary>
+    /// Recommended for use with GitHub Actions workflows.
+    /// 
+    /// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+    /// appropriate credentials to your GitHub workflow.
+    /// </summary>
     [OutputType]
     public sealed class CacheFromGitHubActions
     {
@@ -20,35 +26,11 @@ namespace Pulumi.DockerBuild.Outputs
         /// workflow, otherwise caches will overwrite each other.
         /// </summary>
         public readonly string? Scope;
-        /// <summary>
-        /// The GitHub Actions token to use. This is not a personal access tokens
-        /// and is typically generated automatically as part of each job.
-        /// 
-        /// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
-        /// environment variable to your jobs.
-        /// </summary>
-        public readonly string? Token;
-        /// <summary>
-        /// The cache server URL to use for artifacts.
-        /// 
-        /// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
-        /// environment variable to your jobs.
-        /// </summary>
-        public readonly string? Url;
 
         [OutputConstructor]
-        private CacheFromGitHubActions(
+        private CacheFromGitHubActions(string? scope)
-            string? scope,
-
-            string? token,
-
-            string? url)
         {
             Scope = scope;
-            Token = token;
-            Url = url;
         }
     }
 }

sdk/dotnet/Outputs/CacheToGitHubActions.cs

@@ -10,6 +10,12 @@ using Pulumi.Serialization;
 namespace Pulumi.DockerBuild.Outputs
 {
 
+    /// <summary>
+    /// Recommended for use with GitHub Actions workflows.
+    /// 
+    /// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+    /// appropriate credentials to your GitHub workflow.
+    /// </summary>
     [OutputType]
     public sealed class CacheToGitHubActions
     {
@@ -28,23 +34,6 @@ namespace Pulumi.DockerBuild.Outputs
         /// workflow, otherwise caches will overwrite each other.
         /// </summary>
         public readonly string? Scope;
-        /// <summary>
-        /// The GitHub Actions token to use. This is not a personal access tokens
-        /// and is typically generated automatically as part of each job.
-        /// 
-        /// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
-        /// environment variable to your jobs.
-        /// </summary>
-        public readonly string? Token;
-        /// <summary>
-        /// The cache server URL to use for artifacts.
-        /// 
-        /// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
-        /// environment variable to your jobs.
-        /// </summary>
-        public readonly string? Url;
 
         [OutputConstructor]
         private CacheToGitHubActions(
@@ -52,17 +41,11 @@ namespace Pulumi.DockerBuild.Outputs
 
             Pulumi.DockerBuild.CacheMode? mode,
 
-            string? scope,
+            string? scope)
-
-            string? token,
-
-            string? url)
         {
             IgnoreError = ignoreError;
             Mode = mode;
             Scope = scope;
-            Token = token;
-            Url = url;
         }
     }
 }

sdk/go/dockerbuild/go.mod

@@ -4,7 +4,7 @@ go 1.24.1
 
 require (
 	github.com/blang/semver v3.5.1+incompatible
-	github.com/pulumi/pulumi/sdk/v3 v3.187.0
+	github.com/pulumi/pulumi/sdk/v3 v3.192.0
 )
 
 require (

sdk/go/dockerbuild/go.sum

@@ -164,8 +164,8 @@ github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231 h1:vkHw5I/plNdTr435
 github.com/pulumi/appdash v0.0.0-20231130102222-75f619a67231/go.mod h1:murToZ2N9hNJzewjHBgfFdXhZKjY3z5cYC1VXk+lbFE=
 github.com/pulumi/esc v0.17.0 h1:oaVOIyFTENlYDuqc3pW75lQT9jb2cd6ie/4/Twxn66w=
 github.com/pulumi/esc v0.17.0/go.mod h1:XnSxlt5NkmuAj304l/gK4pRErFbtqq6XpfX1tYT9Jbc=
-github.com/pulumi/pulumi/sdk/v3 v3.187.0 h1:BflBBeD/qaoKN4Tov11g4aHzJ7pTXBSb8otgmteRer0=
+github.com/pulumi/pulumi/sdk/v3 v3.192.0 h1:sfHuR3P02wSbV3xdSMEQ0+uC/HzlMz0YfKrVAXy1hSQ=
-github.com/pulumi/pulumi/sdk/v3 v3.187.0/go.mod h1:BnpKxUc6QlxqoCqobHNZsUuIuY27H6ZFUk0Cp+0JN5U=
+github.com/pulumi/pulumi/sdk/v3 v3.192.0/go.mod h1:aV0+c5xpSYccWKmOjTZS9liYCqh7+peu3cQgSXu7CJw=
 github.com/rivo/uniseg v0.2.0/go.mod h1:J6wj4VEh+S6ZtnVlnTBMWIodfgj8LQOQFoIToxlJtxc=
 github.com/rivo/uniseg v0.4.7 h1:WUdvkW8uEhrYfLC4ZzdpI2ztxP1I582+49Oc5Mq64VQ=
 github.com/rivo/uniseg v0.4.7/go.mod h1:FN3SvrM+Zdj16jyLfmOkMNblXMcoc8DfTHruCPUcx88=

sdk/go/dockerbuild/pulumiTypes.go

@@ -834,25 +834,16 @@ func (o CacheFromAzureBlobPtrOutput) SecretAccessKey() pulumi.StringPtrOutput {
 	}).(pulumi.StringPtrOutput)
 }
 
+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActions struct {
 	// The scope to use for cache keys. Defaults to `buildkit`.
 	//
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope *string `pulumi:"scope"`
-	// The GitHub Actions token to use. This is not a personal access tokens
-	// and is typically generated automatically as part of each job.
-	//
-	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Token *string `pulumi:"token"`
-	// The cache server URL to use for artifacts.
-	//
-	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Url *string `pulumi:"url"`
 }
 
 // Defaults sets the appropriate defaults for CacheFromGitHubActions
@@ -865,18 +856,6 @@ func (val *CacheFromGitHubActions) Defaults() *CacheFromGitHubActions {
 		scope_ := "buildkit"
 		tmp.Scope = &scope_
 	}
-	if tmp.Token == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
-			token_ := d.(string)
-			tmp.Token = &token_
-		}
-	}
-	if tmp.Url == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
-			url_ := d.(string)
-			tmp.Url = &url_
-		}
-	}
 	return &tmp
 }
 
@@ -891,25 +870,16 @@ type CacheFromGitHubActionsInput interface {
 	ToCacheFromGitHubActionsOutputWithContext(context.Context) CacheFromGitHubActionsOutput
 }
 
+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActionsArgs struct {
 	// The scope to use for cache keys. Defaults to `buildkit`.
 	//
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope pulumi.StringPtrInput `pulumi:"scope"`
-	// The GitHub Actions token to use. This is not a personal access tokens
-	// and is typically generated automatically as part of each job.
-	//
-	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Token pulumi.StringPtrInput `pulumi:"token"`
-	// The cache server URL to use for artifacts.
-	//
-	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Url pulumi.StringPtrInput `pulumi:"url"`
 }
 
 // Defaults sets the appropriate defaults for CacheFromGitHubActionsArgs
@@ -921,16 +891,6 @@ func (val *CacheFromGitHubActionsArgs) Defaults() *CacheFromGitHubActionsArgs {
 	if tmp.Scope == nil {
 		tmp.Scope = pulumi.StringPtr("buildkit")
 	}
-	if tmp.Token == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
-			tmp.Token = pulumi.StringPtr(d.(string))
-		}
-	}
-	if tmp.Url == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
-			tmp.Url = pulumi.StringPtr(d.(string))
-		}
-	}
 	return &tmp
 }
 func (CacheFromGitHubActionsArgs) ElementType() reflect.Type {
@@ -998,6 +958,10 @@ func (i *cacheFromGitHubActionsPtrType) ToOutput(ctx context.Context) pulumix.Ou
 	}
 }
 
+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActionsOutput struct{ *pulumi.OutputState }
 
 func (CacheFromGitHubActionsOutput) ElementType() reflect.Type {
@@ -1036,25 +1000,6 @@ func (o CacheFromGitHubActionsOutput) Scope() pulumi.StringPtrOutput {
 	return o.ApplyT(func(v CacheFromGitHubActions) *string { return v.Scope }).(pulumi.StringPtrOutput)
 }
 
-// The GitHub Actions token to use. This is not a personal access tokens
-// and is typically generated automatically as part of each job.
-//
-// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheFromGitHubActionsOutput) Token() pulumi.StringPtrOutput {
-	return o.ApplyT(func(v CacheFromGitHubActions) *string { return v.Token }).(pulumi.StringPtrOutput)
-}
-
-// The cache server URL to use for artifacts.
-//
-// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheFromGitHubActionsOutput) Url() pulumi.StringPtrOutput {
-	return o.ApplyT(func(v CacheFromGitHubActions) *string { return v.Url }).(pulumi.StringPtrOutput)
-}
-
 type CacheFromGitHubActionsPtrOutput struct{ *pulumi.OutputState }
 
 func (CacheFromGitHubActionsPtrOutput) ElementType() reflect.Type {
@@ -1098,35 +1043,6 @@ func (o CacheFromGitHubActionsPtrOutput) Scope() pulumi.StringPtrOutput {
 	}).(pulumi.StringPtrOutput)
 }
 
-// The GitHub Actions token to use. This is not a personal access tokens
-// and is typically generated automatically as part of each job.
-//
-// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheFromGitHubActionsPtrOutput) Token() pulumi.StringPtrOutput {
-	return o.ApplyT(func(v *CacheFromGitHubActions) *string {
-		if v == nil {
-			return nil
-		}
-		return v.Token
-	}).(pulumi.StringPtrOutput)
-}
-
-// The cache server URL to use for artifacts.
-//
-// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheFromGitHubActionsPtrOutput) Url() pulumi.StringPtrOutput {
-	return o.ApplyT(func(v *CacheFromGitHubActions) *string {
-		if v == nil {
-			return nil
-		}
-		return v.Url
-	}).(pulumi.StringPtrOutput)
-}
-
 type CacheFromLocal struct {
 	// Digest of manifest to import.
 	Digest *string `pulumi:"digest"`
@@ -2361,6 +2277,10 @@ func (o CacheToAzureBlobPtrOutput) SecretAccessKey() pulumi.StringPtrOutput {
 	}).(pulumi.StringPtrOutput)
 }
 
+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheToGitHubActions struct {
 	// Ignore errors caused by failed cache exports.
 	IgnoreError *bool `pulumi:"ignoreError"`
@@ -2371,19 +2291,6 @@ type CacheToGitHubActions struct {
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope *string `pulumi:"scope"`
-	// The GitHub Actions token to use. This is not a personal access tokens
-	// and is typically generated automatically as part of each job.
-	//
-	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Token *string `pulumi:"token"`
-	// The cache server URL to use for artifacts.
-	//
-	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Url *string `pulumi:"url"`
 }
 
 // Defaults sets the appropriate defaults for CacheToGitHubActions
@@ -2404,18 +2311,6 @@ func (val *CacheToGitHubActions) Defaults() *CacheToGitHubActions {
 		scope_ := "buildkit"
 		tmp.Scope = &scope_
 	}
-	if tmp.Token == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
-			token_ := d.(string)
-			tmp.Token = &token_
-		}
-	}
-	if tmp.Url == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
-			url_ := d.(string)
-			tmp.Url = &url_
-		}
-	}
 	return &tmp
 }
 
@@ -2430,6 +2325,10 @@ type CacheToGitHubActionsInput interface {
 	ToCacheToGitHubActionsOutputWithContext(context.Context) CacheToGitHubActionsOutput
 }
 
+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheToGitHubActionsArgs struct {
 	// Ignore errors caused by failed cache exports.
 	IgnoreError pulumi.BoolPtrInput `pulumi:"ignoreError"`
@@ -2440,19 +2339,6 @@ type CacheToGitHubActionsArgs struct {
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope pulumi.StringPtrInput `pulumi:"scope"`
-	// The GitHub Actions token to use. This is not a personal access tokens
-	// and is typically generated automatically as part of each job.
-	//
-	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Token pulumi.StringPtrInput `pulumi:"token"`
-	// The cache server URL to use for artifacts.
-	//
-	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Url pulumi.StringPtrInput `pulumi:"url"`
 }
 
 // Defaults sets the appropriate defaults for CacheToGitHubActionsArgs
@@ -2470,16 +2356,6 @@ func (val *CacheToGitHubActionsArgs) Defaults() *CacheToGitHubActionsArgs {
 	if tmp.Scope == nil {
 		tmp.Scope = pulumi.StringPtr("buildkit")
 	}
-	if tmp.Token == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
-			tmp.Token = pulumi.StringPtr(d.(string))
-		}
-	}
-	if tmp.Url == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
-			tmp.Url = pulumi.StringPtr(d.(string))
-		}
-	}
 	return &tmp
 }
 func (CacheToGitHubActionsArgs) ElementType() reflect.Type {
@@ -2547,6 +2423,10 @@ func (i *cacheToGitHubActionsPtrType) ToOutput(ctx context.Context) pulumix.Outp
 	}
 }
 
+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheToGitHubActionsOutput struct{ *pulumi.OutputState }
 
 func (CacheToGitHubActionsOutput) ElementType() reflect.Type {
@@ -2595,25 +2475,6 @@ func (o CacheToGitHubActionsOutput) Scope() pulumi.StringPtrOutput {
 	return o.ApplyT(func(v CacheToGitHubActions) *string { return v.Scope }).(pulumi.StringPtrOutput)
 }
 
-// The GitHub Actions token to use. This is not a personal access tokens
-// and is typically generated automatically as part of each job.
-//
-// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheToGitHubActionsOutput) Token() pulumi.StringPtrOutput {
-	return o.ApplyT(func(v CacheToGitHubActions) *string { return v.Token }).(pulumi.StringPtrOutput)
-}
-
-// The cache server URL to use for artifacts.
-//
-// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheToGitHubActionsOutput) Url() pulumi.StringPtrOutput {
-	return o.ApplyT(func(v CacheToGitHubActions) *string { return v.Url }).(pulumi.StringPtrOutput)
-}
-
 type CacheToGitHubActionsPtrOutput struct{ *pulumi.OutputState }
 
 func (CacheToGitHubActionsPtrOutput) ElementType() reflect.Type {
@@ -2677,35 +2538,6 @@ func (o CacheToGitHubActionsPtrOutput) Scope() pulumi.StringPtrOutput {
 	}).(pulumi.StringPtrOutput)
 }
 
-// The GitHub Actions token to use. This is not a personal access tokens
-// and is typically generated automatically as part of each job.
-//
-// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheToGitHubActionsPtrOutput) Token() pulumi.StringPtrOutput {
-	return o.ApplyT(func(v *CacheToGitHubActions) *string {
-		if v == nil {
-			return nil
-		}
-		return v.Token
-	}).(pulumi.StringPtrOutput)
-}
-
-// The cache server URL to use for artifacts.
-//
-// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheToGitHubActionsPtrOutput) Url() pulumi.StringPtrOutput {
-	return o.ApplyT(func(v *CacheToGitHubActions) *string {
-		if v == nil {
-			return nil
-		}
-		return v.Url
-	}).(pulumi.StringPtrOutput)
-}
-
 // Include an inline cache with the exported image.
 type CacheToInline struct {
 }

sdk/go/dockerbuild/x/pulumiTypes.go

@@ -393,25 +393,16 @@ func (o CacheFromAzureBlobOutput) SecretAccessKey() pulumix.Output[*string] {
 	return pulumix.Apply[CacheFromAzureBlob](o, func(v CacheFromAzureBlob) *string { return v.SecretAccessKey })
 }
 
+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActions struct {
 	// The scope to use for cache keys. Defaults to `buildkit`.
 	//
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope *string `pulumi:"scope"`
-	// The GitHub Actions token to use. This is not a personal access tokens
-	// and is typically generated automatically as part of each job.
-	//
-	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Token *string `pulumi:"token"`
-	// The cache server URL to use for artifacts.
-	//
-	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Url *string `pulumi:"url"`
 }
 
 // Defaults sets the appropriate defaults for CacheFromGitHubActions
@@ -424,40 +415,19 @@ func (val *CacheFromGitHubActions) Defaults() *CacheFromGitHubActions {
 		scope_ := "buildkit"
 		tmp.Scope = &scope_
 	}
-	if tmp.Token == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
-			token_ := d.(string)
-			tmp.Token = &token_
-		}
-	}
-	if tmp.Url == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
-			url_ := d.(string)
-			tmp.Url = &url_
-		}
-	}
 	return &tmp
 }
 
+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActionsArgs struct {
 	// The scope to use for cache keys. Defaults to `buildkit`.
 	//
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope pulumix.Input[*string] `pulumi:"scope"`
-	// The GitHub Actions token to use. This is not a personal access tokens
-	// and is typically generated automatically as part of each job.
-	//
-	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Token pulumix.Input[*string] `pulumi:"token"`
-	// The cache server URL to use for artifacts.
-	//
-	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Url pulumix.Input[*string] `pulumi:"url"`
 }
 
 // Defaults sets the appropriate defaults for CacheFromGitHubActionsArgs
@@ -469,16 +439,6 @@ func (val *CacheFromGitHubActionsArgs) Defaults() *CacheFromGitHubActionsArgs {
 	if tmp.Scope == nil {
 		tmp.Scope = pulumix.Ptr("buildkit")
 	}
-	if tmp.Token == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
-			tmp.Token = pulumix.Ptr(d.(string))
-		}
-	}
-	if tmp.Url == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
-			tmp.Url = pulumix.Ptr(d.(string))
-		}
-	}
 	return &tmp
 }
 func (CacheFromGitHubActionsArgs) ElementType() reflect.Type {
@@ -497,6 +457,10 @@ func (i *CacheFromGitHubActionsArgs) ToOutput(ctx context.Context) pulumix.Outpu
 	return pulumix.Val(i)
 }
 
+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActionsOutput struct{ *pulumi.OutputState }
 
 func (CacheFromGitHubActionsOutput) ElementType() reflect.Type {
@@ -525,25 +489,6 @@ func (o CacheFromGitHubActionsOutput) Scope() pulumix.Output[*string] {
 	return pulumix.Apply[CacheFromGitHubActions](o, func(v CacheFromGitHubActions) *string { return v.Scope })
 }
 
-// The GitHub Actions token to use. This is not a personal access tokens
-// and is typically generated automatically as part of each job.
-//
-// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheFromGitHubActionsOutput) Token() pulumix.Output[*string] {
-	return pulumix.Apply[CacheFromGitHubActions](o, func(v CacheFromGitHubActions) *string { return v.Token })
-}
-
-// The cache server URL to use for artifacts.
-//
-// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheFromGitHubActionsOutput) Url() pulumix.Output[*string] {
-	return pulumix.Apply[CacheFromGitHubActions](o, func(v CacheFromGitHubActions) *string { return v.Url })
-}
-
 type CacheFromLocal struct {
 	// Digest of manifest to import.
 	Digest *string `pulumi:"digest"`
@@ -1134,6 +1079,10 @@ func (o CacheToAzureBlobOutput) SecretAccessKey() pulumix.Output[*string] {
 	return pulumix.Apply[CacheToAzureBlob](o, func(v CacheToAzureBlob) *string { return v.SecretAccessKey })
 }
 
+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheToGitHubActions struct {
 	// Ignore errors caused by failed cache exports.
 	IgnoreError *bool `pulumi:"ignoreError"`
@@ -1144,19 +1093,6 @@ type CacheToGitHubActions struct {
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope *string `pulumi:"scope"`
-	// The GitHub Actions token to use. This is not a personal access tokens
-	// and is typically generated automatically as part of each job.
-	//
-	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Token *string `pulumi:"token"`
-	// The cache server URL to use for artifacts.
-	//
-	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Url *string `pulumi:"url"`
 }
 
 // Defaults sets the appropriate defaults for CacheToGitHubActions
@@ -1177,21 +1113,13 @@ func (val *CacheToGitHubActions) Defaults() *CacheToGitHubActions {
 		scope_ := "buildkit"
 		tmp.Scope = &scope_
 	}
-	if tmp.Token == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
-			token_ := d.(string)
-			tmp.Token = &token_
-		}
-	}
-	if tmp.Url == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
-			url_ := d.(string)
-			tmp.Url = &url_
-		}
-	}
 	return &tmp
 }
 
+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheToGitHubActionsArgs struct {
 	// Ignore errors caused by failed cache exports.
 	IgnoreError pulumix.Input[*bool] `pulumi:"ignoreError"`
@@ -1202,19 +1130,6 @@ type CacheToGitHubActionsArgs struct {
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope pulumix.Input[*string] `pulumi:"scope"`
-	// The GitHub Actions token to use. This is not a personal access tokens
-	// and is typically generated automatically as part of each job.
-	//
-	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Token pulumix.Input[*string] `pulumi:"token"`
-	// The cache server URL to use for artifacts.
-	//
-	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Url pulumix.Input[*string] `pulumi:"url"`
 }
 
 // Defaults sets the appropriate defaults for CacheToGitHubActionsArgs
@@ -1232,16 +1147,6 @@ func (val *CacheToGitHubActionsArgs) Defaults() *CacheToGitHubActionsArgs {
 	if tmp.Scope == nil {
 		tmp.Scope = pulumix.Ptr("buildkit")
 	}
-	if tmp.Token == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
-			tmp.Token = pulumix.Ptr(d.(string))
-		}
-	}
-	if tmp.Url == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
-			tmp.Url = pulumix.Ptr(d.(string))
-		}
-	}
 	return &tmp
 }
 func (CacheToGitHubActionsArgs) ElementType() reflect.Type {
@@ -1260,6 +1165,10 @@ func (i *CacheToGitHubActionsArgs) ToOutput(ctx context.Context) pulumix.Output[
 	return pulumix.Val(i)
 }
 
+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheToGitHubActionsOutput struct{ *pulumi.OutputState }
 
 func (CacheToGitHubActionsOutput) ElementType() reflect.Type {
@@ -1298,25 +1207,6 @@ func (o CacheToGitHubActionsOutput) Scope() pulumix.Output[*string] {
 	return pulumix.Apply[CacheToGitHubActions](o, func(v CacheToGitHubActions) *string { return v.Scope })
 }
 
-// The GitHub Actions token to use. This is not a personal access tokens
-// and is typically generated automatically as part of each job.
-//
-// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheToGitHubActionsOutput) Token() pulumix.Output[*string] {
-	return pulumix.Apply[CacheToGitHubActions](o, func(v CacheToGitHubActions) *string { return v.Token })
-}
-
-// The cache server URL to use for artifacts.
-//
-// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheToGitHubActionsOutput) Url() pulumix.Output[*string] {
-	return pulumix.Apply[CacheToGitHubActions](o, func(v CacheToGitHubActions) *string { return v.Url })
-}
-
 // Include an inline cache with the exported image.
 type CacheToInline struct {
 }

sdk/java/src/main/java/com/pulumi/dockerbuild/inputs/CacheFromGitHubActionsArgs.java

@@ -12,6 +12,13 @@ import java.util.Optional;
 import javax.annotation.Nullable;
 
 
+/**
+ * Recommended for use with GitHub Actions workflows.
+ * 
+ * An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+ * appropriate credentials to your GitHub workflow.
+ * 
+ */
 public final class CacheFromGitHubActionsArgs extends com.pulumi.resources.ResourceArgs {
 
     public static final CacheFromGitHubActionsArgs Empty = new CacheFromGitHubActionsArgs();
@@ -37,60 +44,10 @@ public final class CacheFromGitHubActionsArgs extends com.pulumi.resources.Resou
         return Optional.ofNullable(this.scope);
     }
 
-    /**
-     * The GitHub Actions token to use. This is not a personal access tokens
-     * and is typically generated automatically as part of each job.
-     * 
-     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     * 
-     */
-    @Import(name="token")
-    private @Nullable Output<String> token;
-
-    /**
-     * @return The GitHub Actions token to use. This is not a personal access tokens
-     * and is typically generated automatically as part of each job.
-     * 
-     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     * 
-     */
-    public Optional<Output<String>> token() {
-        return Optional.ofNullable(this.token);
-    }
-
-    /**
-     * The cache server URL to use for artifacts.
-     * 
-     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     * 
-     */
-    @Import(name="url")
-    private @Nullable Output<String> url;
-
-    /**
-     * @return The cache server URL to use for artifacts.
-     * 
-     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     * 
-     */
-    public Optional<Output<String>> url() {
-        return Optional.ofNullable(this.url);
-    }
-
     private CacheFromGitHubActionsArgs() {}
 
     private CacheFromGitHubActionsArgs(CacheFromGitHubActionsArgs $) {
         this.scope = $.scope;
-        this.token = $.token;
-        this.url = $.url;
     }
 
     public static Builder builder() {
@@ -138,70 +95,8 @@ public final class CacheFromGitHubActionsArgs extends com.pulumi.resources.Resou
             return scope(Output.of(scope));
         }
 
-        /**
-         * @param token The GitHub Actions token to use. This is not a personal access tokens
-         * and is typically generated automatically as part of each job.
-         * 
-         * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-         * `crazy-max/ghaction-github-runtime` is recommended to expose this
-         * environment variable to your jobs.
-         * 
-         * @return builder
-         * 
-         */
-        public Builder token(@Nullable Output<String> token) {
-            $.token = token;
-            return this;
-        }
-
-        /**
-         * @param token The GitHub Actions token to use. This is not a personal access tokens
-         * and is typically generated automatically as part of each job.
-         * 
-         * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-         * `crazy-max/ghaction-github-runtime` is recommended to expose this
-         * environment variable to your jobs.
-         * 
-         * @return builder
-         * 
-         */
-        public Builder token(String token) {
-            return token(Output.of(token));
-        }
-
-        /**
-         * @param url The cache server URL to use for artifacts.
-         * 
-         * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-         * `crazy-max/ghaction-github-runtime` is recommended to expose this
-         * environment variable to your jobs.
-         * 
-         * @return builder
-         * 
-         */
-        public Builder url(@Nullable Output<String> url) {
-            $.url = url;
-            return this;
-        }
-
-        /**
-         * @param url The cache server URL to use for artifacts.
-         * 
-         * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-         * `crazy-max/ghaction-github-runtime` is recommended to expose this
-         * environment variable to your jobs.
-         * 
-         * @return builder
-         * 
-         */
-        public Builder url(String url) {
-            return url(Output.of(url));
-        }
-
         public CacheFromGitHubActionsArgs build() {
             $.scope = Codegen.stringProp("scope").output().arg($.scope).def("buildkit").getNullable();
-            $.token = Codegen.stringProp("token").secret().arg($.token).env("ACTIONS_RUNTIME_TOKEN").def("").getNullable();
-            $.url = Codegen.stringProp("url").output().arg($.url).env("ACTIONS_CACHE_URL").def("").getNullable();
             return $;
         }
     }

sdk/java/src/main/java/com/pulumi/dockerbuild/inputs/CacheToGitHubActionsArgs.java

@@ -14,6 +14,13 @@ import java.util.Optional;
 import javax.annotation.Nullable;
 
 
+/**
+ * Recommended for use with GitHub Actions workflows.
+ * 
+ * An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+ * appropriate credentials to your GitHub workflow.
+ * 
+ */
 public final class CacheToGitHubActionsArgs extends com.pulumi.resources.ResourceArgs {
 
     public static final CacheToGitHubActionsArgs Empty = new CacheToGitHubActionsArgs();
@@ -69,62 +76,12 @@ public final class CacheToGitHubActionsArgs extends com.pulumi.resources.Resourc
         return Optional.ofNullable(this.scope);
     }
 
-    /**
-     * The GitHub Actions token to use. This is not a personal access tokens
-     * and is typically generated automatically as part of each job.
-     * 
-     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     * 
-     */
-    @Import(name="token")
-    private @Nullable Output<String> token;
-
-    /**
-     * @return The GitHub Actions token to use. This is not a personal access tokens
-     * and is typically generated automatically as part of each job.
-     * 
-     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     * 
-     */
-    public Optional<Output<String>> token() {
-        return Optional.ofNullable(this.token);
-    }
-
-    /**
-     * The cache server URL to use for artifacts.
-     * 
-     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     * 
-     */
-    @Import(name="url")
-    private @Nullable Output<String> url;
-
-    /**
-     * @return The cache server URL to use for artifacts.
-     * 
-     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     * 
-     */
-    public Optional<Output<String>> url() {
-        return Optional.ofNullable(this.url);
-    }
-
     private CacheToGitHubActionsArgs() {}
 
     private CacheToGitHubActionsArgs(CacheToGitHubActionsArgs $) {
         this.ignoreError = $.ignoreError;
         this.mode = $.mode;
         this.scope = $.scope;
-        this.token = $.token;
-        this.url = $.url;
     }
 
     public static Builder builder() {
@@ -214,72 +171,10 @@ public final class CacheToGitHubActionsArgs extends com.pulumi.resources.Resourc
             return scope(Output.of(scope));
         }
 
-        /**
-         * @param token The GitHub Actions token to use. This is not a personal access tokens
-         * and is typically generated automatically as part of each job.
-         * 
-         * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-         * `crazy-max/ghaction-github-runtime` is recommended to expose this
-         * environment variable to your jobs.
-         * 
-         * @return builder
-         * 
-         */
-        public Builder token(@Nullable Output<String> token) {
-            $.token = token;
-            return this;
-        }
-
-        /**
-         * @param token The GitHub Actions token to use. This is not a personal access tokens
-         * and is typically generated automatically as part of each job.
-         * 
-         * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-         * `crazy-max/ghaction-github-runtime` is recommended to expose this
-         * environment variable to your jobs.
-         * 
-         * @return builder
-         * 
-         */
-        public Builder token(String token) {
-            return token(Output.of(token));
-        }
-
-        /**
-         * @param url The cache server URL to use for artifacts.
-         * 
-         * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-         * `crazy-max/ghaction-github-runtime` is recommended to expose this
-         * environment variable to your jobs.
-         * 
-         * @return builder
-         * 
-         */
-        public Builder url(@Nullable Output<String> url) {
-            $.url = url;
-            return this;
-        }
-
-        /**
-         * @param url The cache server URL to use for artifacts.
-         * 
-         * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-         * `crazy-max/ghaction-github-runtime` is recommended to expose this
-         * environment variable to your jobs.
-         * 
-         * @return builder
-         * 
-         */
-        public Builder url(String url) {
-            return url(Output.of(url));
-        }
-
         public CacheToGitHubActionsArgs build() {
             $.ignoreError = Codegen.booleanProp("ignoreError").output().arg($.ignoreError).def(false).getNullable();
             $.mode = Codegen.objectProp("mode", CacheMode.class).output().arg($.mode).def(CacheMode.Min).getNullable();
             $.scope = Codegen.stringProp("scope").output().arg($.scope).def("buildkit").getNullable();
-            $.token = Codegen.stringProp("token").secret().arg($.token).env("ACTIONS_RUNTIME_TOKEN").def("").getNullable();
-            $.url = Codegen.stringProp("url").output().arg($.url).env("ACTIONS_CACHE_URL").def("").getNullable();
             return $;
         }
     }

sdk/java/src/main/java/com/pulumi/dockerbuild/outputs/CacheFromGitHubActions.java

@@ -19,25 +19,6 @@ public final class CacheFromGitHubActions {
      * 
      */
     private @Nullable String scope;
-    /**
-     * @return The GitHub Actions token to use. This is not a personal access tokens
-     * and is typically generated automatically as part of each job.
-     * 
-     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     * 
-     */
-    private @Nullable String token;
-    /**
-     * @return The cache server URL to use for artifacts.
-     * 
-     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     * 
-     */
-    private @Nullable String url;
 
     private CacheFromGitHubActions() {}
     /**
@@ -50,29 +31,6 @@ public final class CacheFromGitHubActions {
     public Optional<String> scope() {
         return Optional.ofNullable(this.scope);
     }
-    /**
-     * @return The GitHub Actions token to use. This is not a personal access tokens
-     * and is typically generated automatically as part of each job.
-     * 
-     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     * 
-     */
-    public Optional<String> token() {
-        return Optional.ofNullable(this.token);
-    }
-    /**
-     * @return The cache server URL to use for artifacts.
-     * 
-     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     * 
-     */
-    public Optional<String> url() {
-        return Optional.ofNullable(this.url);
-    }
 
     public static Builder builder() {
         return new Builder();
@@ -84,14 +42,10 @@ public final class CacheFromGitHubActions {
     @CustomType.Builder
     public static final class Builder {
         private @Nullable String scope;
-        private @Nullable String token;
-        private @Nullable String url;
         public Builder() {}
         public Builder(CacheFromGitHubActions defaults) {
     	      Objects.requireNonNull(defaults);
     	      this.scope = defaults.scope;
-    	      this.token = defaults.token;
-    	      this.url = defaults.url;
         }
 
         @CustomType.Setter
@@ -100,23 +54,9 @@ public final class CacheFromGitHubActions {
             this.scope = scope;
             return this;
         }
-        @CustomType.Setter
-        public Builder token(@Nullable String token) {
-
-            this.token = token;
-            return this;
-        }
-        @CustomType.Setter
-        public Builder url(@Nullable String url) {
-
-            this.url = url;
-            return this;
-        }
         public CacheFromGitHubActions build() {
             final var _resultValue = new CacheFromGitHubActions();
             _resultValue.scope = scope;
-            _resultValue.token = token;
-            _resultValue.url = url;
             return _resultValue;
         }
     }

sdk/java/src/main/java/com/pulumi/dockerbuild/outputs/CacheToGitHubActions.java

@@ -31,25 +31,6 @@ public final class CacheToGitHubActions {
      * 
      */
     private @Nullable String scope;
-    /**
-     * @return The GitHub Actions token to use. This is not a personal access tokens
-     * and is typically generated automatically as part of each job.
-     * 
-     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     * 
-     */
-    private @Nullable String token;
-    /**
-     * @return The cache server URL to use for artifacts.
-     * 
-     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     * 
-     */
-    private @Nullable String url;
 
     private CacheToGitHubActions() {}
     /**
@@ -76,29 +57,6 @@ public final class CacheToGitHubActions {
     public Optional<String> scope() {
         return Optional.ofNullable(this.scope);
     }
-    /**
-     * @return The GitHub Actions token to use. This is not a personal access tokens
-     * and is typically generated automatically as part of each job.
-     * 
-     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     * 
-     */
-    public Optional<String> token() {
-        return Optional.ofNullable(this.token);
-    }
-    /**
-     * @return The cache server URL to use for artifacts.
-     * 
-     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     * 
-     */
-    public Optional<String> url() {
-        return Optional.ofNullable(this.url);
-    }
 
     public static Builder builder() {
         return new Builder();
@@ -112,16 +70,12 @@ public final class CacheToGitHubActions {
         private @Nullable Boolean ignoreError;
         private @Nullable CacheMode mode;
         private @Nullable String scope;
-        private @Nullable String token;
-        private @Nullable String url;
         public Builder() {}
         public Builder(CacheToGitHubActions defaults) {
     	      Objects.requireNonNull(defaults);
     	      this.ignoreError = defaults.ignoreError;
     	      this.mode = defaults.mode;
     	      this.scope = defaults.scope;
-    	      this.token = defaults.token;
-    	      this.url = defaults.url;
         }
 
         @CustomType.Setter
@@ -142,25 +96,11 @@ public final class CacheToGitHubActions {
             this.scope = scope;
             return this;
         }
-        @CustomType.Setter
-        public Builder token(@Nullable String token) {
-
-            this.token = token;
-            return this;
-        }
-        @CustomType.Setter
-        public Builder url(@Nullable String url) {
-
-            this.url = url;
-            return this;
-        }
         public CacheToGitHubActions build() {
             final var _resultValue = new CacheToGitHubActions();
             _resultValue.ignoreError = ignoreError;
             _resultValue.mode = mode;
             _resultValue.scope = scope;
-            _resultValue.token = token;
-            _resultValue.url = url;
             return _resultValue;
         }
     }

sdk/nodejs/image.ts

@@ -501,7 +501,7 @@ export class Image extends pulumi.CustomResource {
      *
      * Equivalent to Docker's `--add-host` flag.
      */
-    public readonly addHosts!: pulumi.Output<string[] | undefined>;
+    declare public readonly addHosts: pulumi.Output<string[] | undefined>;
     /**
      * `ARG` names and values to set during the build.
      *
@@ -513,7 +513,7 @@ export class Image extends pulumi.CustomResource {
      *
      * Equivalent to Docker's `--build-arg` flag.
      */
-    public readonly buildArgs!: pulumi.Output<{[key: string]: string} | undefined>;
+    declare public readonly buildArgs: pulumi.Output<{[key: string]: string} | undefined>;
     /**
      * Setting this to `false` will always skip image builds during previews,
      * and setting it to `true` will always build images during previews.
@@ -527,35 +527,35 @@ export class Image extends pulumi.CustomResource {
      * Defaults to `true` as a safeguard against broken images merging as part
      * of CI pipelines.
      */
-    public readonly buildOnPreview!: pulumi.Output<boolean | undefined>;
+    declare public readonly buildOnPreview: pulumi.Output<boolean | undefined>;
     /**
      * Builder configuration.
      */
-    public readonly builder!: pulumi.Output<outputs.BuilderConfig | undefined>;
+    declare public readonly builder: pulumi.Output<outputs.BuilderConfig | undefined>;
     /**
      * Cache export configuration.
      *
      * Equivalent to Docker's `--cache-from` flag.
      */
-    public readonly cacheFrom!: pulumi.Output<outputs.CacheFrom[] | undefined>;
+    declare public readonly cacheFrom: pulumi.Output<outputs.CacheFrom[] | undefined>;
     /**
      * Cache import configuration.
      *
      * Equivalent to Docker's `--cache-to` flag.
      */
-    public readonly cacheTo!: pulumi.Output<outputs.CacheTo[] | undefined>;
+    declare public readonly cacheTo: pulumi.Output<outputs.CacheTo[] | undefined>;
     /**
      * Build context settings. Defaults to the current directory.
      *
      * Equivalent to Docker's `PATH | URL | -` positional argument.
      */
-    public readonly context!: pulumi.Output<outputs.BuildContext | undefined>;
+    declare public readonly context: pulumi.Output<outputs.BuildContext | undefined>;
     /**
      * A preliminary hash of the image's build context.
      *
      * Pulumi uses this to determine if an image _may_ need to be re-built.
      */
-    public /*out*/ readonly contextHash!: pulumi.Output<string>;
+    declare public /*out*/ readonly contextHash: pulumi.Output<string>;
     /**
      * A SHA256 digest of the image if it was exported to a registry or
      * elsewhere.
@@ -565,13 +565,13 @@ export class Image extends pulumi.CustomResource {
      * Registry images can be referenced precisely as `<tag>@<digest>`. The
      * `ref` output provides one such reference as a convenience.
      */
-    public /*out*/ readonly digest!: pulumi.Output<string>;
+    declare public /*out*/ readonly digest: pulumi.Output<string>;
     /**
      * Dockerfile settings.
      *
      * Equivalent to Docker's `--file` flag.
      */
-    public readonly dockerfile!: pulumi.Output<outputs.Dockerfile | undefined>;
+    declare public readonly dockerfile: pulumi.Output<outputs.Dockerfile | undefined>;
     /**
      * Use `exec` mode to build this image.
      *
@@ -594,7 +594,7 @@ export class Image extends pulumi.CustomResource {
      * are temporarily written to disk in order to provide them to the
      * `docker-buildx` binary.
      */
-    public readonly exec!: pulumi.Output<boolean | undefined>;
+    declare public readonly exec: pulumi.Output<boolean | undefined>;
     /**
      * Controls where images are persisted after building.
      *
@@ -606,13 +606,13 @@ export class Image extends pulumi.CustomResource {
      *
      * Equivalent to Docker's `--output` flag.
      */
-    public readonly exports!: pulumi.Output<outputs.Export[] | undefined>;
+    declare public readonly exports: pulumi.Output<outputs.Export[] | undefined>;
     /**
      * Attach arbitrary key/value metadata to the image.
      *
      * Equivalent to Docker's `--label` flag.
      */
-    public readonly labels!: pulumi.Output<{[key: string]: string} | undefined>;
+    declare public readonly labels: pulumi.Output<{[key: string]: string} | undefined>;
     /**
      * When `true` the build will automatically include a `docker` export.
      *
@@ -620,7 +620,7 @@ export class Image extends pulumi.CustomResource {
      *
      * Equivalent to Docker's `--load` flag.
      */
-    public readonly load!: pulumi.Output<boolean | undefined>;
+    declare public readonly load: pulumi.Output<boolean | undefined>;
     /**
      * Set the network mode for `RUN` instructions. Defaults to `default`.
      *
@@ -628,25 +628,25 @@ export class Image extends pulumi.CustomResource {
      *
      * Equivalent to Docker's `--network` flag.
      */
-    public readonly network!: pulumi.Output<enums.NetworkMode | undefined>;
+    declare public readonly network: pulumi.Output<enums.NetworkMode | undefined>;
     /**
      * Do not import cache manifests when building the image.
      *
      * Equivalent to Docker's `--no-cache` flag.
      */
-    public readonly noCache!: pulumi.Output<boolean | undefined>;
+    declare public readonly noCache: pulumi.Output<boolean | undefined>;
     /**
      * Set target platform(s) for the build. Defaults to the host's platform.
      *
      * Equivalent to Docker's `--platform` flag.
      */
-    public readonly platforms!: pulumi.Output<enums.Platform[] | undefined>;
+    declare public readonly platforms: pulumi.Output<enums.Platform[] | undefined>;
     /**
      * Always pull referenced images.
      *
      * Equivalent to Docker's `--pull` flag.
      */
-    public readonly pull!: pulumi.Output<boolean | undefined>;
+    declare public readonly pull: pulumi.Output<boolean | undefined>;
     /**
      * When `true` the build will automatically include a `registry` export.
      *
@@ -654,7 +654,7 @@ export class Image extends pulumi.CustomResource {
      *
      * Equivalent to Docker's `--push` flag.
      */
-    public readonly push!: pulumi.Output<boolean>;
+    declare public readonly push: pulumi.Output<boolean>;
     /**
      * If the image was pushed to any registries then this will contain a
      * single fully-qualified tag including the build's digest.
@@ -671,7 +671,7 @@ export class Image extends pulumi.CustomResource {
      * For more control over tags consumed by downstream resources you should
      * use the `digest` output.
      */
-    public /*out*/ readonly ref!: pulumi.Output<string>;
+    declare public /*out*/ readonly ref: pulumi.Output<string>;
     /**
      * Registry credentials. Required if reading or exporting to private
      * repositories.
@@ -681,7 +681,7 @@ export class Image extends pulumi.CustomResource {
      *
      * Similar to `docker login`.
      */
-    public readonly registries!: pulumi.Output<outputs.Registry[] | undefined>;
+    declare public readonly registries: pulumi.Output<outputs.Registry[] | undefined>;
     /**
      * A mapping of secret names to their corresponding values.
      *
@@ -693,13 +693,13 @@ export class Image extends pulumi.CustomResource {
      *
      * Similar to Docker's `--secret` flag.
      */
-    public readonly secrets!: pulumi.Output<{[key: string]: string} | undefined>;
+    declare public readonly secrets: pulumi.Output<{[key: string]: string} | undefined>;
     /**
      * SSH agent socket or keys to expose to the build.
      *
      * Equivalent to Docker's `--ssh` flag.
      */
-    public readonly ssh!: pulumi.Output<outputs.SSH[] | undefined>;
+    declare public readonly ssh: pulumi.Output<outputs.SSH[] | undefined>;
     /**
      * Name and optionally a tag (format: `name:tag`).
      *
@@ -708,7 +708,7 @@ export class Image extends pulumi.CustomResource {
      *
      * Equivalent to Docker's `--tag` flag.
      */
-    public readonly tags!: pulumi.Output<string[] | undefined>;
+    declare public readonly tags: pulumi.Output<string[] | undefined>;
     /**
      * Set the target build stage(s) to build.
      *
@@ -716,7 +716,7 @@ export class Image extends pulumi.CustomResource {
      *
      * Equivalent to Docker's `--target` flag.
      */
-    public readonly target!: pulumi.Output<string | undefined>;
+    declare public readonly target: pulumi.Output<string | undefined>;
 
     /**
      * Create a Image resource with the given unique name, arguments, and options.
@@ -729,31 +729,31 @@ export class Image extends pulumi.CustomResource {
         let resourceInputs: pulumi.Inputs = {};
         opts = opts || {};
         if (!opts.id) {
-            if ((!args || args.push === undefined) && !opts.urn) {
+            if (args?.push === undefined && !opts.urn) {
                 throw new Error("Missing required property 'push'");
             }
-            resourceInputs["addHosts"] = args ? args.addHosts : undefined;
+            resourceInputs["addHosts"] = args?.addHosts;
-            resourceInputs["buildArgs"] = args ? args.buildArgs : undefined;
+            resourceInputs["buildArgs"] = args?.buildArgs;
-            resourceInputs["buildOnPreview"] = (args ? args.buildOnPreview : undefined) ?? true;
+            resourceInputs["buildOnPreview"] = (args?.buildOnPreview) ?? true;
-            resourceInputs["builder"] = args ? args.builder : undefined;
+            resourceInputs["builder"] = args?.builder;
-            resourceInputs["cacheFrom"] = args ? args.cacheFrom : undefined;
+            resourceInputs["cacheFrom"] = args?.cacheFrom;
-            resourceInputs["cacheTo"] = args ? args.cacheTo : undefined;
+            resourceInputs["cacheTo"] = args?.cacheTo;
-            resourceInputs["context"] = args ? args.context : undefined;
+            resourceInputs["context"] = args?.context;
-            resourceInputs["dockerfile"] = args ? args.dockerfile : undefined;
+            resourceInputs["dockerfile"] = args?.dockerfile;
-            resourceInputs["exec"] = args ? args.exec : undefined;
+            resourceInputs["exec"] = args?.exec;
-            resourceInputs["exports"] = args ? args.exports : undefined;
+            resourceInputs["exports"] = args?.exports;
-            resourceInputs["labels"] = args ? args.labels : undefined;
+            resourceInputs["labels"] = args?.labels;
-            resourceInputs["load"] = args ? args.load : undefined;
+            resourceInputs["load"] = args?.load;
-            resourceInputs["network"] = (args ? args.network : undefined) ?? "default";
+            resourceInputs["network"] = (args?.network) ?? "default";
-            resourceInputs["noCache"] = args ? args.noCache : undefined;
+            resourceInputs["noCache"] = args?.noCache;
-            resourceInputs["platforms"] = args ? args.platforms : undefined;
+            resourceInputs["platforms"] = args?.platforms;
-            resourceInputs["pull"] = args ? args.pull : undefined;
+            resourceInputs["pull"] = args?.pull;
-            resourceInputs["push"] = args ? args.push : undefined;
+            resourceInputs["push"] = args?.push;
-            resourceInputs["registries"] = args ? args.registries : undefined;
+            resourceInputs["registries"] = args?.registries;
-            resourceInputs["secrets"] = args ? args.secrets : undefined;
+            resourceInputs["secrets"] = args?.secrets;
-            resourceInputs["ssh"] = args ? args.ssh : undefined;
+            resourceInputs["ssh"] = args?.ssh;
-            resourceInputs["tags"] = args ? args.tags : undefined;
+            resourceInputs["tags"] = args?.tags;
-            resourceInputs["target"] = args ? args.target : undefined;
+            resourceInputs["target"] = args?.target;
             resourceInputs["contextHash"] = undefined /*out*/;
             resourceInputs["digest"] = undefined /*out*/;
             resourceInputs["ref"] = undefined /*out*/;

sdk/nodejs/index_.ts

@@ -113,27 +113,27 @@ export class Index extends pulumi.CustomResource {
      *
      * Defaults to `true`.
      */
-    public readonly push!: pulumi.Output<boolean | undefined>;
+    declare public readonly push: pulumi.Output<boolean | undefined>;
     /**
      * The pushed tag with digest.
      *
      * Identical to the tag if the index was not pushed.
      */
-    public /*out*/ readonly ref!: pulumi.Output<string>;
+    declare public /*out*/ readonly ref: pulumi.Output<string>;
     /**
      * Authentication for the registry where the tagged index will be pushed.
      *
      * Credentials can also be included with the provider's configuration.
      */
-    public readonly registry!: pulumi.Output<outputs.Registry | undefined>;
+    declare public readonly registry: pulumi.Output<outputs.Registry | undefined>;
     /**
      * Existing images to include in the index.
      */
-    public readonly sources!: pulumi.Output<string[]>;
+    declare public readonly sources: pulumi.Output<string[]>;
     /**
      * The tag to apply to the index.
      */
-    public readonly tag!: pulumi.Output<string>;
+    declare public readonly tag: pulumi.Output<string>;
 
     /**
      * Create a Index resource with the given unique name, arguments, and options.
@@ -146,16 +146,16 @@ export class Index extends pulumi.CustomResource {
         let resourceInputs: pulumi.Inputs = {};
         opts = opts || {};
         if (!opts.id) {
-            if ((!args || args.sources === undefined) && !opts.urn) {
+            if (args?.sources === undefined && !opts.urn) {
                 throw new Error("Missing required property 'sources'");
             }
-            if ((!args || args.tag === undefined) && !opts.urn) {
+            if (args?.tag === undefined && !opts.urn) {
                 throw new Error("Missing required property 'tag'");
             }
-            resourceInputs["push"] = (args ? args.push : undefined) ?? true;
+            resourceInputs["push"] = (args?.push) ?? true;
-            resourceInputs["registry"] = args ? args.registry : undefined;
+            resourceInputs["registry"] = args?.registry;
-            resourceInputs["sources"] = args ? args.sources : undefined;
+            resourceInputs["sources"] = args?.sources;
-            resourceInputs["tag"] = args ? args.tag : undefined;
+            resourceInputs["tag"] = args?.tag;
             resourceInputs["ref"] = undefined /*out*/;
         } else {
             resourceInputs["push"] = undefined /*out*/;

sdk/nodejs/provider.ts

@@ -25,7 +25,7 @@ export class Provider extends pulumi.ProviderResource {
     /**
      * The build daemon's address.
      */
-    public readonly host!: pulumi.Output<string | undefined>;
+    declare public readonly host: pulumi.Output<string | undefined>;
 
     /**
      * Create a Provider resource with the given unique name, arguments, and options.
@@ -38,8 +38,8 @@ export class Provider extends pulumi.ProviderResource {
         let resourceInputs: pulumi.Inputs = {};
         opts = opts || {};
         {
-            resourceInputs["host"] = (args ? args.host : undefined) ?? (utilities.getEnv("DOCKER_HOST") || "");
+            resourceInputs["host"] = (args?.host) ?? (utilities.getEnv("DOCKER_HOST") || "");
-            resourceInputs["registries"] = pulumi.output(args ? args.registries : undefined).apply(JSON.stringify);
+            resourceInputs["registries"] = pulumi.output(args?.registries).apply(JSON.stringify);
         }
         opts = pulumi.mergeOptions(utilities.resourceOptsDefaults(), opts);
         super(Provider.__pulumiType, name, resourceInputs, opts);

sdk/nodejs/tsconfig.json

@@ -1,7 +1,7 @@
 {
     "compilerOptions": {
         "outDir": "bin",
-        "target": "es2016",
+        "target": "ES2020",
         "module": "commonjs",
         "moduleResolution": "node",
         "declaration": true,

sdk/nodejs/types/input.ts

@@ -104,6 +104,12 @@ export interface CacheFromAzureBlobArgs {
     secretAccessKey?: pulumi.Input<string>;
 }
 
+/**
+ * Recommended for use with GitHub Actions workflows.
+ *
+ * An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+ * appropriate credentials to your GitHub workflow.
+ */
 export interface CacheFromGitHubActionsArgs {
     /**
      * The scope to use for cache keys. Defaults to `buildkit`.
@@ -112,23 +118,6 @@ export interface CacheFromGitHubActionsArgs {
      * workflow, otherwise caches will overwrite each other.
      */
     scope?: pulumi.Input<string>;
-    /**
-     * The GitHub Actions token to use. This is not a personal access tokens
-     * and is typically generated automatically as part of each job.
-     *
-     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     */
-    token?: pulumi.Input<string>;
-    /**
-     * The cache server URL to use for artifacts.
-     *
-     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     */
-    url?: pulumi.Input<string>;
 }
 /**
  * cacheFromGitHubActionsArgsProvideDefaults sets the appropriate defaults for CacheFromGitHubActionsArgs
@@ -137,8 +126,6 @@ export function cacheFromGitHubActionsArgsProvideDefaults(val: CacheFromGitHubAc
     return {
         ...val,
         scope: (val.scope) ?? "buildkit",
-        token: (val.token) ?? (utilities.getEnv("ACTIONS_RUNTIME_TOKEN") || ""),
-        url: (val.url) ?? (utilities.getEnv("ACTIONS_CACHE_URL") || ""),
     };
 }
 
@@ -303,6 +290,12 @@ export function cacheToAzureBlobArgsProvideDefaults(val: CacheToAzureBlobArgs):
     };
 }
 
+/**
+ * Recommended for use with GitHub Actions workflows.
+ *
+ * An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+ * appropriate credentials to your GitHub workflow.
+ */
 export interface CacheToGitHubActionsArgs {
     /**
      * Ignore errors caused by failed cache exports.
@@ -319,23 +312,6 @@ export interface CacheToGitHubActionsArgs {
      * workflow, otherwise caches will overwrite each other.
      */
     scope?: pulumi.Input<string>;
-    /**
-     * The GitHub Actions token to use. This is not a personal access tokens
-     * and is typically generated automatically as part of each job.
-     *
-     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     */
-    token?: pulumi.Input<string>;
-    /**
-     * The cache server URL to use for artifacts.
-     *
-     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     */
-    url?: pulumi.Input<string>;
 }
 /**
  * cacheToGitHubActionsArgsProvideDefaults sets the appropriate defaults for CacheToGitHubActionsArgs
@@ -346,8 +322,6 @@ export function cacheToGitHubActionsArgsProvideDefaults(val: CacheToGitHubAction
         ignoreError: (val.ignoreError) ?? false,
         mode: (val.mode) ?? "min",
         scope: (val.scope) ?? "buildkit",
-        token: (val.token) ?? (utilities.getEnv("ACTIONS_RUNTIME_TOKEN") || ""),
-        url: (val.url) ?? (utilities.getEnv("ACTIONS_CACHE_URL") || ""),
     };
 }
 

sdk/nodejs/types/output.ts

@@ -104,6 +104,12 @@ export interface CacheFromAzureBlob {
     secretAccessKey?: string;
 }
 
+/**
+ * Recommended for use with GitHub Actions workflows.
+ *
+ * An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+ * appropriate credentials to your GitHub workflow.
+ */
 export interface CacheFromGitHubActions {
     /**
      * The scope to use for cache keys. Defaults to `buildkit`.
@@ -112,23 +118,6 @@ export interface CacheFromGitHubActions {
      * workflow, otherwise caches will overwrite each other.
      */
     scope?: string;
-    /**
-     * The GitHub Actions token to use. This is not a personal access tokens
-     * and is typically generated automatically as part of each job.
-     *
-     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     */
-    token?: string;
-    /**
-     * The cache server URL to use for artifacts.
-     *
-     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     */
-    url?: string;
 }
 /**
  * cacheFromGitHubActionsProvideDefaults sets the appropriate defaults for CacheFromGitHubActions
@@ -137,8 +126,6 @@ export function cacheFromGitHubActionsProvideDefaults(val: CacheFromGitHubAction
     return {
         ...val,
         scope: (val.scope) ?? "buildkit",
-        token: (val.token) ?? (utilities.getEnv("ACTIONS_RUNTIME_TOKEN") || ""),
-        url: (val.url) ?? (utilities.getEnv("ACTIONS_CACHE_URL") || ""),
     };
 }
 
@@ -303,6 +290,12 @@ export function cacheToAzureBlobProvideDefaults(val: CacheToAzureBlob): CacheToA
     };
 }
 
+/**
+ * Recommended for use with GitHub Actions workflows.
+ *
+ * An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+ * appropriate credentials to your GitHub workflow.
+ */
 export interface CacheToGitHubActions {
     /**
      * Ignore errors caused by failed cache exports.
@@ -319,23 +312,6 @@ export interface CacheToGitHubActions {
      * workflow, otherwise caches will overwrite each other.
      */
     scope?: string;
-    /**
-     * The GitHub Actions token to use. This is not a personal access tokens
-     * and is typically generated automatically as part of each job.
-     *
-     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     */
-    token?: string;
-    /**
-     * The cache server URL to use for artifacts.
-     *
-     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     */
-    url?: string;
 }
 /**
  * cacheToGitHubActionsProvideDefaults sets the appropriate defaults for CacheToGitHubActions
@@ -346,8 +322,6 @@ export function cacheToGitHubActionsProvideDefaults(val: CacheToGitHubActions):
         ignoreError: (val.ignoreError) ?? false,
         mode: (val.mode) ?? "min",
         scope: (val.scope) ?? "buildkit",
-        token: (val.token) ?? (utilities.getEnv("ACTIONS_RUNTIME_TOKEN") || ""),
-        url: (val.url) ?? (utilities.getEnv("ACTIONS_CACHE_URL") || ""),
     };
 }
 

sdk/python/pulumi_docker_build/_inputs.py

@@ -281,6 +281,12 @@ class CacheFromAzureBlobArgs:
 
 if not MYPY:
     class CacheFromGitHubActionsArgsDict(TypedDict):
+        """
+        Recommended for use with GitHub Actions workflows.
+
+        An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+        appropriate credentials to your GitHub workflow.
+        """
         scope: NotRequired[pulumi.Input[_builtins.str]]
         """
         The scope to use for cache keys. Defaults to `buildkit`.
@@ -288,61 +294,27 @@ if not MYPY:
         This should be set if building and caching multiple images in one
         workflow, otherwise caches will overwrite each other.
         """
-        token: NotRequired[pulumi.Input[_builtins.str]]
-        """
-        The GitHub Actions token to use. This is not a personal access tokens
-        and is typically generated automatically as part of each job.
-
-        Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-        `crazy-max/ghaction-github-runtime` is recommended to expose this
-        environment variable to your jobs.
-        """
-        url: NotRequired[pulumi.Input[_builtins.str]]
-        """
-        The cache server URL to use for artifacts.
-
-        Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-        `crazy-max/ghaction-github-runtime` is recommended to expose this
-        environment variable to your jobs.
-        """
 elif False:
     CacheFromGitHubActionsArgsDict: TypeAlias = Mapping[str, Any]
 
 @pulumi.input_type
 class CacheFromGitHubActionsArgs:
     def __init__(__self__, *,
-                 scope: Optional[pulumi.Input[_builtins.str]] = None,
+                 scope: Optional[pulumi.Input[_builtins.str]] = None):
-                 token: Optional[pulumi.Input[_builtins.str]] = None,
-                 url: Optional[pulumi.Input[_builtins.str]] = None):
         """
+        Recommended for use with GitHub Actions workflows.
+
+        An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+        appropriate credentials to your GitHub workflow.
         :param pulumi.Input[_builtins.str] scope: The scope to use for cache keys. Defaults to `buildkit`.
                
                This should be set if building and caching multiple images in one
                workflow, otherwise caches will overwrite each other.
-        :param pulumi.Input[_builtins.str] token: The GitHub Actions token to use. This is not a personal access tokens
-               and is typically generated automatically as part of each job.
-               
-               Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-               `crazy-max/ghaction-github-runtime` is recommended to expose this
-               environment variable to your jobs.
-        :param pulumi.Input[_builtins.str] url: The cache server URL to use for artifacts.
-               
-               Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-               `crazy-max/ghaction-github-runtime` is recommended to expose this
-               environment variable to your jobs.
         """
         if scope is None:
             scope = 'buildkit'
         if scope is not None:
             pulumi.set(__self__, "scope", scope)
-        if token is None:
-            token = (_utilities.get_env('ACTIONS_RUNTIME_TOKEN') or '')
-        if token is not None:
-            pulumi.set(__self__, "token", token)
-        if url is None:
-            url = (_utilities.get_env('ACTIONS_CACHE_URL') or '')
-        if url is not None:
-            pulumi.set(__self__, "url", url)
 
     @_builtins.property
     @pulumi.getter
@@ -359,39 +331,6 @@ class CacheFromGitHubActionsArgs:
     def scope(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "scope", value)
 
-    @_builtins.property
-    @pulumi.getter
-    def token(self) -> Optional[pulumi.Input[_builtins.str]]:
-        """
-        The GitHub Actions token to use. This is not a personal access tokens
-        and is typically generated automatically as part of each job.
-
-        Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-        `crazy-max/ghaction-github-runtime` is recommended to expose this
-        environment variable to your jobs.
-        """
-        return pulumi.get(self, "token")
-
-    @token.setter
-    def token(self, value: Optional[pulumi.Input[_builtins.str]]):
-        pulumi.set(self, "token", value)
-
-    @_builtins.property
-    @pulumi.getter
-    def url(self) -> Optional[pulumi.Input[_builtins.str]]:
-        """
-        The cache server URL to use for artifacts.
-
-        Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-        `crazy-max/ghaction-github-runtime` is recommended to expose this
-        environment variable to your jobs.
-        """
-        return pulumi.get(self, "url")
-
-    @url.setter
-    def url(self, value: Optional[pulumi.Input[_builtins.str]]):
-        pulumi.set(self, "url", value)
-
 
 if not MYPY:
     class CacheFromLocalArgsDict(TypedDict):
@@ -977,6 +916,12 @@ class CacheToAzureBlobArgs:
 
 if not MYPY:
     class CacheToGitHubActionsArgsDict(TypedDict):
+        """
+        Recommended for use with GitHub Actions workflows.
+
+        An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+        appropriate credentials to your GitHub workflow.
+        """
         ignore_error: NotRequired[pulumi.Input[_builtins.bool]]
         """
         Ignore errors caused by failed cache exports.
@@ -992,23 +937,6 @@ if not MYPY:
         This should be set if building and caching multiple images in one
         workflow, otherwise caches will overwrite each other.
         """
-        token: NotRequired[pulumi.Input[_builtins.str]]
-        """
-        The GitHub Actions token to use. This is not a personal access tokens
-        and is typically generated automatically as part of each job.
-
-        Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-        `crazy-max/ghaction-github-runtime` is recommended to expose this
-        environment variable to your jobs.
-        """
-        url: NotRequired[pulumi.Input[_builtins.str]]
-        """
-        The cache server URL to use for artifacts.
-
-        Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-        `crazy-max/ghaction-github-runtime` is recommended to expose this
-        environment variable to your jobs.
-        """
 elif False:
     CacheToGitHubActionsArgsDict: TypeAlias = Mapping[str, Any]
 
@@ -1017,27 +945,18 @@ class CacheToGitHubActionsArgs:
     def __init__(__self__, *,
                  ignore_error: Optional[pulumi.Input[_builtins.bool]] = None,
                  mode: Optional[pulumi.Input['CacheMode']] = None,
-                 scope: Optional[pulumi.Input[_builtins.str]] = None,
+                 scope: Optional[pulumi.Input[_builtins.str]] = None):
-                 token: Optional[pulumi.Input[_builtins.str]] = None,
-                 url: Optional[pulumi.Input[_builtins.str]] = None):
         """
+        Recommended for use with GitHub Actions workflows.
+
+        An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+        appropriate credentials to your GitHub workflow.
         :param pulumi.Input[_builtins.bool] ignore_error: Ignore errors caused by failed cache exports.
         :param pulumi.Input['CacheMode'] mode: The cache mode to use. Defaults to `min`.
         :param pulumi.Input[_builtins.str] scope: The scope to use for cache keys. Defaults to `buildkit`.
                
                This should be set if building and caching multiple images in one
                workflow, otherwise caches will overwrite each other.
-        :param pulumi.Input[_builtins.str] token: The GitHub Actions token to use. This is not a personal access tokens
-               and is typically generated automatically as part of each job.
-               
-               Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-               `crazy-max/ghaction-github-runtime` is recommended to expose this
-               environment variable to your jobs.
-        :param pulumi.Input[_builtins.str] url: The cache server URL to use for artifacts.
-               
-               Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-               `crazy-max/ghaction-github-runtime` is recommended to expose this
-               environment variable to your jobs.
         """
         if ignore_error is None:
             ignore_error = False
@@ -1051,14 +970,6 @@ class CacheToGitHubActionsArgs:
             scope = 'buildkit'
         if scope is not None:
             pulumi.set(__self__, "scope", scope)
-        if token is None:
-            token = (_utilities.get_env('ACTIONS_RUNTIME_TOKEN') or '')
-        if token is not None:
-            pulumi.set(__self__, "token", token)
-        if url is None:
-            url = (_utilities.get_env('ACTIONS_CACHE_URL') or '')
-        if url is not None:
-            pulumi.set(__self__, "url", url)
 
     @_builtins.property
     @pulumi.getter(name="ignoreError")
@@ -1099,39 +1010,6 @@ class CacheToGitHubActionsArgs:
     def scope(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "scope", value)
 
-    @_builtins.property
-    @pulumi.getter
-    def token(self) -> Optional[pulumi.Input[_builtins.str]]:
-        """
-        The GitHub Actions token to use. This is not a personal access tokens
-        and is typically generated automatically as part of each job.
-
-        Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-        `crazy-max/ghaction-github-runtime` is recommended to expose this
-        environment variable to your jobs.
-        """
-        return pulumi.get(self, "token")
-
-    @token.setter
-    def token(self, value: Optional[pulumi.Input[_builtins.str]]):
-        pulumi.set(self, "token", value)
-
-    @_builtins.property
-    @pulumi.getter
-    def url(self) -> Optional[pulumi.Input[_builtins.str]]:
-        """
-        The cache server URL to use for artifacts.
-
-        Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-        `crazy-max/ghaction-github-runtime` is recommended to expose this
-        environment variable to your jobs.
-        """
-        return pulumi.get(self, "url")
-
-    @url.setter
-    def url(self, value: Optional[pulumi.Input[_builtins.str]]):
-        pulumi.set(self, "url", value)
-
 
 if not MYPY:
     class CacheToInlineArgsDict(TypedDict):

sdk/python/pulumi_docker_build/outputs.py

@@ -293,39 +293,28 @@ class CacheFromAzureBlob(dict):
 
 @pulumi.output_type
 class CacheFromGitHubActions(dict):
+    """
+    Recommended for use with GitHub Actions workflows.
+
+    An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+    appropriate credentials to your GitHub workflow.
+    """
     def __init__(__self__, *,
-                 scope: Optional[_builtins.str] = None,
+                 scope: Optional[_builtins.str] = None):
-                 token: Optional[_builtins.str] = None,
-                 url: Optional[_builtins.str] = None):
         """
+        Recommended for use with GitHub Actions workflows.
+
+        An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+        appropriate credentials to your GitHub workflow.
         :param _builtins.str scope: The scope to use for cache keys. Defaults to `buildkit`.
                
                This should be set if building and caching multiple images in one
                workflow, otherwise caches will overwrite each other.
-        :param _builtins.str token: The GitHub Actions token to use. This is not a personal access tokens
-               and is typically generated automatically as part of each job.
-               
-               Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-               `crazy-max/ghaction-github-runtime` is recommended to expose this
-               environment variable to your jobs.
-        :param _builtins.str url: The cache server URL to use for artifacts.
-               
-               Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-               `crazy-max/ghaction-github-runtime` is recommended to expose this
-               environment variable to your jobs.
         """
         if scope is None:
             scope = 'buildkit'
         if scope is not None:
             pulumi.set(__self__, "scope", scope)
-        if token is None:
-            token = (_utilities.get_env('ACTIONS_RUNTIME_TOKEN') or '')
-        if token is not None:
-            pulumi.set(__self__, "token", token)
-        if url is None:
-            url = (_utilities.get_env('ACTIONS_CACHE_URL') or '')
-        if url is not None:
-            pulumi.set(__self__, "url", url)
 
     @_builtins.property
     @pulumi.getter
@@ -338,31 +327,6 @@ class CacheFromGitHubActions(dict):
         """
         return pulumi.get(self, "scope")
 
-    @_builtins.property
-    @pulumi.getter
-    def token(self) -> Optional[_builtins.str]:
-        """
-        The GitHub Actions token to use. This is not a personal access tokens
-        and is typically generated automatically as part of each job.
-
-        Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-        `crazy-max/ghaction-github-runtime` is recommended to expose this
-        environment variable to your jobs.
-        """
-        return pulumi.get(self, "token")
-
-    @_builtins.property
-    @pulumi.getter
-    def url(self) -> Optional[_builtins.str]:
-        """
-        The cache server URL to use for artifacts.
-
-        Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-        `crazy-max/ghaction-github-runtime` is recommended to expose this
-        environment variable to your jobs.
-        """
-        return pulumi.get(self, "url")
-
 
 @pulumi.output_type
 class CacheFromLocal(dict):
@@ -784,6 +748,12 @@ class CacheToAzureBlob(dict):
 
 @pulumi.output_type
 class CacheToGitHubActions(dict):
+    """
+    Recommended for use with GitHub Actions workflows.
+
+    An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+    appropriate credentials to your GitHub workflow.
+    """
     @staticmethod
     def __key_warning(key: str):
         suggest = None
@@ -804,27 +774,18 @@ class CacheToGitHubActions(dict):
     def __init__(__self__, *,
                  ignore_error: Optional[_builtins.bool] = None,
                  mode: Optional['CacheMode'] = None,
-                 scope: Optional[_builtins.str] = None,
+                 scope: Optional[_builtins.str] = None):
-                 token: Optional[_builtins.str] = None,
-                 url: Optional[_builtins.str] = None):
         """
+        Recommended for use with GitHub Actions workflows.
+
+        An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+        appropriate credentials to your GitHub workflow.
         :param _builtins.bool ignore_error: Ignore errors caused by failed cache exports.
         :param 'CacheMode' mode: The cache mode to use. Defaults to `min`.
         :param _builtins.str scope: The scope to use for cache keys. Defaults to `buildkit`.
                
                This should be set if building and caching multiple images in one
                workflow, otherwise caches will overwrite each other.
-        :param _builtins.str token: The GitHub Actions token to use. This is not a personal access tokens
-               and is typically generated automatically as part of each job.
-               
-               Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-               `crazy-max/ghaction-github-runtime` is recommended to expose this
-               environment variable to your jobs.
-        :param _builtins.str url: The cache server URL to use for artifacts.
-               
-               Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-               `crazy-max/ghaction-github-runtime` is recommended to expose this
-               environment variable to your jobs.
         """
         if ignore_error is None:
             ignore_error = False
@@ -838,14 +799,6 @@ class CacheToGitHubActions(dict):
             scope = 'buildkit'
         if scope is not None:
             pulumi.set(__self__, "scope", scope)
-        if token is None:
-            token = (_utilities.get_env('ACTIONS_RUNTIME_TOKEN') or '')
-        if token is not None:
-            pulumi.set(__self__, "token", token)
-        if url is None:
-            url = (_utilities.get_env('ACTIONS_CACHE_URL') or '')
-        if url is not None:
-            pulumi.set(__self__, "url", url)
 
     @_builtins.property
     @pulumi.getter(name="ignoreError")
@@ -874,31 +827,6 @@ class CacheToGitHubActions(dict):
         """
         return pulumi.get(self, "scope")
 
-    @_builtins.property
-    @pulumi.getter
-    def token(self) -> Optional[_builtins.str]:
-        """
-        The GitHub Actions token to use. This is not a personal access tokens
-        and is typically generated automatically as part of each job.
-
-        Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-        `crazy-max/ghaction-github-runtime` is recommended to expose this
-        environment variable to your jobs.
-        """
-        return pulumi.get(self, "token")
-
-    @_builtins.property
-    @pulumi.getter
-    def url(self) -> Optional[_builtins.str]:
-        """
-        The cache server URL to use for artifacts.
-
-        Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-        `crazy-max/ghaction-github-runtime` is recommended to expose this
-        environment variable to your jobs.
-        """
-        return pulumi.get(self, "url")
-
 
 @pulumi.output_type
 class CacheToInline(dict):