Updated modules

This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit 1131c4d395e39e42386bf9a4dfb975eb219d604b.

Co-authored-by: Pulumi Bot <bot@pulumi.com>

.config/mise.toml

@@ -17,7 +17,7 @@ python = '3.11.8'
 java = 'corretto-11'
 
 # Executable tools
-pulumi = "{{ get_env(name='PULUMI_VERSION_MISE', default='latest') }}"
+"github:pulumi/pulumi" = "{{ get_env(name='PULUMI_VERSION_MISE', default='latest') }}"
 "github:pulumi/pulumictl" = '0.0.50'
 "github:pulumi/schema-tools" = "0.6.0"
 "aqua:gradle/gradle-distributions" = '7.6.6'
@@ -29,6 +29,7 @@ experimental = true # Required for Go binaries (e.g. pulumictl).
 lockfile = false
 http_retries = 3
 pin = true # `mise use` should pin versions instead of defaulting to latest.
+fetch_remote_versions_cache = "24h" # Mise queries versions even if they're pinned to confirm they exist. Reduce GitHub API calls by doing that less often.
 
 [plugins]
 vfox-pulumi = "https://github.com/pulumi/vfox-pulumi"

.github/workflows/build.yml

@@ -352,7 +352,7 @@ jobs:
         requested-token-type: urn:pulumi:token-type:access_token:organization
         export-environment-variables: false
     - name: Export AWS Credentials
-      uses: pulumi/esc-action@6cf9520e68354d86f81c455e8d43eabd58f5c9f5 # v1.5.0
+      uses: pulumi/esc-action@9840934db12128a33f6afb60b17d9de8f7ec5519
       env:
         PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
       with:
@@ -562,26 +562,6 @@ jobs:
       env:
         SLACK_WEBHOOK_URL: ${{ steps.esc-secrets.outputs.SLACK_WEBHOOK_URL }}
   lint:
-    runs-on: ubuntu-latest
-    steps:
-    - name: Checkout Repo
-      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
-      with:
-        lfs: true
-        persist-credentials: false
-        ref: ${{ env.PR_COMMIT_SHA }}
-    - name: Setup Tools
-      uses: ./.github/actions/setup-tools
-      with:
-        github_token: ${{ steps.app-auth.outputs.token }}
-    - name: Disarm go:embed directives to enable linters that compile source code
-      run: git grep -l 'go:embed' -- provider | xargs --no-run-if-empty sed -i
-        's/go:embed/ goembed/g'
-    - name: golangci-lint provider pkg
-      uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6.5.2
-      with:
-        install-mode: none # Handled by mise.
-        working-directory: .
     name: lint
-    if: github.event_name == 'repository_dispatch' ||
+    uses: ./.github/workflows/lint.yml
-      github.event.pull_request.head.repo.full_name == github.repository
+    secrets: inherit

.github/workflows/claude.yml

@@ -0,0 +1,98 @@
+name: Claude Code
+
+on:
+  # Responds to @claude mentions in comments.
+  issue_comment:
+    types: [created]
+  pull_request_review_comment:
+    types: [created]
+  issues:
+    types: [opened]
+  pull_request_review:
+    types: [submitted]
+
+jobs:
+  claude:
+    # Only run when @claude is mentioned by a trusted user (OWNER, MEMBER, or COLLABORATOR)
+    # Note: the claude-code-action can only be triggered by users with write access to the repository so this is extra
+    # see https://github.com/anthropics/claude-code-action/blob/main/docs/security.md
+    if: |
+      (github.event_name == 'issue_comment' &&
+        contains(github.event.comment.body, '@claude') &&
+        contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)) ||
+      (github.event_name == 'pull_request_review_comment' &&
+        contains(github.event.comment.body, '@claude') &&
+        contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association)) ||
+      (github.event_name == 'pull_request_review' &&
+        contains(github.event.review.body, '@claude') &&
+        contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.review.author_association)) ||
+      (github.event_name == 'issues' &&
+        (contains(github.event.issue.body, '@claude') || contains(github.event.issue.title, '@claude')) &&
+        contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.issue.author_association))
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
+      issues: write
+      id-token: write
+    steps:
+      - env:
+          ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
+          ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
+          ESC_ACTION_OIDC_AUTH: "true"
+          ESC_ACTION_OIDC_ORGANIZATION: pulumi
+          ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
+        id: esc-secrets
+        name: Fetch secrets from ESC
+        uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+        with:
+          fetch-depth: 1
+      - name: Setup mise
+        uses: blampe/mise-action@blampe/plugins
+        env:
+          MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
+        with:
+          version: 2026.1.1
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          plugin_install: https://github.com/pulumi/vfox-pulumi
+          # only saving the cache in the prerequisites job
+          cache_save: false
+      - name: Prepare local workspace
+        # this runs install_plugins and upstream
+        run: make prepare_local_workspace
+      - name: Run Claude Code Review
+        # Comment must contain '@claude review'
+        if: |
+          (github.event_name == 'issue_comment' && contains(github.event.comment.body, '@claude review')) ||
+          (github.event_name == 'pull_request_review_comment' && contains(github.event.comment.body, '@claude review')) ||
+          (github.event_name == 'pull_request_review' && contains(github.event.review.body, '@claude review'))
+        id: claude-review
+        uses: anthropics/claude-code-action@8341a564b0c1693e9fa29c681852ee3714980098 # v1
+        with:
+          anthropic_api_key: ${{ steps.esc-secrets.outputs.ANTHROPIC_API_KEY }}
+          prompt: |
+            REPO: ${{ github.repository }}
+            PR NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
+
+            Review this pull request using the provider-code-review skill for guidelines.
+            The PR branch is already checked out in the current working directory.
+
+            Use `gh pr comment` for top-level feedback.
+            Use `mcp__github_inline_comment__create_inline_comment` to highlight specific code issues.
+            Only post GitHub comments - don't submit review text as messages.
+          # Taken from https://github.com/anthropics/claude-code/blob/main/plugins/code-review/commands/code-review.md
+          claude_args: |
+            --allowedTools "Bash(gh issue view:*),Bash(gh search:*),Bash(gh issue list:*),Bash(gh pr comment:*),Bash(gh pr diff:*),Bash(gh pr view:*),Bash(gh pr list:*),mcp__github_inline_comment__create_inline_comment"
+      - name: Run Claude Code
+        # Comment must contain '@claude', but not '@claude review'
+        if: |
+          !contains(github.event.comment.body, '@claude review') &&
+          !contains(github.event.review.body, '@claude review')
+        id: claude-action
+        uses: anthropics/claude-code-action@8341a564b0c1693e9fa29c681852ee3714980098 # v1
+        with:
+          anthropic_api_key: ${{ steps.esc-secrets.outputs.ANTHROPIC_API_KEY }}
+          claude_args: |
+            # --max-turns 10 # this is the default
+            --allowedTools "Edit,MultiEdit,Write,Read,Glob,Grep,LS,Bash(upgrade-provider:*),Bash(./scripts/upstream.sh:*),Bash(git:*),Bash(GIT_EDITOR=*),Bash(make:*),Bash(gh:*),Bash(mkdir:*),Bash(cd:*),Bash(go install:*)"

.github/workflows/comment-on-stale-issues.yml

@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     name: Stale issue job
     steps:
-    - uses: aws-actions/stale-issue-cleanup@0604f2edf84a3a66bc0dfb4a30eb07814cbdf440
+    - uses: pose/stale-issue-cleanup@40050776bcfdf0e518aa89e2871e3f1e0b7b4209
       with:
         issue-types: issues # only look at issues (ignore pull-requests)
 

.github/workflows/lint.yml

@@ -0,0 +1,57 @@
+# WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
+
+name: lint
+
+on:
+  workflow_call:
+    inputs: {}
+
+env:
+  PROVIDER: docker-build
+  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  TRAVIS_OS_NAME: linux
+  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
+  GOVERSION: "1.21.x"
+  NODEVERSION: "20.x"
+  PYTHONVERSION: "3.11.8"
+  DOTNETVERSION: "8.0.x"
+  JAVAVERSION: "11"
+  ARM_CLIENT_ID: 30e520fa-12b4-4e21-b473-9426c5ac2e1e
+  ARM_SUBSCRIPTION_ID: 0282681f-7a9e-424b-80b2-96babd57a8a1
+  ARM_TENANT_ID: 706143bc-e1d4-4593-aee2-c9dc60ab9be7
+  AWS_REGION: us-west-2
+  AZURE_LOCATION: westus
+  GOOGLE_CI_SERVICE_ACCOUNT_EMAIL: pulumi-ci@pulumi-ci-gcp-provider.iam.gserviceaccount.com
+  GOOGLE_CI_WORKLOAD_IDENTITY_POOL: pulumi-ci
+  GOOGLE_CI_WORKLOAD_IDENTITY_PROVIDER: pulumi-ci
+  GOOGLE_PROJECT: pulumi-ci-gcp-provider
+  GOOGLE_PROJECT_NUMBER: "895284651812"
+  GOOGLE_REGION: us-central1
+  GOOGLE_ZONE: us-central1-a
+  PULUMI_API: https://api.pulumi-staging.io
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout Repo
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      with:
+        lfs: true
+        persist-credentials: false
+        ref: ${{ env.PR_COMMIT_SHA }}
+    - name: Setup Tools
+      uses: ./.github/actions/setup-tools
+      with:
+        github_token: ${{ steps.app-auth.outputs.token }}
+    - name: Disarm go:embed directives to enable linters that compile source code
+      run: git grep -l 'go:embed' -- provider | xargs --no-run-if-empty sed -i
+        's/go:embed/ goembed/g'
+    - name: golangci-lint provider pkg
+      uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6.5.2
+      with:
+        install-mode: none # Handled by mise.
+        working-directory: .
+    name: lint
+    if: github.event_name == 'repository_dispatch' ||
+      github.event.pull_request.head.repo.full_name == github.repository

.github/workflows/prerelease.yml

@@ -308,7 +308,7 @@ jobs:
         requested-token-type: urn:pulumi:token-type:access_token:organization
         export-environment-variables: false
     - name: Export AWS Credentials
-      uses: pulumi/esc-action@6cf9520e68354d86f81c455e8d43eabd58f5c9f5 # v1.5.0
+      uses: pulumi/esc-action@9840934db12128a33f6afb60b17d9de8f7ec5519
       env:
         PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
       with:

.github/workflows/release.yml

@@ -308,7 +308,7 @@ jobs:
         requested-token-type: urn:pulumi:token-type:access_token:organization
         export-environment-variables: false
     - name: Export AWS Credentials
-      uses: pulumi/esc-action@6cf9520e68354d86f81c455e8d43eabd58f5c9f5 # v1.5.0
+      uses: pulumi/esc-action@9840934db12128a33f6afb60b17d9de8f7ec5519
       env:
         PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
       with:

.github/workflows/run-acceptance-tests.yml

@@ -459,7 +459,7 @@ jobs:
         requested-token-type: urn:pulumi:token-type:access_token:organization
         export-environment-variables: false
     - name: Export AWS Credentials
-      uses: pulumi/esc-action@6cf9520e68354d86f81c455e8d43eabd58f5c9f5 # v1.5.0
+      uses: pulumi/esc-action@9840934db12128a33f6afb60b17d9de8f7ec5519
       env:
         PULUMI_ACCESS_TOKEN: ${{ steps.generate_pulumi_token.outputs.pulumi-access-token }}
       with:

.pulumi.version

@@ -1 +1 @@
-3.216.0
+3.217.1