[internal] Update GitHub Actions workflow files

.config/mise.lock

@@ -8,10 +8,8 @@ backend = "github:pulumi/pulumictl"
 
 [tools."github:pulumi/pulumictl".platforms.linux-x64]
 checksum = "blake3:c128dd74993f779c613296fe7cd21c20cbd323f24e59cb76e007620660b60348"
-name = "pulumictl-v0.0.50-linux-amd64.tar.gz"
 size = 27744219
 url = "https://github.com/pulumi/pulumictl/releases/download/v0.0.50/pulumictl-v0.0.50-linux-amd64.tar.gz"
-url_api = ""
 
 [[tools."github:pulumi/schema-tools"]]
 version = "0.6.0"
@@ -19,69 +17,29 @@ backend = "github:pulumi/schema-tools"
 
 [tools."github:pulumi/schema-tools".platforms.linux-x64]
 checksum = "blake3:82dfe616fee18b4258f6e3d2dc3c4e9f14afd43a0a4cc33eff2d2a04088d6ca3"
-name = "schema-tools-v0.6.0-linux-amd64.tar.gz"
 size = 14282746
 url = "https://github.com/pulumi/schema-tools/releases/download/v0.6.0/schema-tools-v0.6.0-linux-amd64.tar.gz"
-url_api = ""
 
 [[tools.go]]
-version = "1.24.1"
+version = "1.21.13"
 backend = "core:go"
 
-[tools.go.platforms.linux-x64]
-checksum = "sha256:cb2396bae64183cdccf81a9a6df0aea3bce9511fc21469fb89a0c00470088073"
-size = 78503123
-url = "https://dl.google.com/go/go1.24.1.linux-amd64.tar.gz"
-
-[[tools.golangci-lint]]
-version = "1.64.8"
-backend = "aqua:golangci/golangci-lint"
-
-[tools.golangci-lint.platforms.linux-x64]
-checksum = "sha256:b6270687afb143d019f387c791cd2a6f1cb383be9b3124d241ca11bd3ce2e54e"
-size = 12364828
-url = "https://github.com/golangci/golangci-lint/releases/download/v1.64.8/golangci-lint-1.64.8-linux-amd64.tar.gz"
-
 [[tools.gradle]]
 version = "7.6.6"
 backend = "aqua:gradle/gradle"
 
-[tools.gradle.platforms.linux-x64]
-checksum = "blake3:5cad8fc455b720b68a0bd2907d435e2919581708243f84f27845fe8812a09323"
-size = 128439774
-url = "https://github.com/gradle/gradle-distributions/releases/download/v7.6.6/gradle-7.6.6-bin.zip"
-
 [[tools.java]]
 version = "corretto-11.0.28.6.1"
 backend = "core:java"
 
-[tools.java.platforms.linux-x64]
-checksum = "sha256:70734c46e0bbeb7f45b721756ba0b2f1f1e1ef85a11e10d5a488f06b257dadd9"
-size = 195648709
-url = "https://corretto.aws/downloads/resources/11.0.28.6.1/amazon-corretto-11.0.28.6.1-linux-x64.tar.gz"
-
 [[tools.node]]
 version = "20.19.5"
 backend = "core:node"
 
-[tools.node.platforms.linux-x64]
-checksum = "sha256:4eba5fbe1fb10753bc06e42f001a91c5cec16798b7764a3e9257adc59af47fe1"
-size = 47041607
-url = "https://nodejs.org/dist/v20.19.5/node-v20.19.5-linux-x64.tar.gz"
-
-[[tools."npm:yarn"]]
-version = "1.22.22"
-backend = "npm:yarn"
-
 [[tools.pulumi]]
-version = "3.192.0"
+version = "3.198.0"
 backend = "aqua:pulumi/pulumi"
 
-[tools.pulumi.platforms.linux-x64]
-checksum = "sha512:6351213bee02ade5b76407d9b43cdb243fa461ca38231b03410de5aa1f697e55ab6467da2a9e37ebbff7be6cd3485d833e9ad8f29d4de6919bbdd471fb25e45a"
-size = 92867578
-url = "https://github.com/pulumi/pulumi/releases/download/v3.192.0/pulumi-v3.192.0-linux-x64.tar.gz"
-
 [[tools.python]]
 version = "3.11.8"
 backend = "core:python"

.config/mise.toml

@@ -8,20 +8,18 @@ _.source = "{{config_root}}/scripts/get-versions.sh"
 
 # Runtimes
 # TODO: we may not need `get_env` once https://github.com/jdx/mise/discussions/6339 is fixed
-go = "{{ get_env(name='GO_VERSION_MISE', default='latest') }}"
-node = '20.19.5'
+go = "{{ get_env(name='MISE_GO_VERSION', default='latest') }}"
+node = '20'
 python = '3.11.8'
-dotnet = '8.0.414'
+dotnet = '8.0'
 # Corretto version used as Java SE/OpenJDK version no longer offered
 java = 'corretto-11'
 
 # Executable tools
-pulumi = "{{ get_env(name='PULUMI_VERSION_MISE', default='latest') }}"
+pulumi = "{{ get_env(name='MISE_PULUMI_VERSION', default='latest') }}"
 "github:pulumi/pulumictl" = 'latest'
 "github:pulumi/schema-tools" = "latest"
 gradle = '7.6'
-golangci-lint = "1.64.8" # See note about about overrides if you need to customize this.
-"npm:yarn" = "1.22.22"
 
 [settings]
 experimental = true # Required for Go binaries (e.g. pulumictl).

.github/workflows/build.yml

@@ -16,7 +16,9 @@ on:
   workflow_dispatch: {}
 env:
   PROVIDER: docker-build
+  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
   TRAVIS_OS_NAME: linux
+  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
   GOVERSION: "1.21.x"
   NODEVERSION: "20.x"
   PYTHONVERSION: "3.11.8"
@@ -125,7 +127,6 @@ jobs:
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
-          sdk/java/build.gradle
     - name: Commit SDK changes for Renovate
       if: failure() && steps.worktreeClean.outcome == 'failure' &&
         contains(github.actor, 'renovate') && github.event_name ==
@@ -253,7 +254,7 @@ jobs:
     - name: Install Pulumi CLI
       uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Node
-      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
@@ -272,7 +273,7 @@ jobs:
         distribution: temurin
         cache: gradle
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
+      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
       with:
         gradle-version: "7.6"
     - name: Download provider
@@ -301,7 +302,6 @@ jobs:
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
-          sdk/java/build.gradle
     - name: Commit SDK changes for Renovate
       if: failure() && steps.worktreeClean.outcome == 'failure' &&
         contains(github.actor, 'renovate') && github.event_name ==
@@ -454,7 +454,7 @@ jobs:
     - name: Install Pulumi CLI
       uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Node
-      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
@@ -473,7 +473,7 @@ jobs:
         distribution: temurin
         cache: gradle
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
+      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
       with:
         gradle-version: "7.6"
     - name: Download provider
@@ -604,7 +604,7 @@ jobs:
     - name: Install Pulumi CLI
       uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
+      uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
       with:
         aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }}
         aws-region: us-east-2
@@ -681,7 +681,7 @@ jobs:
     - name: Install Pulumi CLI
       uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Node
-      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
@@ -762,7 +762,8 @@ jobs:
       uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6.5.2
       with:
         version: ${{ env.GOLANGCI_LINT_VERSION }}
-        working-directory: .
+        args: -c ../.golangci.yml
+        working-directory: provider
     name: lint
     if: github.event_name == 'repository_dispatch' ||
       github.event.pull_request.head.repo.full_name == github.repository

.github/workflows/comment-on-stale-issues.yml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     name: Stale issue job
     steps:
-    - uses: aws-actions/stale-issue-cleanup@5650b49bcd757a078f6ca06c373d7807b773f9bc # v7.1.0
+    - uses: aws-actions/stale-issue-cleanup@5650b49bcd757a078f6ca06c373d7807b773f9bc #v7.1.0
       with:
         issue-types: issues # only look at issues (ignore pull-requests)
 

.github/workflows/prerelease.yml

@@ -7,7 +7,9 @@ on:
     - v*.*.*-**
 env:
   PROVIDER: docker-build
+  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
   TRAVIS_OS_NAME: linux
+  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
   GOVERSION: "1.21.x"
   NODEVERSION: "20.x"
   PYTHONVERSION: "3.11.8"
@@ -114,7 +116,6 @@ jobs:
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
-          sdk/java/build.gradle
     - name: Commit SDK changes for Renovate
       if: failure() && steps.worktreeClean.outcome == 'failure' &&
         contains(github.actor, 'renovate') && github.event_name ==
@@ -242,7 +243,7 @@ jobs:
     - name: Install Pulumi CLI
       uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Node
-      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
@@ -261,7 +262,7 @@ jobs:
         distribution: temurin
         cache: gradle
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
+      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
       with:
         gradle-version: "7.6"
     - name: Download provider
@@ -290,7 +291,6 @@ jobs:
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
-          sdk/java/build.gradle
     - name: Commit ${{ matrix.language }} SDK changes for Renovate
       if: failure() && steps.worktreeClean.outcome == 'failure' &&
         contains(github.actor, 'renovate') && github.event_name ==
@@ -407,7 +407,7 @@ jobs:
     - name: Install Pulumi CLI
       uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Node
-      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
@@ -426,7 +426,7 @@ jobs:
         distribution: temurin
         cache: gradle
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
+      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
       with:
         gradle-version: "7.6"
     - name: Download provider
@@ -557,7 +557,7 @@ jobs:
     - name: Install Pulumi CLI
       uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
+      uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
       with:
         aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }}
         aws-region: us-east-2
@@ -634,7 +634,7 @@ jobs:
     - name: Install Pulumi CLI
       uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Node
-      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
@@ -736,7 +736,7 @@ jobs:
         distribution: temurin
         cache: gradle
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
+      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
       with:
         gradle-version: "7.6"
     - name: Download java SDK
@@ -748,7 +748,7 @@ jobs:
       run: tar -zxf ${{github.workspace}}/sdk/java.tar.gz -C
         ${{github.workspace}}/sdk/java
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
+      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
       with:
         gradle-version: "7.6"
     - name: Publish Java SDK

.github/workflows/release.yml

@@ -8,7 +8,9 @@ on:
     - "!v*.*.*-**"
 env:
   PROVIDER: docker-build
+  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
   TRAVIS_OS_NAME: linux
+  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
   GOVERSION: "1.21.x"
   NODEVERSION: "20.x"
   PYTHONVERSION: "3.11.8"
@@ -117,7 +119,6 @@ jobs:
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
-          sdk/java/build.gradle
     - name: Commit SDK changes for Renovate
       if: failure() && steps.worktreeClean.outcome == 'failure' &&
         contains(github.actor, 'renovate') && github.event_name ==
@@ -245,7 +246,7 @@ jobs:
     - name: Install Pulumi CLI
       uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Node
-      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
@@ -264,7 +265,7 @@ jobs:
         distribution: temurin
         cache: gradle
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
+      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
       with:
         gradle-version: "7.6"
     - name: Download provider
@@ -293,7 +294,6 @@ jobs:
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
-          sdk/java/build.gradle
     - name: Commit SDK changes for Renovate
       if: failure() && steps.worktreeClean.outcome == 'failure' &&
         contains(github.actor, 'renovate') && github.event_name ==
@@ -410,7 +410,7 @@ jobs:
     - name: Install Pulumi CLI
       uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Node
-      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
@@ -429,7 +429,7 @@ jobs:
         distribution: temurin
         cache: gradle
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
+      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
       with:
         gradle-version: "7.6"
     - name: Download provider
@@ -560,7 +560,7 @@ jobs:
     - name: Install Pulumi CLI
       uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
+      uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
       with:
         aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }}
         aws-region: us-east-2
@@ -637,7 +637,7 @@ jobs:
     - name: Install Pulumi CLI
       uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Node
-      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
@@ -739,7 +739,7 @@ jobs:
         distribution: temurin
         cache: gradle
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
+      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
       with:
         gradle-version: "7.6"
     - name: Download java SDK
@@ -751,7 +751,7 @@ jobs:
       run: tar -zxf ${{github.workspace}}/sdk/java.tar.gz -C
         ${{github.workspace}}/sdk/java
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
+      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
       with:
         gradle-version: "7.6"
     - name: Publish Java SDK

.github/workflows/release_command.yml

@@ -37,7 +37,7 @@ jobs:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     - if: failure()
       name: Notify failure
-      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
+      uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
@@ -46,7 +46,7 @@ jobs:
           "release command failed: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}"
     - if: success()
       name: Notify success
-      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
+      uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         repository: ${{ github.event.client_payload.github.payload.repository.full_name }}

.github/workflows/run-acceptance-tests.yml

@@ -11,7 +11,9 @@ on:
   workflow_dispatch: {}
 env:
   PROVIDER: docker-build
+  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
   TRAVIS_OS_NAME: linux
+  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
   GOVERSION: "1.21.x"
   NODEVERSION: "20.x"
   PYTHONVERSION: "3.11.8"
@@ -49,7 +51,7 @@ jobs:
         "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID"
         >> "$GITHUB_OUTPUT"
     - name: Update with Result
-      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
+      uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
       with:
         token: ${{ secrets.GITHUB_TOKEN }}
         repository: ${{ github.event.client_payload.github.payload.repository.full_name }}
@@ -145,7 +147,6 @@ jobs:
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
-          sdk/java/build.gradle
     - name: Commit SDK changes for Renovate
       if: failure() && steps.worktreeClean.outcome == 'failure' &&
         contains(github.actor, 'renovate') && github.event_name ==
@@ -277,7 +278,7 @@ jobs:
     - name: Install Pulumi CLI
       uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Node
-      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
@@ -296,7 +297,7 @@ jobs:
         distribution: temurin
         cache: gradle
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
+      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
       with:
         gradle-version: "7.6"
     - name: Download provider
@@ -325,7 +326,6 @@ jobs:
           sdk/go/**/pulumiUtilities.go
           sdk/nodejs/package.json
           sdk/python/pyproject.toml
-          sdk/java/build.gradle
     - name: Commit SDK changes for Renovate
       if: failure() && steps.worktreeClean.outcome == 'failure' &&
         contains(github.actor, 'renovate') && github.event_name ==
@@ -446,7 +446,7 @@ jobs:
     - name: Install Pulumi CLI
       uses: pulumi/actions@cc7494be991dba0978f7ffafaf995b0449a0998e # v6.5.0
     - name: Setup Node
-      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
@@ -465,7 +465,7 @@ jobs:
         distribution: temurin
         cache: gradle
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
+      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
       with:
         gradle-version: "7.6"
     - name: Download provider
@@ -606,7 +606,8 @@ jobs:
       uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6.5.2
       with:
         version: ${{ env.GOLANGCI_LINT_VERSION }}
-        working-directory: .
+        args: -c ../.golangci.yml
+        working-directory: provider
     name: lint
     if: github.event_name == 'repository_dispatch' ||
       github.event.pull_request.head.repo.full_name == github.repository

.github/workflows/weekly-pulumi-update.yml

@@ -8,7 +8,9 @@ on:
 env:
   GITHUB_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
   PROVIDER: docker-build
+  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
   TRAVIS_OS_NAME: linux
+  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
   GOVERSION: "1.21.x"
   NODEVERSION: "20.x"
   PYTHONVERSION: "3.11.8"
@@ -62,7 +64,7 @@ jobs:
       with:
         dotnet-version: ${{ env.DOTNETVERSION }}
     - name: Setup Node
-      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
       with:
         node-version: ${{ env.NODEVERSION }}
         registry-url: https://registry.npmjs.org
@@ -77,7 +79,7 @@ jobs:
         distribution: temurin
         cache: gradle
     - name: Setup Gradle
-      uses: gradle/actions/setup-gradle@4d9f0ba0025fe599b4ebab900eb7f3a1d93ef4c2 # v5.0.0
+      uses: gradle/actions/setup-gradle@ed408507eac070d1f99cc633dbcf757c94c7933a # v4.4.3
       with:
         gradle-version: "7.6"
     - name: Update Pulumi/Pulumi

CHANGELOG.md

@@ -1,15 +1,5 @@
 ## Unreleased
 
-## Changed
-
-- Arguments `CacheFromGitHubActions.URL` and `CacheFromGitHubActions.Token` have been removed. If the previous behaviour is desired, set the `ACTIONS_CACHE_URL` and `ACTIONS_RUNTIME_TOKEN` environment variables. (https://github.com/pulumi/pulumi-docker-build/issues/75)
-
-## 0.0.14 (2025-09-30)
-
-### Fixed
-
-- A warning is no longer emitted for the reserved `__internal` key. (https://github.com/pulumi/pulumi-docker-build/issues/579)
-
 ## 0.0.13 (2025-08-27)
 
 ### Changed

Makefile

@@ -17,9 +17,8 @@ WORKING_DIR      := $(shell pwd)
 EXAMPLES_DIR     := ${WORKING_DIR}/examples/yaml
 TESTPARALLELISM  := 4
 
-PULUMI           := pulumi
-GOGLANGCILINT    := golangci-lint
-GOTEST           := go test
+PULUMI           := bin/pulumi
+GOGLANGCILINT    := bin/golangci-lint
 
 # Override during CI using `make [TARGET] PROVIDER_VERSION=""` or by setting a PROVIDER_VERSION environment variable
 # Local & branch builds will just used this fixed default version unless specified
@@ -47,10 +46,10 @@ provider_debug::
 	(cd provider && go build -o $(WORKING_DIR)/bin/${PROVIDER} -gcflags="all=-N -l" -ldflags "-X ${PROJECT}/${VERSION_PATH}=${VERSION_GENERIC}" $(PROJECT)/${PROVIDER_PATH}/cmd/$(PROVIDER))
 
 test_provider:: # Required by CI
-	${GOTEST} -short -v -coverprofile="coverage.txt" -coverpkg=./provider/... -timeout 2h -parallel ${TESTPARALLELISM} ./provider/...
+	go test -short -v -coverprofile="coverage.txt" -coverpkg=./provider/... -timeout 2h -parallel ${TESTPARALLELISM} ./provider/...
 
 test_examples: install_nodejs_sdk install_dotnet_sdk
-	${GOTEST} -short -v -cover -tags=all -timeout 2h -parallel ${TESTPARALLELISM} ./examples/...
+	go test -short -v -cover -tags=all -timeout 2h -parallel ${TESTPARALLELISM} ./examples/...
 
 test_all:: test_provider test_examples
 
@@ -64,26 +63,38 @@ examples/yaml:
 	rm -rf ${WORKING_DIR}/examples/yaml/app
 	cp -r ${WORKING_DIR}/examples/app ${WORKING_DIR}/examples/yaml/app
 
-examples/go: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/go: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,go)
 	@git checkout examples/go/go.mod
 
-examples/nodejs: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/nodejs: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,nodejs)
 	@git checkout examples/nodejs/package.json
 
-examples/python: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/python: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,python)
 	@git checkout examples/python/requirements.txt
 
-examples/dotnet: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/dotnet: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,dotnet)
 	@git checkout examples/dotnet/provider-docker-build.csproj
 
-examples/java: bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
+examples/java: ${PULUMI} bin/${PROVIDER} ${WORKING_DIR}/examples/yaml/Pulumi.yaml
 	$(call example,java)
 	@git checkout examples/java/pom.xml
 
+${PULUMI}: go.sum
+	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi/pkg/v3/cmd/pulumi
+	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi/sdk/go/pulumi-language-go/v3
+	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi/sdk/nodejs/cmd/pulumi-language-nodejs/v3
+	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi/sdk/python/cmd/pulumi-language-python/v3
+	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi-java/pkg/cmd/pulumi-language-java
+	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3
+	GOBIN=${WORKING_DIR}/bin go install github.com/pulumi/pulumi-yaml/cmd/pulumi-converter-yaml
+
+${GOGLANGCILINT}: go.sum
+	GOBIN=${WORKING_DIR}/bin go install github.com/golangci/golangci-lint/cmd/golangci-lint@8b37f14
+
 define pulumi_login
     export PULUMI_CONFIG_PASSPHRASE=asdfqwerty1234; \
     pulumi login --local;
@@ -91,7 +102,7 @@ endef
 
 define example
 	rm -rf ${WORKING_DIR}/examples/$(1)
-	pulumi convert \
+	$(PULUMI) convert \
 		--cwd ${WORKING_DIR}/examples/yaml \
 		--logtostderr \
 		--generate-only \
@@ -129,7 +140,7 @@ build:: provider sdk/dotnet sdk/go sdk/nodejs sdk/python sdk/java ${SCHEMA_PATH}
 only_build:: build
 
 .PHONY: lint
-lint:
+lint: ${GOGLANGCILINT}
 	${GOGLANGCILINT} run --fix -c .golangci.yml
 
 install:: install_nodejs_sdk install_dotnet_sdk
@@ -194,7 +205,7 @@ sdk: sdk/python sdk/nodejs sdk/java sdk/python sdk/go sdk/dotnet
 .PHONY: sdk/*
 
 sdk/python: TMPDIR := $(shell mktemp -d)
-sdk/python: bin/${PROVIDER}
+sdk/python: $(PULUMI) bin/${PROVIDER}
 	rm -rf sdk/python
 	$(PULUMI) package gen-sdk ./bin/$(PROVIDER) --language python -o ${TMPDIR}
 	cp README.md ${TMPDIR}/python/
@@ -207,7 +218,7 @@ sdk/python: bin/${PROVIDER}
 	mv -f ${TMPDIR}/python ${WORKING_DIR}/sdk/.
 
 sdk/nodejs: TMPDIR := $(shell mktemp -d)
-sdk/nodejs: bin/${PROVIDER}
+sdk/nodejs: $(PULUMI) bin/${PROVIDER}
 	rm -rf sdk/nodejs
 	$(PULUMI) package gen-sdk ./bin/$(PROVIDER) --language nodejs -o ${TMPDIR}
 	cp README.md LICENSE ${TMPDIR}/nodejs
@@ -219,7 +230,7 @@ sdk/nodejs: bin/${PROVIDER}
 
 sdk/go: TMPDIR := $(shell mktemp -d)
 sdk/go: PATH := "$(WORKING_DIR)/bin:$(PATH)"
-sdk/go: bin/${PROVIDER}
+sdk/go: $(PULUMI) bin/${PROVIDER}
 	rm -rf sdk/go
 	PATH=$(PATH) $(PULUMI) package gen-sdk ./bin/$(PROVIDER) --language go -o ${TMPDIR}
 	cp go.mod ${TMPDIR}/go/dockerbuild/go.mod
@@ -229,7 +240,7 @@ sdk/go: bin/${PROVIDER}
 	mv -f ${TMPDIR}/go ${WORKING_DIR}/sdk/go
 
 sdk/dotnet: TMPDIR := $(shell mktemp -d)
-sdk/dotnet: bin/${PROVIDER}
+sdk/dotnet: $(PULUMI) bin/${PROVIDER}
 	rm -rf sdk/dotnet
 	$(PULUMI) package gen-sdk ./bin/${PROVIDER} --language dotnet -o ${TMPDIR}
 	cd ${TMPDIR}/dotnet/ && \
@@ -239,7 +250,7 @@ sdk/dotnet: bin/${PROVIDER}
 
 sdk/java: PACKAGE_VERSION := $(shell pulumictl convert-version --language generic -v "$(VERSION_GENERIC)")
 sdk/java: TMPDIR := $(shell mktemp -d)
-sdk/java: bin/${PROVIDER}
+sdk/java: $(PULUMI) bin/${PROVIDER}
 	rm -rf sdk/java
 	$(PULUMI) package gen-sdk --language java ./bin/${PROVIDER} -o ${TMPDIR}
 	cd ${TMPDIR}/java/ && gradle --console=plain build

docs/_index.md

@@ -1,428 +0,0 @@
----
-title: Docker Build
-meta_desc: Provides an overview of the Docker Build Provider for Pulumi.
-layout: package
----
-
-The Docker Build provider leverages [buildx and BuildKit](https://docs.docker.com/build/architecture/) to build modern Docker images with Pulumi.
-
-Not to be confused with the earlier
-[Docker](../docker) provider, which is still
-appropriate for managing resources unrelated to building images.
-
-| Provider               | Use cases                                                               |
-| ----------------       | ----------------------------------------------------------------------- |
-| `@pulumi/docker-build` | Anything related to building images with `docker build`.                |
-| `@pulumi/docker`       | Everything else -- including running containers and creating networks.  |
-
-## Example
-
-If your Pulumi program has a directory called `app` alongside it, containing a
-file named "Dockerfile" (which can be as simple as `FROM alpine` for the
-purpose of example), then the code below shows how to build a multi-platform
-image, publish it to a remote AWS ECR registry, and use an [inline
-cache](https://docs.docker.com/build/cache/backends/inline/) to speed up
-subsequent builds.
-
-{{< chooser language "typescript,python,csharp,go,yaml,java" / >}}
-
-{{% choosable language typescript %}}
-
-```typescript
-import * as aws from "@pulumi/aws";
-import * as docker_build from "@pulumi/docker-build";
-
-// Create an ECR repository for pushing.
-const ecrRepository = new aws.ecr.Repository("ecr-repository", {});
-
-// Grab auth credentials for ECR.
-const authToken = aws.ecr.getAuthorizationTokenOutput({
-    registryId: ecrRepository.registryId,
-});
-
-// Build and push an image to ECR with inline caching.
-const myImage = new docker_build.Image("my-image", {
-    // Tag our image with our ECR repository's address.
-    tags: [pulumi.interpolate`${ecrRepository.repositoryUrl}:latest`],
-    context: {
-        location: "./app",
-    },
-    // Use the pushed image as a cache source.
-    cacheFrom: [{
-        registry: {
-            ref: pulumi.interpolate`${ecrRepository.repositoryUrl}:latest`,
-        },
-    }],
-    // Include an inline cache with our pushed image.
-    cacheTo: [{
-        inline: {},
-    }],
-    // Build a multi-platform image manifest for ARM and AMD.
-    platforms: [
-        "linux/amd64",
-        "linux/arm64",
-    ],
-    // Push the final result to ECR.
-    push: true,
-    // Provide our ECR credentials.
-    registries: [{
-        address: ecrRepository.repositoryUrl,
-        password: authToken.password,
-        username: authToken.userName,
-    }],
-});
-
-// Export a ref for the pushed images so we can deploy it.
-export const ref = myImage.ref;
-```
-
-{{% /choosable %}}
-
-{{% choosable language python %}}
-
-```python
-import pulumi
-import pulumi_aws as aws
-import pulumi_docker_build as docker_build
-
-# Create an ECR repository for pushing.
-ecr_repository = aws.ecr.Repository("ecr-repository")
-
-# Grab auth credentials for ECR.
-auth_token = aws.ecr.get_authorization_token_output(registry_id=ecr_repository.registry_id)
-
-# Build and push an image to ECR with inline caching.
-my_image = docker_build.Image("my-image",
-    # Tag our image with our ECR repository's address.
-    tags=[ecr_repository.repository_url.apply(lambda repository_url: f"{repository_url}:latest")],
-    context=docker_build.BuildContextArgs(
-        location="./app",
-    ),
-    # Use the pushed image as a cache source.
-    cache_from=[docker_build.CacheFromArgs(
-        registry=docker_build.CacheFromRegistryArgs(
-            ref=ecr_repository.repository_url.apply(lambda repository_url: f"{repository_url}:latest"),
-        ),
-    )],
-    # Include an inline cache with our pushed image.
-    cache_to=[docker_build.CacheToArgs(
-        inline=docker_build.CacheToInlineArgs(),
-    )],
-    # Build a multi-platform image manifest for ARM and AMD.
-    platforms=[
-        docker_build.Platform.LINUX_AMD64,
-        docker_build.Platform.LINUX_ARM64,
-    ],
-    # Push the final result to ECR.
-    push=True,
-    # Provide our ECR credentials.
-    registries=[docker_build.RegistryArgs(
-        address=ecr_repository.repository_url,
-        password=auth_token.password,
-        username=auth_token.user_name,
-    )],
-)
-
-# Export a ref for the pushed images so we can deploy it.
-pulumi.export("ref", my_image.ref)
-```
-
-{{% /choosable %}}
-
-{{% choosable language csharp %}}
-
-```csharp
-using System.Collections.Generic;
-using System.Linq;
-using Pulumi;
-using Aws = Pulumi.Aws;
-using DockerBuild = Pulumi.DockerBuild;
-
-return await Deployment.RunAsync(() =>
-{
-    // Create an ECR repository for pushing.
-    var ecrRepository = new Aws.Ecr.Repository("ecr-repository");
-
-    // Grab auth credentials for ECR.
-    var authToken = Aws.Ecr.GetAuthorizationToken.Invoke(new()
-    {
-        RegistryId = ecrRepository.RegistryId,
-    });
-
-    // Build and push an image to ECR with inline caching.
-    var myImage = new DockerBuild.Image("my-image", new()
-    {
-        // Tag our image with our ECR repository's address.
-        Tags = new[]
-        {
-            ecrRepository.RepositoryUrl.Apply(repositoryUrl => $"{repositoryUrl}:latest"),
-        },
-        Context = new DockerBuild.Inputs.BuildContextArgs
-        {
-            Location = "./app",
-        },
-        // Use the pushed image as a cache source.
-        CacheFrom = new[]
-        {
-            new DockerBuild.Inputs.CacheFromArgs
-            {
-                Registry = new DockerBuild.Inputs.CacheFromRegistryArgs
-                {
-                    Ref = ecrRepository.RepositoryUrl.Apply(repositoryUrl => $"{repositoryUrl}:latest"),
-                },
-            },
-        },
-        // Include an inline cache with our pushed image.
-        CacheTo = new[]
-        {
-            new DockerBuild.Inputs.CacheToArgs
-            {
-                Inline = null,
-            },
-        },
-        // Build a multi-platform image manifest for ARM and AMD.
-        Platforms = new[]
-        {
-            DockerBuild.Platform.Linux_amd64,
-            DockerBuild.Platform.Linux_arm64,
-        },
-        // Push the final result to ECR.
-        Push = true,
-        // Provide our ECR credentials.
-        Registries = new[]
-        {
-            new DockerBuild.Inputs.RegistryArgs
-            {
-                Address = ecrRepository.RepositoryUrl,
-                Password = authToken.Apply(getAuthorizationTokenResult => getAuthorizationTokenResult.Password),
-                Username = authToken.Apply(getAuthorizationTokenResult => getAuthorizationTokenResult.UserName),
-            },
-        },
-    });
-
-    // Export a ref for the pushed images so we can deploy it.
-    return new Dictionary<string, object?>
-    {
-        ["ref"] = myImage.Ref,
-    };
-});
-
-```
-
-{{% /choosable %}}
-
-{{% choosable language go %}}
-
-```go
-package main
-
-import (
-    "fmt"
-
-    "github.com/pulumi/pulumi-aws/sdk/v6/go/aws/ecr"
-    "github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild"
-    "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
-)
-
-func main() {
-    pulumi.Run(func(ctx *pulumi.Context) error {
-        // Create an ECR repository for pushing.
-        ecrRepository, err := ecr.NewRepository(ctx, "ecr-repository", nil)
-        if err != nil {
-            return err
-        }
-
-        // Grab auth credentials for ECR.
-        authToken := ecr.GetAuthorizationTokenOutput(ctx, ecr.GetAuthorizationTokenOutputArgs{
-            RegistryId: ecrRepository.RegistryId,
-        }, nil)
-
-        // Build and push an image to ECR with inline caching.
-        myImage, err := dockerbuild.NewImage(ctx, "my-image", &dockerbuild.ImageArgs{
-            // Tag our image with our ECR repository's address.
-            Tags: pulumi.StringArray{
-                ecrRepository.RepositoryUrl.ApplyT(func(repositoryUrl string) (string, error) {
-                    return fmt.Sprintf("%v:latest", repositoryUrl), nil
-                }).(pulumi.StringOutput),
-            },
-            Context: &dockerbuild.BuildContextArgs{
-                Location: pulumi.String("./app"),
-            },
-            // Use the pushed image as a cache source.
-            CacheFrom: dockerbuild.CacheFromArray{
-                &dockerbuild.CacheFromArgs{
-                    Registry: &dockerbuild.CacheFromRegistryArgs{
-                        Ref: ecrRepository.RepositoryUrl.ApplyT(func(repositoryUrl string) (string, error) {
-                            return fmt.Sprintf("%v:latest", repositoryUrl), nil
-                        }).(pulumi.StringOutput),
-                    },
-                },
-            },
-            // Include an inline cache with our pushed image.
-            CacheTo: dockerbuild.CacheToArray{
-                &dockerbuild.CacheToArgs{
-                    Inline: nil,
-                },
-            },
-            // Build a multi-platform image manifest for ARM and AMD.
-            Platforms: dockerbuild.PlatformArray{
-                dockerbuild.Platform_Linux_amd64,
-                dockerbuild.Platform_Linux_arm64,
-            },
-            // Push the final result to ECR.
-            Push: pulumi.Bool(true),
-            // Provide our ECR credentials.
-            Registries: dockerbuild.RegistryArray{
-                &dockerbuild.RegistryArgs{
-                    Address: ecrRepository.RepositoryUrl,
-                    Password: authToken.ApplyT(func(authToken ecr.GetAuthorizationTokenResult) (*string, error) {
-                        return &authToken.Password, nil
-                    }).(pulumi.StringPtrOutput),
-                    Username: authToken.ApplyT(func(authToken ecr.GetAuthorizationTokenResult) (*string, error) {
-                        return &authToken.UserName, nil
-                    }).(pulumi.StringPtrOutput),
-                },
-            },
-        })
-        if err != nil {
-            return err
-        }
-
-        // Export a ref for the pushed images so we can deploy it.
-        ctx.Export("ref", myImage.Ref)
-        return nil
-    })
-}
-```
-
-{{% /choosable %}}
-
-{{% choosable language yaml %}}
-
-```yaml
-description: Push to AWS ECR with caching
-name: ecr
-outputs:
-    ref: ${my-image.ref}
-resources:
-    # Create an ECR repository for pushing.
-    ecr-repository:
-        type: aws:ecr:Repository
-
-    # Build and push an image to ECR with inline caching.
-    my-image:
-        type: docker-build:Image
-        properties:
-            # Tag our image with our ECR repository's address.
-            tags:
-                - ${ecr-repository.repositoryUrl}:latest
-            context:
-                location: ./app
-            # Use the pushed image as a cache source.
-            cacheFrom:
-                - registry:
-                    ref: ${ecr-repository.repositoryUrl}:latest
-            # Include an inline cache with our pushed image.
-            cacheTo:
-                - inline: {}
-            # Build a multi-platform image manifest for ARM and AMD.
-            platforms:
-                - linux/amd64
-                - linux/arm64
-            # Push the final result to ECR.
-            push: true
-            # Provide our ECR credentials.
-            registries:
-                - address: ${ecr-repository.repositoryUrl}
-                  password: ${auth-token.password}
-                  username: ${auth-token.userName}
-
-runtime: yaml
-variables:
-    auth-token:
-        # Grab auth credentials for ECR.
-        fn::aws:ecr:getAuthorizationToken:
-            registryId: ${ecr-repository.registryId}
-```
-
-{{% /choosable %}}
-
-{{% choosable language java %}}
-
-```java
-package myapp;
-
-import com.pulumi.Context;
-import com.pulumi.Pulumi;
-import com.pulumi.core.Output;
-import com.pulumi.aws.ecr.Repository;
-import com.pulumi.aws.ecr.EcrFunctions;
-import com.pulumi.aws.ecr.inputs.GetAuthorizationTokenArgs;
-import com.pulumi.dockerbuild.Image;
-import com.pulumi.dockerbuild.ImageArgs;
-import com.pulumi.dockerbuild.inputs.CacheFromArgs;
-import com.pulumi.dockerbuild.inputs.CacheFromRegistryArgs;
-import com.pulumi.dockerbuild.inputs.CacheToArgs;
-import com.pulumi.dockerbuild.inputs.CacheToInlineArgs;
-import com.pulumi.dockerbuild.inputs.BuildContextArgs;
-import com.pulumi.dockerbuild.inputs.RegistryArgs;
-import java.util.List;
-import java.util.ArrayList;
-import java.util.Map;
-import java.io.File;
-import java.nio.file.Files;
-import java.nio.file.Paths;
-
-public class App {
-    public static void main(String[] args) {
-        Pulumi.run(App::stack);
-    }
-
-    public static void stack(Context ctx) {
-        // Create an ECR repository for pushing.
-        var ecrRepository = new Repository("ecrRepository");
-
-        // Grab auth credentials for ECR.
-        final var authToken = EcrFunctions.getAuthorizationToken(GetAuthorizationTokenArgs.builder()
-            .registryId(ecrRepository.registryId())
-            .build());
-
-        // Build and push an image to ECR with inline caching.
-        var myImage = new Image("myImage", ImageArgs.builder()
-            // Tag our image with our ECR repository's address.
-            .tags(ecrRepository.repositoryUrl().applyValue(repositoryUrl -> String.format("%s:latest", repositoryUrl)))
-            .context(BuildContextArgs.builder()
-                .location("./app")
-                .build())
-            // Use the pushed image as a cache source.
-            .cacheFrom(CacheFromArgs.builder()
-                .registry(CacheFromRegistryArgs.builder()
-                    .ref(ecrRepository.repositoryUrl().applyValue(repositoryUrl -> String.format("%s:latest", repositoryUrl)))
-                    .build())
-                .build())
-            // Include an inline cache with our pushed image.
-            .cacheTo(CacheToArgs.builder()
-                .inline()
-                .build())
-            // Build a multi-platform image manifest for ARM and AMD.
-            .platforms(
-                "linux/amd64",
-                "linux/arm64")
-            // Push the final result to ECR.
-            .push(true)
-            // Provide our ECR credentials.
-            .registries(RegistryArgs.builder()
-                .address(ecrRepository.repositoryUrl())
-                .password(authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult).applyValue(authToken -> authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult.password())))
-                .username(authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult).applyValue(authToken -> authToken.applyValue(getAuthorizationTokenResult -> getAuthorizationTokenResult.userName())))
-                .build())
-            .build());
-
-        ctx.export("ref", myImage.ref());
-    }
-}
-```
-
-{{% /choosable %}}
-
-{{< /chooser >}}

docs/installation-configuration.md

@@ -1,33 +0,0 @@
----
-title: Docker-Build Installation & Configuration
-meta_desc: Provides an overview on how to configure the Pulumi Docker-Build Provider.
-layout: package
----
-
-The Pulumi Docker-build provider builds modern Docker images with [buildx](https://docs.docker.com/reference/cli/docker/buildx/) and [BuildKit](https://docs.docker.com/build/buildkit/).
-
-## Installation
-
-The Docker-Build provider is available as a package in all Pulumi languages:
-
-* JavaScript/TypeScript: [`@pulumi/docker-build`](https://www.npmjs.com/package/@pulumi/docker-build)
-* Python: [`pulumi-docker-build`](https://pypi.org/project/pulumi-docker-build/)
-* Go: [`github.com/pulumi/pulumi-docker-build/sdk/go/dockerbuild`](https://github.com/pulumi/pulumi-docker-build)
-* .NET: [`Pulumi.DockerBuild`](https://www.nuget.org/packages/Pulumi.DockerBuild)
-* Java: [`com.pulumi/docker-build`](https://central.sonatype.com/artifact/com.pulumi/docker-build)
-
-## Configuring The Provider
-
-### Host
-
-The `DOCKER_HOST` environment variable can be used to specify a custom build daemon's location.
-
-```bash
-$ export DOCKER_HOST=tcp://127.0.0.1:2376/
-```
-
-This can also be specified in your stack's configuration:
-
-```bash
-$ pulumi config set docker-build:host tcp://127.0.0.1:2376/
-```

go.mod

@@ -16,7 +16,7 @@ require (
 	github.com/otiai10/copy v1.14.0
 	github.com/pulumi/providertest v0.3.1
 	github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3 v3.0.0-20250806132441-44ca9a522cef
-	github.com/pulumi/pulumi-go-provider v1.1.2
+	github.com/pulumi/pulumi-go-provider v1.1.1
 	github.com/pulumi/pulumi-java/pkg v1.16.0
 	github.com/pulumi/pulumi-yaml v1.21.2
 	github.com/pulumi/pulumi/pkg/v3 v3.192.0

go.sum

@@ -896,8 +896,8 @@ github.com/pulumi/providertest v0.3.1 h1:vlftr7TZlObh81mL88IhhF0/9ZbLrZZos4NAvR4
 github.com/pulumi/providertest v0.3.1/go.mod h1:fFHUP4/9DRyYnHWiRnwcynMtM/a7hHR/QcJfcuZKO3A=
 github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3 v3.0.0-20250806132441-44ca9a522cef h1:cxRa9R9To6OYKacIG2Em6zcM7BDNr6joC43uiV1lSVY=
 github.com/pulumi/pulumi-dotnet/pulumi-language-dotnet/v3 v3.0.0-20250806132441-44ca9a522cef/go.mod h1:VLcnE1lj92EfRi7CRMzdPkQ9OQvrlg2upJM1lBZzNmg=
-github.com/pulumi/pulumi-go-provider v1.1.2 h1:NUQDXaftBDFTPMBPwxo8FhJUX0ymkv6a1XiXTnCDpvg=
-github.com/pulumi/pulumi-go-provider v1.1.2/go.mod h1:3lNIuxT/BArFyiKrVfv+UT7gMMtplss7V69KuBZ4zIk=
+github.com/pulumi/pulumi-go-provider v1.1.1 h1:4UT3LeNT9CdGhkq8OSWKJsmKTW9Tg+vsfOO/hsFVyb4=
+github.com/pulumi/pulumi-go-provider v1.1.1/go.mod h1:3lNIuxT/BArFyiKrVfv+UT7gMMtplss7V69KuBZ4zIk=
 github.com/pulumi/pulumi-java/pkg v1.16.0 h1:8KCiIXWv2uxfIks0SdgOezyXg4HZIoPfHID9eMg4nuM=
 github.com/pulumi/pulumi-java/pkg v1.16.0/go.mod h1:VeMZ1s9LfXBypao4A1tRF3EB7fYnYZ1LwImyg6FBX0c=
 github.com/pulumi/pulumi-yaml v1.21.2 h1:czqC5AazinfX6Bj0nqAAQ6x/Cr8/3oUz3HUjJg6tJ4o=

provider/cmd/pulumi-resource-docker-build/schema.json

@@ -155,12 +155,32 @@
       ]
     },
     "docker-build:index:CacheFromGitHubActions": {
-      "description": "Recommended for use with GitHub Actions workflows.\n\nAn action like `crazy-max/ghaction-github-runtime` is recommended to expose\nappropriate credentials to your GitHub workflow.",
       "properties": {
         "scope": {
           "type": "string",
           "description": "The scope to use for cache keys. Defaults to `buildkit`.\n\nThis should be set if building and caching multiple images in one\nworkflow, otherwise caches will overwrite each other.",
           "default": "buildkit"
+        },
+        "token": {
+          "type": "string",
+          "description": "The GitHub Actions token to use. This is not a personal access tokens\nand is typically generated automatically as part of each job.\n\nDefaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like\n`crazy-max/ghaction-github-runtime` is recommended to expose this\nenvironment variable to your jobs.",
+          "default": "",
+          "defaultInfo": {
+            "environment": [
+              "ACTIONS_RUNTIME_TOKEN"
+            ]
+          },
+          "secret": true
+        },
+        "url": {
+          "type": "string",
+          "description": "The cache server URL to use for artifacts.\n\nDefaults to `$ACTIONS_CACHE_URL`, although a separate action like\n`crazy-max/ghaction-github-runtime` is recommended to expose this\nenvironment variable to your jobs.",
+          "default": "",
+          "defaultInfo": {
+            "environment": [
+              "ACTIONS_CACHE_URL"
+            ]
+          }
         }
       },
       "type": "object"
@@ -350,7 +370,6 @@
       ]
     },
     "docker-build:index:CacheToGitHubActions": {
-      "description": "Recommended for use with GitHub Actions workflows.\n\nAn action like `crazy-max/ghaction-github-runtime` is recommended to expose\nappropriate credentials to your GitHub workflow.",
       "properties": {
         "ignoreError": {
           "type": "boolean",
@@ -366,6 +385,27 @@
           "type": "string",
           "description": "The scope to use for cache keys. Defaults to `buildkit`.\n\nThis should be set if building and caching multiple images in one\nworkflow, otherwise caches will overwrite each other.",
           "default": "buildkit"
+        },
+        "token": {
+          "type": "string",
+          "description": "The GitHub Actions token to use. This is not a personal access tokens\nand is typically generated automatically as part of each job.\n\nDefaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like\n`crazy-max/ghaction-github-runtime` is recommended to expose this\nenvironment variable to your jobs.",
+          "default": "",
+          "defaultInfo": {
+            "environment": [
+              "ACTIONS_RUNTIME_TOKEN"
+            ]
+          },
+          "secret": true
+        },
+        "url": {
+          "type": "string",
+          "description": "The cache server URL to use for artifacts.\n\nDefaults to `$ACTIONS_CACHE_URL`, although a separate action like\n`crazy-max/ghaction-github-runtime` is recommended to expose this\nenvironment variable to your jobs.",
+          "default": "",
+          "defaultInfo": {
+            "environment": [
+              "ACTIONS_CACHE_URL"
+            ]
+          }
         }
       },
       "type": "object"

provider/internal/cache.go

@@ -17,7 +17,6 @@ package internal
 import (
 	"errors"
 	"fmt"
-	"os"
 	"strings"
 
 	controllerapi "github.com/docker/buildx/controller/pb"
@@ -149,20 +148,33 @@ func (c CacheWithOCI) String() string {
 
 // CacheFromGitHubActions pulls cache manifests from the GitHub actions cache.
 type CacheFromGitHubActions struct {
+	URL   string `pulumi:"url,optional"`
+	Token string `pulumi:"token,optional" provider:"secret"`
 	Scope string `pulumi:"scope,optional"`
 }
 
 // Annotate sets docstrings on CacheFromGitHubActions.
 func (c *CacheFromGitHubActions) Annotate(a infer.Annotator) {
-	a.Describe(&c, dedent(`
-		Recommended for use with GitHub Actions workflows.
-
-		An action like "crazy-max/ghaction-github-runtime" is recommended to expose
-		appropriate credentials to your GitHub workflow.
-	`))
-
+	a.SetDefault(&c.URL, "", "ACTIONS_CACHE_URL")
+	a.SetDefault(&c.Token, "", "ACTIONS_RUNTIME_TOKEN")
 	a.SetDefault(&c.Scope, "buildkit")
 
+	a.Describe(&c.URL, dedent(`
+		The cache server URL to use for artifacts.
+
+		Defaults to "$ACTIONS_CACHE_URL", although a separate action like
+		"crazy-max/ghaction-github-runtime" is recommended to expose this
+		environment variable to your jobs.
+	`))
+	a.Describe(&c.Token, dedent(`
+		The GitHub Actions token to use. This is not a personal access tokens
+		and is typically generated automatically as part of each job.
+
+		Defaults to "$ACTIONS_RUNTIME_TOKEN", although a separate action like
+		"crazy-max/ghaction-github-runtime" is recommended to expose this
+		environment variable to your jobs.
+
+	`))
 	a.Describe(&c.Scope, dedent(`
 		The scope to use for cache keys. Defaults to "buildkit".
 
@@ -179,12 +191,11 @@ func (c *CacheFromGitHubActions) String() string {
 	if c.Scope != "" {
 		parts = append(parts, "scope="+c.Scope)
 	}
-	// Preserving backwards compatibility with the old behaviour.
-	if token := os.Getenv("ACTIONS_RUNTIME_TOKEN"); token != "" {
-		parts = append(parts, "token="+token)
+	if c.Token != "" {
+		parts = append(parts, "token="+c.Token)
 	}
-	if url := os.Getenv("ACTIONS_CACHE_URL"); url != "" {
-		parts = append(parts, "url="+url)
+	if c.URL != "" {
+		parts = append(parts, "url="+c.URL)
 	}
 	return strings.Join(parts, ",")
 }

provider/internal/cache_test.go

@@ -24,15 +24,14 @@ import (
 	"github.com/pulumi/pulumi/sdk/v3/go/pulumi"
 )
 
-//nolint:paralleltest // We don't call t.Parallel here to prevent environment corruption.
 func TestCacheString(t *testing.T) {
+	t.Parallel()
 	gzip := Gzip
 
 	tests := []struct {
-		name    string
-		arrange func(t *testing.T)
-		given   fmt.Stringer
-		want    string
+		name  string
+		given fmt.Stringer
+		want  string
 	}{
 		{
 			name: "s3",
@@ -56,37 +55,7 @@ func TestCacheString(t *testing.T) {
 		{
 			name:  "gha",
 			given: CacheTo{GHA: &CacheToGitHubActions{}},
-			arrange: func(t *testing.T) {
-				t.Setenv("ACTIONS_CACHE_URL", "")
-				t.Setenv("ACTIONS_RUNTIME_TOKEN", "")
-			},
-			want: "type=gha",
-		},
-		{
-			name: "gha-default-envs",
-			arrange: func(t *testing.T) {
-				t.Setenv("ACTIONS_CACHE_URL", "https://example.com")
-				t.Setenv("ACTIONS_RUNTIME_TOKEN", "token")
-			},
-			given: CacheTo{GHA: &CacheToGitHubActions{
-				CacheFromGitHubActions: CacheFromGitHubActions{
-					Scope: "scope",
-				},
-			}},
-			want: "type=gha,scope=scope,token=token,url=https://example.com",
-		},
-		{
-			name: "gha-with-scope",
-			arrange: func(t *testing.T) {
-				t.Setenv("ACTIONS_CACHE_URL", "")
-				t.Setenv("ACTIONS_RUNTIME_TOKEN", "")
-			},
-			given: CacheTo{GHA: &CacheToGitHubActions{
-				CacheFromGitHubActions: CacheFromGitHubActions{
-					Scope: "scope",
-				},
-			}},
-			want: "type=gha,scope=scope",
+			want:  "type=gha",
 		},
 		{
 			name:  "from-local",
@@ -152,12 +121,9 @@ func TestCacheString(t *testing.T) {
 		},
 	}
 
-	//nolint:paralleltest // We don't call t.Parallel here to prevent environment corruption.
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
-			if tt.arrange != nil {
-				tt.arrange(t)
-			}
+			t.Parallel()
 
 			actual := tt.given.String()
 			assert.Equal(t, tt.want, actual)

provider/internal/image_test.go

@@ -917,10 +917,8 @@ func TestValidateImageArgs(t *testing.T) {
 			{
 				name: "gha environment",
 				envs: map[string]string{
-					"ACTIONS_CACHE_URL":        "test-cache-url",
-					"ACTIONS_RUNTIME_TOKEN":    "test-runtime-token",
-					"ACTIONS_RESULTS_URL":      "test-results-url",
-					"ACTIONS_CACHE_SERVICE_V2": "true",
+					"ACTIONS_CACHE_URL":     "test-cache-url",
+					"ACTIONS_RUNTIME_TOKEN": "test-runtime-token",
 				},
 				args: ImageArgs{
 					Context:   &BuildContext{Context: Context{Location: "testdata/noop"}},
@@ -932,17 +930,15 @@ func TestValidateImageArgs(t *testing.T) {
 				wantCacheFrom: &pb.CacheOptionsEntry{
 					Type: "gha",
 					Attrs: map[string]string{
-						"token":  "test-runtime-token",
-						"url":    "test-cache-url",
-						"url_v2": "test-results-url",
+						"token": "test-runtime-token",
+						"url":   "test-cache-url",
 					},
 				},
 				wantCacheTo: &pb.CacheOptionsEntry{
 					Type: "gha",
 					Attrs: map[string]string{
-						"token":  "test-runtime-token",
-						"url":    "test-cache-url",
-						"url_v2": "test-results-url",
+						"token": "test-runtime-token",
+						"url":   "test-cache-url",
 					},
 				},
 			},

scripts/get-versions.sh

@@ -34,8 +34,8 @@ if [[ -z "${raw_version:-}" ]]; then
   exit 1
 fi
 
-echo "PULUMI_VERSION_MISE=$raw_version"
-export PULUMI_VERSION_MISE=$raw_version
+echo "MISE_PULUMI_VERSION=$raw_version"
+export MISE_PULUMI_VERSION=$raw_version
 
 # Prefer the toolchain directive if present, otherwise fall back to the `go` version line
 go_toolchain=$(awk '/^toolchain[[:space:]]+go[0-9]/{ print $2; exit }' "$gomod")
@@ -51,5 +51,5 @@ if [[ -z "${go_version:-}" ]]; then
   exit 1
 fi
 
-echo "GO_VERSION_MISE=$go_version"
-export GO_VERSION_MISE=$go_version
+echo "MISE_GO_VERSION=$go_version"
+export MISE_GO_VERSION=$go_version

sdk/dotnet/Inputs/CacheFromGitHubActionsArgs.cs

@@ -10,12 +10,6 @@ using Pulumi.Serialization;
 namespace Pulumi.DockerBuild.Inputs
 {
 
-    /// <summary>
-    /// Recommended for use with GitHub Actions workflows.
-    /// 
-    /// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-    /// appropriate credentials to your GitHub workflow.
-    /// </summary>
     public sealed class CacheFromGitHubActionsArgs : global::Pulumi.ResourceArgs
     {
         /// <summary>
@@ -27,9 +21,42 @@ namespace Pulumi.DockerBuild.Inputs
         [Input("scope")]
         public Input<string>? Scope { get; set; }
 
+        [Input("token")]
+        private Input<string>? _token;
+
+        /// <summary>
+        /// The GitHub Actions token to use. This is not a personal access tokens
+        /// and is typically generated automatically as part of each job.
+        /// 
+        /// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
+        /// environment variable to your jobs.
+        /// </summary>
+        public Input<string>? Token
+        {
+            get => _token;
+            set
+            {
+                var emptySecret = Output.CreateSecret(0);
+                _token = Output.Tuple<Input<string>?, int>(value, emptySecret).Apply(t => t.Item1);
+            }
+        }
+
+        /// <summary>
+        /// The cache server URL to use for artifacts.
+        /// 
+        /// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
+        /// environment variable to your jobs.
+        /// </summary>
+        [Input("url")]
+        public Input<string>? Url { get; set; }
+
         public CacheFromGitHubActionsArgs()
         {
             Scope = "buildkit";
+            Token = Utilities.GetEnv("ACTIONS_RUNTIME_TOKEN") ?? "";
+            Url = Utilities.GetEnv("ACTIONS_CACHE_URL") ?? "";
         }
         public static new CacheFromGitHubActionsArgs Empty => new CacheFromGitHubActionsArgs();
     }

sdk/dotnet/Inputs/CacheToGitHubActionsArgs.cs

@@ -10,12 +10,6 @@ using Pulumi.Serialization;
 namespace Pulumi.DockerBuild.Inputs
 {
 
-    /// <summary>
-    /// Recommended for use with GitHub Actions workflows.
-    /// 
-    /// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-    /// appropriate credentials to your GitHub workflow.
-    /// </summary>
     public sealed class CacheToGitHubActionsArgs : global::Pulumi.ResourceArgs
     {
         /// <summary>
@@ -39,11 +33,44 @@ namespace Pulumi.DockerBuild.Inputs
         [Input("scope")]
         public Input<string>? Scope { get; set; }
 
+        [Input("token")]
+        private Input<string>? _token;
+
+        /// <summary>
+        /// The GitHub Actions token to use. This is not a personal access tokens
+        /// and is typically generated automatically as part of each job.
+        /// 
+        /// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
+        /// environment variable to your jobs.
+        /// </summary>
+        public Input<string>? Token
+        {
+            get => _token;
+            set
+            {
+                var emptySecret = Output.CreateSecret(0);
+                _token = Output.Tuple<Input<string>?, int>(value, emptySecret).Apply(t => t.Item1);
+            }
+        }
+
+        /// <summary>
+        /// The cache server URL to use for artifacts.
+        /// 
+        /// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
+        /// environment variable to your jobs.
+        /// </summary>
+        [Input("url")]
+        public Input<string>? Url { get; set; }
+
         public CacheToGitHubActionsArgs()
         {
             IgnoreError = false;
             Mode = Pulumi.DockerBuild.CacheMode.Min;
             Scope = "buildkit";
+            Token = Utilities.GetEnv("ACTIONS_RUNTIME_TOKEN") ?? "";
+            Url = Utilities.GetEnv("ACTIONS_CACHE_URL") ?? "";
         }
         public static new CacheToGitHubActionsArgs Empty => new CacheToGitHubActionsArgs();
     }

sdk/dotnet/Outputs/CacheFromGitHubActions.cs

@@ -10,12 +10,6 @@ using Pulumi.Serialization;
 namespace Pulumi.DockerBuild.Outputs
 {
 
-    /// <summary>
-    /// Recommended for use with GitHub Actions workflows.
-    /// 
-    /// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-    /// appropriate credentials to your GitHub workflow.
-    /// </summary>
     [OutputType]
     public sealed class CacheFromGitHubActions
     {
@@ -26,11 +20,35 @@ namespace Pulumi.DockerBuild.Outputs
         /// workflow, otherwise caches will overwrite each other.
         /// </summary>
         public readonly string? Scope;
+        /// <summary>
+        /// The GitHub Actions token to use. This is not a personal access tokens
+        /// and is typically generated automatically as part of each job.
+        /// 
+        /// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
+        /// environment variable to your jobs.
+        /// </summary>
+        public readonly string? Token;
+        /// <summary>
+        /// The cache server URL to use for artifacts.
+        /// 
+        /// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
+        /// environment variable to your jobs.
+        /// </summary>
+        public readonly string? Url;
 
         [OutputConstructor]
-        private CacheFromGitHubActions(string? scope)
+        private CacheFromGitHubActions(
+            string? scope,
+
+            string? token,
+
+            string? url)
         {
             Scope = scope;
+            Token = token;
+            Url = url;
         }
     }
 }

sdk/dotnet/Outputs/CacheToGitHubActions.cs

@@ -10,12 +10,6 @@ using Pulumi.Serialization;
 namespace Pulumi.DockerBuild.Outputs
 {
 
-    /// <summary>
-    /// Recommended for use with GitHub Actions workflows.
-    /// 
-    /// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-    /// appropriate credentials to your GitHub workflow.
-    /// </summary>
     [OutputType]
     public sealed class CacheToGitHubActions
     {
@@ -34,6 +28,23 @@ namespace Pulumi.DockerBuild.Outputs
         /// workflow, otherwise caches will overwrite each other.
         /// </summary>
         public readonly string? Scope;
+        /// <summary>
+        /// The GitHub Actions token to use. This is not a personal access tokens
+        /// and is typically generated automatically as part of each job.
+        /// 
+        /// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
+        /// environment variable to your jobs.
+        /// </summary>
+        public readonly string? Token;
+        /// <summary>
+        /// The cache server URL to use for artifacts.
+        /// 
+        /// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+        /// `crazy-max/ghaction-github-runtime` is recommended to expose this
+        /// environment variable to your jobs.
+        /// </summary>
+        public readonly string? Url;
 
         [OutputConstructor]
         private CacheToGitHubActions(
@@ -41,11 +52,17 @@ namespace Pulumi.DockerBuild.Outputs
 
             Pulumi.DockerBuild.CacheMode? mode,
 
-            string? scope)
+            string? scope,
+
+            string? token,
+
+            string? url)
         {
             IgnoreError = ignoreError;
             Mode = mode;
             Scope = scope;
+            Token = token;
+            Url = url;
         }
     }
 }

sdk/go/dockerbuild/pulumiTypes.go

@@ -834,16 +834,25 @@ func (o CacheFromAzureBlobPtrOutput) SecretAccessKey() pulumi.StringPtrOutput {
 	}).(pulumi.StringPtrOutput)
 }
 
-// Recommended for use with GitHub Actions workflows.
-//
-// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-// appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActions struct {
 	// The scope to use for cache keys. Defaults to `buildkit`.
 	//
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope *string `pulumi:"scope"`
+	// The GitHub Actions token to use. This is not a personal access tokens
+	// and is typically generated automatically as part of each job.
+	//
+	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+	// `crazy-max/ghaction-github-runtime` is recommended to expose this
+	// environment variable to your jobs.
+	Token *string `pulumi:"token"`
+	// The cache server URL to use for artifacts.
+	//
+	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+	// `crazy-max/ghaction-github-runtime` is recommended to expose this
+	// environment variable to your jobs.
+	Url *string `pulumi:"url"`
 }
 
 // Defaults sets the appropriate defaults for CacheFromGitHubActions
@@ -856,6 +865,18 @@ func (val *CacheFromGitHubActions) Defaults() *CacheFromGitHubActions {
 		scope_ := "buildkit"
 		tmp.Scope = &scope_
 	}
+	if tmp.Token == nil {
+		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
+			token_ := d.(string)
+			tmp.Token = &token_
+		}
+	}
+	if tmp.Url == nil {
+		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
+			url_ := d.(string)
+			tmp.Url = &url_
+		}
+	}
 	return &tmp
 }
 
@@ -870,16 +891,25 @@ type CacheFromGitHubActionsInput interface {
 	ToCacheFromGitHubActionsOutputWithContext(context.Context) CacheFromGitHubActionsOutput
 }
 
-// Recommended for use with GitHub Actions workflows.
-//
-// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-// appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActionsArgs struct {
 	// The scope to use for cache keys. Defaults to `buildkit`.
 	//
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope pulumi.StringPtrInput `pulumi:"scope"`
+	// The GitHub Actions token to use. This is not a personal access tokens
+	// and is typically generated automatically as part of each job.
+	//
+	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+	// `crazy-max/ghaction-github-runtime` is recommended to expose this
+	// environment variable to your jobs.
+	Token pulumi.StringPtrInput `pulumi:"token"`
+	// The cache server URL to use for artifacts.
+	//
+	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+	// `crazy-max/ghaction-github-runtime` is recommended to expose this
+	// environment variable to your jobs.
+	Url pulumi.StringPtrInput `pulumi:"url"`
 }
 
 // Defaults sets the appropriate defaults for CacheFromGitHubActionsArgs
@@ -891,6 +921,16 @@ func (val *CacheFromGitHubActionsArgs) Defaults() *CacheFromGitHubActionsArgs {
 	if tmp.Scope == nil {
 		tmp.Scope = pulumi.StringPtr("buildkit")
 	}
+	if tmp.Token == nil {
+		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
+			tmp.Token = pulumi.StringPtr(d.(string))
+		}
+	}
+	if tmp.Url == nil {
+		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
+			tmp.Url = pulumi.StringPtr(d.(string))
+		}
+	}
 	return &tmp
 }
 func (CacheFromGitHubActionsArgs) ElementType() reflect.Type {
@@ -958,10 +998,6 @@ func (i *cacheFromGitHubActionsPtrType) ToOutput(ctx context.Context) pulumix.Ou
 	}
 }
 
-// Recommended for use with GitHub Actions workflows.
-//
-// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-// appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActionsOutput struct{ *pulumi.OutputState }
 
 func (CacheFromGitHubActionsOutput) ElementType() reflect.Type {
@@ -1000,6 +1036,25 @@ func (o CacheFromGitHubActionsOutput) Scope() pulumi.StringPtrOutput {
 	return o.ApplyT(func(v CacheFromGitHubActions) *string { return v.Scope }).(pulumi.StringPtrOutput)
 }
 
+// The GitHub Actions token to use. This is not a personal access tokens
+// and is typically generated automatically as part of each job.
+//
+// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+// `crazy-max/ghaction-github-runtime` is recommended to expose this
+// environment variable to your jobs.
+func (o CacheFromGitHubActionsOutput) Token() pulumi.StringPtrOutput {
+	return o.ApplyT(func(v CacheFromGitHubActions) *string { return v.Token }).(pulumi.StringPtrOutput)
+}
+
+// The cache server URL to use for artifacts.
+//
+// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+// `crazy-max/ghaction-github-runtime` is recommended to expose this
+// environment variable to your jobs.
+func (o CacheFromGitHubActionsOutput) Url() pulumi.StringPtrOutput {
+	return o.ApplyT(func(v CacheFromGitHubActions) *string { return v.Url }).(pulumi.StringPtrOutput)
+}
+
 type CacheFromGitHubActionsPtrOutput struct{ *pulumi.OutputState }
 
 func (CacheFromGitHubActionsPtrOutput) ElementType() reflect.Type {
@@ -1043,6 +1098,35 @@ func (o CacheFromGitHubActionsPtrOutput) Scope() pulumi.StringPtrOutput {
 	}).(pulumi.StringPtrOutput)
 }
 
+// The GitHub Actions token to use. This is not a personal access tokens
+// and is typically generated automatically as part of each job.
+//
+// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+// `crazy-max/ghaction-github-runtime` is recommended to expose this
+// environment variable to your jobs.
+func (o CacheFromGitHubActionsPtrOutput) Token() pulumi.StringPtrOutput {
+	return o.ApplyT(func(v *CacheFromGitHubActions) *string {
+		if v == nil {
+			return nil
+		}
+		return v.Token
+	}).(pulumi.StringPtrOutput)
+}
+
+// The cache server URL to use for artifacts.
+//
+// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+// `crazy-max/ghaction-github-runtime` is recommended to expose this
+// environment variable to your jobs.
+func (o CacheFromGitHubActionsPtrOutput) Url() pulumi.StringPtrOutput {
+	return o.ApplyT(func(v *CacheFromGitHubActions) *string {
+		if v == nil {
+			return nil
+		}
+		return v.Url
+	}).(pulumi.StringPtrOutput)
+}
+
 type CacheFromLocal struct {
 	// Digest of manifest to import.
 	Digest *string `pulumi:"digest"`
@@ -2277,10 +2361,6 @@ func (o CacheToAzureBlobPtrOutput) SecretAccessKey() pulumi.StringPtrOutput {
 	}).(pulumi.StringPtrOutput)
 }
 
-// Recommended for use with GitHub Actions workflows.
-//
-// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-// appropriate credentials to your GitHub workflow.
 type CacheToGitHubActions struct {
 	// Ignore errors caused by failed cache exports.
 	IgnoreError *bool `pulumi:"ignoreError"`
@@ -2291,6 +2371,19 @@ type CacheToGitHubActions struct {
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope *string `pulumi:"scope"`
+	// The GitHub Actions token to use. This is not a personal access tokens
+	// and is typically generated automatically as part of each job.
+	//
+	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+	// `crazy-max/ghaction-github-runtime` is recommended to expose this
+	// environment variable to your jobs.
+	Token *string `pulumi:"token"`
+	// The cache server URL to use for artifacts.
+	//
+	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+	// `crazy-max/ghaction-github-runtime` is recommended to expose this
+	// environment variable to your jobs.
+	Url *string `pulumi:"url"`
 }
 
 // Defaults sets the appropriate defaults for CacheToGitHubActions
@@ -2311,6 +2404,18 @@ func (val *CacheToGitHubActions) Defaults() *CacheToGitHubActions {
 		scope_ := "buildkit"
 		tmp.Scope = &scope_
 	}
+	if tmp.Token == nil {
+		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
+			token_ := d.(string)
+			tmp.Token = &token_
+		}
+	}
+	if tmp.Url == nil {
+		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
+			url_ := d.(string)
+			tmp.Url = &url_
+		}
+	}
 	return &tmp
 }
 
@@ -2325,10 +2430,6 @@ type CacheToGitHubActionsInput interface {
 	ToCacheToGitHubActionsOutputWithContext(context.Context) CacheToGitHubActionsOutput
 }
 
-// Recommended for use with GitHub Actions workflows.
-//
-// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-// appropriate credentials to your GitHub workflow.
 type CacheToGitHubActionsArgs struct {
 	// Ignore errors caused by failed cache exports.
 	IgnoreError pulumi.BoolPtrInput `pulumi:"ignoreError"`
@@ -2339,6 +2440,19 @@ type CacheToGitHubActionsArgs struct {
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope pulumi.StringPtrInput `pulumi:"scope"`
+	// The GitHub Actions token to use. This is not a personal access tokens
+	// and is typically generated automatically as part of each job.
+	//
+	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+	// `crazy-max/ghaction-github-runtime` is recommended to expose this
+	// environment variable to your jobs.
+	Token pulumi.StringPtrInput `pulumi:"token"`
+	// The cache server URL to use for artifacts.
+	//
+	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+	// `crazy-max/ghaction-github-runtime` is recommended to expose this
+	// environment variable to your jobs.
+	Url pulumi.StringPtrInput `pulumi:"url"`
 }
 
 // Defaults sets the appropriate defaults for CacheToGitHubActionsArgs
@@ -2356,6 +2470,16 @@ func (val *CacheToGitHubActionsArgs) Defaults() *CacheToGitHubActionsArgs {
 	if tmp.Scope == nil {
 		tmp.Scope = pulumi.StringPtr("buildkit")
 	}
+	if tmp.Token == nil {
+		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
+			tmp.Token = pulumi.StringPtr(d.(string))
+		}
+	}
+	if tmp.Url == nil {
+		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
+			tmp.Url = pulumi.StringPtr(d.(string))
+		}
+	}
 	return &tmp
 }
 func (CacheToGitHubActionsArgs) ElementType() reflect.Type {
@@ -2423,10 +2547,6 @@ func (i *cacheToGitHubActionsPtrType) ToOutput(ctx context.Context) pulumix.Outp
 	}
 }
 
-// Recommended for use with GitHub Actions workflows.
-//
-// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-// appropriate credentials to your GitHub workflow.
 type CacheToGitHubActionsOutput struct{ *pulumi.OutputState }
 
 func (CacheToGitHubActionsOutput) ElementType() reflect.Type {
@@ -2475,6 +2595,25 @@ func (o CacheToGitHubActionsOutput) Scope() pulumi.StringPtrOutput {
 	return o.ApplyT(func(v CacheToGitHubActions) *string { return v.Scope }).(pulumi.StringPtrOutput)
 }
 
+// The GitHub Actions token to use. This is not a personal access tokens
+// and is typically generated automatically as part of each job.
+//
+// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+// `crazy-max/ghaction-github-runtime` is recommended to expose this
+// environment variable to your jobs.
+func (o CacheToGitHubActionsOutput) Token() pulumi.StringPtrOutput {
+	return o.ApplyT(func(v CacheToGitHubActions) *string { return v.Token }).(pulumi.StringPtrOutput)
+}
+
+// The cache server URL to use for artifacts.
+//
+// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+// `crazy-max/ghaction-github-runtime` is recommended to expose this
+// environment variable to your jobs.
+func (o CacheToGitHubActionsOutput) Url() pulumi.StringPtrOutput {
+	return o.ApplyT(func(v CacheToGitHubActions) *string { return v.Url }).(pulumi.StringPtrOutput)
+}
+
 type CacheToGitHubActionsPtrOutput struct{ *pulumi.OutputState }
 
 func (CacheToGitHubActionsPtrOutput) ElementType() reflect.Type {
@@ -2538,6 +2677,35 @@ func (o CacheToGitHubActionsPtrOutput) Scope() pulumi.StringPtrOutput {
 	}).(pulumi.StringPtrOutput)
 }
 
+// The GitHub Actions token to use. This is not a personal access tokens
+// and is typically generated automatically as part of each job.
+//
+// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+// `crazy-max/ghaction-github-runtime` is recommended to expose this
+// environment variable to your jobs.
+func (o CacheToGitHubActionsPtrOutput) Token() pulumi.StringPtrOutput {
+	return o.ApplyT(func(v *CacheToGitHubActions) *string {
+		if v == nil {
+			return nil
+		}
+		return v.Token
+	}).(pulumi.StringPtrOutput)
+}
+
+// The cache server URL to use for artifacts.
+//
+// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+// `crazy-max/ghaction-github-runtime` is recommended to expose this
+// environment variable to your jobs.
+func (o CacheToGitHubActionsPtrOutput) Url() pulumi.StringPtrOutput {
+	return o.ApplyT(func(v *CacheToGitHubActions) *string {
+		if v == nil {
+			return nil
+		}
+		return v.Url
+	}).(pulumi.StringPtrOutput)
+}
+
 // Include an inline cache with the exported image.
 type CacheToInline struct {
 }

sdk/go/dockerbuild/x/pulumiTypes.go

@@ -393,16 +393,25 @@ func (o CacheFromAzureBlobOutput) SecretAccessKey() pulumix.Output[*string] {
 	return pulumix.Apply[CacheFromAzureBlob](o, func(v CacheFromAzureBlob) *string { return v.SecretAccessKey })
 }
 
-// Recommended for use with GitHub Actions workflows.
-//
-// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-// appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActions struct {
 	// The scope to use for cache keys. Defaults to `buildkit`.
 	//
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope *string `pulumi:"scope"`
+	// The GitHub Actions token to use. This is not a personal access tokens
+	// and is typically generated automatically as part of each job.
+	//
+	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+	// `crazy-max/ghaction-github-runtime` is recommended to expose this
+	// environment variable to your jobs.
+	Token *string `pulumi:"token"`
+	// The cache server URL to use for artifacts.
+	//
+	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+	// `crazy-max/ghaction-github-runtime` is recommended to expose this
+	// environment variable to your jobs.
+	Url *string `pulumi:"url"`
 }
 
 // Defaults sets the appropriate defaults for CacheFromGitHubActions
@@ -415,19 +424,40 @@ func (val *CacheFromGitHubActions) Defaults() *CacheFromGitHubActions {
 		scope_ := "buildkit"
 		tmp.Scope = &scope_
 	}
+	if tmp.Token == nil {
+		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
+			token_ := d.(string)
+			tmp.Token = &token_
+		}
+	}
+	if tmp.Url == nil {
+		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
+			url_ := d.(string)
+			tmp.Url = &url_
+		}
+	}
 	return &tmp
 }
 
-// Recommended for use with GitHub Actions workflows.
-//
-// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-// appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActionsArgs struct {
 	// The scope to use for cache keys. Defaults to `buildkit`.
 	//
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope pulumix.Input[*string] `pulumi:"scope"`
+	// The GitHub Actions token to use. This is not a personal access tokens
+	// and is typically generated automatically as part of each job.
+	//
+	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+	// `crazy-max/ghaction-github-runtime` is recommended to expose this
+	// environment variable to your jobs.
+	Token pulumix.Input[*string] `pulumi:"token"`
+	// The cache server URL to use for artifacts.
+	//
+	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+	// `crazy-max/ghaction-github-runtime` is recommended to expose this
+	// environment variable to your jobs.
+	Url pulumix.Input[*string] `pulumi:"url"`
 }
 
 // Defaults sets the appropriate defaults for CacheFromGitHubActionsArgs
@@ -439,6 +469,16 @@ func (val *CacheFromGitHubActionsArgs) Defaults() *CacheFromGitHubActionsArgs {
 	if tmp.Scope == nil {
 		tmp.Scope = pulumix.Ptr("buildkit")
 	}
+	if tmp.Token == nil {
+		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
+			tmp.Token = pulumix.Ptr(d.(string))
+		}
+	}
+	if tmp.Url == nil {
+		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
+			tmp.Url = pulumix.Ptr(d.(string))
+		}
+	}
 	return &tmp
 }
 func (CacheFromGitHubActionsArgs) ElementType() reflect.Type {
@@ -457,10 +497,6 @@ func (i *CacheFromGitHubActionsArgs) ToOutput(ctx context.Context) pulumix.Outpu
 	return pulumix.Val(i)
 }
 
-// Recommended for use with GitHub Actions workflows.
-//
-// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-// appropriate credentials to your GitHub workflow.
 type CacheFromGitHubActionsOutput struct{ *pulumi.OutputState }
 
 func (CacheFromGitHubActionsOutput) ElementType() reflect.Type {
@@ -489,6 +525,25 @@ func (o CacheFromGitHubActionsOutput) Scope() pulumix.Output[*string] {
 	return pulumix.Apply[CacheFromGitHubActions](o, func(v CacheFromGitHubActions) *string { return v.Scope })
 }
 
+// The GitHub Actions token to use. This is not a personal access tokens
+// and is typically generated automatically as part of each job.
+//
+// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+// `crazy-max/ghaction-github-runtime` is recommended to expose this
+// environment variable to your jobs.
+func (o CacheFromGitHubActionsOutput) Token() pulumix.Output[*string] {
+	return pulumix.Apply[CacheFromGitHubActions](o, func(v CacheFromGitHubActions) *string { return v.Token })
+}
+
+// The cache server URL to use for artifacts.
+//
+// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+// `crazy-max/ghaction-github-runtime` is recommended to expose this
+// environment variable to your jobs.
+func (o CacheFromGitHubActionsOutput) Url() pulumix.Output[*string] {
+	return pulumix.Apply[CacheFromGitHubActions](o, func(v CacheFromGitHubActions) *string { return v.Url })
+}
+
 type CacheFromLocal struct {
 	// Digest of manifest to import.
 	Digest *string `pulumi:"digest"`
@@ -1079,10 +1134,6 @@ func (o CacheToAzureBlobOutput) SecretAccessKey() pulumix.Output[*string] {
 	return pulumix.Apply[CacheToAzureBlob](o, func(v CacheToAzureBlob) *string { return v.SecretAccessKey })
 }
 
-// Recommended for use with GitHub Actions workflows.
-//
-// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-// appropriate credentials to your GitHub workflow.
 type CacheToGitHubActions struct {
 	// Ignore errors caused by failed cache exports.
 	IgnoreError *bool `pulumi:"ignoreError"`
@@ -1093,6 +1144,19 @@ type CacheToGitHubActions struct {
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope *string `pulumi:"scope"`
+	// The GitHub Actions token to use. This is not a personal access tokens
+	// and is typically generated automatically as part of each job.
+	//
+	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+	// `crazy-max/ghaction-github-runtime` is recommended to expose this
+	// environment variable to your jobs.
+	Token *string `pulumi:"token"`
+	// The cache server URL to use for artifacts.
+	//
+	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+	// `crazy-max/ghaction-github-runtime` is recommended to expose this
+	// environment variable to your jobs.
+	Url *string `pulumi:"url"`
 }
 
 // Defaults sets the appropriate defaults for CacheToGitHubActions
@@ -1113,13 +1177,21 @@ func (val *CacheToGitHubActions) Defaults() *CacheToGitHubActions {
 		scope_ := "buildkit"
 		tmp.Scope = &scope_
 	}
+	if tmp.Token == nil {
+		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
+			token_ := d.(string)
+			tmp.Token = &token_
+		}
+	}
+	if tmp.Url == nil {
+		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
+			url_ := d.(string)
+			tmp.Url = &url_
+		}
+	}
 	return &tmp
 }
 
-// Recommended for use with GitHub Actions workflows.
-//
-// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-// appropriate credentials to your GitHub workflow.
 type CacheToGitHubActionsArgs struct {
 	// Ignore errors caused by failed cache exports.
 	IgnoreError pulumix.Input[*bool] `pulumi:"ignoreError"`
@@ -1130,6 +1202,19 @@ type CacheToGitHubActionsArgs struct {
 	// This should be set if building and caching multiple images in one
 	// workflow, otherwise caches will overwrite each other.
 	Scope pulumix.Input[*string] `pulumi:"scope"`
+	// The GitHub Actions token to use. This is not a personal access tokens
+	// and is typically generated automatically as part of each job.
+	//
+	// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+	// `crazy-max/ghaction-github-runtime` is recommended to expose this
+	// environment variable to your jobs.
+	Token pulumix.Input[*string] `pulumi:"token"`
+	// The cache server URL to use for artifacts.
+	//
+	// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+	// `crazy-max/ghaction-github-runtime` is recommended to expose this
+	// environment variable to your jobs.
+	Url pulumix.Input[*string] `pulumi:"url"`
 }
 
 // Defaults sets the appropriate defaults for CacheToGitHubActionsArgs
@@ -1147,6 +1232,16 @@ func (val *CacheToGitHubActionsArgs) Defaults() *CacheToGitHubActionsArgs {
 	if tmp.Scope == nil {
 		tmp.Scope = pulumix.Ptr("buildkit")
 	}
+	if tmp.Token == nil {
+		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_RUNTIME_TOKEN"); d != nil {
+			tmp.Token = pulumix.Ptr(d.(string))
+		}
+	}
+	if tmp.Url == nil {
+		if d := internal.GetEnvOrDefault("", nil, "ACTIONS_CACHE_URL"); d != nil {
+			tmp.Url = pulumix.Ptr(d.(string))
+		}
+	}
 	return &tmp
 }
 func (CacheToGitHubActionsArgs) ElementType() reflect.Type {
@@ -1165,10 +1260,6 @@ func (i *CacheToGitHubActionsArgs) ToOutput(ctx context.Context) pulumix.Output[
 	return pulumix.Val(i)
 }
 
-// Recommended for use with GitHub Actions workflows.
-//
-// An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-// appropriate credentials to your GitHub workflow.
 type CacheToGitHubActionsOutput struct{ *pulumi.OutputState }
 
 func (CacheToGitHubActionsOutput) ElementType() reflect.Type {
@@ -1207,6 +1298,25 @@ func (o CacheToGitHubActionsOutput) Scope() pulumix.Output[*string] {
 	return pulumix.Apply[CacheToGitHubActions](o, func(v CacheToGitHubActions) *string { return v.Scope })
 }
 
+// The GitHub Actions token to use. This is not a personal access tokens
+// and is typically generated automatically as part of each job.
+//
+// Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+// `crazy-max/ghaction-github-runtime` is recommended to expose this
+// environment variable to your jobs.
+func (o CacheToGitHubActionsOutput) Token() pulumix.Output[*string] {
+	return pulumix.Apply[CacheToGitHubActions](o, func(v CacheToGitHubActions) *string { return v.Token })
+}
+
+// The cache server URL to use for artifacts.
+//
+// Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+// `crazy-max/ghaction-github-runtime` is recommended to expose this
+// environment variable to your jobs.
+func (o CacheToGitHubActionsOutput) Url() pulumix.Output[*string] {
+	return pulumix.Apply[CacheToGitHubActions](o, func(v CacheToGitHubActions) *string { return v.Url })
+}
+
 // Include an inline cache with the exported image.
 type CacheToInline struct {
 }

sdk/java/src/main/java/com/pulumi/dockerbuild/inputs/CacheFromGitHubActionsArgs.java

@@ -12,13 +12,6 @@ import java.util.Optional;
 import javax.annotation.Nullable;
 
 
-/**
- * Recommended for use with GitHub Actions workflows.
- * 
- * An action like `crazy-max/ghaction-github-runtime` is recommended to expose
- * appropriate credentials to your GitHub workflow.
- * 
- */
 public final class CacheFromGitHubActionsArgs extends com.pulumi.resources.ResourceArgs {
 
     public static final CacheFromGitHubActionsArgs Empty = new CacheFromGitHubActionsArgs();
@@ -44,10 +37,60 @@ public final class CacheFromGitHubActionsArgs extends com.pulumi.resources.Resou
         return Optional.ofNullable(this.scope);
     }
 
+    /**
+     * The GitHub Actions token to use. This is not a personal access tokens
+     * and is typically generated automatically as part of each job.
+     * 
+     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     * 
+     */
+    @Import(name="token")
+    private @Nullable Output<String> token;
+
+    /**
+     * @return The GitHub Actions token to use. This is not a personal access tokens
+     * and is typically generated automatically as part of each job.
+     * 
+     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     * 
+     */
+    public Optional<Output<String>> token() {
+        return Optional.ofNullable(this.token);
+    }
+
+    /**
+     * The cache server URL to use for artifacts.
+     * 
+     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     * 
+     */
+    @Import(name="url")
+    private @Nullable Output<String> url;
+
+    /**
+     * @return The cache server URL to use for artifacts.
+     * 
+     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     * 
+     */
+    public Optional<Output<String>> url() {
+        return Optional.ofNullable(this.url);
+    }
+
     private CacheFromGitHubActionsArgs() {}
 
     private CacheFromGitHubActionsArgs(CacheFromGitHubActionsArgs $) {
         this.scope = $.scope;
+        this.token = $.token;
+        this.url = $.url;
     }
 
     public static Builder builder() {
@@ -95,8 +138,70 @@ public final class CacheFromGitHubActionsArgs extends com.pulumi.resources.Resou
             return scope(Output.of(scope));
         }
 
+        /**
+         * @param token The GitHub Actions token to use. This is not a personal access tokens
+         * and is typically generated automatically as part of each job.
+         * 
+         * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+         * `crazy-max/ghaction-github-runtime` is recommended to expose this
+         * environment variable to your jobs.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder token(@Nullable Output<String> token) {
+            $.token = token;
+            return this;
+        }
+
+        /**
+         * @param token The GitHub Actions token to use. This is not a personal access tokens
+         * and is typically generated automatically as part of each job.
+         * 
+         * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+         * `crazy-max/ghaction-github-runtime` is recommended to expose this
+         * environment variable to your jobs.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder token(String token) {
+            return token(Output.of(token));
+        }
+
+        /**
+         * @param url The cache server URL to use for artifacts.
+         * 
+         * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+         * `crazy-max/ghaction-github-runtime` is recommended to expose this
+         * environment variable to your jobs.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder url(@Nullable Output<String> url) {
+            $.url = url;
+            return this;
+        }
+
+        /**
+         * @param url The cache server URL to use for artifacts.
+         * 
+         * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+         * `crazy-max/ghaction-github-runtime` is recommended to expose this
+         * environment variable to your jobs.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder url(String url) {
+            return url(Output.of(url));
+        }
+
         public CacheFromGitHubActionsArgs build() {
             $.scope = Codegen.stringProp("scope").output().arg($.scope).def("buildkit").getNullable();
+            $.token = Codegen.stringProp("token").secret().arg($.token).env("ACTIONS_RUNTIME_TOKEN").def("").getNullable();
+            $.url = Codegen.stringProp("url").output().arg($.url).env("ACTIONS_CACHE_URL").def("").getNullable();
             return $;
         }
     }

sdk/java/src/main/java/com/pulumi/dockerbuild/inputs/CacheToGitHubActionsArgs.java

@@ -14,13 +14,6 @@ import java.util.Optional;
 import javax.annotation.Nullable;
 
 
-/**
- * Recommended for use with GitHub Actions workflows.
- * 
- * An action like `crazy-max/ghaction-github-runtime` is recommended to expose
- * appropriate credentials to your GitHub workflow.
- * 
- */
 public final class CacheToGitHubActionsArgs extends com.pulumi.resources.ResourceArgs {
 
     public static final CacheToGitHubActionsArgs Empty = new CacheToGitHubActionsArgs();
@@ -76,12 +69,62 @@ public final class CacheToGitHubActionsArgs extends com.pulumi.resources.Resourc
         return Optional.ofNullable(this.scope);
     }
 
+    /**
+     * The GitHub Actions token to use. This is not a personal access tokens
+     * and is typically generated automatically as part of each job.
+     * 
+     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     * 
+     */
+    @Import(name="token")
+    private @Nullable Output<String> token;
+
+    /**
+     * @return The GitHub Actions token to use. This is not a personal access tokens
+     * and is typically generated automatically as part of each job.
+     * 
+     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     * 
+     */
+    public Optional<Output<String>> token() {
+        return Optional.ofNullable(this.token);
+    }
+
+    /**
+     * The cache server URL to use for artifacts.
+     * 
+     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     * 
+     */
+    @Import(name="url")
+    private @Nullable Output<String> url;
+
+    /**
+     * @return The cache server URL to use for artifacts.
+     * 
+     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     * 
+     */
+    public Optional<Output<String>> url() {
+        return Optional.ofNullable(this.url);
+    }
+
     private CacheToGitHubActionsArgs() {}
 
     private CacheToGitHubActionsArgs(CacheToGitHubActionsArgs $) {
         this.ignoreError = $.ignoreError;
         this.mode = $.mode;
         this.scope = $.scope;
+        this.token = $.token;
+        this.url = $.url;
     }
 
     public static Builder builder() {
@@ -171,10 +214,72 @@ public final class CacheToGitHubActionsArgs extends com.pulumi.resources.Resourc
             return scope(Output.of(scope));
         }
 
+        /**
+         * @param token The GitHub Actions token to use. This is not a personal access tokens
+         * and is typically generated automatically as part of each job.
+         * 
+         * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+         * `crazy-max/ghaction-github-runtime` is recommended to expose this
+         * environment variable to your jobs.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder token(@Nullable Output<String> token) {
+            $.token = token;
+            return this;
+        }
+
+        /**
+         * @param token The GitHub Actions token to use. This is not a personal access tokens
+         * and is typically generated automatically as part of each job.
+         * 
+         * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+         * `crazy-max/ghaction-github-runtime` is recommended to expose this
+         * environment variable to your jobs.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder token(String token) {
+            return token(Output.of(token));
+        }
+
+        /**
+         * @param url The cache server URL to use for artifacts.
+         * 
+         * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+         * `crazy-max/ghaction-github-runtime` is recommended to expose this
+         * environment variable to your jobs.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder url(@Nullable Output<String> url) {
+            $.url = url;
+            return this;
+        }
+
+        /**
+         * @param url The cache server URL to use for artifacts.
+         * 
+         * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+         * `crazy-max/ghaction-github-runtime` is recommended to expose this
+         * environment variable to your jobs.
+         * 
+         * @return builder
+         * 
+         */
+        public Builder url(String url) {
+            return url(Output.of(url));
+        }
+
         public CacheToGitHubActionsArgs build() {
             $.ignoreError = Codegen.booleanProp("ignoreError").output().arg($.ignoreError).def(false).getNullable();
             $.mode = Codegen.objectProp("mode", CacheMode.class).output().arg($.mode).def(CacheMode.Min).getNullable();
             $.scope = Codegen.stringProp("scope").output().arg($.scope).def("buildkit").getNullable();
+            $.token = Codegen.stringProp("token").secret().arg($.token).env("ACTIONS_RUNTIME_TOKEN").def("").getNullable();
+            $.url = Codegen.stringProp("url").output().arg($.url).env("ACTIONS_CACHE_URL").def("").getNullable();
             return $;
         }
     }

sdk/java/src/main/java/com/pulumi/dockerbuild/outputs/CacheFromGitHubActions.java

@@ -19,6 +19,25 @@ public final class CacheFromGitHubActions {
      * 
      */
     private @Nullable String scope;
+    /**
+     * @return The GitHub Actions token to use. This is not a personal access tokens
+     * and is typically generated automatically as part of each job.
+     * 
+     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     * 
+     */
+    private @Nullable String token;
+    /**
+     * @return The cache server URL to use for artifacts.
+     * 
+     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     * 
+     */
+    private @Nullable String url;
 
     private CacheFromGitHubActions() {}
     /**
@@ -31,6 +50,29 @@ public final class CacheFromGitHubActions {
     public Optional<String> scope() {
         return Optional.ofNullable(this.scope);
     }
+    /**
+     * @return The GitHub Actions token to use. This is not a personal access tokens
+     * and is typically generated automatically as part of each job.
+     * 
+     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     * 
+     */
+    public Optional<String> token() {
+        return Optional.ofNullable(this.token);
+    }
+    /**
+     * @return The cache server URL to use for artifacts.
+     * 
+     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     * 
+     */
+    public Optional<String> url() {
+        return Optional.ofNullable(this.url);
+    }
 
     public static Builder builder() {
         return new Builder();
@@ -42,10 +84,14 @@ public final class CacheFromGitHubActions {
     @CustomType.Builder
     public static final class Builder {
         private @Nullable String scope;
+        private @Nullable String token;
+        private @Nullable String url;
         public Builder() {}
         public Builder(CacheFromGitHubActions defaults) {
     	      Objects.requireNonNull(defaults);
     	      this.scope = defaults.scope;
+    	      this.token = defaults.token;
+    	      this.url = defaults.url;
         }
 
         @CustomType.Setter
@@ -54,9 +100,23 @@ public final class CacheFromGitHubActions {
             this.scope = scope;
             return this;
         }
+        @CustomType.Setter
+        public Builder token(@Nullable String token) {
+
+            this.token = token;
+            return this;
+        }
+        @CustomType.Setter
+        public Builder url(@Nullable String url) {
+
+            this.url = url;
+            return this;
+        }
         public CacheFromGitHubActions build() {
             final var _resultValue = new CacheFromGitHubActions();
             _resultValue.scope = scope;
+            _resultValue.token = token;
+            _resultValue.url = url;
             return _resultValue;
         }
     }

sdk/java/src/main/java/com/pulumi/dockerbuild/outputs/CacheToGitHubActions.java

@@ -31,6 +31,25 @@ public final class CacheToGitHubActions {
      * 
      */
     private @Nullable String scope;
+    /**
+     * @return The GitHub Actions token to use. This is not a personal access tokens
+     * and is typically generated automatically as part of each job.
+     * 
+     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     * 
+     */
+    private @Nullable String token;
+    /**
+     * @return The cache server URL to use for artifacts.
+     * 
+     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     * 
+     */
+    private @Nullable String url;
 
     private CacheToGitHubActions() {}
     /**
@@ -57,6 +76,29 @@ public final class CacheToGitHubActions {
     public Optional<String> scope() {
         return Optional.ofNullable(this.scope);
     }
+    /**
+     * @return The GitHub Actions token to use. This is not a personal access tokens
+     * and is typically generated automatically as part of each job.
+     * 
+     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     * 
+     */
+    public Optional<String> token() {
+        return Optional.ofNullable(this.token);
+    }
+    /**
+     * @return The cache server URL to use for artifacts.
+     * 
+     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     * 
+     */
+    public Optional<String> url() {
+        return Optional.ofNullable(this.url);
+    }
 
     public static Builder builder() {
         return new Builder();
@@ -70,12 +112,16 @@ public final class CacheToGitHubActions {
         private @Nullable Boolean ignoreError;
         private @Nullable CacheMode mode;
         private @Nullable String scope;
+        private @Nullable String token;
+        private @Nullable String url;
         public Builder() {}
         public Builder(CacheToGitHubActions defaults) {
     	      Objects.requireNonNull(defaults);
     	      this.ignoreError = defaults.ignoreError;
     	      this.mode = defaults.mode;
     	      this.scope = defaults.scope;
+    	      this.token = defaults.token;
+    	      this.url = defaults.url;
         }
 
         @CustomType.Setter
@@ -96,11 +142,25 @@ public final class CacheToGitHubActions {
             this.scope = scope;
             return this;
         }
+        @CustomType.Setter
+        public Builder token(@Nullable String token) {
+
+            this.token = token;
+            return this;
+        }
+        @CustomType.Setter
+        public Builder url(@Nullable String url) {
+
+            this.url = url;
+            return this;
+        }
         public CacheToGitHubActions build() {
             final var _resultValue = new CacheToGitHubActions();
             _resultValue.ignoreError = ignoreError;
             _resultValue.mode = mode;
             _resultValue.scope = scope;
+            _resultValue.token = token;
+            _resultValue.url = url;
             return _resultValue;
         }
     }

sdk/nodejs/types/input.ts

@@ -104,12 +104,6 @@ export interface CacheFromAzureBlobArgs {
     secretAccessKey?: pulumi.Input<string>;
 }
 
-/**
- * Recommended for use with GitHub Actions workflows.
- *
- * An action like `crazy-max/ghaction-github-runtime` is recommended to expose
- * appropriate credentials to your GitHub workflow.
- */
 export interface CacheFromGitHubActionsArgs {
     /**
      * The scope to use for cache keys. Defaults to `buildkit`.
@@ -118,6 +112,23 @@ export interface CacheFromGitHubActionsArgs {
      * workflow, otherwise caches will overwrite each other.
      */
     scope?: pulumi.Input<string>;
+    /**
+     * The GitHub Actions token to use. This is not a personal access tokens
+     * and is typically generated automatically as part of each job.
+     *
+     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     */
+    token?: pulumi.Input<string>;
+    /**
+     * The cache server URL to use for artifacts.
+     *
+     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     */
+    url?: pulumi.Input<string>;
 }
 /**
  * cacheFromGitHubActionsArgsProvideDefaults sets the appropriate defaults for CacheFromGitHubActionsArgs
@@ -126,6 +137,8 @@ export function cacheFromGitHubActionsArgsProvideDefaults(val: CacheFromGitHubAc
     return {
         ...val,
         scope: (val.scope) ?? "buildkit",
+        token: (val.token) ?? (utilities.getEnv("ACTIONS_RUNTIME_TOKEN") || ""),
+        url: (val.url) ?? (utilities.getEnv("ACTIONS_CACHE_URL") || ""),
     };
 }
 
@@ -290,12 +303,6 @@ export function cacheToAzureBlobArgsProvideDefaults(val: CacheToAzureBlobArgs):
     };
 }
 
-/**
- * Recommended for use with GitHub Actions workflows.
- *
- * An action like `crazy-max/ghaction-github-runtime` is recommended to expose
- * appropriate credentials to your GitHub workflow.
- */
 export interface CacheToGitHubActionsArgs {
     /**
      * Ignore errors caused by failed cache exports.
@@ -312,6 +319,23 @@ export interface CacheToGitHubActionsArgs {
      * workflow, otherwise caches will overwrite each other.
      */
     scope?: pulumi.Input<string>;
+    /**
+     * The GitHub Actions token to use. This is not a personal access tokens
+     * and is typically generated automatically as part of each job.
+     *
+     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     */
+    token?: pulumi.Input<string>;
+    /**
+     * The cache server URL to use for artifacts.
+     *
+     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     */
+    url?: pulumi.Input<string>;
 }
 /**
  * cacheToGitHubActionsArgsProvideDefaults sets the appropriate defaults for CacheToGitHubActionsArgs
@@ -322,6 +346,8 @@ export function cacheToGitHubActionsArgsProvideDefaults(val: CacheToGitHubAction
         ignoreError: (val.ignoreError) ?? false,
         mode: (val.mode) ?? "min",
         scope: (val.scope) ?? "buildkit",
+        token: (val.token) ?? (utilities.getEnv("ACTIONS_RUNTIME_TOKEN") || ""),
+        url: (val.url) ?? (utilities.getEnv("ACTIONS_CACHE_URL") || ""),
     };
 }
 

sdk/nodejs/types/output.ts

@@ -104,12 +104,6 @@ export interface CacheFromAzureBlob {
     secretAccessKey?: string;
 }
 
-/**
- * Recommended for use with GitHub Actions workflows.
- *
- * An action like `crazy-max/ghaction-github-runtime` is recommended to expose
- * appropriate credentials to your GitHub workflow.
- */
 export interface CacheFromGitHubActions {
     /**
      * The scope to use for cache keys. Defaults to `buildkit`.
@@ -118,6 +112,23 @@ export interface CacheFromGitHubActions {
      * workflow, otherwise caches will overwrite each other.
      */
     scope?: string;
+    /**
+     * The GitHub Actions token to use. This is not a personal access tokens
+     * and is typically generated automatically as part of each job.
+     *
+     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     */
+    token?: string;
+    /**
+     * The cache server URL to use for artifacts.
+     *
+     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     */
+    url?: string;
 }
 /**
  * cacheFromGitHubActionsProvideDefaults sets the appropriate defaults for CacheFromGitHubActions
@@ -126,6 +137,8 @@ export function cacheFromGitHubActionsProvideDefaults(val: CacheFromGitHubAction
     return {
         ...val,
         scope: (val.scope) ?? "buildkit",
+        token: (val.token) ?? (utilities.getEnv("ACTIONS_RUNTIME_TOKEN") || ""),
+        url: (val.url) ?? (utilities.getEnv("ACTIONS_CACHE_URL") || ""),
     };
 }
 
@@ -290,12 +303,6 @@ export function cacheToAzureBlobProvideDefaults(val: CacheToAzureBlob): CacheToA
     };
 }
 
-/**
- * Recommended for use with GitHub Actions workflows.
- *
- * An action like `crazy-max/ghaction-github-runtime` is recommended to expose
- * appropriate credentials to your GitHub workflow.
- */
 export interface CacheToGitHubActions {
     /**
      * Ignore errors caused by failed cache exports.
@@ -312,6 +319,23 @@ export interface CacheToGitHubActions {
      * workflow, otherwise caches will overwrite each other.
      */
     scope?: string;
+    /**
+     * The GitHub Actions token to use. This is not a personal access tokens
+     * and is typically generated automatically as part of each job.
+     *
+     * Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     */
+    token?: string;
+    /**
+     * The cache server URL to use for artifacts.
+     *
+     * Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+     * `crazy-max/ghaction-github-runtime` is recommended to expose this
+     * environment variable to your jobs.
+     */
+    url?: string;
 }
 /**
  * cacheToGitHubActionsProvideDefaults sets the appropriate defaults for CacheToGitHubActions
@@ -322,6 +346,8 @@ export function cacheToGitHubActionsProvideDefaults(val: CacheToGitHubActions):
         ignoreError: (val.ignoreError) ?? false,
         mode: (val.mode) ?? "min",
         scope: (val.scope) ?? "buildkit",
+        token: (val.token) ?? (utilities.getEnv("ACTIONS_RUNTIME_TOKEN") || ""),
+        url: (val.url) ?? (utilities.getEnv("ACTIONS_CACHE_URL") || ""),
     };
 }
 

sdk/python/pulumi_docker_build/_inputs.py

@@ -281,12 +281,6 @@ class CacheFromAzureBlobArgs:
 
 if not MYPY:
     class CacheFromGitHubActionsArgsDict(TypedDict):
-        """
-        Recommended for use with GitHub Actions workflows.
-
-        An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-        appropriate credentials to your GitHub workflow.
-        """
         scope: NotRequired[pulumi.Input[_builtins.str]]
         """
         The scope to use for cache keys. Defaults to `buildkit`.
@@ -294,27 +288,61 @@ if not MYPY:
         This should be set if building and caching multiple images in one
         workflow, otherwise caches will overwrite each other.
         """
+        token: NotRequired[pulumi.Input[_builtins.str]]
+        """
+        The GitHub Actions token to use. This is not a personal access tokens
+        and is typically generated automatically as part of each job.
+
+        Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+        `crazy-max/ghaction-github-runtime` is recommended to expose this
+        environment variable to your jobs.
+        """
+        url: NotRequired[pulumi.Input[_builtins.str]]
+        """
+        The cache server URL to use for artifacts.
+
+        Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+        `crazy-max/ghaction-github-runtime` is recommended to expose this
+        environment variable to your jobs.
+        """
 elif False:
     CacheFromGitHubActionsArgsDict: TypeAlias = Mapping[str, Any]
 
 @pulumi.input_type
 class CacheFromGitHubActionsArgs:
     def __init__(__self__, *,
-                 scope: Optional[pulumi.Input[_builtins.str]] = None):
+                 scope: Optional[pulumi.Input[_builtins.str]] = None,
+                 token: Optional[pulumi.Input[_builtins.str]] = None,
+                 url: Optional[pulumi.Input[_builtins.str]] = None):
         """
-        Recommended for use with GitHub Actions workflows.
-
-        An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-        appropriate credentials to your GitHub workflow.
         :param pulumi.Input[_builtins.str] scope: The scope to use for cache keys. Defaults to `buildkit`.
                
                This should be set if building and caching multiple images in one
                workflow, otherwise caches will overwrite each other.
+        :param pulumi.Input[_builtins.str] token: The GitHub Actions token to use. This is not a personal access tokens
+               and is typically generated automatically as part of each job.
+               
+               Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+               `crazy-max/ghaction-github-runtime` is recommended to expose this
+               environment variable to your jobs.
+        :param pulumi.Input[_builtins.str] url: The cache server URL to use for artifacts.
+               
+               Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+               `crazy-max/ghaction-github-runtime` is recommended to expose this
+               environment variable to your jobs.
         """
         if scope is None:
             scope = 'buildkit'
         if scope is not None:
             pulumi.set(__self__, "scope", scope)
+        if token is None:
+            token = (_utilities.get_env('ACTIONS_RUNTIME_TOKEN') or '')
+        if token is not None:
+            pulumi.set(__self__, "token", token)
+        if url is None:
+            url = (_utilities.get_env('ACTIONS_CACHE_URL') or '')
+        if url is not None:
+            pulumi.set(__self__, "url", url)
 
     @_builtins.property
     @pulumi.getter
@@ -331,6 +359,39 @@ class CacheFromGitHubActionsArgs:
     def scope(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "scope", value)
 
+    @_builtins.property
+    @pulumi.getter
+    def token(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        The GitHub Actions token to use. This is not a personal access tokens
+        and is typically generated automatically as part of each job.
+
+        Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+        `crazy-max/ghaction-github-runtime` is recommended to expose this
+        environment variable to your jobs.
+        """
+        return pulumi.get(self, "token")
+
+    @token.setter
+    def token(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "token", value)
+
+    @_builtins.property
+    @pulumi.getter
+    def url(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        The cache server URL to use for artifacts.
+
+        Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+        `crazy-max/ghaction-github-runtime` is recommended to expose this
+        environment variable to your jobs.
+        """
+        return pulumi.get(self, "url")
+
+    @url.setter
+    def url(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "url", value)
+
 
 if not MYPY:
     class CacheFromLocalArgsDict(TypedDict):
@@ -916,12 +977,6 @@ class CacheToAzureBlobArgs:
 
 if not MYPY:
     class CacheToGitHubActionsArgsDict(TypedDict):
-        """
-        Recommended for use with GitHub Actions workflows.
-
-        An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-        appropriate credentials to your GitHub workflow.
-        """
         ignore_error: NotRequired[pulumi.Input[_builtins.bool]]
         """
         Ignore errors caused by failed cache exports.
@@ -937,6 +992,23 @@ if not MYPY:
         This should be set if building and caching multiple images in one
         workflow, otherwise caches will overwrite each other.
         """
+        token: NotRequired[pulumi.Input[_builtins.str]]
+        """
+        The GitHub Actions token to use. This is not a personal access tokens
+        and is typically generated automatically as part of each job.
+
+        Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+        `crazy-max/ghaction-github-runtime` is recommended to expose this
+        environment variable to your jobs.
+        """
+        url: NotRequired[pulumi.Input[_builtins.str]]
+        """
+        The cache server URL to use for artifacts.
+
+        Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+        `crazy-max/ghaction-github-runtime` is recommended to expose this
+        environment variable to your jobs.
+        """
 elif False:
     CacheToGitHubActionsArgsDict: TypeAlias = Mapping[str, Any]
 
@@ -945,18 +1017,27 @@ class CacheToGitHubActionsArgs:
     def __init__(__self__, *,
                  ignore_error: Optional[pulumi.Input[_builtins.bool]] = None,
                  mode: Optional[pulumi.Input['CacheMode']] = None,
-                 scope: Optional[pulumi.Input[_builtins.str]] = None):
+                 scope: Optional[pulumi.Input[_builtins.str]] = None,
+                 token: Optional[pulumi.Input[_builtins.str]] = None,
+                 url: Optional[pulumi.Input[_builtins.str]] = None):
         """
-        Recommended for use with GitHub Actions workflows.
-
-        An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-        appropriate credentials to your GitHub workflow.
         :param pulumi.Input[_builtins.bool] ignore_error: Ignore errors caused by failed cache exports.
         :param pulumi.Input['CacheMode'] mode: The cache mode to use. Defaults to `min`.
         :param pulumi.Input[_builtins.str] scope: The scope to use for cache keys. Defaults to `buildkit`.
                
                This should be set if building and caching multiple images in one
                workflow, otherwise caches will overwrite each other.
+        :param pulumi.Input[_builtins.str] token: The GitHub Actions token to use. This is not a personal access tokens
+               and is typically generated automatically as part of each job.
+               
+               Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+               `crazy-max/ghaction-github-runtime` is recommended to expose this
+               environment variable to your jobs.
+        :param pulumi.Input[_builtins.str] url: The cache server URL to use for artifacts.
+               
+               Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+               `crazy-max/ghaction-github-runtime` is recommended to expose this
+               environment variable to your jobs.
         """
         if ignore_error is None:
             ignore_error = False
@@ -970,6 +1051,14 @@ class CacheToGitHubActionsArgs:
             scope = 'buildkit'
         if scope is not None:
             pulumi.set(__self__, "scope", scope)
+        if token is None:
+            token = (_utilities.get_env('ACTIONS_RUNTIME_TOKEN') or '')
+        if token is not None:
+            pulumi.set(__self__, "token", token)
+        if url is None:
+            url = (_utilities.get_env('ACTIONS_CACHE_URL') or '')
+        if url is not None:
+            pulumi.set(__self__, "url", url)
 
     @_builtins.property
     @pulumi.getter(name="ignoreError")
@@ -1010,6 +1099,39 @@ class CacheToGitHubActionsArgs:
     def scope(self, value: Optional[pulumi.Input[_builtins.str]]):
         pulumi.set(self, "scope", value)
 
+    @_builtins.property
+    @pulumi.getter
+    def token(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        The GitHub Actions token to use. This is not a personal access tokens
+        and is typically generated automatically as part of each job.
+
+        Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+        `crazy-max/ghaction-github-runtime` is recommended to expose this
+        environment variable to your jobs.
+        """
+        return pulumi.get(self, "token")
+
+    @token.setter
+    def token(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "token", value)
+
+    @_builtins.property
+    @pulumi.getter
+    def url(self) -> Optional[pulumi.Input[_builtins.str]]:
+        """
+        The cache server URL to use for artifacts.
+
+        Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+        `crazy-max/ghaction-github-runtime` is recommended to expose this
+        environment variable to your jobs.
+        """
+        return pulumi.get(self, "url")
+
+    @url.setter
+    def url(self, value: Optional[pulumi.Input[_builtins.str]]):
+        pulumi.set(self, "url", value)
+
 
 if not MYPY:
     class CacheToInlineArgsDict(TypedDict):

sdk/python/pulumi_docker_build/outputs.py

@@ -293,28 +293,39 @@ class CacheFromAzureBlob(dict):
 
 @pulumi.output_type
 class CacheFromGitHubActions(dict):
-    """
-    Recommended for use with GitHub Actions workflows.
-
-    An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-    appropriate credentials to your GitHub workflow.
-    """
     def __init__(__self__, *,
-                 scope: Optional[_builtins.str] = None):
+                 scope: Optional[_builtins.str] = None,
+                 token: Optional[_builtins.str] = None,
+                 url: Optional[_builtins.str] = None):
         """
-        Recommended for use with GitHub Actions workflows.
-
-        An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-        appropriate credentials to your GitHub workflow.
         :param _builtins.str scope: The scope to use for cache keys. Defaults to `buildkit`.
                
                This should be set if building and caching multiple images in one
                workflow, otherwise caches will overwrite each other.
+        :param _builtins.str token: The GitHub Actions token to use. This is not a personal access tokens
+               and is typically generated automatically as part of each job.
+               
+               Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+               `crazy-max/ghaction-github-runtime` is recommended to expose this
+               environment variable to your jobs.
+        :param _builtins.str url: The cache server URL to use for artifacts.
+               
+               Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+               `crazy-max/ghaction-github-runtime` is recommended to expose this
+               environment variable to your jobs.
         """
         if scope is None:
             scope = 'buildkit'
         if scope is not None:
             pulumi.set(__self__, "scope", scope)
+        if token is None:
+            token = (_utilities.get_env('ACTIONS_RUNTIME_TOKEN') or '')
+        if token is not None:
+            pulumi.set(__self__, "token", token)
+        if url is None:
+            url = (_utilities.get_env('ACTIONS_CACHE_URL') or '')
+        if url is not None:
+            pulumi.set(__self__, "url", url)
 
     @_builtins.property
     @pulumi.getter
@@ -327,6 +338,31 @@ class CacheFromGitHubActions(dict):
         """
         return pulumi.get(self, "scope")
 
+    @_builtins.property
+    @pulumi.getter
+    def token(self) -> Optional[_builtins.str]:
+        """
+        The GitHub Actions token to use. This is not a personal access tokens
+        and is typically generated automatically as part of each job.
+
+        Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+        `crazy-max/ghaction-github-runtime` is recommended to expose this
+        environment variable to your jobs.
+        """
+        return pulumi.get(self, "token")
+
+    @_builtins.property
+    @pulumi.getter
+    def url(self) -> Optional[_builtins.str]:
+        """
+        The cache server URL to use for artifacts.
+
+        Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+        `crazy-max/ghaction-github-runtime` is recommended to expose this
+        environment variable to your jobs.
+        """
+        return pulumi.get(self, "url")
+
 
 @pulumi.output_type
 class CacheFromLocal(dict):
@@ -748,12 +784,6 @@ class CacheToAzureBlob(dict):
 
 @pulumi.output_type
 class CacheToGitHubActions(dict):
-    """
-    Recommended for use with GitHub Actions workflows.
-
-    An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-    appropriate credentials to your GitHub workflow.
-    """
     @staticmethod
     def __key_warning(key: str):
         suggest = None
@@ -774,18 +804,27 @@ class CacheToGitHubActions(dict):
     def __init__(__self__, *,
                  ignore_error: Optional[_builtins.bool] = None,
                  mode: Optional['CacheMode'] = None,
-                 scope: Optional[_builtins.str] = None):
+                 scope: Optional[_builtins.str] = None,
+                 token: Optional[_builtins.str] = None,
+                 url: Optional[_builtins.str] = None):
         """
-        Recommended for use with GitHub Actions workflows.
-
-        An action like `crazy-max/ghaction-github-runtime` is recommended to expose
-        appropriate credentials to your GitHub workflow.
         :param _builtins.bool ignore_error: Ignore errors caused by failed cache exports.
         :param 'CacheMode' mode: The cache mode to use. Defaults to `min`.
         :param _builtins.str scope: The scope to use for cache keys. Defaults to `buildkit`.
                
                This should be set if building and caching multiple images in one
                workflow, otherwise caches will overwrite each other.
+        :param _builtins.str token: The GitHub Actions token to use. This is not a personal access tokens
+               and is typically generated automatically as part of each job.
+               
+               Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+               `crazy-max/ghaction-github-runtime` is recommended to expose this
+               environment variable to your jobs.
+        :param _builtins.str url: The cache server URL to use for artifacts.
+               
+               Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+               `crazy-max/ghaction-github-runtime` is recommended to expose this
+               environment variable to your jobs.
         """
         if ignore_error is None:
             ignore_error = False
@@ -799,6 +838,14 @@ class CacheToGitHubActions(dict):
             scope = 'buildkit'
         if scope is not None:
             pulumi.set(__self__, "scope", scope)
+        if token is None:
+            token = (_utilities.get_env('ACTIONS_RUNTIME_TOKEN') or '')
+        if token is not None:
+            pulumi.set(__self__, "token", token)
+        if url is None:
+            url = (_utilities.get_env('ACTIONS_CACHE_URL') or '')
+        if url is not None:
+            pulumi.set(__self__, "url", url)
 
     @_builtins.property
     @pulumi.getter(name="ignoreError")
@@ -827,6 +874,31 @@ class CacheToGitHubActions(dict):
         """
         return pulumi.get(self, "scope")
 
+    @_builtins.property
+    @pulumi.getter
+    def token(self) -> Optional[_builtins.str]:
+        """
+        The GitHub Actions token to use. This is not a personal access tokens
+        and is typically generated automatically as part of each job.
+
+        Defaults to `$ACTIONS_RUNTIME_TOKEN`, although a separate action like
+        `crazy-max/ghaction-github-runtime` is recommended to expose this
+        environment variable to your jobs.
+        """
+        return pulumi.get(self, "token")
+
+    @_builtins.property
+    @pulumi.getter
+    def url(self) -> Optional[_builtins.str]:
+        """
+        The cache server URL to use for artifacts.
+
+        Defaults to `$ACTIONS_CACHE_URL`, although a separate action like
+        `crazy-max/ghaction-github-runtime` is recommended to expose this
+        environment variable to your jobs.
+        """
+        return pulumi.get(self, "url")
+
 
 @pulumi.output_type
 class CacheToInline(dict):