Update GitHub Actions workflows.

.ci-mgmt.yaml

@@ -7,14 +7,6 @@ env:
     PULUMI_GITLAB_TOKEN: ${{ secrets.PULUMI_GITLAB_TOKEN }}
 makeTemplate: bridged
 team: ecosystem
-plugins:
-    - name: std
-      version: "1.6.2"
-    - name: terraform
-      version: "1.0.16"
-      kind: converter
-    - name: local
-      version: "0.0.1"
 pulumiConvert: 1
 registryDocs: true
 integrationTestProvider: true

.config/mise.lock

@@ -8,17 +8,21 @@ backend = "github:pulumi/pulumictl"
 
 [tools."github:pulumi/pulumictl".platforms.linux-x64]
 checksum = "blake3:c128dd74993f779c613296fe7cd21c20cbd323f24e59cb76e007620660b60348"
+name = "pulumictl-v0.0.50-linux-amd64.tar.gz"
 size = 27744219
 url = "https://github.com/pulumi/pulumictl/releases/download/v0.0.50/pulumictl-v0.0.50-linux-amd64.tar.gz"
+url_api = ""
 
 [[tools."github:pulumi/schema-tools"]]
 version = "0.6.0"
 backend = "github:pulumi/schema-tools"
 
 [tools."github:pulumi/schema-tools".platforms.linux-x64]
 checksum = "blake3:82dfe616fee18b4258f6e3d2dc3c4e9f14afd43a0a4cc33eff2d2a04088d6ca3"
+name = "schema-tools-v0.6.0-linux-amd64.tar.gz"
 size = 14282746
 url = "https://github.com/pulumi/schema-tools/releases/download/v0.6.0/schema-tools-v0.6.0-linux-amd64.tar.gz"
+url_api = ""
 
 [[tools.go]]
 version = "1.24.5"
@@ -77,3 +81,15 @@ url = "https://github.com/pulumi/pulumi/releases/download/v3.190.0/pulumi-v3.190
 [[tools.python]]
 version = "3.11.8"
 backend = "core:python"
+
+[[tools."vfox-pulumi:pulumi/pulumi-converter-terraform"]]
+version = "1.2.4"
+backend = "vfox-pulumi:pulumi/pulumi-converter-terraform"
+
+[[tools."vfox-pulumi:pulumi/pulumi-local"]]
+version = "0.1.6"
+backend = "vfox-pulumi:pulumi/pulumi-local"
+
+[[tools."vfox-pulumi:pulumi/pulumi-std"]]
+version = "2.2.0"
+backend = "vfox-pulumi:pulumi/pulumi-std"

.config/mise.test.toml

@@ -1,6 +1,10 @@
 # WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
 
-# Overrides tool versions for test workflows
+# Overrides for test workflows
+
+[env]
+# Acceptance (specifically providertest) tests require that PULUMI_HOME be the default
+PULUMI_HOME = "{{ env.HOME }}/.pulumi"
 
 [tools]
 # always use pulumi latest for tests

.config/mise.toml

@@ -21,7 +21,13 @@ pulumi = "{{ get_env(name='MISE_PULUMI_VERSION', default='latest') }}"
 "github:pulumi/schema-tools" = "latest"
 gradle = '7.6'
 golangci-lint = "1.64.8" # See note about about overrides if you need to customize this.
+"vfox-pulumi:pulumi/pulumi-std" = "latest"
+"vfox-pulumi:pulumi/pulumi-converter-terraform" = "latest"
+"vfox-pulumi:pulumi/pulumi-local" = "latest"
 
 [settings]
 experimental = true # Required for Go binaries (e.g. pulumictl).
 lockfile = true
+
+[plugins]
+vfox-pulumi = "https://github.com/pulumi/vfox-pulumi"

.github/actions/download-prerequisites/action.yml

@@ -5,7 +5,7 @@ runs:
   using: "composite"
   steps:
     - name: Download the prerequisites bin
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: prerequisites-bin
         path: bin
@@ -19,7 +19,7 @@ runs:
       run: rm bin/executables.txt
 
     - name: Download schema-embed.json
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         # Use a pattern to avoid failing if the artifact doesn't exist
         pattern: schema-embed.*

.github/actions/download-provider/action.yml

@@ -6,7 +6,7 @@ runs:
   steps:
 
     - name: Download pulumi-resource-gitlab
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         pattern: pulumi-resource-gitlab-*-linux-amd64.tar.gz
         path: ${{ github.workspace }}/bin

.github/actions/download-sdk/action.yml

@@ -10,7 +10,7 @@ runs:
   using: "composite"
   steps:
     - name: Download ${{ inputs.language }} SDK
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         name: ${{ inputs.language }}-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/

.github/actions/upload-prerequisites/action.yml

@@ -9,14 +9,14 @@ runs:
       run: find bin -type f -executable > bin/executables.txt
 
     - name: Upload prerequisites bin
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
       with:
         name: prerequisites-bin
         path: bin/*
         retention-days: 30
 
     - name: Upload schema-embed.json
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
       with:
         name: schema-embed.json
         path: provider/cmd/pulumi-resource-gitlab/schema-embed.json

.github/actions/upload-sdk/action.yml

@@ -13,7 +13,7 @@ runs:
       shell: bash
       run: tar -zcf sdk/${{ inputs.language }}.tar.gz -C sdk/${{ inputs.language }} .
     - name: Upload artifacts
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
       with:
         name: ${{ inputs.language  }}-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/${{ inputs.language }}.tar.gz

.github/workflows/build_provider.yml

@@ -59,6 +59,8 @@ jobs:
       - name: Setup mise
         uses: jdx/mise-action@v3
         with:
+          # Latest working version. See https://github.com/jdx/mise/discussions/6781
+          version: 2025.10.16
           github_token: ${{ secrets.GITHUB_TOKEN }}
           cache_key: "mise-{{platform}}-{{file_hash}}"
           # only saving the cache in the prerequisites job
@@ -106,7 +108,7 @@ jobs:
         run: make provider_dist-${{ matrix.platform.os }}-${{ matrix.platform.arch }}
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
         with:
           name: pulumi-resource-gitlab-v${{ inputs.version }}-${{ matrix.platform.os }}-${{ matrix.platform.arch }}.tar.gz
           path: bin/pulumi-resource-gitlab-v${{ inputs.version }}-${{ matrix.platform.os }}-${{ matrix.platform.arch }}.tar.gz

.github/workflows/build_sdk.yml

@@ -57,6 +57,8 @@ jobs:
       - name: Setup mise
         uses: jdx/mise-action@v3
         with:
+          # Latest working version. See https://github.com/jdx/mise/discussions/6781
+          version: 2025.10.16
           github_token: ${{ secrets.GITHUB_TOKEN }}
           cache_key: "mise-{{platform}}-{{file_hash}}"
           # only saving the cache in the prerequisites job
@@ -96,6 +98,10 @@ jobs:
             sdk/nodejs/package.json
             sdk/python/pyproject.toml
             sdk/java/build.gradle
+            **/mise.lock
+            **/.config/mise.lock
+            **/mise.*.lock
+            **/.config/mise.*.lock
       - name: Commit ${{ matrix.language }} SDK changes for Renovate
         # If the worktree is dirty and this is a Renovate PR to bump
         # dependencies, commit the updated SDK and push it back to the PR. The

.github/workflows/comment-on-stale-issues.yml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     name: Stale issue job
     steps:
-    - uses: aws-actions/stale-issue-cleanup@5650b49bcd757a078f6ca06c373d7807b773f9bc #v7.1.0
+    - uses: aws-actions/stale-issue-cleanup@5650b49bcd757a078f6ca06c373d7807b773f9bc # v7.1.0
       with:
         issue-types: issues # only look at issues (ignore pull-requests)
 

.github/workflows/copilot-setup-steps.yml

@@ -35,6 +35,8 @@ jobs:
       - name: Setup mise
         uses: jdx/mise-action@v3
         with:
+          # Latest working version. See https://github.com/jdx/mise/discussions/6781
+          version: 2025.10.16
           github_token: ${{ secrets.GITHUB_TOKEN }}
           cache_key: "mise-{{platform}}-{{file_hash}}"
           # only saving the cache in the prerequisites job

.github/workflows/license.yml

@@ -24,6 +24,8 @@ jobs:
       - name: Setup mise
         uses: jdx/mise-action@v3
         with:
+          # Latest working version. See https://github.com/jdx/mise/discussions/6781
+          version: 2025.10.16
           github_token: ${{ secrets.GITHUB_TOKEN }}
           cache_key: "mise-{{platform}}-{{file_hash}}"
           # only saving the cache in the prerequisites job

.github/workflows/lint.yml

@@ -24,6 +24,8 @@ jobs:
     - name: Setup mise
       uses: jdx/mise-action@v3
       with:
+        # Latest working version. See https://github.com/jdx/mise/discussions/6781
+        version: 2025.10.16
         github_token: ${{ secrets.GITHUB_TOKEN }}
         cache_save: false # A different job handles caching our tools.
     - name: disarm go:embed directives to enable lint

.github/workflows/main-post-build.yml

@@ -43,14 +43,16 @@ jobs:
         name: Fetch secrets from ESC
         uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
         with:
           aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID }}
           aws-region: us-west-2
           aws-secret-access-key: ${{ steps.esc-secrets.outputs.AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY }}
       - name: Setup mise
         uses: jdx/mise-action@v3
         with:
+          # Latest working version. See https://github.com/jdx/mise/discussions/6781
+          version: 2025.10.16
           github_token: ${{ secrets.GITHUB_TOKEN }}
           cache_key: "mise-{{platform}}-{{file_hash}}"
           # only saving the cache in the prerequisites job

.github/workflows/master.yml

@@ -75,6 +75,7 @@ jobs:
     with:
       version: ${{ needs.prerequisites.outputs.version }}
       isPrerelease: true
+      setLatestRelease: false
       skipGoSdk: true
       skipJavaSdk: true
 

.github/workflows/prerelease.yml

@@ -58,6 +58,7 @@ jobs:
     with:
       version: ${{ needs.prerequisites.outputs.version }}
       isPrerelease: true
+      setLatestRelease: false
 
   test:
     uses: ./.github/workflows/test.yml

.github/workflows/prerequisites.yml

@@ -63,6 +63,8 @@ jobs:
     - name: Setup mise
       uses: jdx/mise-action@v3
       with:
+        # Latest working version. See https://github.com/jdx/mise/discussions/6781
+        version: 2025.10.16
         github_token: ${{ secrets.GITHUB_TOKEN }}
         cache_key: "mise-{{platform}}-{{file_hash}}"
         # only saving the cache in the prerequisites job

.github/workflows/publish.yml

@@ -7,6 +7,9 @@ on:
       version:
         required: true
         type: string
+      setLatestRelease:
+        required: true
+        type: boolean
       isPrerelease:
         required: true
         type: boolean
@@ -53,11 +56,13 @@ jobs:
     - name: Setup mise
       uses: jdx/mise-action@v3
       with:
+        # Latest working version. See https://github.com/jdx/mise/discussions/6781
+        version: 2025.10.16
         github_token: ${{ secrets.GITHUB_TOKEN }}
         cache_key: "mise-{{platform}}-${{ hashFiles('mise.lock') }}"
         cache_save: false
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
+      uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
       with:
         aws-access-key-id: ${{ steps.esc-secrets.outputs.AWS_ACCESS_KEY_ID }}
         aws-region: us-east-2
@@ -69,14 +74,14 @@ jobs:
     - name: Create dist directory
       run: mkdir -p dist
     - name: Download provider assets
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         pattern: pulumi-resource-gitlab-v${{ inputs.version }}-*
         path: dist
         # Don't create a directory for each artifact
         merge-multiple: true
     - name: Download schema
-      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
       with:
         # Use a pattern to avoid failing if the artifact doesn't exist
         pattern: schema-embed.*
@@ -102,13 +107,15 @@ jobs:
     - name: Upload Provider Binaries
       run: aws s3 cp dist s3://get.pulumi.com/releases/plugins/ --recursive
     - name: Create GH Release
-      uses: softprops/action-gh-release@6cbd405e2c4e67a21c47fa9e383d020e4e28b836 # v2
+      uses: softprops/action-gh-release@6da8fa9354ddfdc4aeace5fc48d7f679b5214090 # v2
       if: inputs.isPrerelease == false
       with:
         tag_name: v${{ inputs.version }}
         prerelease: ${{ inputs.isPrerelease }}
         # We keep pre-releases as drafts so they're not visible until we manually publish them.
         draft: ${{ inputs.isPrerelease }}
+        # Explicitly set make_latest to account for backported releases
+        make_latest: ${{ inputs.setLatestRelease }}
         body: ${{ steps.schema-summary.outputs.summary }}
         generate_release_notes: true
         files: dist/*
@@ -139,12 +146,14 @@ jobs:
     - name: Setup mise
       uses: jdx/mise-action@v3
       with:
+        # Latest working version. See https://github.com/jdx/mise/discussions/6781
+        version: 2025.10.16
         github_token: ${{ secrets.GITHUB_TOKEN }}
         cache_key: "mise-{{platform}}-{{file_hash}}"
         # only saving the cache in the prerequisites job
         cache_save: false
     - name: Setup Node
-      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
+      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6
       with:
         # we don't set node-version because we install with mise.
         # this step is needed to setup npm auth
@@ -207,8 +216,8 @@ jobs:
   create_docs_build:
     name: create_docs_build
     needs: publish_sdk
-    # Only run for non-prerelease, if the publish_go_sdk job was successful or skipped
-    if: inputs.isPrerelease == false
+    # Only run for non-prerelease and for non-backported releases, if the publish_go_sdk job was successful or skipped
+    if: inputs.isPrerelease == false && inputs.setLatestRelease == true
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repo
@@ -225,7 +234,7 @@ jobs:
         name: Fetch secrets from ESC
         uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
       - name: Dispatch Metadata build
-        uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3
+        uses: peter-evans/repository-dispatch@5fc4efd1a4797ddb68ffd0714a238564e4cc0e6f # v4
         with:
           token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
           repository: pulumi/registry

.github/workflows/pull-request.yml

@@ -6,25 +6,18 @@ env:
   PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
   TF_APPEND_USER_AGENT: pulumi
 
+name: Comment on community PRs
+on:
+  pull_request_target: {}
+
 jobs:
   comment-on-pr:
     if: github.event.pull_request.head.repo.full_name != github.repository
     name: comment-on-pr
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
-    - name: Checkout Repo
-      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
-      with:
-        persist-credentials: false    
-    - env:
-        ESC_ACTION_ENVIRONMENT: github-secrets/${{ github.repository_owner }}-${{ github.event.repository.name }}
-        ESC_ACTION_EXPORT_ENVIRONMENT_VARIABLES: "false"
-        ESC_ACTION_OIDC_AUTH: "true"
-        ESC_ACTION_OIDC_ORGANIZATION: pulumi
-        ESC_ACTION_OIDC_REQUESTED_TOKEN_TYPE: urn:pulumi:token-type:access_token:organization
-      id: esc-secrets
-      name: Fetch secrets from ESC
-      uses: pulumi/esc-action@9eb774255b1a4afb7855678ae8d4a77359da0d9b
     - name: Comment PR
       uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
       with:
@@ -33,6 +26,3 @@ jobs:
           PR is now waiting for a maintainer to run the acceptance tests.
 
           **Note for the maintainer:** To run the acceptance tests, please comment */run-acceptance-tests* on the PR
-name: pull-request
-on:
-  pull_request_target: {}