[internal] Update GitHub Actions workflow files

This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit 5619381e924fbac90750f41b6a27cadcd11c4c2d.

.ci-mgmt.yaml

@@ -4,25 +4,26 @@ major-version: 0
 providerDefaultBranch: main
 providerVersion: github.com/pulumi/pulumi-docker-build/provider.Version
 aws: true
+modulePath: .
 gcp: true
 sdkModuleDir: sdk/go/dockerbuild
 parallel: 3
 esc:
-  enabled: true
+    enabled: true
 envOverride:
-  AWS_REGION: us-west-2
+    AWS_REGION: us-west-2
-  PULUMI_API: "https://api.pulumi-staging.io"
+    PULUMI_API: "https://api.pulumi-staging.io"
-  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
+    ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
-  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
+    ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
-  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
+    ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
-  ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
+    ARM_CLIENT_SECRET: ${{ secrets.ARM_CLIENT_SECRET }}
-  AZURE_LOCATION: westus
+    AZURE_LOCATION: westus
-  DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
+    DIGITALOCEAN_TOKEN: ${{ secrets.DIGITALOCEAN_TOKEN }}
-  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
+    GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
-  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
+    GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
-  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
+    GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
-  GOOGLE_PROJECT: pulumi-ci-gcp-provider
+    GOOGLE_PROJECT: pulumi-ci-gcp-provider
-  GOOGLE_PROJECT_NUMBER: 895284651812
+    GOOGLE_PROJECT_NUMBER: 895284651812
-  GOOGLE_REGION: us-central1
+    GOOGLE_REGION: us-central1
-  GOOGLE_ZONE: us-central1-a
+    GOOGLE_ZONE: us-central1-a
-  DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}
+    DOCKER_HUB_PASSWORD: ${{ secrets.DOCKER_HUB_PASSWORD }}

.config/mise.lock

@@ -0,0 +1,87 @@
+[[tools.dotnet]]
+version = "8.0.414"
+backend = "asdf:dotnet"
+
+[[tools."github:pulumi/pulumictl"]]
+version = "0.0.50"
+backend = "github:pulumi/pulumictl"
+
+[tools."github:pulumi/pulumictl".platforms.linux-x64]
+checksum = "blake3:c128dd74993f779c613296fe7cd21c20cbd323f24e59cb76e007620660b60348"
+name = "pulumictl-v0.0.50-linux-amd64.tar.gz"
+size = 27744219
+url = "https://github.com/pulumi/pulumictl/releases/download/v0.0.50/pulumictl-v0.0.50-linux-amd64.tar.gz"
+url_api = ""
+
+[[tools."github:pulumi/schema-tools"]]
+version = "0.6.0"
+backend = "github:pulumi/schema-tools"
+
+[tools."github:pulumi/schema-tools".platforms.linux-x64]
+checksum = "blake3:82dfe616fee18b4258f6e3d2dc3c4e9f14afd43a0a4cc33eff2d2a04088d6ca3"
+name = "schema-tools-v0.6.0-linux-amd64.tar.gz"
+size = 14282746
+url = "https://github.com/pulumi/schema-tools/releases/download/v0.6.0/schema-tools-v0.6.0-linux-amd64.tar.gz"
+url_api = ""
+
+[[tools.go]]
+version = "1.24.1"
+backend = "core:go"
+
+[tools.go.platforms.linux-x64]
+checksum = "sha256:cb2396bae64183cdccf81a9a6df0aea3bce9511fc21469fb89a0c00470088073"
+size = 78503123
+url = "https://dl.google.com/go/go1.24.1.linux-amd64.tar.gz"
+
+[[tools.golangci-lint]]
+version = "1.64.8"
+backend = "aqua:golangci/golangci-lint"
+
+[tools.golangci-lint.platforms.linux-x64]
+checksum = "sha256:b6270687afb143d019f387c791cd2a6f1cb383be9b3124d241ca11bd3ce2e54e"
+size = 12364828
+url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-amd64.tar.gz"
+
+[[tools.gradle]]
+version = "7.6.6"
+backend = "aqua:gradle/gradle"
+
+[tools.gradle.platforms.linux-x64]
+checksum = "blake3:5cad8fc455b720b68a0bd2907d435e2919581708243f84f27845fe8812a09323"
+size = 128439774
+url = "https://github.com/gradle/gradle-distributions/releases/download/v7.6.6/gradle-7.6.6-bin.zip"
+
+[[tools.java]]
+version = "corretto-11.0.28.6.1"
+backend = "core:java"
+
+[tools.java.platforms.linux-x64]
+checksum = "sha256:70734c46e0bbeb7f45b721756ba0b2f1f1e1ef85a11e10d5a488f06b257dadd9"
+size = 195648709
+url = "https://corretto.aws/downloads/resources/11.0.28.6.1/amazon-corretto-11.0.28.6.1-linux-x64.tar.gz"
+
+[[tools.node]]
+version = "20.19.5"
+backend = "core:node"
+
+[tools.node.platforms.linux-x64]
+checksum = "sha256:4eba5fbe1fb10753bc06e42f001a91c5cec16798b7764a3e9257adc59af47fe1"
+size = 47041607
+url = "https://nodejs.org/dist/v20.19.5/node-v20.19.5-linux-x64.tar.gz"
+
+[[tools."npm:yarn"]]
+version = "1.22.22"
+backend = "npm:yarn"
+
+[[tools.pulumi]]
+version = "3.192.0"
+backend = "aqua:pulumi/pulumi"
+
+[tools.pulumi.platforms.linux-x64]
+checksum = "sha512:6351213bee02ade5b76407d9b43cdb243fa461ca38231b03410de5aa1f697e55ab6467da2a9e37ebbff7be6cd3485d833e9ad8f29d4de6919bbdd471fb25e45a"
+size = 92867578
+url = "https://github.com/pulumi/pulumi/releases/download/v3.192.0/pulumi-v3.192.0-linux-x64.tar.gz"
+
+[[tools.python]]
+version = "3.11.8"
+backend = "core:python"

.config/mise.test.toml

@@ -0,0 +1,11 @@
+# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
+
+# Overrides for test workflows
+
+[env]
+# Acceptance (specifically providertest) tests require that PULUMI_HOME be the default
+PULUMI_HOME = "{{ env.HOME }}/.pulumi"
+
+[tools]
+# always use pulumi latest for tests
+pulumi = "latest"

.config/mise.toml

@@ -0,0 +1,29 @@
+# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
+# You can create your own root-level mise.toml file to override/augment this. See https://mise.jdx.dev/configuration.html
+
+[env]
+_.source = "{{config_root}}/scripts/get-versions.sh"
+PULUMI_HOME = "{{config_root}}/.pulumi"
+
+[tools]
+
+# Runtimes
+# TODO: we may not need `get_env` once https://github.com/jdx/mise/discussions/6339 is fixed
+go = "{{ get_env(name='GO_VERSION_MISE', default='latest') }}"
+node = '20.19.5'
+python = '3.11.8'
+dotnet = '8.0.414'
+# Corretto version used as Java SE/OpenJDK version no longer offered
+java = 'corretto-11'
+
+# Executable tools
+pulumi = "{{ get_env(name='PULUMI_VERSION_MISE', default='latest') }}"
+"github:pulumi/pulumictl" = 'latest'
+"github:pulumi/schema-tools" = "latest"
+gradle = '7.6'
+golangci-lint = "1.64.8" # See note about about overrides if you need to customize this.
+"npm:yarn" = "1.22.22"
+
+[settings]
+experimental = true # Required for Go binaries (e.g. pulumictl).
+lockfile = true

.github/workflows/build.yml

@@ -16,9 +16,7 @@ on:
   workflow_dispatch: {}
 env:
   PROVIDER: docker-build
-  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
   TRAVIS_OS_NAME: linux
-  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
   GOVERSION: "1.21.x"
   NODEVERSION: "20.x"
   PYTHONVERSION: "3.11.8"
@@ -42,6 +40,9 @@ jobs:
   prerequisites:
     runs-on: ubuntu-latest
     name: prerequisites
+    permissions:
+      id-token: write # For ESC secrets.
+      pull-requests: write # For schema check comment.
     steps:
     - name: Checkout Repo
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -49,12 +50,13 @@ jobs:
         lfs: true    
     - env:
         ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
         ESC_ACTION_OIDC_AUTH: "true"
         ESC_ACTION_OIDC_ORGANIZATION: pulumi
         ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
       id: esc-secrets
       name: Fetch secrets from ESC
-      uses: pulumi/esc-action@v1
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -123,6 +125,7 @@ jobs:
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
+          sdk/java/build.gradle
     - name: Commit SDK changes for Renovate
       if: failure() && steps.worktreeClean.outcome == 'failure' &&
         contains(github.actor, 'renovate') && github.event_name ==
@@ -189,7 +192,7 @@ jobs:
         DOCKER_HUB_PASSWORD: ${{ steps.esc-secrets.outputs.DOCKER_HUB_PASSWORD }}
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: Upload coverage reports to Codecov
-      uses: codecov/codecov-action@fdcc8476540edceab3de004e990f80d881c6cc00 # v5.5.0
+      uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
       env:
         CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
     - if: failure() && github.event_name == 'push'
@@ -224,12 +227,13 @@ jobs:
         lfs: true    
     - env:
         ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
         ESC_ACTION_OIDC_AUTH: "true"
         ESC_ACTION_OIDC_ORGANIZATION: pulumi
         ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
       id: esc-secrets
       name: Fetch secrets from ESC
-      uses: pulumi/esc-action@v1
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -249,7 +253,7 @@ jobs:
     - name: Install Pulumi CLI
       uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Node
-      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
+      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
@@ -258,7 +262,7 @@ jobs:
       with:
         dotnet-version: ${{ env.DOTNETVERSION }}
     - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: ${{ env.PYTHONVERSION }}
     - name: Setup Java
@@ -268,7 +272,7 @@ jobs:
         distribution: temurin
         cache: gradle
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
+      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
       with:
         gradle-version: "7.6"
     - name: Download provider
@@ -297,6 +301,7 @@ jobs:
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
+          sdk/java/build.gradle
     - name: Commit SDK changes for Renovate
       if: failure() && steps.worktreeClean.outcome == 'failure' &&
         contains(github.actor, 'renovate') && github.event_name ==
@@ -378,12 +383,13 @@ jobs:
         lfs: true    
     - env:
         ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
         ESC_ACTION_OIDC_AUTH: "true"
         ESC_ACTION_OIDC_ORGANIZATION: pulumi
         ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
       id: esc-secrets
       name: Fetch secrets from ESC
-      uses: pulumi/esc-action@v1
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - name: check if this commit needs release
       if: ${{ env.RELEASE_BOT_ENDPOINT != '' }}
       uses: pulumi/action-release-by-pr-label@main
@@ -422,12 +428,13 @@ jobs:
         lfs: true    
     - env:
         ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
         ESC_ACTION_OIDC_AUTH: "true"
         ESC_ACTION_OIDC_ORGANIZATION: pulumi
         ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
       id: esc-secrets
       name: Fetch secrets from ESC
-      uses: pulumi/esc-action@v1
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -447,7 +454,7 @@ jobs:
     - name: Install Pulumi CLI
       uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Node
-      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
+      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
@@ -456,7 +463,7 @@ jobs:
       with:
         dotnet-version: ${{ env.DOTNETVERSION }}
     - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: ${{ env.PYTHONVERSION }}
     - name: Setup Java
@@ -466,7 +473,7 @@ jobs:
         distribution: temurin
         cache: gradle
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
+      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
       with:
         gradle-version: "7.6"
     - name: Download provider
@@ -562,12 +569,13 @@ jobs:
         lfs: true    
     - env:
         ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
         ESC_ACTION_OIDC_AUTH: "true"
         ESC_ACTION_OIDC_ORGANIZATION: pulumi
         ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
       id: esc-secrets
       name: Fetch secrets from ESC
-      uses: pulumi/esc-action@v1
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -596,7 +604,7 @@ jobs:
     - name: Install Pulumi CLI
       uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
+      uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
       with:
         aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }}
         aws-region: us-east-2
@@ -641,12 +649,13 @@ jobs:
         lfs: true    
     - env:
         ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
         ESC_ACTION_OIDC_AUTH: "true"
         ESC_ACTION_OIDC_ORGANIZATION: pulumi
         ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
       id: esc-secrets
       name: Fetch secrets from ESC
-      uses: pulumi/esc-action@v1
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -672,7 +681,7 @@ jobs:
     - name: Install Pulumi CLI
       uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Node
-      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
+      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
@@ -681,7 +690,7 @@ jobs:
       with:
         dotnet-version: ${{ env.DOTNETVERSION }}
     - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: ${{ env.PYTHONVERSION }}
     - name: Download python SDK
@@ -753,8 +762,7 @@ jobs:
       uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6.5.2
       with:
         version: ${{ env.GOLANGCI_LINT_VERSION }}
-        args: -c ../.golangci.yml
+        working-directory: .
-        working-directory: provider
     name: lint
     if: github.event_name == 'repository_dispatch' ||
       github.event.pull_request.head.repo.full_name == github.repository

.github/workflows/command-dispatch.yml

@@ -19,6 +19,9 @@ jobs:
   command-dispatch-for-testing:
     name: command-dispatch-for-testing
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write # For ESC secrets.
     steps:
     - name: Checkout Repo
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -26,12 +29,13 @@ jobs:
         persist-credentials: false    
     - env:
         ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
         ESC_ACTION_OIDC_AUTH: "true"
         ESC_ACTION_OIDC_ORGANIZATION: pulumi
         ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
       id: esc-secrets
       name: Fetch secrets from ESC
-      uses: pulumi/esc-action@v1
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - uses: peter-evans/slash-command-dispatch@13bc09769d122a64f75aa5037256f6f2d78be8c4 # v4
       with:
         commands: |

.github/workflows/comment-on-stale-issues.yml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     name: Stale issue job
     steps:
-    - uses: aws-actions/stale-issue-cleanup@5650b49bcd757a078f6ca06c373d7807b773f9bc #v7.1.0
+    - uses: aws-actions/stale-issue-cleanup@5650b49bcd757a078f6ca06c373d7807b773f9bc # v7.1.0
       with:
         issue-types: issues # only look at issues (ignore pull-requests)
 

.github/workflows/prerelease.yml

@@ -7,9 +7,7 @@ on:
     - v*.*.*-**
 env:
   PROVIDER: docker-build
-  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
   TRAVIS_OS_NAME: linux
-  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
   GOVERSION: "1.21.x"
   NODEVERSION: "20.x"
   PYTHONVERSION: "3.11.8"
@@ -41,12 +39,13 @@ jobs:
         lfs: true    
     - env:
         ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
         ESC_ACTION_OIDC_AUTH: "true"
         ESC_ACTION_OIDC_ORGANIZATION: pulumi
         ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
       id: esc-secrets
       name: Fetch secrets from ESC
-      uses: pulumi/esc-action@v1
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -115,6 +114,7 @@ jobs:
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
+          sdk/java/build.gradle
     - name: Commit SDK changes for Renovate
       if: failure() && steps.worktreeClean.outcome == 'failure' &&
         contains(github.actor, 'renovate') && github.event_name ==
@@ -181,7 +181,7 @@ jobs:
         DOCKER_HUB_PASSWORD: ${{ steps.esc-secrets.outputs.DOCKER_HUB_PASSWORD }}
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: Upload coverage reports to Codecov
-      uses: codecov/codecov-action@fdcc8476540edceab3de004e990f80d881c6cc00 # v5.5.0
+      uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
       env:
         CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
     - if: failure() && github.event_name == 'push'
@@ -216,12 +216,13 @@ jobs:
         lfs: true    
     - env:
         ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
         ESC_ACTION_OIDC_AUTH: "true"
         ESC_ACTION_OIDC_ORGANIZATION: pulumi
         ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
       id: esc-secrets
       name: Fetch secrets from ESC
-      uses: pulumi/esc-action@v1
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -241,7 +242,7 @@ jobs:
     - name: Install Pulumi CLI
       uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Node
-      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
+      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
@@ -250,7 +251,7 @@ jobs:
       with:
         dotnet-version: ${{ env.DOTNETVERSION }}
     - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: ${{ env.PYTHONVERSION }}
     - name: Setup Java
@@ -260,7 +261,7 @@ jobs:
         distribution: temurin
         cache: gradle
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
+      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
       with:
         gradle-version: "7.6"
     - name: Download provider
@@ -289,6 +290,7 @@ jobs:
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
+          sdk/java/build.gradle
     - name: Commit ${{ matrix.language }} SDK changes for Renovate
       if: failure() && steps.worktreeClean.outcome == 'failure' &&
         contains(github.actor, 'renovate') && github.event_name ==
@@ -379,12 +381,13 @@ jobs:
         lfs: true    
     - env:
         ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
         ESC_ACTION_OIDC_AUTH: "true"
         ESC_ACTION_OIDC_ORGANIZATION: pulumi
         ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
       id: esc-secrets
       name: Fetch secrets from ESC
-      uses: pulumi/esc-action@v1
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -404,7 +407,7 @@ jobs:
     - name: Install Pulumi CLI
       uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Node
-      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
+      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
@@ -413,7 +416,7 @@ jobs:
       with:
         dotnet-version: ${{ env.DOTNETVERSION }}
     - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: ${{ env.PYTHONVERSION }}
     - name: Setup Java
@@ -423,7 +426,7 @@ jobs:
         distribution: temurin
         cache: gradle
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
+      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
       with:
         gradle-version: "7.6"
     - name: Download provider
@@ -519,12 +522,13 @@ jobs:
         lfs: true    
     - env:
         ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
         ESC_ACTION_OIDC_AUTH: "true"
         ESC_ACTION_OIDC_ORGANIZATION: pulumi
         ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
       id: esc-secrets
       name: Fetch secrets from ESC
-      uses: pulumi/esc-action@v1
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -553,7 +557,7 @@ jobs:
     - name: Install Pulumi CLI
       uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
+      uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
       with:
         aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }}
         aws-region: us-east-2
@@ -598,12 +602,13 @@ jobs:
         lfs: true    
     - env:
         ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
         ESC_ACTION_OIDC_AUTH: "true"
         ESC_ACTION_OIDC_ORGANIZATION: pulumi
         ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
       id: esc-secrets
       name: Fetch secrets from ESC
-      uses: pulumi/esc-action@v1
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -629,7 +634,7 @@ jobs:
     - name: Install Pulumi CLI
       uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Node
-      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
+      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
@@ -638,7 +643,7 @@ jobs:
       with:
         dotnet-version: ${{ env.DOTNETVERSION }}
     - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: ${{ env.PYTHONVERSION }}
     - name: Download python SDK
@@ -699,12 +704,13 @@ jobs:
         lfs: true    
     - env:
         ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
         ESC_ACTION_OIDC_AUTH: "true"
         ESC_ACTION_OIDC_ORGANIZATION: pulumi
         ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
       id: esc-secrets
       name: Fetch secrets from ESC
-      uses: pulumi/esc-action@v1
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -730,7 +736,7 @@ jobs:
         distribution: temurin
         cache: gradle
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
+      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
       with:
         gradle-version: "7.6"
     - name: Download java SDK
@@ -742,7 +748,7 @@ jobs:
       run: tar -zxf ${{github.workspace}}/sdk/java.tar.gz -C
         ${{github.workspace}}/sdk/java
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
+      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
       with:
         gradle-version: "7.6"
     - name: Publish Java SDK

.github/workflows/release.yml

@@ -8,9 +8,7 @@ on:
     - "!v*.*.*-**"
 env:
   PROVIDER: docker-build
-  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
   TRAVIS_OS_NAME: linux
-  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
   GOVERSION: "1.21.x"
   NODEVERSION: "20.x"
   PYTHONVERSION: "3.11.8"
@@ -44,12 +42,13 @@ jobs:
         lfs: true    
     - env:
         ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
         ESC_ACTION_OIDC_AUTH: "true"
         ESC_ACTION_OIDC_ORGANIZATION: pulumi
         ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
       id: esc-secrets
       name: Fetch secrets from ESC
-      uses: pulumi/esc-action@v1
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -118,6 +117,7 @@ jobs:
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
+          sdk/java/build.gradle
     - name: Commit SDK changes for Renovate
       if: failure() && steps.worktreeClean.outcome == 'failure' &&
         contains(github.actor, 'renovate') && github.event_name ==
@@ -184,7 +184,7 @@ jobs:
         DOCKER_HUB_PASSWORD: ${{ steps.esc-secrets.outputs.DOCKER_HUB_PASSWORD }}
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: Upload coverage reports to Codecov
-      uses: codecov/codecov-action@fdcc8476540edceab3de004e990f80d881c6cc00 # v5.5.0
+      uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
       env:
         CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
     - if: failure() && github.event_name == 'push'
@@ -219,12 +219,13 @@ jobs:
         lfs: true    
     - env:
         ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
         ESC_ACTION_OIDC_AUTH: "true"
         ESC_ACTION_OIDC_ORGANIZATION: pulumi
         ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
       id: esc-secrets
       name: Fetch secrets from ESC
-      uses: pulumi/esc-action@v1
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -244,7 +245,7 @@ jobs:
     - name: Install Pulumi CLI
       uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Node
-      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
+      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
@@ -253,7 +254,7 @@ jobs:
       with:
         dotnet-version: ${{ env.DOTNETVERSION }}
     - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: ${{ env.PYTHONVERSION }}
     - name: Setup Java
@@ -263,7 +264,7 @@ jobs:
         distribution: temurin
         cache: gradle
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
+      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
       with:
         gradle-version: "7.6"
     - name: Download provider
@@ -292,6 +293,7 @@ jobs:
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
+          sdk/java/build.gradle
     - name: Commit SDK changes for Renovate
       if: failure() && steps.worktreeClean.outcome == 'failure' &&
         contains(github.actor, 'renovate') && github.event_name ==
@@ -382,12 +384,13 @@ jobs:
         lfs: true    
     - env:
         ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
         ESC_ACTION_OIDC_AUTH: "true"
         ESC_ACTION_OIDC_ORGANIZATION: pulumi
         ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
       id: esc-secrets
       name: Fetch secrets from ESC
-      uses: pulumi/esc-action@v1
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -407,7 +410,7 @@ jobs:
     - name: Install Pulumi CLI
       uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Node
-      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
+      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
@@ -416,7 +419,7 @@ jobs:
       with:
         dotnet-version: ${{ env.DOTNETVERSION }}
     - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: ${{ env.PYTHONVERSION }}
     - name: Setup Java
@@ -426,7 +429,7 @@ jobs:
         distribution: temurin
         cache: gradle
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
+      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
       with:
         gradle-version: "7.6"
     - name: Download provider
@@ -522,12 +525,13 @@ jobs:
         lfs: true    
     - env:
         ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
         ESC_ACTION_OIDC_AUTH: "true"
         ESC_ACTION_OIDC_ORGANIZATION: pulumi
         ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
       id: esc-secrets
       name: Fetch secrets from ESC
-      uses: pulumi/esc-action@v1
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -556,7 +560,7 @@ jobs:
     - name: Install Pulumi CLI
       uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
+      uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
       with:
         aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }}
         aws-region: us-east-2
@@ -601,12 +605,13 @@ jobs:
         lfs: true    
     - env:
         ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
         ESC_ACTION_OIDC_AUTH: "true"
         ESC_ACTION_OIDC_ORGANIZATION: pulumi
         ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
       id: esc-secrets
       name: Fetch secrets from ESC
-      uses: pulumi/esc-action@v1
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -632,7 +637,7 @@ jobs:
     - name: Install Pulumi CLI
       uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Node
-      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
+      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
@@ -641,7 +646,7 @@ jobs:
       with:
         dotnet-version: ${{ env.DOTNETVERSION }}
     - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: ${{ env.PYTHONVERSION }}
     - name: Download python SDK
@@ -702,12 +707,13 @@ jobs:
         lfs: true    
     - env:
         ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
         ESC_ACTION_OIDC_AUTH: "true"
         ESC_ACTION_OIDC_ORGANIZATION: pulumi
         ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
       id: esc-secrets
       name: Fetch secrets from ESC
-      uses: pulumi/esc-action@v1
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -733,7 +739,7 @@ jobs:
         distribution: temurin
         cache: gradle
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
+      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
       with:
         gradle-version: "7.6"
     - name: Download java SDK
@@ -745,7 +751,7 @@ jobs:
       run: tar -zxf ${{github.workspace}}/sdk/java.tar.gz -C
         ${{github.workspace}}/sdk/java
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
+      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
       with:
         gradle-version: "7.6"
     - name: Publish Java SDK
@@ -804,12 +810,13 @@ jobs:
         lfs: true    
     - env:
         ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
         ESC_ACTION_OIDC_AUTH: "true"
         ESC_ACTION_OIDC_ORGANIZATION: pulumi
         ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
       id: esc-secrets
       name: Fetch secrets from ESC
-      uses: pulumi/esc-action@v1
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - name: Install pulumictl
       uses: jaxxstorm/action-install-gh-release@6096f2a2bbfee498ced520b6922ac2c06e990ed2 # v2.1.0
       with:

.github/workflows/release_command.yml

@@ -16,12 +16,13 @@ jobs:
         persist-credentials: false    
     - env:
         ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
         ESC_ACTION_OIDC_AUTH: "true"
         ESC_ACTION_OIDC_ORGANIZATION: pulumi
         ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
       id: esc-secrets
       name: Fetch secrets from ESC
-      uses: pulumi/esc-action@v1
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - name: Should release PR
       uses: pulumi/action-release-by-pr-label@main
       with:
@@ -36,7 +37,7 @@ jobs:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - if: failure()
       name: Notify failure
-      uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
@@ -45,7 +46,7 @@ jobs:
           "release command failed: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
     - if: success()
       name: Notify success
-      uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         repository: ${{ github.event.client_payload.github.payload.repository.full_name }}

.github/workflows/run-acceptance-tests.yml

@@ -11,9 +11,7 @@ on:
   workflow_dispatch: {}
 env:
   PROVIDER: docker-build
-  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
   TRAVIS_OS_NAME: linux
-  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
   GOVERSION: "1.21.x"
   NODEVERSION: "20.x"
   PYTHONVERSION: "3.11.8"
@@ -51,7 +49,7 @@ jobs:
         "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
         >> "$GITHUB_OUTPUT"
     - name: Update with Result
-      uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
@@ -72,12 +70,13 @@ jobs:
         ref: ${{ env.PR_COMMIT_SHA }}    
     - env:
         ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
         ESC_ACTION_OIDC_AUTH: "true"
         ESC_ACTION_OIDC_ORGANIZATION: pulumi
         ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
       id: esc-secrets
       name: Fetch secrets from ESC
-      uses: pulumi/esc-action@v1
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -146,6 +145,7 @@ jobs:
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
+          sdk/java/build.gradle
     - name: Commit SDK changes for Renovate
       if: failure() && steps.worktreeClean.outcome == 'failure' &&
         contains(github.actor, 'renovate') && github.event_name ==
@@ -212,7 +212,7 @@ jobs:
         DOCKER_HUB_PASSWORD: ${{ steps.esc-secrets.outputs.DOCKER_HUB_PASSWORD }}
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - name: Upload coverage reports to Codecov
-      uses: codecov/codecov-action@fdcc8476540edceab3de004e990f80d881c6cc00 # v5.5.0
+      uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
       env:
         CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
     - if: failure() && github.event_name == 'push'
@@ -251,12 +251,13 @@ jobs:
         ref: ${{ env.PR_COMMIT_SHA }}    
     - env:
         ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
         ESC_ACTION_OIDC_AUTH: "true"
         ESC_ACTION_OIDC_ORGANIZATION: pulumi
         ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
       id: esc-secrets
       name: Fetch secrets from ESC
-      uses: pulumi/esc-action@v1
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -276,7 +277,7 @@ jobs:
     - name: Install Pulumi CLI
       uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Node
-      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
+      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
@@ -285,7 +286,7 @@ jobs:
       with:
         dotnet-version: ${{ env.DOTNETVERSION }}
     - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: ${{ env.PYTHONVERSION }}
     - name: Setup Java
@@ -295,7 +296,7 @@ jobs:
         distribution: temurin
         cache: gradle
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
+      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
       with:
         gradle-version: "7.6"
     - name: Download provider
@@ -324,6 +325,7 @@ jobs:
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
+          sdk/java/build.gradle
     - name: Commit SDK changes for Renovate
       if: failure() && steps.worktreeClean.outcome == 'failure' &&
         contains(github.actor, 'renovate') && github.event_name ==
@@ -418,12 +420,13 @@ jobs:
         ref: ${{ env.PR_COMMIT_SHA }}    
     - env:
         ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
         ESC_ACTION_OIDC_AUTH: "true"
         ESC_ACTION_OIDC_ORGANIZATION: pulumi
         ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
       id: esc-secrets
       name: Fetch secrets from ESC
-      uses: pulumi/esc-action@v1
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - id: version
       name: Set Provider Version
       uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
@@ -443,7 +446,7 @@ jobs:
     - name: Install Pulumi CLI
       uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Node
-      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
+      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
@@ -452,7 +455,7 @@ jobs:
       with:
         dotnet-version: ${{ env.DOTNETVERSION }}
     - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: ${{ env.PYTHONVERSION }}
     - name: Setup Java
@@ -462,7 +465,7 @@ jobs:
         distribution: temurin
         cache: gradle
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
+      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
       with:
         gradle-version: "7.6"
     - name: Download provider
@@ -558,12 +561,13 @@ jobs:
         ref: ${{ env.PR_COMMIT_SHA }}    
     - env:
         ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
         ESC_ACTION_OIDC_AUTH: "true"
         ESC_ACTION_OIDC_ORGANIZATION: pulumi
         ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
       id: esc-secrets
       name: Fetch secrets from ESC
-      uses: pulumi/esc-action@v1
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - name: Mark workflow as successful
       uses: guibranco/github-status-action-v2@0849440ec82c5fa69b2377725b9b7852a3977e76 # v1.1.13
       with:
@@ -602,8 +606,7 @@ jobs:
       uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6.5.2
       with:
         version: ${{ env.GOLANGCI_LINT_VERSION }}
-        args: -c ../.golangci.yml
+        working-directory: .
-        working-directory: provider
     name: lint
     if: github.event_name == 'repository_dispatch' ||
       github.event.pull_request.head.repo.full_name == github.repository

.github/workflows/weekly-pulumi-update.yml

@@ -8,9 +8,7 @@ on:
 env:
   GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
   PROVIDER: docker-build
-  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
   TRAVIS_OS_NAME: linux
-  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
   GOVERSION: "1.21.x"
   NODEVERSION: "20.x"
   PYTHONVERSION: "3.11.8"
@@ -41,12 +39,13 @@ jobs:
         lfs: true    
     - env:
         ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
         ESC_ACTION_OIDC_AUTH: "true"
         ESC_ACTION_OIDC_ORGANIZATION: pulumi
         ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
       id: esc-secrets
       name: Fetch secrets from ESC
-      uses: pulumi/esc-action@v1
+      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - name: Install Go
       uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
       with:
@@ -63,12 +62,12 @@ jobs:
       with:
         dotnet-version: ${{ env.DOTNETVERSION }}
     - name: Setup Node
-      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
+      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
     - name: Setup Python
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: ${{ env.PYTHONVERSION }}
     - name: Setup Java
@@ -78,7 +77,7 @@ jobs:
         distribution: temurin
         cache: gradle
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@017a9effdb900e5b5b2fddfb590a105619dca3c3 # v4.4.2
+      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
       with:
         gradle-version: "7.6"
     - name: Update Pulumi/Pulumi

CHANGELOG.md

@@ -1,5 +1,15 @@
 ## Unreleased
 
+## Changed
+
+- Arguments `CacheFromGitHubActions.URL` and `CacheFromGitHubActions.Token` have been removed. If the previous behaviour is desired, set the `ACTIONS_CACHE_URL` and `ACTIONS_RUNTIME_TOKEN` environment variables. (https://github.com/pulumi/pulumi-docker-build/issues/75)
+
+## 0.0.14 (2025-09-30)
+
+### Fixed
+
+- A warning is no longer emitted for the reserved `__internal` key. (https://github.com/pulumi/pulumi-docker-build/issues/579)
+
 ## 0.0.13 (2025-08-27)
 
 ### Changed

Makefile

@@ -17,8 +17,9 @@ WORKING_DIR      := $(shell pwd)
 EXAMPLES_DIR     := ${WORKING_DIR}/examples/yaml
 TESTPARALLELISM  := 4
 
-PULUMI           := bin/pulumi
+PULUMI           := pulumi
-GOGLANGCILINT    := bin/golangci-lint
+GOGLANGCILINT    := golangci-lint
+GOTEST           := go test
 
 # Override during CI using `make [TARGET] PROVIDER_VERSION=""` or by setting a PROVIDER_VERSION environment variable
 # Local & branch builds will just used this fixed default version unless specified
@@ -46,10 +47,10 @@ provider_debug::
 	(cd provider && go build -o $(WORKING_DIR)/bin/${PROVIDER} -gcflags="all=-N -l" -ldflags "-X ${PROJECT}/${VERSION_PATH}=${VERSION_GENERIC}" $(PROJECT)/${PROVIDER_PATH}/cmd/$(PROVIDER))
 
 test_provider:: # Required by CI
-	go test -short -v -coverprofile="coverage.txt" -coverpkg=./provider/... -timeout 2h -parallel ${TESTPARALLELISM} ./provider/...
+	${GOTEST} -short -v -coverprofile="coverage.txt" -coverpkg=./provider/... -timeout 2h -parallel ${TESTPARALLELISM} ./provider/...
 
 test_examples: install_nodejs_sdk install_dotnet_sdk
-	go test -short -v -cover -tags=all -timeout 2h -parallel ${TESTPARALLELISM} ./examples/...
+	${GOTEST} -short -v -cover -tags=all -timeout 2h -parallel ${TESTPARALLELISM} ./examples/...
 
 test_all:: test_provider test_examples
 
@@ -63,38 +64,26 @@ examples/yaml:
 	rm -rf ${WORKING_DIR}/examples/yaml/app
 	cp -r ${WORKING_DIR}/examples/app ${WORKING_DIR}/examples/yaml/app
 
-examples/go: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/go: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,go)
 	@git checkout examples/go/go.mod
 
-examples/nodejs: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/nodejs: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,nodejs)
 	@git checkout examples/nodejs/package.json
 
-examples/python: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/python: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,python)
 	@git checkout examples/python/requirements.txt
 
-examples/dotnet: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/dotnet: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,dotnet)
 	@git checkout examples/dotnet/provider-docker-build.csproj
 
-examples/java: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/java: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,java)
 	@git checkout examples/java/pom.xml
 
-${PULUMI}: go.sum
-	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi/pkg/v3/cmd/pulumi
-	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi/sdk/go/pulumi-language-go/v3
-	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi/sdk/nodejs/cmd/pulumi-language-nodejs/v3
-	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi/sdk/python/cmd/pulumi-language-python/v3
-	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi-java/pkg/cmd/pulumi-language-java
-	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3
-	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi-yaml/cmd/pulumi-converter-yaml
-
-${GOGLANGCILINT}: go.sum
-	GOBIN=${WORKING_DIR}/bin go install github.com/golangci/golangci-lint/cmd/golangci-lint@8b37f14
-
 define pulumi_login
     export PULUMI_CONFIG_PASSPHRASE=asdfqwerty1234; \
     pulumi login --local;
@@ -102,7 +91,7 @@ endef
 
 define example
 	rm -rf ${WORKING_DIR}/examples/$(1)
-	$(PULUMI) convert \
+	pulumi convert \
 		--cwd ${WORKING_DIR}/examples/yaml \
 		--logtostderr \
 		--generate-only \
@@ -140,7 +129,7 @@ build:: provider sdk/dotnet sdk/go sdk/nodejs sdk/python sdk/java ${SCHEMA_PATH}
 only_build:: build
 
 .PHONY: lint
-lint: ${GOGLANGCILINT}
+lint:
 	${GOGLANGCILINT} run --fix -c .golangci.yml
 
 install:: install_nodejs_sdk install_dotnet_sdk
@@ -205,7 +194,7 @@ sdk: sdk/python sdk/nodejs sdk/java sdk/python sdk/go sdk/dotnet
 .PHONY: sdk/*
 
 sdk/python: TMPDIR := $(shell mktemp -d)
-sdk/python: $(PULUMI) bin/${PROVIDER}
+sdk/python: bin/${PROVIDER}
 	rm -rf sdk/python
 	$(PULUMI) package gen-sdk ./bin/$(PROVIDER) --language python -o ${TMPDIR}
 	cp README.md ${TMPDIR}/python/
@@ -218,7 +207,7 @@ sdk/python: $(PULUMI) bin/${PROVIDER}
 	mv -f ${TMPDIR}/python ${WORKING_DIR}/sdk/.
 
 sdk/nodejs: TMPDIR := $(shell mktemp -d)
-sdk/nodejs: $(PULUMI) bin/${PROVIDER}
+sdk/nodejs: bin/${PROVIDER}
 	rm -rf sdk/nodejs
 	$(PULUMI) package gen-sdk ./bin/$(PROVIDER) --language nodejs -o ${TMPDIR}
 	cp README.md LICENSE ${TMPDIR}/nodejs
@@ -230,7 +219,7 @@ sdk/nodejs: $(PULUMI) bin/${PROVIDER}
 
 sdk/go: TMPDIR := $(shell mktemp -d)
 sdk/go: PATH := "$(WORKING_DIR)/bin:$(PATH)"
-sdk/go: $(PULUMI) bin/${PROVIDER}
+sdk/go: bin/${PROVIDER}
 	rm -rf sdk/go
 	PATH=$(PATH) $(PULUMI) package gen-sdk ./bin/$(PROVIDER) --language go -o ${TMPDIR}
 	cp go.mod ${TMPDIR}/go/dockerbuild/go.mod
@@ -240,7 +229,7 @@ sdk/go: $(PULUMI) bin/${PROVIDER}
 	mv -f ${TMPDIR}/go ${WORKING_DIR}/sdk/go
 
 sdk/dotnet: TMPDIR := $(shell mktemp -d)
-sdk/dotnet: $(PULUMI) bin/${PROVIDER}
+sdk/dotnet: bin/${PROVIDER}
 	rm -rf sdk/dotnet
 	$(PULUMI) package gen-sdk ./bin/${PROVIDER} --language dotnet -o ${TMPDIR}
 	cd ${TMPDIR}/dotnet/ && \
@@ -250,7 +239,7 @@ sdk/dotnet: $(PULUMI) bin/${PROVIDER}
 
 sdk/java: PACKAGE_VERSION := $(shell pulumictl convert-version --language generic -v "$(VERSION_GENERIC)")
 sdk/java: TMPDIR := $(shell mktemp -d)
-sdk/java: $(PULUMI) bin/${PROVIDER}
+sdk/java: bin/${PROVIDER}
 	rm -rf sdk/java
 	$(PULUMI) package gen-sdk --language java ./bin/${PROVIDER} -o ${TMPDIR}
 	cd ${TMPDIR}/java/ && gradle --console=plain build

docs/_index.md

@@ -0,0 +1,428 @@
+---
+title: Docker Build
+meta_desc: Provides an overview of the Docker Build Provider for Pulumi.
+layout: package
+---
+
+The Docker Build provider leverages [buildx and BuildKit](https://docs.docker.com/build/architecture/) to build modern Docker images with Pulumi.
+
+Not to be confused with the earlier
+[Docker](../docker) provider, which is still
+appropriate for managing resources unrelated to building images.
+
+| Provider               | Use cases                                                               |
+| ----------------       | ----------------------------------------------------------------------- |
+| `@pulumi/docker-build` | Anything related to building images with `docker build`.                |
+| `@pulumi/docker`       | Everything else -- including running containers and creating networks.  |
+
+## Example
+
+If your Pulumi program has a directory called `app` alongside it, containing a
+file named "Dockerfile" (which can be as simple as `FROM alpine` for the
+purpose of example), then the code below shows how to build a multi-platform
+image, publish it to a remote AWS ECR registry, and use an [inline
+cache](https://docs.docker.com/build/cache/backends/inline/) to speed up
+subsequent builds.
+
+{{< chooser language "typescript,python,csharp,go,yaml,java" / >}}
+
+{{% choosable language typescript %}}
+
+```typescript
+import * as aws from "@pulumi/aws";
+import * as docker_build from "@pulumi/docker-build";
+
+// Create an ECR repository for pushing.
+const ecrRepository = new aws.ecr.Repository("ecr-repository", {});
+
+// Grab auth credentials for ECR.
+const authToken = aws.ecr.getAuthorizationTokenOutput({
+    registryId: ecrRepository.registryId,
+});
+
+// Build and push an image to ECR with inline caching.
+const myImage = new docker_build.Image("my-image", {
+    // Tag our image with our ECR repository's address.
+    tags: [pulumi.interpolate`${ecrRepository.repositoryUrl}:latest`],
+    context: {
+        location: "./app",
+    },
+    // Use the pushed image as a cache source.
+    cacheFrom: [{
+        registry: {
+            ref: pulumi.interpolate`${ecrRepository.repositoryUrl}:latest`,
+        },
+    }],
+    // Include an inline cache with our pushed image.
+    cacheTo: [{
+        inline: {},
+    }],
+    // Build a multi-platform image manifest for ARM and AMD.
+    platforms: [
+        "linux/amd64",
+        "linux/arm64",
+    ],
+    // Push the final result to ECR.
+    push: true,
+    // Provide our ECR credentials.
+    registries: [{
+        address: ecrRepository.repositoryUrl,
+        password: authToken.password,
+        username: authToken.userName,
+    }],
+});
+
+// Export a ref for the pushed images so we can deploy it.
+export const ref = myImage.ref;
+```
+
+{{% /choosable %}}
+
+{{% choosable language python %}}
+
+```python
+import pulumi
+import pulumi_aws as aws
+import pulumi_docker_build as docker_build
+
+# Create an ECR repository for pushing.
+ecr_repository = aws.ecr.Repository("ecr-repository")
+
+# Grab auth credentials for ECR.
+auth_token = aws.ecr.get_authorization_token_output(registry_id=ecr_repository.registry_id)
+
+# Build and push an image to ECR with inline caching.
+my_image = docker_build.Image("my-image",
+    # Tag our image with our ECR repository's address.
+    tags=[ecr_repository.repository_url.apply(lambda repository_url: f"{repository_url}:latest")],
+    context=docker_build.BuildContextArgs(
+        location="./app",
+    ),
+    # Use the pushed image as a cache source.
+    cache_from=[docker_build.CacheFromArgs(
+        registry=docker_build.CacheFromRegistryArgs(
+            ref=ecr_repository.repository_url.apply(lambda repository_url: f"{repository_url}:latest"),
+        ),
+    )],
+    # Include an inline cache with our pushed image.
+    cache_to=[docker_build.CacheToArgs(
+        inline=docker_build.CacheToInlineArgs(),
+    )],
+    # Build a multi-platform image manifest for ARM and AMD.
+    platforms=[
+        docker_build.Platform.LINUX_AMD64,
+        docker_build.Platform.LINUX_ARM64,
+    ],
+    # Push the final result to ECR.
+    push=True,
+    # Provide our ECR credentials.
+    registries=[docker_build.RegistryArgs(
+        address=ecr_repository.repository_url,
+        password=auth_token.password,
+        username=auth_token.user_name,
+    )],
+)
+
+# Export a ref for the pushed images so we can deploy it.
+pulumi.export("ref", my_image.ref)
+```
+
+{{% /choosable %}}
+
+{{% choosable language csharp %}}
+
+```csharp
+using System.Collections.Generic;
+using System.Linq;
+using Pulumi;
+using Aws = Pulumi.Aws;
+using DockerBuild = Pulumi.DockerBuild;
+
+return await Deployment.RunAsync(() =>
+{
+    // Create an ECR repository for pushing.
+    var ecrRepository = new Aws.Ecr.Repository("ecr-repository");
+
+    // Grab auth credentials for ECR.
+    var authToken = Aws.Ecr.GetAuthorizationToken.Invoke(new()
+    {
+        RegistryId = ecrRepository.RegistryId,
+    });
+
+    // Build and push an image to ECR with inline caching.
+    var myImage = new DockerBuild.Image("my-image", new()
+    {
+        // Tag our image with our ECR repository's address.
+        Tags = new[]
+        {
+            ecrRepository.RepositoryUrl.Apply(repositoryUrl => $"{repositoryUrl}:latest"),
+        },
+        Context = new DockerBuild.Inputs.BuildContextArgs
+        {
+            Location = "./app",
+        },
+        // Use the pushed image as a cache source.
+        CacheFrom = new[]
+        {
+            new DockerBuild.Inputs.CacheFromArgs
+            {
+                Registry = new DockerBuild.Inputs.CacheFromRegistryArgs
+                {
+                    Ref = ecrRepository.RepositoryUrl.Apply(repositoryUrl => $"{repositoryUrl}:latest"),
+                },
+            },
+        },
+        // Include an inline cache with our pushed image.
+        CacheTo = new[]
+        {
+            new DockerBuild.Inputs.CacheToArgs
+            {
+                Inline = null,
+            },
+        },
+        // Build a multi-platform image manifest for ARM and AMD.
+        Platforms = new[]
+        {
+            DockerBuild.Platform.Linux_amd64,
+            DockerBuild.Platform.Linux_arm64,
+        },
+        // Push the final result to ECR.
+        Push = true,
+        // Provide our ECR credentials.
+        Registries = new[]
+        {
+            new DockerBuild.Inputs.RegistryArgs
+            {
+                Address = ecrRepository.RepositoryUrl,
+                Password = authToken.Apply(getAuthorizationTokenResult => getAuthorizationTokenResult.Password),
+                Username = authToken.Apply(getAuthorizationTokenResult => getAuthorizationTokenResult.UserName),
+            },
+        },
+    });
+
+    // Export a ref for the pushed images so we can deploy it.
+    return new Dictionary<string, object?>
+    {
+        ["ref"] = myImage.Ref,
+    };
+});
+
+```
+
+{{% /choosable %}}
+
+{{% choosable language go %}}
+
+```go
+package main
+
+import (
+    "fmt"
+
+    "github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ecr"
+    "github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild"
+    "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
+)
+
+func main() {
+    pulumi.Run(func(ctx *pulumi.Context) error {
+        // Create an ECR repository for pushing.
+        ecrRepository, err := ecr.NewRepository(ctx, "ecr-repository", nil)
+        if err != nil {
+            return err
+        }
+
+        // Grab auth credentials for ECR.
+        authToken := ecr.GetAuthorizationTokenOutput(ctx, ecr.GetAuthorizationTokenOutputArgs{
+            RegistryId: ecrRepository.RegistryId,
+        }, nil)
+
+        // Build and push an image to ECR with inline caching.
+        myImage, err := dockerbuild.NewImage(ctx, "my-image", &dockerbuild.ImageArgs{
+            // Tag our image with our ECR repository's address.
+            Tags: pulumi.StringArray{
+                ecrRepository.RepositoryUrl.ApplyT(func(repositoryUrl string) (string, error) {
+                    return fmt.Sprintf("%v:latest", repositoryUrl), nil
+                }).(pulumi.StringOutput),
+            },
+            Context: &dockerbuild.BuildContextArgs{
+                Location: pulumi.String("./app"),
+            },
+            // Use the pushed image as a cache source.
+            CacheFrom: dockerbuild.CacheFromArray{
+                &dockerbuild.CacheFromArgs{
+                    Registry: &dockerbuild.CacheFromRegistryArgs{
+                        Ref: ecrRepository.RepositoryUrl.ApplyT(func(repositoryUrl string) (string, error) {
+                            return fmt.Sprintf("%v:latest", repositoryUrl), nil
+                        }).(pulumi.StringOutput),
+                    },
+                },
+            },
+            // Include an inline cache with our pushed image.
+            CacheTo: dockerbuild.CacheToArray{
+                &dockerbuild.CacheToArgs{
+                    Inline: nil,
+                },
+            },
+            // Build a multi-platform image manifest for ARM and AMD.
+            Platforms: dockerbuild.PlatformArray{
+                dockerbuild.Platform_Linux_amd64,
+                dockerbuild.Platform_Linux_arm64,
+            },
+            // Push the final result to ECR.
+            Push: pulumi.Bool(true),
+            // Provide our ECR credentials.
+            Registries: dockerbuild.RegistryArray{
+                &dockerbuild.RegistryArgs{
+                    Address: ecrRepository.RepositoryUrl,
+                    Password: authToken.ApplyT(func(authToken ecr.GetAuthorizationTokenResult) (*string, error) {
+                        return &authToken.Password, nil
+                    }).(pulumi.StringPtrOutput),
+                    Username: authToken.ApplyT(func(authToken ecr.GetAuthorizationTokenResult) (*string, error) {
+                        return &authToken.UserName, nil
+                    }).(pulumi.StringPtrOutput),
+                },
+            },
+        })
+        if err != nil {
+            return err
+        }
+
+        // Export a ref for the pushed images so we can deploy it.
+        ctx.Export("ref", myImage.Ref)
+        return nil
+    })
+}
+```
+
+{{% /choosable %}}
+
+{{% choosable language yaml %}}
+
+```yaml
+description: Push to AWS ECR with caching
+name: ecr
+outputs:
+    ref: ${my-image.ref}
+resources:
+    # Create an ECR repository for pushing.
+    ecr-repository:
+        type: aws:ecr:Repository
+
+    # Build and push an image to ECR with inline caching.
+    my-image:
+        type: docker-build:Image
+        properties:
+            # Tag our image with our ECR repository's address.
+            tags:
+                - ${ecr-repository.repositoryUrl}:latest
+            context:
+                location: ./app
+            # Use the pushed image as a cache source.
+            cacheFrom:
+                - registry:
+                    ref: ${ecr-repository.repositoryUrl}:latest
+            # Include an inline cache with our pushed image.
+            cacheTo:
+                - inline: {}
+            # Build a multi-platform image manifest for ARM and AMD.
+            platforms:
+                - linux/amd64
+                - linux/arm64
+            # Push the final result to ECR.
+            push: true
+            # Provide our ECR credentials.
+            registries:
+                - address: ${ecr-repository.repositoryUrl}
+                  password: ${auth-token.password}
+                  username: ${auth-token.userName}
+
+runtime: yaml
+variables:
+    auth-token:
+        # Grab auth credentials for ECR.
+        fn::aws:ecr:getAuthorizationToken:
+            registryId: ${ecr-repository.registryId}
+```
+
+{{% /choosable %}}
+
+{{% choosable language java %}}
+
+```java
+package myapp;
+
+import com.pulumi.Context;
+import com.pulumi.Pulumi;
+import com.pulumi.core.Output;
+import com.pulumi.aws.ecr.Repository;
+import com.pulumi.aws.ecr.EcrFunctions;
+import com.pulumi.aws.ecr.inputs.GetAuthorizationTokenArgs;
+import com.pulumi.dockerbuild.Image;
+import com.pulumi.dockerbuild.ImageArgs;
+import com.pulumi.dockerbuild.inputs.CacheFromArgs;
+import com.pulumi.dockerbuild.inputs.CacheFromRegistryArgs;
+import com.pulumi.dockerbuild.inputs.CacheToArgs;
+import com.pulumi.dockerbuild.inputs.CacheToInlineArgs;
+import com.pulumi.dockerbuild.inputs.BuildContextArgs;
+import com.pulumi.dockerbuild.inputs.RegistryArgs;
+import java.util.List;
+import java.util.ArrayList;
+import java.util.Map;
+import java.io.File;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+
+public class App {
+    public static void main(String[] args) {
+        Pulumi.run(App::stack);
+    }
+
+    public static void stack(Context ctx) {
+        // Create an ECR repository for pushing.
+        var ecrRepository = new Repository("ecrRepository");
+
+        // Grab auth credentials for ECR.
+        final var authToken = EcrFunctions.getAuthorizationToken(GetAuthorizationTokenArgs.builder()
+            .registryId(ecrRepository.registryId())
+            .build());
+
+        // Build and push an image to ECR with inline caching.
+        var myImage = new Image("myImage", ImageArgs.builder()
+            // Tag our image with our ECR repository's address.
+            .tags(ecrRepository.repositoryUrl().applyValue(repositoryUrl -> String.format("%s:latest", repositoryUrl)))
+            .context(BuildContextArgs.builder()
+                .location("./app")
+                .build())
+            // Use the pushed image as a cache source.
+            .cacheFrom(CacheFromArgs.builder()
+                .registry(CacheFromRegistryArgs.builder()
+                    .ref(ecrRepository.repositoryUrl().applyValue(repositoryUrl -> String.format("%s:latest", repositoryUrl)))
+                    .build())
+                .build())
+            // Include an inline cache with our pushed image.
+            .cacheTo(CacheToArgs.builder()
+                .inline()
+                .build())
+            // Build a multi-platform image manifest for ARM and AMD.
+            .platforms(
+                "linux/amd64",
+                "linux/arm64")
+            // Push the final result to ECR.
+            .push(true)
+            // Provide our ECR credentials.
+            .registries(RegistryArgs.builder()
+                .address(ecrRepository.repositoryUrl())
+                .password(authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult).applyValue(authToken -> authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult.password())))
+                .username(authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult).applyValue(authToken -> authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult.userName())))
+                .build())
+            .build());
+
+        ctx.export("ref", myImage.ref());
+    }
+}
+```
+
+{{% /choosable %}}
+
+{{< /chooser >}}

docs/installation-configuration.md

@@ -0,0 +1,33 @@
+---
+title: Docker-Build Installation & Configuration
+meta_desc: Provides an overview on how to configure the Pulumi Docker-Build Provider.
+layout: package
+---
+
+The Pulumi Docker-build provider builds modern Docker images with [buildx](https://docs.docker.com/reference/cli/docker/buildx/) and [BuildKit](https://docs.docker.com/build/buildkit/).
+
+## Installation
+
+The Docker-Build provider is available as a package in all Pulumi languages:
+
+* JavaScript/TypeScript: [`@pulumi/docker-build`](https://www.npmjs.com/package/@pulumi/docker-build)
+* Python: [`pulumi-docker-build`](https://pypi.org/project/pulumi-docker-build/)
+* Go: [`github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild`](https://github.com/pulumi/pulumi-docker-build)
+* .NET: [`Pulumi.DockerBuild`](https://www.nuget.org/packages/Pulumi.DockerBuild)
+* Java: [`com.pulumi/docker-build`](https://central.sonatype.com/artifact/com.pulumi/docker-build)
+
+## Configuring The Provider
+
+### Host
+
+The `DOCKER_HOST` environment variable can be used to specify a custom build daemon's location.
+
+```bash
+$ export DOCKER_HOST=tcp://127.0.0.1:2376/
+```
+
+This can also be specified in your stack's configuration:
+
+```bash
+$ pulumi config set docker-build:host tcp://127.0.0.1:2376/
+```

go.mod

@@ -16,7 +16,7 @@ require (
 	github.com/otiai10/copy v1.14.0
 	github.com/pulumi/providertest v0.3.1
 	github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3 v3.0.0-20250806132441-44ca9a522cef
-	github.com/pulumi/pulumi-go-provider v1.1.1
+	github.com/pulumi/pulumi-go-provider v1.1.2
 	github.com/pulumi/pulumi-java/pkg v1.16.0
 	github.com/pulumi/pulumi-yaml v1.21.2
 	github.com/pulumi/pulumi/pkg/v3 v3.192.0

go.sum

@@ -896,8 +896,8 @@ github.com/pulumi/providertest v0.3.1 h1:vlftr7TZlObh81mL88IhhF0/9ZbLrZZos4NAvR4
 github.com/pulumi/providertest v0.3.1/go.mod h1:fFHUP4/9DRyYnHWiRnwcynMtM/a7hHR/QcJfcuZKO3A=
 github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3 v3.0.0-20250806132441-44ca9a522cef h1:cxRa9R9To6OYKacIG2Em6zcM7BDNr6joC43uiV1lSVY=
 github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3 v3.0.0-20250806132441-44ca9a522cef/go.mod h1:VLcnE1lj92EfRi7CRMzdPkQ9OQvrlg2upJM1lBZzNmg=
-github.com/pulumi/pulumi-go-provider v1.1.1 h1:4UT3LeNT9CdGhkq8OSWKJsmKTW9Tg+vsfOO/hsFVyb4=
+github.com/pulumi/pulumi-go-provider v1.1.2 h1:NUQDXaftBDFTPMBPwxo8FhJUX0ymkv6a1XiXTnCDpvg=
-github.com/pulumi/pulumi-go-provider v1.1.1/go.mod h1:3lNIuxT/BArFyiKrVfv+UT7gMMtplss7V69KuBZ4zIk=
+github.com/pulumi/pulumi-go-provider v1.1.2/go.mod h1:3lNIuxT/BArFyiKrVfv+UT7gMMtplss7V69KuBZ4zIk=
 github.com/pulumi/pulumi-java/pkg v1.16.0 h1:8KCiIXWv2uxfIks0SdgOezyXg4HZIoPfHID9eMg4nuM=
 github.com/pulumi/pulumi-java/pkg v1.16.0/go.mod h1:VeMZ1s9LfXBypao4A1tRF3EB7fYnYZ1LwImyg6FBX0c=
 github.com/pulumi/pulumi-yaml v1.21.2 h1:czqC5AazinfX6Bj0nqAAQ6x/Cr8/3oUz3HUjJg6tJ4o=

mise.toml

@@ -1,19 +0,0 @@
-# WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
-
-[tools]
-
-# Runtimes
-go = '1.21'
-node = '20'
-python = '3.11.8'
-dotnet = '8.0'
-# Corretto version used as Java SE/OpenJDK version no longer offered
-java = 'corretto-11'
-
-# Executable tools
-pulumi = 'latest'
-"go:github.com/pulumi/pulumictl/cmd/pulumictl" = 'latest'
-gradle = '7.6'
-
-[settings]
-experimental = true # Required for Go binaries (e.g. pulumictl).

provider/cmd/pulumi-resource-docker-build/schema.json

@@ -155,32 +155,12 @@
       ]
     },
     "docker-build:index:CacheFromGitHubActions": {
+      "description": "Recommended for use with GitHub Actions workflows.\n\nAn action like `crazy-max/ghaction-github-runtime` is recommended to expose\nappropriate credentials to your GitHub workflow.",
       "properties": {
         "scope": {
           "type": "string",
           "description": "The scope to use for cache keys. Defaults to `buildkit`.\n\nThis should be set if building and caching multiple images in one\nworkflow, otherwise caches will overwrite each other.",
           "default": "buildkit"
-        },
-        "token": {
-          "type": "string",
-          "description": "The GitHub Actions token to use. This is not a personal access tokens\nand is typically generated automatically as part of each job.\n\nDefaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like\n`crazy-max/ghaction-github-runtime` is recommended to expose this\nenvironment variable to your jobs.",
-          "default": "",
-          "defaultInfo": {
-            "environment": [
-              "ACTIONS_RUNTIME_TOKEN"
-            ]
-          },
-          "secret": true
-        },
-        "url": {
-          "type": "string",
-          "description": "The cache server URL to use for artifacts.\n\nDefaults to `$ACTIONS_CACHE_URL`, although a separate action like\n`crazy-max/ghaction-github-runtime` is recommended to expose this\nenvironment variable to your jobs.",
-          "default": "",
-          "defaultInfo": {
-            "environment": [
-              "ACTIONS_CACHE_URL"
-            ]
-          }
         }
       },
       "type": "object"
@@ -370,6 +350,7 @@
       ]
     },
     "docker-build:index:CacheToGitHubActions": {
+      "description": "Recommended for use with GitHub Actions workflows.\n\nAn action like `crazy-max/ghaction-github-runtime` is recommended to expose\nappropriate credentials to your GitHub workflow.",
       "properties": {
         "ignoreError": {
           "type": "boolean",
@@ -385,27 +366,6 @@
           "type": "string",
           "description": "The scope to use for cache keys. Defaults to `buildkit`.\n\nThis should be set if building and caching multiple images in one\nworkflow, otherwise caches will overwrite each other.",
           "default": "buildkit"
-        },
-        "token": {
-          "type": "string",
-          "description": "The GitHub Actions token to use. This is not a personal access tokens\nand is typically generated automatically as part of each job.\n\nDefaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like\n`crazy-max/ghaction-github-runtime` is recommended to expose this\nenvironment variable to your jobs.",
-          "default": "",
-          "defaultInfo": {
-            "environment": [
-              "ACTIONS_RUNTIME_TOKEN"
-            ]
-          },
-          "secret": true
-        },
-        "url": {
-          "type": "string",
-          "description": "The cache server URL to use for artifacts.\n\nDefaults to `$ACTIONS_CACHE_URL`, although a separate action like\n`crazy-max/ghaction-github-runtime` is recommended to expose this\nenvironment variable to your jobs.",
-          "default": "",
-          "defaultInfo": {
-            "environment": [
-              "ACTIONS_CACHE_URL"
-            ]
-          }
         }
       },
       "type": "object"

provider/internal/cache.go

@@ -17,6 +17,7 @@ package internal
 import (
 	"errors"
 	"fmt"
+	"os"
 	"strings"
 
 	controllerapi "github.com/docker/buildx/controller/pb"
@@ -148,33 +149,20 @@ func (c CacheWithOCI) String() string {
 
 // CacheFromGitHubActions pulls cache manifests from the GitHub actions cache.
 type CacheFromGitHubActions struct {
-	URL   string `pulumi:"url,optional"`
-	Token string `pulumi:"token,optional" provider:"secret"`
 	Scope string `pulumi:"scope,optional"`
 }
 
 // Annotate sets docstrings on CacheFromGitHubActions.
 func (c *CacheFromGitHubActions) Annotate(a infer.Annotator) {
-	a.SetDefault(&c.URL, "", "ACTIONS_CACHE_URL")
+	a.Describe(&c, dedent(`
-	a.SetDefault(&c.Token, "", "ACTIONS_RUNTIME_TOKEN")
+		Recommended for use with GitHub Actions workflows.
+
+		An action like "crazy-max/ghaction-github-runtime" is recommended to expose
+		appropriate credentials to your GitHub workflow.
+	`))
+
 	a.SetDefault(&c.Scope, "buildkit")
 
-	a.Describe(&c.URL, dedent(`
-		The cache server URL to use for artifacts.
-
-		Defaults to "$ACTIONS_CACHE_URL", although a separate action like
-		"crazy-max/ghaction-github-runtime" is recommended to expose this
-		environment variable to your jobs.
-	`))
-	a.Describe(&c.Token, dedent(`
-		The GitHub Actions token to use. This is not a personal access tokens
-		and is typically generated automatically as part of each job.
-
-		Defaults to "$ACTIONS_RUNTIME_TOKEN", although a separate action like
-		"crazy-max/ghaction-github-runtime" is recommended to expose this
-		environment variable to your jobs.
-
-	`))
 	a.Describe(&c.Scope, dedent(`
 		The scope to use for cache keys. Defaults to "buildkit".
 
@@ -191,11 +179,12 @@ func (c *CacheFromGitHubActions) String() string {
 	if c.Scope != "" {
 		parts = append(parts, "scope="+c.Scope)
 	}
-	if c.Token != "" {
+	// Preserving backwards compatibility with the old behaviour.
-		parts = append(parts, "token="+c.Token)
+	if token := os.Getenv("ACTIONS_RUNTIME_TOKEN"); token != "" {
+		parts = append(parts, "token="+token)
 	}
-	if c.URL != "" {
+	if url := os.Getenv("ACTIONS_CACHE_URL"); url != "" {
-		parts = append(parts, "url="+c.URL)
+		parts = append(parts, "url="+url)
 	}
 	return strings.Join(parts, ",")
 }

provider/internal/cache_test.go

@@ -24,14 +24,15 @@ import (
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 )
 
+//nolint:paralleltest // We don't call t.Parallel here to prevent environment corruption.
 func TestCacheString(t *testing.T) {
-	t.Parallel()
 	gzip := Gzip
 
 	tests := []struct {
-		name  string
+		name    string
-		given fmt.Stringer
+		arrange func(t *testing.T)
-		want  string
+		given   fmt.Stringer
+		want    string
 	}{
 		{
 			name: "s3",
@@ -55,7 +56,37 @@ func TestCacheString(t *testing.T) {
 		{
 			name:  "gha",
 			given: CacheTo{GHA: &CacheToGitHubActions{}},
-			want:  "type=gha",
+			arrange: func(t *testing.T) {
+				t.Setenv("ACTIONS_CACHE_URL", "")
+				t.Setenv("ACTIONS_RUNTIME_TOKEN", "")
+			},
+			want: "type=gha",
+		},
+		{
+			name: "gha-default-envs",
+			arrange: func(t *testing.T) {
+				t.Setenv("ACTIONS_CACHE_URL", "https://example.com")
+				t.Setenv("ACTIONS_RUNTIME_TOKEN", "token")
+			},
+			given: CacheTo{GHA: &CacheToGitHubActions{
+				CacheFromGitHubActions: CacheFromGitHubActions{
+					Scope: "scope",
+				},
+			}},
+			want: "type=gha,scope=scope,token=token,url=https://example.com",
+		},
+		{
+			name: "gha-with-scope",
+			arrange: func(t *testing.T) {
+				t.Setenv("ACTIONS_CACHE_URL", "")
+				t.Setenv("ACTIONS_RUNTIME_TOKEN", "")
+			},
+			given: CacheTo{GHA: &CacheToGitHubActions{
+				CacheFromGitHubActions: CacheFromGitHubActions{
+					Scope: "scope",
+				},
+			}},
+			want: "type=gha,scope=scope",
 		},
 		{
 			name:  "from-local",
@@ -121,9 +152,12 @@ func TestCacheString(t *testing.T) {
 		},
 	}
 
+	//nolint:paralleltest // We don't call t.Parallel here to prevent environment corruption.
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			t.Parallel()
+			if tt.arrange != nil {
+				tt.arrange(t)
+			}
 
 			actual := tt.given.String()
 			assert.Equal(t, tt.want, actual)

provider/internal/image_test.go

@@ -917,8 +917,10 @@ func TestValidateImageArgs(t *testing.T) {
 			{
 				name: "gha environment",
 				envs: map[string]string{
-					"ACTIONS_CACHE_URL":     "test-cache-url",
+					"ACTIONS_CACHE_URL":        "test-cache-url",
-					"ACTIONS_RUNTIME_TOKEN": "test-runtime-token",
+					"ACTIONS_RUNTIME_TOKEN":    "test-runtime-token",
+					"ACTIONS_RESULTS_URL":      "test-results-url",
+					"ACTIONS_CACHE_SERVICE_V2": "true",
 				},
 				args: ImageArgs{
 					Context:   &BuildContext{Context: Context{Location: "testdata/noop"}},
@@ -930,15 +932,17 @@ func TestValidateImageArgs(t *testing.T) {
 				wantCacheFrom: &pb.CacheOptionsEntry{
 					Type: "gha",
 					Attrs: map[string]string{
-						"token": "test-runtime-token",
+						"token":  "test-runtime-token",
-						"url":   "test-cache-url",
+						"url":    "test-cache-url",
+						"url_v2": "test-results-url",
 					},
 				},
 				wantCacheTo: &pb.CacheOptionsEntry{
 					Type: "gha",
 					Attrs: map[string]string{
-						"token": "test-runtime-token",
+						"token":  "test-runtime-token",
-						"url":   "test-cache-url",
+						"url":    "test-cache-url",
+						"url_v2": "test-results-url",
 					},
 				},
 			},

scripts/get-versions.sh

@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# This script can be simplified to use go when https://github.com/jdx/mise/discussions/6374 is fixed
+# e.g. go list -m -f '{{.GoVersion}}'
+
+module_path="github.com/pulumi/pulumi/pkg/v3"
+go_mod_path="."
+gomod="go.mod"
+
+if [[ "$go_mod_path" != "" && "$go_mod_path" != "." ]]; then
+  gomod="$go_mod_path/$gomod"
+fi
+
+if [[ ! -f "$gomod" ]]; then
+  echo "missing $gomod" >&2
+  exit 1
+fi
+
+raw_version=$(awk -v module="$module_path" '
+    $1 == module || $2 == module {
+        for (i = 1; i <= NF; i++) {
+            if ($i ~ /^v[0-9]/) {
+                sub(/^v/, "", $i)
+                print $i
+                exit
+            }
+        }
+    }
+' "$gomod")
+
+if [[ -z "${raw_version:-}" ]]; then
+  echo "failed to determine Pulumi version from $gomod" >&2
+  exit 1
+fi
+
+echo "PULUMI_VERSION_MISE=$raw_version"
+export PULUMI_VERSION_MISE=$raw_version
+
+# Prefer the toolchain directive if present, otherwise fall back to the `go` version line
+go_toolchain=$(awk '/^toolchain[[:space:]]+go[0-9]/{ print $2; exit }' "$gomod")
+
+if [[ -n "${go_toolchain:-}" ]]; then
+  go_version=${go_toolchain#go}
+else
+  go_version=$(awk '/^go[[:space:]]+[0-9]/{ print $2; exit }' "$gomod")
+fi
+
+if [[ -z "${go_version:-}" ]]; then
+  echo "failed to determine Go version from $gomod" >&2
+  exit 1
+fi
+
+echo "GO_VERSION_MISE=$go_version"
+export GO_VERSION_MISE=$go_version

sdk/dotnet/Inputs/CacheFromGitHubActionsArgs.cs

@@ -10,6 +10,12 @@ using Pulumi.Serialization;
 namespace Pulumi.DockerBuild.Inputs
 {
 
+    /// <summary>
+    /// Recommended for use with GitHub Actions workflows.
+    /// 
+    /// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+    /// appropriate credentials to your GitHub workflow.
+    /// </summary>
     public sealed class CacheFromGitHubActionsArgs : global::Pulumi.ResourceArgs
     {
         /// <summary>
@@ -21,42 +27,9 @@ namespace Pulumi.DockerBuild.Inputs
         [Input("scope")]
         public Input<string>? Scope { get; set; }
 
-        [Input("token")]
-        private Input<string>? _token;
-
-        /// <summary>
-        /// The GitHub Actions token to use. This is not a personal access tokens
-        /// and is typically generated automatically as part of each job.
-        /// 
-        /// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
-        /// environment variable to your jobs.
-        /// </summary>
-        public Input<string>? Token
-        {
-            get => _token;
-            set
-            {
-                var emptySecret = Output.CreateSecret(0);
-                _token = Output.Tuple<Input<string>?, int>(value, emptySecret).Apply(t => t.Item1);
-            }
-        }
-
-        /// <summary>
-        /// The cache server URL to use for artifacts.
-        /// 
-        /// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
-        /// environment variable to your jobs.
-        /// </summary>
-        [Input("url")]
-        public Input<string>? Url { get; set; }
-
         public CacheFromGitHubActionsArgs()
         {
             Scope = "buildkit";
-            Token = Utilities.GetEnv("ACTIONS_RUNTIME_TOKEN") ?? "";
-            Url = Utilities.GetEnv("ACTIONS_CACHE_URL") ?? "";
         }
         public static new CacheFromGitHubActionsArgs Empty => new CacheFromGitHubActionsArgs();
     }

sdk/dotnet/Inputs/CacheToGitHubActionsArgs.cs

@@ -10,6 +10,12 @@ using Pulumi.Serialization;
 namespace Pulumi.DockerBuild.Inputs
 {
 
+    /// <summary>
+    /// Recommended for use with GitHub Actions workflows.
+    /// 
+    /// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+    /// appropriate credentials to your GitHub workflow.
+    /// </summary>
     public sealed class CacheToGitHubActionsArgs : global::Pulumi.ResourceArgs
     {
         /// <summary>
@@ -33,44 +39,11 @@ namespace Pulumi.DockerBuild.Inputs
         [Input("scope")]
         public Input<string>? Scope { get; set; }
 
-        [Input("token")]
-        private Input<string>? _token;
-
-        /// <summary>
-        /// The GitHub Actions token to use. This is not a personal access tokens
-        /// and is typically generated automatically as part of each job.
-        /// 
-        /// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
-        /// environment variable to your jobs.
-        /// </summary>
-        public Input<string>? Token
-        {
-            get => _token;
-            set
-            {
-                var emptySecret = Output.CreateSecret(0);
-                _token = Output.Tuple<Input<string>?, int>(value, emptySecret).Apply(t => t.Item1);
-            }
-        }
-
-        /// <summary>
-        /// The cache server URL to use for artifacts.
-        /// 
-        /// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
-        /// environment variable to your jobs.
-        /// </summary>
-        [Input("url")]
-        public Input<string>? Url { get; set; }
-
         public CacheToGitHubActionsArgs()
         {
             IgnoreError = false;
             Mode = Pulumi.DockerBuild.CacheMode.Min;
             Scope = "buildkit";
-            Token = Utilities.GetEnv("ACTIONS_RUNTIME_TOKEN") ?? "";
-            Url = Utilities.GetEnv("ACTIONS_CACHE_URL") ?? "";
         }
         public static new CacheToGitHubActionsArgs Empty => new CacheToGitHubActionsArgs();
     }

sdk/dotnet/Outputs/CacheFromGitHubActions.cs

@@ -10,6 +10,12 @@ using Pulumi.Serialization;
 namespace Pulumi.DockerBuild.Outputs
 {
 
+    /// <summary>
+    /// Recommended for use with GitHub Actions workflows.
+    /// 
+    /// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+    /// appropriate credentials to your GitHub workflow.
+    /// </summary>
     [OutputType]
     public sealed class CacheFromGitHubActions
     {
@@ -20,35 +26,11 @@ namespace Pulumi.DockerBuild.Outputs
         /// workflow, otherwise caches will overwrite each other.
         /// </summary>
         public readonly string? Scope;
-        /// <summary>
-        /// The GitHub Actions token to use. This is not a personal access tokens
-        /// and is typically generated automatically as part of each job.
-        /// 
-        /// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
-        /// environment variable to your jobs.
-        /// </summary>
-        public readonly string? Token;
-        /// <summary>
-        /// The cache server URL to use for artifacts.
-        /// 
-        /// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
-        /// environment variable to your jobs.
-        /// </summary>
-        public readonly string? Url;
 
         [OutputConstructor]
-        private CacheFromGitHubActions(
+        private CacheFromGitHubActions(string? scope)
-            string? scope,
-
-            string? token,
-
-            string? url)
         {
             Scope = scope;
-            Token = token;
-            Url = url;
         }
     }
 }

sdk/dotnet/Outputs/CacheToGitHubActions.cs

@@ -10,6 +10,12 @@ using Pulumi.Serialization;
 namespace Pulumi.DockerBuild.Outputs
 {
 
+    /// <summary>
+    /// Recommended for use with GitHub Actions workflows.
+    /// 
+    /// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+    /// appropriate credentials to your GitHub workflow.
+    /// </summary>
     [OutputType]
     public sealed class CacheToGitHubActions
     {
@@ -28,23 +34,6 @@ namespace Pulumi.DockerBuild.Outputs
         /// workflow, otherwise caches will overwrite each other.
         /// </summary>
         public readonly string? Scope;
-        /// <summary>
-        /// The GitHub Actions token to use. This is not a personal access tokens
-        /// and is typically generated automatically as part of each job.
-        /// 
-        /// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
-        /// environment variable to your jobs.
-        /// </summary>
-        public readonly string? Token;
-        /// <summary>
-        /// The cache server URL to use for artifacts.
-        /// 
-        /// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
-        /// environment variable to your jobs.
-        /// </summary>
-        public readonly string? Url;
 
         [OutputConstructor]
         private CacheToGitHubActions(
@@ -52,17 +41,11 @@ namespace Pulumi.DockerBuild.Outputs
 
             Pulumi.DockerBuild.CacheMode? mode,
 
-            string? scope,
+            string? scope)
-
-            string? token,
-
-            string? url)
         {
             IgnoreError = ignoreError;
             Mode = mode;
             Scope = scope;
-            Token = token;
-            Url = url;
         }
     }
 }

sdk/go/dockerbuild/pulumiTypes.go

@@ -834,25 +834,16 @@ func (o CacheFromAzureBlobPtrOutput) SecretAccessKey() pulumi.StringPtrOutput {
 	}).(pulumi.StringPtrOutput)
 }
 
+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActions struct {
 	// The scope to use for cache keys. Defaults to `buildkit`.
 	//
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope *string `pulumi:"scope"`
-	// The GitHub Actions token to use. This is not a personal access tokens
-	// and is typically generated automatically as part of each job.
-	//
-	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Token *string `pulumi:"token"`
-	// The cache server URL to use for artifacts.
-	//
-	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Url *string `pulumi:"url"`
 }
 
 // Defaults sets the appropriate defaults for CacheFromGitHubActions
@@ -865,18 +856,6 @@ func (val *CacheFromGitHubActions) Defaults() *CacheFromGitHubActions {
 		scope_ := "buildkit"
 		tmp.Scope = &scope_
 	}
-	if tmp.Token == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
-			token_ := d.(string)
-			tmp.Token = &token_
-		}
-	}
-	if tmp.Url == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
-			url_ := d.(string)
-			tmp.Url = &url_
-		}
-	}
 	return &tmp
 }
 
@@ -891,25 +870,16 @@ type CacheFromGitHubActionsInput interface {
 	ToCacheFromGitHubActionsOutputWithContext(context.Context) CacheFromGitHubActionsOutput
 }
 
+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActionsArgs struct {
 	// The scope to use for cache keys. Defaults to `buildkit`.
 	//
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope pulumi.StringPtrInput `pulumi:"scope"`
-	// The GitHub Actions token to use. This is not a personal access tokens
-	// and is typically generated automatically as part of each job.
-	//
-	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Token pulumi.StringPtrInput `pulumi:"token"`
-	// The cache server URL to use for artifacts.
-	//
-	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Url pulumi.StringPtrInput `pulumi:"url"`
 }
 
 // Defaults sets the appropriate defaults for CacheFromGitHubActionsArgs
@@ -921,16 +891,6 @@ func (val *CacheFromGitHubActionsArgs) Defaults() *CacheFromGitHubActionsArgs {
 	if tmp.Scope == nil {
 		tmp.Scope = pulumi.StringPtr("buildkit")
 	}
-	if tmp.Token == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
-			tmp.Token = pulumi.StringPtr(d.(string))
-		}
-	}
-	if tmp.Url == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
-			tmp.Url = pulumi.StringPtr(d.(string))
-		}
-	}
 	return &tmp
 }
 func (CacheFromGitHubActionsArgs) ElementType() reflect.Type {
@@ -998,6 +958,10 @@ func (i *cacheFromGitHubActionsPtrType) ToOutput(ctx context.Context) pulumix.Ou
 	}
 }
 
+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActionsOutput struct{ *pulumi.OutputState }
 
 func (CacheFromGitHubActionsOutput) ElementType() reflect.Type {
@@ -1036,25 +1000,6 @@ func (o CacheFromGitHubActionsOutput) Scope() pulumi.StringPtrOutput {
 	return o.ApplyT(func(v CacheFromGitHubActions) *string { return v.Scope }).(pulumi.StringPtrOutput)
 }
 
-// The GitHub Actions token to use. This is not a personal access tokens
-// and is typically generated automatically as part of each job.
-//
-// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheFromGitHubActionsOutput) Token() pulumi.StringPtrOutput {
-	return o.ApplyT(func(v CacheFromGitHubActions) *string { return v.Token }).(pulumi.StringPtrOutput)
-}
-
-// The cache server URL to use for artifacts.
-//
-// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheFromGitHubActionsOutput) Url() pulumi.StringPtrOutput {
-	return o.ApplyT(func(v CacheFromGitHubActions) *string { return v.Url }).(pulumi.StringPtrOutput)
-}
-
 type CacheFromGitHubActionsPtrOutput struct{ *pulumi.OutputState }
 
 func (CacheFromGitHubActionsPtrOutput) ElementType() reflect.Type {
@@ -1098,35 +1043,6 @@ func (o CacheFromGitHubActionsPtrOutput) Scope() pulumi.StringPtrOutput {
 	}).(pulumi.StringPtrOutput)
 }
 
-// The GitHub Actions token to use. This is not a personal access tokens
-// and is typically generated automatically as part of each job.
-//
-// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheFromGitHubActionsPtrOutput) Token() pulumi.StringPtrOutput {
-	return o.ApplyT(func(v *CacheFromGitHubActions) *string {
-		if v == nil {
-			return nil
-		}
-		return v.Token
-	}).(pulumi.StringPtrOutput)
-}
-
-// The cache server URL to use for artifacts.
-//
-// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheFromGitHubActionsPtrOutput) Url() pulumi.StringPtrOutput {
-	return o.ApplyT(func(v *CacheFromGitHubActions) *string {
-		if v == nil {
-			return nil
-		}
-		return v.Url
-	}).(pulumi.StringPtrOutput)
-}
-
 type CacheFromLocal struct {
 	// Digest of manifest to import.
 	Digest *string `pulumi:"digest"`
@@ -2361,6 +2277,10 @@ func (o CacheToAzureBlobPtrOutput) SecretAccessKey() pulumi.StringPtrOutput {
 	}).(pulumi.StringPtrOutput)
 }
 
+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheToGitHubActions struct {
 	// Ignore errors caused by failed cache exports.
 	IgnoreError *bool `pulumi:"ignoreError"`
@@ -2371,19 +2291,6 @@ type CacheToGitHubActions struct {
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope *string `pulumi:"scope"`
-	// The GitHub Actions token to use. This is not a personal access tokens
-	// and is typically generated automatically as part of each job.
-	//
-	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Token *string `pulumi:"token"`
-	// The cache server URL to use for artifacts.
-	//
-	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Url *string `pulumi:"url"`
 }
 
 // Defaults sets the appropriate defaults for CacheToGitHubActions
@@ -2404,18 +2311,6 @@ func (val *CacheToGitHubActions) Defaults() *CacheToGitHubActions {
 		scope_ := "buildkit"
 		tmp.Scope = &scope_
 	}
-	if tmp.Token == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
-			token_ := d.(string)
-			tmp.Token = &token_
-		}
-	}
-	if tmp.Url == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
-			url_ := d.(string)
-			tmp.Url = &url_
-		}
-	}
 	return &tmp
 }
 
@@ -2430,6 +2325,10 @@ type CacheToGitHubActionsInput interface {
 	ToCacheToGitHubActionsOutputWithContext(context.Context) CacheToGitHubActionsOutput
 }
 
+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheToGitHubActionsArgs struct {
 	// Ignore errors caused by failed cache exports.
 	IgnoreError pulumi.BoolPtrInput `pulumi:"ignoreError"`
@@ -2440,19 +2339,6 @@ type CacheToGitHubActionsArgs struct {
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope pulumi.StringPtrInput `pulumi:"scope"`
-	// The GitHub Actions token to use. This is not a personal access tokens
-	// and is typically generated automatically as part of each job.
-	//
-	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Token pulumi.StringPtrInput `pulumi:"token"`
-	// The cache server URL to use for artifacts.
-	//
-	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Url pulumi.StringPtrInput `pulumi:"url"`
 }
 
 // Defaults sets the appropriate defaults for CacheToGitHubActionsArgs
@@ -2470,16 +2356,6 @@ func (val *CacheToGitHubActionsArgs) Defaults() *CacheToGitHubActionsArgs {
 	if tmp.Scope == nil {
 		tmp.Scope = pulumi.StringPtr("buildkit")
 	}
-	if tmp.Token == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
-			tmp.Token = pulumi.StringPtr(d.(string))
-		}
-	}
-	if tmp.Url == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
-			tmp.Url = pulumi.StringPtr(d.(string))
-		}
-	}
 	return &tmp
 }
 func (CacheToGitHubActionsArgs) ElementType() reflect.Type {
@@ -2547,6 +2423,10 @@ func (i *cacheToGitHubActionsPtrType) ToOutput(ctx context.Context) pulumix.Outp
 	}
 }
 
+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheToGitHubActionsOutput struct{ *pulumi.OutputState }
 
 func (CacheToGitHubActionsOutput) ElementType() reflect.Type {
@@ -2595,25 +2475,6 @@ func (o CacheToGitHubActionsOutput) Scope() pulumi.StringPtrOutput {
 	return o.ApplyT(func(v CacheToGitHubActions) *string { return v.Scope }).(pulumi.StringPtrOutput)
 }
 
-// The GitHub Actions token to use. This is not a personal access tokens
-// and is typically generated automatically as part of each job.
-//
-// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheToGitHubActionsOutput) Token() pulumi.StringPtrOutput {
-	return o.ApplyT(func(v CacheToGitHubActions) *string { return v.Token }).(pulumi.StringPtrOutput)
-}
-
-// The cache server URL to use for artifacts.
-//
-// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheToGitHubActionsOutput) Url() pulumi.StringPtrOutput {
-	return o.ApplyT(func(v CacheToGitHubActions) *string { return v.Url }).(pulumi.StringPtrOutput)
-}
-
 type CacheToGitHubActionsPtrOutput struct{ *pulumi.OutputState }
 
 func (CacheToGitHubActionsPtrOutput) ElementType() reflect.Type {
@@ -2677,35 +2538,6 @@ func (o CacheToGitHubActionsPtrOutput) Scope() pulumi.StringPtrOutput {
 	}).(pulumi.StringPtrOutput)
 }
 
-// The GitHub Actions token to use. This is not a personal access tokens
-// and is typically generated automatically as part of each job.
-//
-// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheToGitHubActionsPtrOutput) Token() pulumi.StringPtrOutput {
-	return o.ApplyT(func(v *CacheToGitHubActions) *string {
-		if v == nil {
-			return nil
-		}
-		return v.Token
-	}).(pulumi.StringPtrOutput)
-}
-
-// The cache server URL to use for artifacts.
-//
-// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheToGitHubActionsPtrOutput) Url() pulumi.StringPtrOutput {
-	return o.ApplyT(func(v *CacheToGitHubActions) *string {
-		if v == nil {
-			return nil
-		}
-		return v.Url
-	}).(pulumi.StringPtrOutput)
-}
-
 // Include an inline cache with the exported image.
 type CacheToInline struct {
 }

sdk/go/dockerbuild/x/pulumiTypes.go

@@ -393,25 +393,16 @@ func (o CacheFromAzureBlobOutput) SecretAccessKey() pulumix.Output[*string] {
 	return pulumix.Apply[CacheFromAzureBlob](o, func(v CacheFromAzureBlob) *string { return v.SecretAccessKey })
 }
 
+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActions struct {
 	// The scope to use for cache keys. Defaults to `buildkit`.
 	//
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope *string `pulumi:"scope"`
-	// The GitHub Actions token to use. This is not a personal access tokens
-	// and is typically generated automatically as part of each job.
-	//
-	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Token *string `pulumi:"token"`
-	// The cache server URL to use for artifacts.
-	//
-	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Url *string `pulumi:"url"`
 }
 
 // Defaults sets the appropriate defaults for CacheFromGitHubActions
@@ -424,40 +415,19 @@ func (val *CacheFromGitHubActions) Defaults() *CacheFromGitHubActions {
 		scope_ := "buildkit"
 		tmp.Scope = &scope_
 	}
-	if tmp.Token == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
-			token_ := d.(string)
-			tmp.Token = &token_
-		}
-	}
-	if tmp.Url == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
-			url_ := d.(string)
-			tmp.Url = &url_
-		}
-	}
 	return &tmp
 }
 
+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActionsArgs struct {
 	// The scope to use for cache keys. Defaults to `buildkit`.
 	//
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope pulumix.Input[*string] `pulumi:"scope"`
-	// The GitHub Actions token to use. This is not a personal access tokens
-	// and is typically generated automatically as part of each job.
-	//
-	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Token pulumix.Input[*string] `pulumi:"token"`
-	// The cache server URL to use for artifacts.
-	//
-	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Url pulumix.Input[*string] `pulumi:"url"`
 }
 
 // Defaults sets the appropriate defaults for CacheFromGitHubActionsArgs
@@ -469,16 +439,6 @@ func (val *CacheFromGitHubActionsArgs) Defaults() *CacheFromGitHubActionsArgs {
 	if tmp.Scope == nil {
 		tmp.Scope = pulumix.Ptr("buildkit")
 	}
-	if tmp.Token == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
-			tmp.Token = pulumix.Ptr(d.(string))
-		}
-	}
-	if tmp.Url == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
-			tmp.Url = pulumix.Ptr(d.(string))
-		}
-	}
 	return &tmp
 }
 func (CacheFromGitHubActionsArgs) ElementType() reflect.Type {
@@ -497,6 +457,10 @@ func (i *CacheFromGitHubActionsArgs) ToOutput(ctx context.Context) pulumix.Outpu
 	return pulumix.Val(i)
 }
 
+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActionsOutput struct{ *pulumi.OutputState }
 
 func (CacheFromGitHubActionsOutput) ElementType() reflect.Type {
@@ -525,25 +489,6 @@ func (o CacheFromGitHubActionsOutput) Scope() pulumix.Output[*string] {
 	return pulumix.Apply[CacheFromGitHubActions](o, func(v CacheFromGitHubActions) *string { return v.Scope })
 }
 
-// The GitHub Actions token to use. This is not a personal access tokens
-// and is typically generated automatically as part of each job.
-//
-// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheFromGitHubActionsOutput) Token() pulumix.Output[*string] {
-	return pulumix.Apply[CacheFromGitHubActions](o, func(v CacheFromGitHubActions) *string { return v.Token })
-}
-
-// The cache server URL to use for artifacts.
-//
-// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheFromGitHubActionsOutput) Url() pulumix.Output[*string] {
-	return pulumix.Apply[CacheFromGitHubActions](o, func(v CacheFromGitHubActions) *string { return v.Url })
-}
-
 type CacheFromLocal struct {
 	// Digest of manifest to import.
 	Digest *string `pulumi:"digest"`
@@ -1134,6 +1079,10 @@ func (o CacheToAzureBlobOutput) SecretAccessKey() pulumix.Output[*string] {
 	return pulumix.Apply[CacheToAzureBlob](o, func(v CacheToAzureBlob) *string { return v.SecretAccessKey })
 }
 
+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheToGitHubActions struct {
 	// Ignore errors caused by failed cache exports.
 	IgnoreError *bool `pulumi:"ignoreError"`
@@ -1144,19 +1093,6 @@ type CacheToGitHubActions struct {
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope *string `pulumi:"scope"`
-	// The GitHub Actions token to use. This is not a personal access tokens
-	// and is typically generated automatically as part of each job.
-	//
-	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Token *string `pulumi:"token"`
-	// The cache server URL to use for artifacts.
-	//
-	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Url *string `pulumi:"url"`
 }
 
 // Defaults sets the appropriate defaults for CacheToGitHubActions
@@ -1177,21 +1113,13 @@ func (val *CacheToGitHubActions) Defaults() *CacheToGitHubActions {
 		scope_ := "buildkit"
 		tmp.Scope = &scope_
 	}
-	if tmp.Token == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
-			token_ := d.(string)
-			tmp.Token = &token_
-		}
-	}
-	if tmp.Url == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
-			url_ := d.(string)
-			tmp.Url = &url_
-		}
-	}
 	return &tmp
 }
 
+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheToGitHubActionsArgs struct {
 	// Ignore errors caused by failed cache exports.
 	IgnoreError pulumix.Input[*bool] `pulumi:"ignoreError"`
@@ -1202,19 +1130,6 @@ type CacheToGitHubActionsArgs struct {
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope pulumix.Input[*string] `pulumi:"scope"`
-	// The GitHub Actions token to use. This is not a personal access tokens
-	// and is typically generated automatically as part of each job.
-	//
-	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Token pulumix.Input[*string] `pulumi:"token"`
-	// The cache server URL to use for artifacts.
-	//
-	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-	// `crazy-max/ghaction-github-runtime` is recommended to expose this
-	// environment variable to your jobs.
-	Url pulumix.Input[*string] `pulumi:"url"`
 }
 
 // Defaults sets the appropriate defaults for CacheToGitHubActionsArgs
@@ -1232,16 +1147,6 @@ func (val *CacheToGitHubActionsArgs) Defaults() *CacheToGitHubActionsArgs {
 	if tmp.Scope == nil {
 		tmp.Scope = pulumix.Ptr("buildkit")
 	}
-	if tmp.Token == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
-			tmp.Token = pulumix.Ptr(d.(string))
-		}
-	}
-	if tmp.Url == nil {
-		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
-			tmp.Url = pulumix.Ptr(d.(string))
-		}
-	}
 	return &tmp
 }
 func (CacheToGitHubActionsArgs) ElementType() reflect.Type {
@@ -1260,6 +1165,10 @@ func (i *CacheToGitHubActionsArgs) ToOutput(ctx context.Context) pulumix.Output[
 	return pulumix.Val(i)
 }
 
+// Recommended for use with GitHub Actions workflows.
+//
+// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+// appropriate credentials to your GitHub workflow.
 type CacheToGitHubActionsOutput struct{ *pulumi.OutputState }
 
 func (CacheToGitHubActionsOutput) ElementType() reflect.Type {
@@ -1298,25 +1207,6 @@ func (o CacheToGitHubActionsOutput) Scope() pulumix.Output[*string] {
 	return pulumix.Apply[CacheToGitHubActions](o, func(v CacheToGitHubActions) *string { return v.Scope })
 }
 
-// The GitHub Actions token to use. This is not a personal access tokens
-// and is typically generated automatically as part of each job.
-//
-// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheToGitHubActionsOutput) Token() pulumix.Output[*string] {
-	return pulumix.Apply[CacheToGitHubActions](o, func(v CacheToGitHubActions) *string { return v.Token })
-}
-
-// The cache server URL to use for artifacts.
-//
-// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-// `crazy-max/ghaction-github-runtime` is recommended to expose this
-// environment variable to your jobs.
-func (o CacheToGitHubActionsOutput) Url() pulumix.Output[*string] {
-	return pulumix.Apply[CacheToGitHubActions](o, func(v CacheToGitHubActions) *string { return v.Url })
-}
-
 // Include an inline cache with the exported image.
 type CacheToInline struct {
 }

sdk/java/src/main/java/com/pulumi/dockerbuild/inputs/CacheFromGitHubActionsArgs.java

@@ -12,6 +12,13 @@ import java.util.Optional;
 import javax.annotation.Nullable;
 
 
+/**
+ * Recommended for use with GitHub Actions workflows.
+ * 
+ * An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+ * appropriate credentials to your GitHub workflow.
+ * 
+ */
 public final class CacheFromGitHubActionsArgs extends com.pulumi.resources.ResourceArgs {
 
     public static final CacheFromGitHubActionsArgs Empty = new CacheFromGitHubActionsArgs();
@@ -37,60 +44,10 @@ public final class CacheFromGitHubActionsArgs extends com.pulumi.resources.Resou
         return Optional.ofNullable(this.scope);
     }
 
-    /**
-     * The GitHub Actions token to use. This is not a personal access tokens
-     * and is typically generated automatically as part of each job.
-     * 
-     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     * 
-     */
-    @Import(name="token")
-    private @Nullable Output<String> token;
-
-    /**
-     * @return The GitHub Actions token to use. This is not a personal access tokens
-     * and is typically generated automatically as part of each job.
-     * 
-     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     * 
-     */
-    public Optional<Output<String>> token() {
-        return Optional.ofNullable(this.token);
-    }
-
-    /**
-     * The cache server URL to use for artifacts.
-     * 
-     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     * 
-     */
-    @Import(name="url")
-    private @Nullable Output<String> url;
-
-    /**
-     * @return The cache server URL to use for artifacts.
-     * 
-     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     * 
-     */
-    public Optional<Output<String>> url() {
-        return Optional.ofNullable(this.url);
-    }
-
     private CacheFromGitHubActionsArgs() {}
 
     private CacheFromGitHubActionsArgs(CacheFromGitHubActionsArgs $) {
         this.scope = $.scope;
-        this.token = $.token;
-        this.url = $.url;
     }
 
     public static Builder builder() {
@@ -138,70 +95,8 @@ public final class CacheFromGitHubActionsArgs extends com.pulumi.resources.Resou
             return scope(Output.of(scope));
         }
 
-        /**
-         * @param token The GitHub Actions token to use. This is not a personal access tokens
-         * and is typically generated automatically as part of each job.
-         * 
-         * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-         * `crazy-max/ghaction-github-runtime` is recommended to expose this
-         * environment variable to your jobs.
-         * 
-         * @return builder
-         * 
-         */
-        public Builder token(@Nullable Output<String> token) {
-            $.token = token;
-            return this;
-        }
-
-        /**
-         * @param token The GitHub Actions token to use. This is not a personal access tokens
-         * and is typically generated automatically as part of each job.
-         * 
-         * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-         * `crazy-max/ghaction-github-runtime` is recommended to expose this
-         * environment variable to your jobs.
-         * 
-         * @return builder
-         * 
-         */
-        public Builder token(String token) {
-            return token(Output.of(token));
-        }
-
-        /**
-         * @param url The cache server URL to use for artifacts.
-         * 
-         * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-         * `crazy-max/ghaction-github-runtime` is recommended to expose this
-         * environment variable to your jobs.
-         * 
-         * @return builder
-         * 
-         */
-        public Builder url(@Nullable Output<String> url) {
-            $.url = url;
-            return this;
-        }
-
-        /**
-         * @param url The cache server URL to use for artifacts.
-         * 
-         * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-         * `crazy-max/ghaction-github-runtime` is recommended to expose this
-         * environment variable to your jobs.
-         * 
-         * @return builder
-         * 
-         */
-        public Builder url(String url) {
-            return url(Output.of(url));
-        }
-
         public CacheFromGitHubActionsArgs build() {
             $.scope = Codegen.stringProp("scope").output().arg($.scope).def("buildkit").getNullable();
-            $.token = Codegen.stringProp("token").secret().arg($.token).env("ACTIONS_RUNTIME_TOKEN").def("").getNullable();
-            $.url = Codegen.stringProp("url").output().arg($.url).env("ACTIONS_CACHE_URL").def("").getNullable();
             return $;
         }
     }

sdk/java/src/main/java/com/pulumi/dockerbuild/inputs/CacheToGitHubActionsArgs.java

@@ -14,6 +14,13 @@ import java.util.Optional;
 import javax.annotation.Nullable;
 
 
+/**
+ * Recommended for use with GitHub Actions workflows.
+ * 
+ * An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+ * appropriate credentials to your GitHub workflow.
+ * 
+ */
 public final class CacheToGitHubActionsArgs extends com.pulumi.resources.ResourceArgs {
 
     public static final CacheToGitHubActionsArgs Empty = new CacheToGitHubActionsArgs();
@@ -69,62 +76,12 @@ public final class CacheToGitHubActionsArgs extends com.pulumi.resources.Resourc
         return Optional.ofNullable(this.scope);
     }
 
-    /**
-     * The GitHub Actions token to use. This is not a personal access tokens
-     * and is typically generated automatically as part of each job.
-     * 
-     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     * 
-     */
-    @Import(name="token")
-    private @Nullable Output<String> token;
-
-    /**
-     * @return The GitHub Actions token to use. This is not a personal access tokens
-     * and is typically generated automatically as part of each job.
-     * 
-     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     * 
-     */
-    public Optional<Output<String>> token() {
-        return Optional.ofNullable(this.token);
-    }
-
-    /**
-     * The cache server URL to use for artifacts.
-     * 
-     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     * 
-     */
-    @Import(name="url")
-    private @Nullable Output<String> url;
-
-    /**
-     * @return The cache server URL to use for artifacts.
-     * 
-     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     * 
-     */
-    public Optional<Output<String>> url() {
-        return Optional.ofNullable(this.url);
-    }
-
     private CacheToGitHubActionsArgs() {}
 
     private CacheToGitHubActionsArgs(CacheToGitHubActionsArgs $) {
         this.ignoreError = $.ignoreError;
         this.mode = $.mode;
         this.scope = $.scope;
-        this.token = $.token;
-        this.url = $.url;
     }
 
     public static Builder builder() {
@@ -214,72 +171,10 @@ public final class CacheToGitHubActionsArgs extends com.pulumi.resources.Resourc
             return scope(Output.of(scope));
         }
 
-        /**
-         * @param token The GitHub Actions token to use. This is not a personal access tokens
-         * and is typically generated automatically as part of each job.
-         * 
-         * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-         * `crazy-max/ghaction-github-runtime` is recommended to expose this
-         * environment variable to your jobs.
-         * 
-         * @return builder
-         * 
-         */
-        public Builder token(@Nullable Output<String> token) {
-            $.token = token;
-            return this;
-        }
-
-        /**
-         * @param token The GitHub Actions token to use. This is not a personal access tokens
-         * and is typically generated automatically as part of each job.
-         * 
-         * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-         * `crazy-max/ghaction-github-runtime` is recommended to expose this
-         * environment variable to your jobs.
-         * 
-         * @return builder
-         * 
-         */
-        public Builder token(String token) {
-            return token(Output.of(token));
-        }
-
-        /**
-         * @param url The cache server URL to use for artifacts.
-         * 
-         * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-         * `crazy-max/ghaction-github-runtime` is recommended to expose this
-         * environment variable to your jobs.
-         * 
-         * @return builder
-         * 
-         */
-        public Builder url(@Nullable Output<String> url) {
-            $.url = url;
-            return this;
-        }
-
-        /**
-         * @param url The cache server URL to use for artifacts.
-         * 
-         * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-         * `crazy-max/ghaction-github-runtime` is recommended to expose this
-         * environment variable to your jobs.
-         * 
-         * @return builder
-         * 
-         */
-        public Builder url(String url) {
-            return url(Output.of(url));
-        }
-
         public CacheToGitHubActionsArgs build() {
             $.ignoreError = Codegen.booleanProp("ignoreError").output().arg($.ignoreError).def(false).getNullable();
             $.mode = Codegen.objectProp("mode", CacheMode.class).output().arg($.mode).def(CacheMode.Min).getNullable();
             $.scope = Codegen.stringProp("scope").output().arg($.scope).def("buildkit").getNullable();
-            $.token = Codegen.stringProp("token").secret().arg($.token).env("ACTIONS_RUNTIME_TOKEN").def("").getNullable();
-            $.url = Codegen.stringProp("url").output().arg($.url).env("ACTIONS_CACHE_URL").def("").getNullable();
             return $;
         }
     }

sdk/java/src/main/java/com/pulumi/dockerbuild/outputs/CacheFromGitHubActions.java

@@ -19,25 +19,6 @@ public final class CacheFromGitHubActions {
      * 
      */
     private @Nullable String scope;
-    /**
-     * @return The GitHub Actions token to use. This is not a personal access tokens
-     * and is typically generated automatically as part of each job.
-     * 
-     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     * 
-     */
-    private @Nullable String token;
-    /**
-     * @return The cache server URL to use for artifacts.
-     * 
-     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     * 
-     */
-    private @Nullable String url;
 
     private CacheFromGitHubActions() {}
     /**
@@ -50,29 +31,6 @@ public final class CacheFromGitHubActions {
     public Optional<String> scope() {
         return Optional.ofNullable(this.scope);
     }
-    /**
-     * @return The GitHub Actions token to use. This is not a personal access tokens
-     * and is typically generated automatically as part of each job.
-     * 
-     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     * 
-     */
-    public Optional<String> token() {
-        return Optional.ofNullable(this.token);
-    }
-    /**
-     * @return The cache server URL to use for artifacts.
-     * 
-     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     * 
-     */
-    public Optional<String> url() {
-        return Optional.ofNullable(this.url);
-    }
 
     public static Builder builder() {
         return new Builder();
@@ -84,14 +42,10 @@ public final class CacheFromGitHubActions {
     @CustomType.Builder
     public static final class Builder {
         private @Nullable String scope;
-        private @Nullable String token;
-        private @Nullable String url;
         public Builder() {}
         public Builder(CacheFromGitHubActions defaults) {
     	      Objects.requireNonNull(defaults);
     	      this.scope = defaults.scope;
-    	      this.token = defaults.token;
-    	      this.url = defaults.url;
         }
 
         @CustomType.Setter
@@ -100,23 +54,9 @@ public final class CacheFromGitHubActions {
             this.scope = scope;
             return this;
         }
-        @CustomType.Setter
-        public Builder token(@Nullable String token) {
-
-            this.token = token;
-            return this;
-        }
-        @CustomType.Setter
-        public Builder url(@Nullable String url) {
-
-            this.url = url;
-            return this;
-        }
         public CacheFromGitHubActions build() {
             final var _resultValue = new CacheFromGitHubActions();
             _resultValue.scope = scope;
-            _resultValue.token = token;
-            _resultValue.url = url;
             return _resultValue;
         }
     }

sdk/java/src/main/java/com/pulumi/dockerbuild/outputs/CacheToGitHubActions.java

@@ -31,25 +31,6 @@ public final class CacheToGitHubActions {
      * 
      */
     private @Nullable String scope;
-    /**
-     * @return The GitHub Actions token to use. This is not a personal access tokens
-     * and is typically generated automatically as part of each job.
-     * 
-     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     * 
-     */
-    private @Nullable String token;
-    /**
-     * @return The cache server URL to use for artifacts.
-     * 
-     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     * 
-     */
-    private @Nullable String url;
 
     private CacheToGitHubActions() {}
     /**
@@ -76,29 +57,6 @@ public final class CacheToGitHubActions {
     public Optional<String> scope() {
         return Optional.ofNullable(this.scope);
     }
-    /**
-     * @return The GitHub Actions token to use. This is not a personal access tokens
-     * and is typically generated automatically as part of each job.
-     * 
-     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     * 
-     */
-    public Optional<String> token() {
-        return Optional.ofNullable(this.token);
-    }
-    /**
-     * @return The cache server URL to use for artifacts.
-     * 
-     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     * 
-     */
-    public Optional<String> url() {
-        return Optional.ofNullable(this.url);
-    }
 
     public static Builder builder() {
         return new Builder();
@@ -112,16 +70,12 @@ public final class CacheToGitHubActions {
         private @Nullable Boolean ignoreError;
         private @Nullable CacheMode mode;
         private @Nullable String scope;
-        private @Nullable String token;
-        private @Nullable String url;
         public Builder() {}
         public Builder(CacheToGitHubActions defaults) {
     	      Objects.requireNonNull(defaults);
     	      this.ignoreError = defaults.ignoreError;
     	      this.mode = defaults.mode;
     	      this.scope = defaults.scope;
-    	      this.token = defaults.token;
-    	      this.url = defaults.url;
         }
 
         @CustomType.Setter
@@ -142,25 +96,11 @@ public final class CacheToGitHubActions {
             this.scope = scope;
             return this;
         }
-        @CustomType.Setter
-        public Builder token(@Nullable String token) {
-
-            this.token = token;
-            return this;
-        }
-        @CustomType.Setter
-        public Builder url(@Nullable String url) {
-
-            this.url = url;
-            return this;
-        }
         public CacheToGitHubActions build() {
             final var _resultValue = new CacheToGitHubActions();
             _resultValue.ignoreError = ignoreError;
             _resultValue.mode = mode;
             _resultValue.scope = scope;
-            _resultValue.token = token;
-            _resultValue.url = url;
             return _resultValue;
         }
     }

sdk/nodejs/types/input.ts

@@ -104,6 +104,12 @@ export interface CacheFromAzureBlobArgs {
     secretAccessKey?: pulumi.Input<string>;
 }
 
+/**
+ * Recommended for use with GitHub Actions workflows.
+ *
+ * An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+ * appropriate credentials to your GitHub workflow.
+ */
 export interface CacheFromGitHubActionsArgs {
     /**
      * The scope to use for cache keys. Defaults to `buildkit`.
@@ -112,23 +118,6 @@ export interface CacheFromGitHubActionsArgs {
      * workflow, otherwise caches will overwrite each other.
      */
     scope?: pulumi.Input<string>;
-    /**
-     * The GitHub Actions token to use. This is not a personal access tokens
-     * and is typically generated automatically as part of each job.
-     *
-     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     */
-    token?: pulumi.Input<string>;
-    /**
-     * The cache server URL to use for artifacts.
-     *
-     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     */
-    url?: pulumi.Input<string>;
 }
 /**
  * cacheFromGitHubActionsArgsProvideDefaults sets the appropriate defaults for CacheFromGitHubActionsArgs
@@ -137,8 +126,6 @@ export function cacheFromGitHubActionsArgsProvideDefaults(val: CacheFromGitHubAc
     return {
         ...val,
         scope: (val.scope) ?? "buildkit",
-        token: (val.token) ?? (utilities.getEnv("ACTIONS_RUNTIME_TOKEN") || ""),
-        url: (val.url) ?? (utilities.getEnv("ACTIONS_CACHE_URL") || ""),
     };
 }
 
@@ -303,6 +290,12 @@ export function cacheToAzureBlobArgsProvideDefaults(val: CacheToAzureBlobArgs):
     };
 }
 
+/**
+ * Recommended for use with GitHub Actions workflows.
+ *
+ * An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+ * appropriate credentials to your GitHub workflow.
+ */
 export interface CacheToGitHubActionsArgs {
     /**
      * Ignore errors caused by failed cache exports.
@@ -319,23 +312,6 @@ export interface CacheToGitHubActionsArgs {
      * workflow, otherwise caches will overwrite each other.
      */
     scope?: pulumi.Input<string>;
-    /**
-     * The GitHub Actions token to use. This is not a personal access tokens
-     * and is typically generated automatically as part of each job.
-     *
-     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     */
-    token?: pulumi.Input<string>;
-    /**
-     * The cache server URL to use for artifacts.
-     *
-     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     */
-    url?: pulumi.Input<string>;
 }
 /**
  * cacheToGitHubActionsArgsProvideDefaults sets the appropriate defaults for CacheToGitHubActionsArgs
@@ -346,8 +322,6 @@ export function cacheToGitHubActionsArgsProvideDefaults(val: CacheToGitHubAction
         ignoreError: (val.ignoreError) ?? false,
         mode: (val.mode) ?? "min",
         scope: (val.scope) ?? "buildkit",
-        token: (val.token) ?? (utilities.getEnv("ACTIONS_RUNTIME_TOKEN") || ""),
-        url: (val.url) ?? (utilities.getEnv("ACTIONS_CACHE_URL") || ""),
     };
 }
 

sdk/nodejs/types/output.ts

@@ -104,6 +104,12 @@ export interface CacheFromAzureBlob {
     secretAccessKey?: string;
 }
 
+/**
+ * Recommended for use with GitHub Actions workflows.
+ *
+ * An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+ * appropriate credentials to your GitHub workflow.
+ */
 export interface CacheFromGitHubActions {
     /**
      * The scope to use for cache keys. Defaults to `buildkit`.
@@ -112,23 +118,6 @@ export interface CacheFromGitHubActions {
      * workflow, otherwise caches will overwrite each other.
      */
     scope?: string;
-    /**
-     * The GitHub Actions token to use. This is not a personal access tokens
-     * and is typically generated automatically as part of each job.
-     *
-     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     */
-    token?: string;
-    /**
-     * The cache server URL to use for artifacts.
-     *
-     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     */
-    url?: string;
 }
 /**
  * cacheFromGitHubActionsProvideDefaults sets the appropriate defaults for CacheFromGitHubActions
@@ -137,8 +126,6 @@ export function cacheFromGitHubActionsProvideDefaults(val: CacheFromGitHubAction
     return {
         ...val,
         scope: (val.scope) ?? "buildkit",
-        token: (val.token) ?? (utilities.getEnv("ACTIONS_RUNTIME_TOKEN") || ""),
-        url: (val.url) ?? (utilities.getEnv("ACTIONS_CACHE_URL") || ""),
     };
 }
 
@@ -303,6 +290,12 @@ export function cacheToAzureBlobProvideDefaults(val: CacheToAzureBlob): CacheToA
     };
 }
 
+/**
+ * Recommended for use with GitHub Actions workflows.
+ *
+ * An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+ * appropriate credentials to your GitHub workflow.
+ */
 export interface CacheToGitHubActions {
     /**
      * Ignore errors caused by failed cache exports.
@@ -319,23 +312,6 @@ export interface CacheToGitHubActions {
      * workflow, otherwise caches will overwrite each other.
      */
     scope?: string;
-    /**
-     * The GitHub Actions token to use. This is not a personal access tokens
-     * and is typically generated automatically as part of each job.
-     *
-     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     */
-    token?: string;
-    /**
-     * The cache server URL to use for artifacts.
-     *
-     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-     * `crazy-max/ghaction-github-runtime` is recommended to expose this
-     * environment variable to your jobs.
-     */
-    url?: string;
 }
 /**
  * cacheToGitHubActionsProvideDefaults sets the appropriate defaults for CacheToGitHubActions
@@ -346,8 +322,6 @@ export function cacheToGitHubActionsProvideDefaults(val: CacheToGitHubActions):
         ignoreError: (val.ignoreError) ?? false,
         mode: (val.mode) ?? "min",
         scope: (val.scope) ?? "buildkit",
-        token: (val.token) ?? (utilities.getEnv("ACTIONS_RUNTIME_TOKEN") || ""),
-        url: (val.url) ?? (utilities.getEnv("ACTIONS_CACHE_URL") || ""),
     };
 }
 

sdk/python/pulumi_docker_build/_inputs.py

@@ -281,6 +281,12 @@ class CacheFromAzureBlobArgs:
 
 if not MYPY:
     class CacheFromGitHubActionsArgsDict(TypedDict):
+        """
+        Recommended for use with GitHub Actions workflows.
+
+        An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+        appropriate credentials to your GitHub workflow.
+        """
         scope: NotRequired[pulumi.Input[_builtins.str]]
         """
         The scope to use for cache keys. Defaults to `buildkit`.
@@ -288,61 +294,27 @@ if not MYPY:
         This should be set if building and caching multiple images in one
         workflow, otherwise caches will overwrite each other.
         """
-        token: NotRequired[pulumi.Input[_builtins.str]]
-        """
-        The GitHub Actions token to use. This is not a personal access tokens
-        and is typically generated automatically as part of each job.
-
-        Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-        `crazy-max/ghaction-github-runtime` is recommended to expose this
-        environment variable to your jobs.
-        """
-        url: NotRequired[pulumi.Input[_builtins.str]]
-        """
-        The cache server URL to use for artifacts.
-
-        Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-        `crazy-max/ghaction-github-runtime` is recommended to expose this
-        environment variable to your jobs.
-        """
 elif False:
     CacheFromGitHubActionsArgsDict: TypeAlias = Mapping[str, Any]
 
 @pulumi.input_type
 class CacheFromGitHubActionsArgs:
     def __init__(__self__, *,
-                 scope: Optional[pulumi.Input[_builtins.str]] = None,
+                 scope: Optional[pulumi.Input[_builtins.str]] = None):
-                 token: Optional[pulumi.Input[_builtins.str]] = None,
-                 url: Optional[pulumi.Input[_builtins.str]] = None):
         """
+        Recommended for use with GitHub Actions workflows.
+
+        An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+        appropriate credentials to your GitHub workflow.
         :param pulumi.Input[_builtins.str] scope: The scope to use for cache keys. Defaults to `buildkit`.
                
                This should be set if building and caching multiple images in one
                workflow, otherwise caches will overwrite each other.
-        :param pulumi.Input[_builtins.str] token: The GitHub Actions token to use. This is not a personal access tokens
-               and is typically generated automatically as part of each job.
-               
-               Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-               `crazy-max/ghaction-github-runtime` is recommended to expose this
-               environment variable to your jobs.
-        :param pulumi.Input[_builtins.str] url: The cache server URL to use for artifacts.
-               
-               Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-               `crazy-max/ghaction-github-runtime` is recommended to expose this
-               environment variable to your jobs.
         """
         if scope is None:
             scope = 'buildkit'
         if scope is not None:
             pulumi.set(__self__, "scope", scope)
-        if token is None:
-            token = (_utilities.get_env('ACTIONS_RUNTIME_TOKEN') or '')
-        if token is not None:
-            pulumi.set(__self__, "token", token)
-        if url is None:
-            url = (_utilities.get_env('ACTIONS_CACHE_URL') or '')
-        if url is not None:
-            pulumi.set(__self__, "url", url)
 
     @_builtins.property
     @pulumi.getter
@@ -359,39 +331,6 @@ class CacheFromGitHubActionsArgs:
     def scope(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "scope", value)
 
-    @_builtins.property
-    @pulumi.getter
-    def token(self) -> Optional[pulumi.Input[_builtins.str]]:
-        """
-        The GitHub Actions token to use. This is not a personal access tokens
-        and is typically generated automatically as part of each job.
-
-        Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-        `crazy-max/ghaction-github-runtime` is recommended to expose this
-        environment variable to your jobs.
-        """
-        return pulumi.get(self, "token")
-
-    @token.setter
-    def token(self, value: Optional[pulumi.Input[_builtins.str]]):
-        pulumi.set(self, "token", value)
-
-    @_builtins.property
-    @pulumi.getter
-    def url(self) -> Optional[pulumi.Input[_builtins.str]]:
-        """
-        The cache server URL to use for artifacts.
-
-        Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-        `crazy-max/ghaction-github-runtime` is recommended to expose this
-        environment variable to your jobs.
-        """
-        return pulumi.get(self, "url")
-
-    @url.setter
-    def url(self, value: Optional[pulumi.Input[_builtins.str]]):
-        pulumi.set(self, "url", value)
-
 
 if not MYPY:
     class CacheFromLocalArgsDict(TypedDict):
@@ -977,6 +916,12 @@ class CacheToAzureBlobArgs:
 
 if not MYPY:
     class CacheToGitHubActionsArgsDict(TypedDict):
+        """
+        Recommended for use with GitHub Actions workflows.
+
+        An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+        appropriate credentials to your GitHub workflow.
+        """
         ignore_error: NotRequired[pulumi.Input[_builtins.bool]]
         """
         Ignore errors caused by failed cache exports.
@@ -992,23 +937,6 @@ if not MYPY:
         This should be set if building and caching multiple images in one
         workflow, otherwise caches will overwrite each other.
         """
-        token: NotRequired[pulumi.Input[_builtins.str]]
-        """
-        The GitHub Actions token to use. This is not a personal access tokens
-        and is typically generated automatically as part of each job.
-
-        Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-        `crazy-max/ghaction-github-runtime` is recommended to expose this
-        environment variable to your jobs.
-        """
-        url: NotRequired[pulumi.Input[_builtins.str]]
-        """
-        The cache server URL to use for artifacts.
-
-        Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-        `crazy-max/ghaction-github-runtime` is recommended to expose this
-        environment variable to your jobs.
-        """
 elif False:
     CacheToGitHubActionsArgsDict: TypeAlias = Mapping[str, Any]
 
@@ -1017,27 +945,18 @@ class CacheToGitHubActionsArgs:
     def __init__(__self__, *,
                  ignore_error: Optional[pulumi.Input[_builtins.bool]] = None,
                  mode: Optional[pulumi.Input['CacheMode']] = None,
-                 scope: Optional[pulumi.Input[_builtins.str]] = None,
+                 scope: Optional[pulumi.Input[_builtins.str]] = None):
-                 token: Optional[pulumi.Input[_builtins.str]] = None,
-                 url: Optional[pulumi.Input[_builtins.str]] = None):
         """
+        Recommended for use with GitHub Actions workflows.
+
+        An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+        appropriate credentials to your GitHub workflow.
         :param pulumi.Input[_builtins.bool] ignore_error: Ignore errors caused by failed cache exports.
         :param pulumi.Input['CacheMode'] mode: The cache mode to use. Defaults to `min`.
         :param pulumi.Input[_builtins.str] scope: The scope to use for cache keys. Defaults to `buildkit`.
                
                This should be set if building and caching multiple images in one
                workflow, otherwise caches will overwrite each other.
-        :param pulumi.Input[_builtins.str] token: The GitHub Actions token to use. This is not a personal access tokens
-               and is typically generated automatically as part of each job.
-               
-               Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-               `crazy-max/ghaction-github-runtime` is recommended to expose this
-               environment variable to your jobs.
-        :param pulumi.Input[_builtins.str] url: The cache server URL to use for artifacts.
-               
-               Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-               `crazy-max/ghaction-github-runtime` is recommended to expose this
-               environment variable to your jobs.
         """
         if ignore_error is None:
             ignore_error = False
@@ -1051,14 +970,6 @@ class CacheToGitHubActionsArgs:
             scope = 'buildkit'
         if scope is not None:
             pulumi.set(__self__, "scope", scope)
-        if token is None:
-            token = (_utilities.get_env('ACTIONS_RUNTIME_TOKEN') or '')
-        if token is not None:
-            pulumi.set(__self__, "token", token)
-        if url is None:
-            url = (_utilities.get_env('ACTIONS_CACHE_URL') or '')
-        if url is not None:
-            pulumi.set(__self__, "url", url)
 
     @_builtins.property
     @pulumi.getter(name="ignoreError")
@@ -1099,39 +1010,6 @@ class CacheToGitHubActionsArgs:
     def scope(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "scope", value)
 
-    @_builtins.property
-    @pulumi.getter
-    def token(self) -> Optional[pulumi.Input[_builtins.str]]:
-        """
-        The GitHub Actions token to use. This is not a personal access tokens
-        and is typically generated automatically as part of each job.
-
-        Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-        `crazy-max/ghaction-github-runtime` is recommended to expose this
-        environment variable to your jobs.
-        """
-        return pulumi.get(self, "token")
-
-    @token.setter
-    def token(self, value: Optional[pulumi.Input[_builtins.str]]):
-        pulumi.set(self, "token", value)
-
-    @_builtins.property
-    @pulumi.getter
-    def url(self) -> Optional[pulumi.Input[_builtins.str]]:
-        """
-        The cache server URL to use for artifacts.
-
-        Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-        `crazy-max/ghaction-github-runtime` is recommended to expose this
-        environment variable to your jobs.
-        """
-        return pulumi.get(self, "url")
-
-    @url.setter
-    def url(self, value: Optional[pulumi.Input[_builtins.str]]):
-        pulumi.set(self, "url", value)
-
 
 if not MYPY:
     class CacheToInlineArgsDict(TypedDict):

sdk/python/pulumi_docker_build/outputs.py

@@ -293,39 +293,28 @@ class CacheFromAzureBlob(dict):
 
 @pulumi.output_type
 class CacheFromGitHubActions(dict):
+    """
+    Recommended for use with GitHub Actions workflows.
+
+    An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+    appropriate credentials to your GitHub workflow.
+    """
     def __init__(__self__, *,
-                 scope: Optional[_builtins.str] = None,
+                 scope: Optional[_builtins.str] = None):
-                 token: Optional[_builtins.str] = None,
-                 url: Optional[_builtins.str] = None):
         """
+        Recommended for use with GitHub Actions workflows.
+
+        An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+        appropriate credentials to your GitHub workflow.
         :param _builtins.str scope: The scope to use for cache keys. Defaults to `buildkit`.
                
                This should be set if building and caching multiple images in one
                workflow, otherwise caches will overwrite each other.
-        :param _builtins.str token: The GitHub Actions token to use. This is not a personal access tokens
-               and is typically generated automatically as part of each job.
-               
-               Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-               `crazy-max/ghaction-github-runtime` is recommended to expose this
-               environment variable to your jobs.
-        :param _builtins.str url: The cache server URL to use for artifacts.
-               
-               Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-               `crazy-max/ghaction-github-runtime` is recommended to expose this
-               environment variable to your jobs.
         """
         if scope is None:
             scope = 'buildkit'
         if scope is not None:
             pulumi.set(__self__, "scope", scope)
-        if token is None:
-            token = (_utilities.get_env('ACTIONS_RUNTIME_TOKEN') or '')
-        if token is not None:
-            pulumi.set(__self__, "token", token)
-        if url is None:
-            url = (_utilities.get_env('ACTIONS_CACHE_URL') or '')
-        if url is not None:
-            pulumi.set(__self__, "url", url)
 
     @_builtins.property
     @pulumi.getter
@@ -338,31 +327,6 @@ class CacheFromGitHubActions(dict):
         """
         return pulumi.get(self, "scope")
 
-    @_builtins.property
-    @pulumi.getter
-    def token(self) -> Optional[_builtins.str]:
-        """
-        The GitHub Actions token to use. This is not a personal access tokens
-        and is typically generated automatically as part of each job.
-
-        Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-        `crazy-max/ghaction-github-runtime` is recommended to expose this
-        environment variable to your jobs.
-        """
-        return pulumi.get(self, "token")
-
-    @_builtins.property
-    @pulumi.getter
-    def url(self) -> Optional[_builtins.str]:
-        """
-        The cache server URL to use for artifacts.
-
-        Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-        `crazy-max/ghaction-github-runtime` is recommended to expose this
-        environment variable to your jobs.
-        """
-        return pulumi.get(self, "url")
-
 
 @pulumi.output_type
 class CacheFromLocal(dict):
@@ -784,6 +748,12 @@ class CacheToAzureBlob(dict):
 
 @pulumi.output_type
 class CacheToGitHubActions(dict):
+    """
+    Recommended for use with GitHub Actions workflows.
+
+    An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+    appropriate credentials to your GitHub workflow.
+    """
     @staticmethod
     def __key_warning(key: str):
         suggest = None
@@ -804,27 +774,18 @@ class CacheToGitHubActions(dict):
     def __init__(__self__, *,
                  ignore_error: Optional[_builtins.bool] = None,
                  mode: Optional['CacheMode'] = None,
-                 scope: Optional[_builtins.str] = None,
+                 scope: Optional[_builtins.str] = None):
-                 token: Optional[_builtins.str] = None,
-                 url: Optional[_builtins.str] = None):
         """
+        Recommended for use with GitHub Actions workflows.
+
+        An action like `crazy-max/ghaction-github-runtime` is recommended to expose
+        appropriate credentials to your GitHub workflow.
         :param _builtins.bool ignore_error: Ignore errors caused by failed cache exports.
         :param 'CacheMode' mode: The cache mode to use. Defaults to `min`.
         :param _builtins.str scope: The scope to use for cache keys. Defaults to `buildkit`.
                
                This should be set if building and caching multiple images in one
                workflow, otherwise caches will overwrite each other.
-        :param _builtins.str token: The GitHub Actions token to use. This is not a personal access tokens
-               and is typically generated automatically as part of each job.
-               
-               Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-               `crazy-max/ghaction-github-runtime` is recommended to expose this
-               environment variable to your jobs.
-        :param _builtins.str url: The cache server URL to use for artifacts.
-               
-               Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-               `crazy-max/ghaction-github-runtime` is recommended to expose this
-               environment variable to your jobs.
         """
         if ignore_error is None:
             ignore_error = False
@@ -838,14 +799,6 @@ class CacheToGitHubActions(dict):
             scope = 'buildkit'
         if scope is not None:
             pulumi.set(__self__, "scope", scope)
-        if token is None:
-            token = (_utilities.get_env('ACTIONS_RUNTIME_TOKEN') or '')
-        if token is not None:
-            pulumi.set(__self__, "token", token)
-        if url is None:
-            url = (_utilities.get_env('ACTIONS_CACHE_URL') or '')
-        if url is not None:
-            pulumi.set(__self__, "url", url)
 
     @_builtins.property
     @pulumi.getter(name="ignoreError")
@@ -874,31 +827,6 @@ class CacheToGitHubActions(dict):
         """
         return pulumi.get(self, "scope")
 
-    @_builtins.property
-    @pulumi.getter
-    def token(self) -> Optional[_builtins.str]:
-        """
-        The GitHub Actions token to use. This is not a personal access tokens
-        and is typically generated automatically as part of each job.
-
-        Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
-        `crazy-max/ghaction-github-runtime` is recommended to expose this
-        environment variable to your jobs.
-        """
-        return pulumi.get(self, "token")
-
-    @_builtins.property
-    @pulumi.getter
-    def url(self) -> Optional[_builtins.str]:
-        """
-        The cache server URL to use for artifacts.
-
-        Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
-        `crazy-max/ghaction-github-runtime` is recommended to expose this
-        environment variable to your jobs.
-        """
-        return pulumi.get(self, "url")
-
 
 @pulumi.output_type
 class CacheToInline(dict):