pulumi · pulumi-bot · Sep 11, 2025 · Sep 11, 2025
diff --git a/.github/actions/esc-action/index.js b/.github/actions/esc-action/index.js
@@ -5,7 +5,7 @@ var stream = fs.createWriteStream(file, { flags: "a" });
 
 for (const [name, value] of Object.entries(process.env)) {
   try {
-    stream.write(`${name}=${value}\n`);
+    stream.write(`${name}<<EEEOOOFFF\n${value}\nEEEOOOFFF\n`); // << syntax accommodates multiline strings.
   } catch (err) {
     console.log(`error: failed to set output for ${name}: ${err.message}`);
   }

diff --git a/.github/actions/setup-tools/action.yml b/.github/actions/setup-tools/action.yml
@@ -59,20 +59,20 @@ runs:
 
     - name: Setup Node
       if: inputs.tools == 'all' || contains(inputs.tools, 'nodejs')
-      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+      uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5
       with:
         node-version: 20.x
         registry-url: https://registry.npmjs.org
 
     - name: Setup DotNet
       if: inputs.tools == 'all' || contains(inputs.tools, 'dotnet')
-      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
+      uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0
       with:
         dotnet-version: 8.0.x
 
     - name: Setup Python
       if: inputs.tools == 'all' || contains(inputs.tools, 'python')
-      uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+      uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
       with:
         python-version: 3.11.8
 

diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
@@ -0,0 +1,144 @@
+# Pulumi postgresql Provider
+
+The Pulumi postgresql provider is a Go-based Pulumi resource provider that bridges the Terraform provider to Pulumi. It generates SDKs for TypeScript/JavaScript, Python, .NET, Go, and Java. The provider uses the Terraform provider as an upstream source via git submodules.
+
+Always reference these instructions first and fallback to search or bash commands only when you encounter unexpected information that does not match the info here.
+
+## Working Effectively
+
+### Prerequisites and Environment Setup
+- All required dependencies are automatically installed via the `.github/workflows/copilot-setup-steps.yml` workflow
+- This includes Go, Node.js, Python, .NET, Gradle, and all necessary Pulumi tools
+
+### Initial Repository Setup
+- Initialize the upstream submodule: `make upstream`
+
+### Build Process
+- **ALWAYS use `make` targets** - Never run custom commands unless explicitly told to
+- **NEVER work directly in the `sdk/` folder** - All SDK generation and building is automated through `make`
+- If a `make` target fails, there is something wrong with the environment setup, not the target itself
+
+### Available Make Targets
+
+#### Primary Build Targets:
+- `make build` -- Build the provider and all SDKs
+- `make provider` -- Build the provider binary
+- `make schema` -- Generate the provider schema  
+- `make tfgen` -- Generate SDKs from schema
+- `make upstream` -- Initialize upstream submodule
+
+#### SDK Targets:
+- `make build_sdks` -- Build all SDK packages
+- `make generate_sdks` -- Generate all SDK source code
+- `make build_nodejs` -- Build TypeScript/Node.js SDK
+- `make build_python` -- Build Python SDK
+- `make build_dotnet` -- Build .NET SDK
+- `make build_go` -- Build Go SDK
+- `make build_java` -- Build Java SDK
+
+#### Development Targets:
+- `make lint_provider` -- Lint provider Go code
+- `make test_provider` -- Run provider unit tests
+
+### Build Guidelines:
+- **NEVER CANCEL** any build command once started - builds may take several minutes
+- Set timeouts to 300+ seconds for build operations
+- **DO NOT run tests in `examples/`** - They require cloud credentials and will run in PR workflows
+
+## Repository Structure
+
+### Key Directories:
+- `provider/` -- Go provider implementation
+- `sdk/` -- Generated SDKs for all languages
+- `upstream/` -- Git submodule with the Terraform provider
+- `scripts/` -- Build and utility scripts
+- `examples/` -- Example Pulumi programs (test framework available but skipped)
+
+### Important Files:
+- `Makefile` -- Primary build orchestration with all available targets
+- `provider/go.mod` -- Provider dependencies
+- `.github/workflows/copilot-setup-steps.yml` -- Environment setup for AI coding agents
+- `.github/workflows/` -- CI/CD pipelines
+
+## Development Workflow
+
+### Making Code Changes:
+1. Initialize repository: `make upstream`
+2. Make changes to provider code in `provider/`
+3. Validate with: `make lint_provider`
+4. Test with: `make test_provider`
+5. Build provider: `make provider`
+6. Generate and build SDKs: `make build_sdks`
+
+### Validation Steps:
+- Always use `make lint_provider` to lint provider code
+- Use `make test_provider` to run provider unit tests  
+- Use `make build` to validate the full build process
+
+### Working with SDKs:
+- **NEVER work directly in `sdk/` folders** - All SDK operations are automated via `make` targets
+- All SDKs are generated and built through `make` commands
+- TypeScript SDK: Use `make build_nodejs` 
+- Python SDK: Use `make build_python`
+- .NET SDK: Use `make build_dotnet`  
+- Go SDK: Use `make build_go`
+- Java SDK: Use `make build_java`
+
+## Validation Scenarios
+
+### Code Quality Validation:
+- Use `make lint_provider` to lint provider Go code
+- Use `make test_provider` to run provider unit tests
+- Use `make build` to validate full build process
+
+### Manual Code Review:
+- Check Go code follows standard patterns
+- Validate resource definitions in `provider/resources.go`
+- Ensure imports and dependencies are correct
+
+## Common Tasks Reference
+
+### Repository Root Contents:
+```
+.ci-mgmt.yaml          -- CI management configuration
+.devcontainer/         -- Dev container setup  
+.github/               -- GitHub workflows and templates
+.gitmodules           -- Git submodule configuration
+.golangci.yml         -- Go linter configuration
+.mise.toml            -- Mise tool configuration
+CONTRIBUTING.md       -- Contribution guidelines
+Makefile              -- Build orchestration with all available targets
+README.md             -- Project documentation
+devbox.json           -- Development environment
+provider/             -- Go provider implementation
+scripts/              -- Build utilities
+sdk/                  -- Generated SDKs (managed via make targets)
+upstream/             -- Terraform provider submodule
+```
+
+### Common File Operations:
+- **Provider source**: `provider/resources.go` -- Resource definitions
+- **Provider tests**: `provider/resources_test.go` -- Unit tests  
+- **Generated SDKs**: All in `sdk/` directory, managed via `make` targets only
+
+### Common Development Tasks:
+- Run provider tests: `make test_provider`
+- Build provider: `make provider` 
+- Generate schema: `make schema`
+- Build all SDKs: `make build_sdks`
+
+## Build Expectations
+
+- Provider builds: 1-3 minutes depending on system
+- SDK generation: 2-5 minutes for all SDKs
+- Individual SDK builds: 30 seconds to 2 minutes each
+- Full build (`make build`): 5-10 minutes total
+
+Set timeouts of 300+ seconds for build operations and NEVER CANCEL running builds.
+
+## Critical Reminders
+
+- **ALWAYS** use `make` targets - never run custom commands unless explicitly instructed
+- **NEVER** work directly in `sdk/` folders - use `make` targets for all SDK operations  
+- **DO NOT** run tests in `examples/` - they require cloud credentials
+- **FOCUS** on `make` targets for all development, building, and validation tasks
diff --git a/.github/workflows/build_provider.yml b/.github/workflows/build_provider.yml
@@ -38,7 +38,10 @@ jobs:
       - name: Checkout Repo
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
-          persist-credentials: false
+          persist-credentials: false      
+      - id: esc-secrets
+        name: Map environment to ESC outputs
+        uses: ./.github/actions/esc-action
       # Without ldid cross-compiling Node binaries on a Linux worker intended to work on darwin-arm64 fails to sign the
       # binaries properly and they do not work as expected. See https://github.com/pulumi/pulumi-awsx/issues/1490
       - uses: MOZGIII/install-ldid-action@v1
@@ -83,11 +86,11 @@ jobs:
       - name: Build provider
         run: make "provider-${{ matrix.platform.os }}-${{ matrix.platform.arch }}"
         env:
-          AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
-          AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
-          AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
-          AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
-          SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' && secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
+          AZURE_SIGNING_CLIENT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID }}
+          AZURE_SIGNING_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET }}
+          AZURE_SIGNING_TENANT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID }}
+          AZURE_SIGNING_KEY_VAULT_URI: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI }}
+          SKIP_SIGNING: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == '' && secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
 
       - name: Package provider
         run: make provider_dist-${{ matrix.platform.os }}-${{ matrix.platform.arch }}

diff --git a/.github/workflows/build_sdk.yml b/.github/workflows/build_sdk.yml
@@ -10,9 +10,17 @@ on:
         type: string
 
 env:
+  AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID: ${{ secrets.AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID }}
+  AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY: ${{ secrets.AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY }}
+  CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
   PULUMI_API: https://api.pulumi-staging.io
+  PULUMI_BOT_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
   PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
   PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }}
+  RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }}
+  S3_COVERAGE_BUCKET_NAME: ${{ secrets.S3_COVERAGE_BUCKET_NAME }}
+  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
   TF_APPEND_USER_AGENT: pulumi
   PROVIDER_VERSION: ${{ inputs.version }}
 
@@ -35,7 +43,10 @@ jobs:
       - name: Checkout Repo
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
-          persist-credentials: false
+          persist-credentials: false      
+      - id: esc-secrets
+        name: Map environment to ESC outputs
+        uses: ./.github/actions/esc-action
       - name: Cache examples generation
         uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4
         with:
@@ -102,7 +113,7 @@ jobs:
 
           # Push with pulumi-bot credentials to trigger a re-run of the
           # workflow. https://github.com/orgs/community/discussions/25702
-          git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} \
+          git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} \
               "HEAD:$HEAD_REF"
         env:
           # head_ref is untrusted so it's recommended to pass via env var to

diff --git a/.github/workflows/command-dispatch.yml b/.github/workflows/command-dispatch.yml
@@ -1,10 +1,19 @@
 # WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
 
 env:
+  AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID: ${{ secrets.AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID }}
+  AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY: ${{ secrets.AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY }}
+  CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
   PULUMI_API: https://api.pulumi-staging.io
+  PULUMI_BOT_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
   PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
   PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }}
+  RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }}
+  S3_COVERAGE_BUCKET_NAME: ${{ secrets.S3_COVERAGE_BUCKET_NAME }}
+  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
   TF_APPEND_USER_AGENT: pulumi
+
 jobs:
   command-dispatch-for-testing:
     name: command-dispatch-for-testing
@@ -13,7 +22,10 @@ jobs:
     - name: Checkout Repo
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
-        persist-credentials: false
+        persist-credentials: false    
+    - id: esc-secrets
+      name: Map environment to ESC outputs
+      uses: ./.github/actions/esc-action
     - uses: peter-evans/slash-command-dispatch@13bc09769d122a64f75aa5037256f6f2d78be8c4 # v4
       with:
         commands: |
@@ -23,7 +35,7 @@ jobs:
         permission: write
         reaction-token: ${{ secrets.GITHUB_TOKEN }}
         repository: pulumi/pulumi-postgresql
-        token: ${{ secrets.PULUMI_BOT_TOKEN }}
+        token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
 name: command-dispatch
 on:
   issue_comment:

diff --git a/.github/workflows/community-moderation.yml b/.github/workflows/community-moderation.yml
@@ -1,7 +1,5 @@
 # WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
 
-env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 jobs:
   warn_codegen:
     name: warn_codegen
@@ -10,7 +8,10 @@ jobs:
     - name: Checkout Repo
       uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
-        persist-credentials: false
+        persist-credentials: false    
+    - id: esc-secrets
+      name: Map environment to ESC outputs
+      uses: ./.github/actions/esc-action
     - id: schema_changed
       name: Check for diff in schema
       uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3.0.2

diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
@@ -0,0 +1,42 @@
+name: "Copilot Setup Steps"
+
+# Automatically run the setup steps when they are changed to allow for easy validation, and
+# allow manual testing through the repository's "Actions" tab
+on:
+  workflow_dispatch:
+  push:
+    paths:
+      - .github/workflows/copilot-setup-steps.yml
+  pull_request:
+    paths:
+      - .github/workflows/copilot-setup-steps.yml
+env:
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+jobs:
+  # The job MUST be called `copilot-setup-steps` or it will not be picked up by Copilot.
+  copilot-setup-steps:
+    runs-on: ubuntu-latest
+
+    # Set the permissions to the lowest permissions possible needed for your steps.
+    # Copilot will be given its own token for its operations.
+    permissions:
+      # If you want to clone the repository as part of your setup steps, for example to install dependencies, you'll need the `contents: read` permission. If you don't clone the repository in your setup steps, Copilot will do this for you automatically after the steps complete.
+      contents: read
+
+    # You can define any steps you want, and they will run before the agent starts.
+    # If you do not check out your code, Copilot will do this for you.
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+
+      - name: Setup tools
+        uses: ./.github/actions/setup-tools
+        with:
+          tools: pulumictl, pulumicli, nodejs, python, dotnet, go, java
+
+      - name: Prepare local workspace
+        # this runs install_plugins and upstream
+        run: make prepare_local_workspace
diff --git a/.github/workflows/export-repo-secrets.yml b/.github/workflows/export-repo-secrets.yml
@@ -13,7 +13,7 @@ jobs:
           app-id: 1256780 # Export Secrets GitHub App
           private-key: ${{ secrets.EXPORT_SECRETS_PRIVATE_KEY }}
       - name: Export secrets to ESC
-        uses: pulumi/esc-export-secrets-action@v1
+        uses: pulumi/esc-export-secrets-action@9d6485759b6adff2538ae91f1b77cc96265c9dad # v1
         with:
           organization: pulumi
           org-environment: imports/github-secrets

diff --git a/.github/workflows/license.yml b/.github/workflows/license.yml
@@ -7,9 +7,17 @@ on:
     inputs: {}
 
 env:
+  AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID: ${{ secrets.AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID }}
+  AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY: ${{ secrets.AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY }}
+  CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
   PULUMI_API: https://api.pulumi-staging.io
+  PULUMI_BOT_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
   PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
   PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }}
+  RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }}
+  S3_COVERAGE_BUCKET_NAME: ${{ secrets.S3_COVERAGE_BUCKET_NAME }}
+  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
   TF_APPEND_USER_AGENT: pulumi
 
 jobs:

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -7,9 +7,17 @@ on:
     inputs: {}
 
 env:
+  AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID: ${{ secrets.AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID }}
+  AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY: ${{ secrets.AWS_CORP_S3_UPLOAD_SECRET_ACCESS_KEY }}
+  CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
   PULUMI_API: https://api.pulumi-staging.io
+  PULUMI_BOT_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
   PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
   PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }}
+  RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }}
+  S3_COVERAGE_BUCKET_NAME: ${{ secrets.S3_COVERAGE_BUCKET_NAME }}
+  SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
   TF_APPEND_USER_AGENT: pulumi
 
 jobs: