chore: make ci-mgmt

2025-12-06 01:43:51 -05:00
parent ef3fde0b79
commit 4f829f9e0a
34 changed files with 623 additions and 467 deletions
--- a/.ci-mgmt.yaml
+++ b/.ci-mgmt.yaml
@@ -1,53 +1,31 @@
 # REQUIRED: provider is the name of the provider without the pulumi-prefix e.g. "aws".
 provider: incus
 # The name of the GitHub organization or username the repository lives in. Defaults to 'pulumi'
-organization: brandonkal
+organization: kiterun
 # The external template only includes workflows relevant for non-Pulumi managed providers.
 template: external-bridged-provider
 # The name of the GitHub organisation or username where the upstream terraform provider lives.
-upstreamProviderOrg: pulumi
+upstreamProviderOrg: lxc
 # major version of the current provider - used in make files
 # This should always be set by all providers as this is key to go module paths.
 major-version: 1
 # Enable using the terraform converter for example generation.
 pulumiConvert: 1
 # Set a GitHub username here for automatic upgrade PRs to be assigned to.
 # pr-assign: pulumi-bot
 # List of pulumi plugins to install in the "install_plugins" makefile target. Will include at least the terraform plugin
 # Should be set for all bridged providers
 plugins:
  - name: terraform
    version: "1.0.16"
    kind: converter
 # providerDefaultBranch is used to customise the default branch for the repo
 providerDefaultBranch: main
 # Explicit list of languages to support for SDKs. Java is currently excluded because it doesn't yet work well for non-internal providers.
 languages:
-  - go
+    - go
-  - nodejs
+    - nodejs
 # Disable Java publishing and pushing the provider binary to the CDN as these only work internally within Pulumi.
 publish:
-  sdk: "all,!java"
+    sdk: "all,!java"
-  cdn: false
+    cdn: false
 # Enables automatic generation of basic docs pages for the registry.
 # registryDocs: true
 # Disables a pulumi-internal-only step for running create_docs_build during the release
 publishRegistry: false
 # For additional options, please refer to the defaults set in ci-mgmt:
 # https://github.com/pulumi/ci-mgmt/blob/master/provider-ci/internal/pkg/templates/defaults.config.yaml
 toolVersions:
  pulumictl: "v0.0.48"
--- a/.config/mise.test.toml
+++ b/.config/mise.test.toml
@@ -0,0 +1,11 @@
 # WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
 # Overrides for test workflows
 [env]
 # Acceptance (specifically providertest) tests require that PULUMI_HOME be the default
 PULUMI_HOME = "{{ env.HOME }}/.pulumi"
 [tools]
 # always use pulumi latest for tests
 pulumi = "latest"
--- a/.config/mise.toml
+++ b/.config/mise.toml
@@ -0,0 +1,33 @@
 # WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
 # You can create your own root-level mise.toml file to override/augment this. See https://mise.jdx.dev/configuration.html
 [env]
 _.source = "{{config_root}}/scripts/get-versions.sh"
 PULUMI_HOME = "{{config_root}}/.pulumi"
 [tools]
 # Runtimes
 # TODO: we may not need 'get_env' once https://github.com/jdx/mise/discussions/6339 is fixed
 go = "{{ get_env(name='GO_VERSION_MISE', default='latest') }}"
 node = '20.19.5'
 python = '3.11.8'
 dotnet = '8.0.414'
 # Corretto version used as Java SE/OpenJDK version no longer offered
 java = 'corretto-11'
 # Executable tools
 pulumi = "{{ get_env(name='PULUMI_VERSION_MISE', default='latest') }}"
 "github:pulumi/pulumictl" = '0.0.50'
 "github:pulumi/schema-tools" = "0.6.0"
 "aqua:gradle/gradle-distributions" = '7.6.6'
 golangci-lint = "1.64.8" # See note about about overrides if you need to customize this.
 "npm:yarn" = "1.22.22"
 "vfox-pulumi:pulumi/pulumi-converter-terraform" = "1.0.16"
 [settings]
 experimental = true # Required for Go binaries (e.g. pulumictl).
 lockfile = false
 [plugins]
 vfox-pulumi = "https://github.com/pulumi/vfox-pulumi"
--- a/.devcontainer/Dockerfile
+++ b/.devcontainer/Dockerfile
@@ -1,4 +1,4 @@
-FROM jetpackio/devbox:latest
+FROM jetpackio/devbox:latest@sha256:293d6d0a33205e88550198835e68bcff65a2e33d143857ad92c6c888e6a75ad7
 # Installing your devbox project
 WORKDIR /code
--- a/.github/actions/download-prerequisites/action.yml
+++ b/.github/actions/download-prerequisites/action.yml
@@ -5,7 +5,7 @@ runs:
  using: "composite"
  steps:
    - name: Download the prerequisites bin
-      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        name: prerequisites-bin
        path: bin
@@ -19,7 +19,7 @@ runs:
      run: rm bin/executables.txt
    - name: Download schema-embed.json
-      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        # Use a pattern to avoid failing if the artifact doesn't exist
        pattern: schema-embed.*
--- a/.github/actions/download-provider/action.yml
+++ b/.github/actions/download-provider/action.yml
@@ -6,7 +6,7 @@ runs:
  steps:
    - name: Download pulumi-resource-incus
-      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        pattern: pulumi-resource-incus-*-linux-amd64.tar.gz
        path: ${{ github.workspace }}/bin
--- a/.github/actions/download-sdk/action.yml
+++ b/.github/actions/download-sdk/action.yml
@@ -10,7 +10,7 @@ runs:
  using: "composite"
  steps:
    - name: Download ${{ inputs.language }} SDK
-      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        name: ${{ inputs.language }}-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/
--- a/.github/actions/esc-action/action.yaml
+++ b/.github/actions/esc-action/action.yaml
@@ -0,0 +1,12 @@
 name: "Load secrets"
 description: |
  This is a temporary action which assists with our migration to ESC. Instead
  of surrounding every step that references secrets with an "if ESC" block, we
  instead modify those steps to consume their secrets from this step's outputs.
  Then, later, we can replace this action with esc-action to actually load
  secrets from ESC.
 inputs: {}
 outputs: {}
 runs:
  using: "node20"
  main: "index.js"
--- a/.github/actions/esc-action/index.js
+++ b/.github/actions/esc-action/index.js
@@ -0,0 +1,14 @@
 const fs = require("fs");
 const file = process.env["GITHUB_OUTPUT"];
 var stream = fs.createWriteStream(file, { flags: "a" });
 for (const [name, value] of Object.entries(process.env)) {
  try {
    stream.write(`${name}<<EEEOOOFFF\n${value}\nEEEOOOFFF\n`); // << syntax accommodates multiline strings.
  } catch (err) {
    console.log(`error: failed to set output for ${name}: ${err.message}`);
  }
 }
 stream.end();
--- a/.github/actions/setup-tools/action.yml
+++ b/.github/actions/setup-tools/action.yml
@@ -1,91 +0,0 @@
 name: Setup tools
 description: Installs Go, Pulumi, pulumictl, schema-tools, Node.JS, Python, dotnet and Java.
 inputs:
  tools:
    description: |
      Comma separated list of tools to install. The default of "all" installs all tools. Available tools are:
        go
        pulumicli
        pulumictl
        schema-tools
        nodejs
        python
        dotnet
        java
    default: all
  cache-go:
    description: |
      Whether to enable the GitHub cache for Go. Appropriate for disabling in
      smaller jobs that typically completely before the "real" job has an
      opportunity to populate the cache.
    default: "true"
 runs:
  using: "composite"
  steps:
    - name: Install Go
      if: inputs.tools == 'all' || contains(inputs.tools, 'go')
      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5
      with:
        go-version: "1.21.x"
        cache-dependency-path: |
          provider/*.sum
          upstream/*.sum
          sdk/go/*.sum
          sdk/*.sum
          *.sum
        # TODO(https://github.com/actions/setup-go/issues/316): Restore but don't save the cache.
        cache: ${{ inputs.cache-go }}
    - name: Install pulumictl
      if: inputs.tools == 'all' || contains(inputs.tools, 'pulumictl')
      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
      with:
        tag: v0.0.48
        repo: pulumi/pulumictl
    - name: Install Pulumi CLI
      if: inputs.tools == 'all' || contains(inputs.tools, 'pulumicli')
      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6
      with:
        pulumi-version: "dev"
    - name: Install Schema Tools
      if: inputs.tools == 'all' || contains(inputs.tools, 'schema-tools')
      uses: jaxxstorm/action-install-gh-release@4304621e8c48d66093a8a214af5d5b5bc3b3d943 # v2.0.0
      with:
        repo: pulumi/schema-tools
    - name: Setup Node
      if: inputs.tools == 'all' || contains(inputs.tools, 'nodejs')
      uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
      with:
        node-version: 20.x
        registry-url: https://registry.npmjs.org
    - name: Setup DotNet
      if: inputs.tools == 'all' || contains(inputs.tools, 'dotnet')
      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 # v4.3.1
      with:
        dotnet-version: 8.0.x
    - name: Setup Python
      if: inputs.tools == 'all' || contains(inputs.tools, 'python')
      uses: actions/setup-python@8d9ed9ac5c53483de85588cdf95a591a75ab9f55 # v5.5.0
      with:
        python-version: 3.11.8
    - name: Setup Java
      if: inputs.tools == 'all' || contains(inputs.tools, 'java')
      uses: actions/setup-java@c5195efecf7bdfc987ee8bae7a71cb8b11521c00 # v4.7.1
      with:
        cache: gradle
        distribution: temurin
        java-version: 11
    - name: Setup Gradle
      if: inputs.tools == 'all' || contains(inputs.tools, 'java')
      uses: gradle/gradle-build-action@ac2d340dc04d9e1113182899e983b5400c17cda1 # v3
      with:
        gradle-version: 7.6
--- a/.github/actions/upload-prerequisites/action.yml
+++ b/.github/actions/upload-prerequisites/action.yml
@@ -9,14 +9,14 @@ runs:
      run: find bin -type f -executable > bin/executables.txt
    - name: Upload prerequisites bin
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
      with:
        name: prerequisites-bin
        path: bin/*
        retention-days: 30
    - name: Upload schema-embed.json
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
      with:
        name: schema-embed.json
        path: provider/cmd/pulumi-resource-incus/schema-embed.json
--- a/.github/actions/upload-sdk/action.yml
+++ b/.github/actions/upload-sdk/action.yml
@@ -13,7 +13,7 @@ runs:
      shell: bash
      run: tar -zcf sdk/${{ inputs.language }}.tar.gz -C sdk/${{ inputs.language }} .
    - name: Upload artifacts
-      uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+      uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
      with:
        name: ${{ inputs.language  }}-sdk.tar.gz
        path: ${{ github.workspace}}/sdk/${{ inputs.language }}.tar.gz
--- a/.github/workflows/build_provider.yml
+++ b/.github/workflows/build_provider.yml
@@ -19,7 +19,8 @@ on:
              {"os": "linux",   "arch": "arm64"},
              {"os": "darwin",  "arch": "amd64"},
              {"os": "darwin",  "arch": "arm64"},
-              {"os": "windows", "arch": "amd64"}
+              {"os": "windows", "arch": "amd64"},
              {"os": "windows", "arch": "arm64"}
            ]
          }
@@ -33,22 +34,31 @@ jobs:
    strategy:
      fail-fast: true
      matrix: ${{ fromJSON(inputs.matrix) }}
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    steps:
      - name: Checkout Repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
-          persist-credentials: false
+          persist-credentials: false      
      - id: esc-secrets
        name: Map environment to ESC outputs
        uses: ./.github/actions/esc-action
      # Without ldid cross-compiling Node binaries on a Linux worker intended to work on darwin-arm64 fails to sign the
      # binaries properly and they do not work as expected. See https://github.com/pulumi/pulumi-awsx/issues/1490
-      - uses: MOZGIII/install-ldid-action@v1
+      - uses: MOZGIII/install-ldid-action@d5ab465f3a66a4d60a59882b935eb30e18e8d043 # v1
        with:
          tag: v2.1.5-procursus2
-      - name: Setup tools
+      - name: Setup mise
-        uses: ./.github/actions/setup-tools
+        uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3
        env:
          MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
        with:
-          tools: pulumictl, go
+          version: 2025.11.6
-          # use per-platform/arch caches instead since we are doing cross-builds
+          github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
-          cache-go: false
+          # only saving the cache in the prerequisites job
          cache_save: false
      # Based on https://github.com/actions/cache/blob/main/examples.md#go---modules
      - name: Get GOCACHE
        id: gocache
@@ -61,7 +71,7 @@ jobs:
        run: |
          echo "path=$(go env GOMODCACHE)" >> "${GITHUB_OUTPUT}"
      - name: Go Cache
-        uses: actions/cache@v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
        with:
          path: |
            ${{ steps.gocache.outputs.path }}
@@ -71,6 +81,8 @@ jobs:
            go-provider-${{ matrix.platform.os }}-${{ matrix.platform.arch }}-
      - name: Prepare local workspace before restoring previously built
        run: make prepare_local_workspace
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Restore prerequisites
        uses: ./.github/actions/download-prerequisites
      - name: Restore makefile progress
@@ -80,17 +92,17 @@ jobs:
      - name: Build provider
        run: make "provider-${{ matrix.platform.os }}-${{ matrix.platform.arch }}"
        env:
-          AZURE_SIGNING_CLIENT_ID: ${{ secrets.AZURE_SIGNING_CLIENT_ID }}
+          AZURE_SIGNING_CLIENT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID }}
-          AZURE_SIGNING_CLIENT_SECRET: ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }}
+          AZURE_SIGNING_CLIENT_SECRET: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_SECRET }}
-          AZURE_SIGNING_TENANT_ID: ${{ secrets.AZURE_SIGNING_TENANT_ID }}
+          AZURE_SIGNING_TENANT_ID: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_TENANT_ID }}
-          AZURE_SIGNING_KEY_VAULT_URI: ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }}
+          AZURE_SIGNING_KEY_VAULT_URI: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_KEY_VAULT_URI }}
-          SKIP_SIGNING: ${{ secrets.AZURE_SIGNING_CLIENT_ID == '' && secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
+          SKIP_SIGNING: ${{ steps.esc-secrets.outputs.AZURE_SIGNING_CLIENT_ID == '' && secrets.AZURE_SIGNING_CLIENT_SECRET == '' && secrets.AZURE_SIGNING_TENANT_ID == '' && secrets.AZURE_SIGNING_KEY_VAULT_URI == '' }}
      - name: Package provider
        run: make provider_dist-${{ matrix.platform.os }}-${{ matrix.platform.arch }}
      - name: Upload artifacts
-        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
        with:
          name: pulumi-resource-incus-v${{ inputs.version }}-${{ matrix.platform.os }}-${{ matrix.platform.arch }}.tar.gz
          path: bin/pulumi-resource-incus-v${{ inputs.version }}-${{ matrix.platform.os }}-${{ matrix.platform.arch }}.tar.gz
--- a/.github/workflows/build_sdk.yml
+++ b/.github/workflows/build_sdk.yml
@@ -10,21 +10,11 @@ on:
        type: string
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
  PULUMI_API: https://api.pulumi-staging.io
  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
-  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+  PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }}
-  PYPI_USERNAME: __token__
+  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
  TF_APPEND_USER_AGENT: pulumi
  PROVIDER_VERSION: ${{ inputs.version }}
@@ -38,27 +28,48 @@ jobs:
      fail-fast: ${{ ! contains(github.actor, 'renovate') }}
      matrix:
        language:
        - dotnet
        - go
        - nodejs
-        - python
+    permissions:
      contents: write # For Renovate SDKs.
      id-token: write # For ESC secrets.
    steps:
      - name: Checkout Repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
-          persist-credentials: false
+          persist-credentials: false      
      - id: esc-secrets
        name: Map environment to ESC outputs
        uses: ./.github/actions/esc-action
      - name: Cache examples generation
-        uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
        with:
          path: |
            .pulumi/examples-cache
          key: ${{ runner.os }}-${{ hashFiles('provider/go.sum') }}
-      - name: Setup tools
+      - name: Setup mise
-        uses: ./.github/actions/setup-tools
+        uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3
        env:
          MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
        with:
-          tools: pulumictl, pulumicli, ${{ matrix.language }}
+          version: 2025.11.6
          github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
          # only saving the cache in the prerequisites job
          cache_save: false
      - name: Setup Go Cache
        if: matrix.language == 'go' || contains(matrix.language, 'go')
        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
        with:
          cache-dependency-path: |
            provider/*.sum
            upstream/*.sum
            sdk/go/*.sum
            sdk/*.sum
            *.sum
      - name: Prepare local workspace
        run: make prepare_local_workspace
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - name: Download prerequisites
        uses: ./.github/actions/download-prerequisites
      - name: Update path
@@ -67,6 +78,7 @@ jobs:
        run: make --touch provider schema
      - name: Build SDK
        run: make build_${{ matrix.language }}
      - name: Check worktree clean
        id: worktreeClean
        uses: pulumi/git-status-check-action@v1
@@ -78,6 +90,7 @@ jobs:
            sdk/go/**/pulumiUtilities.go
            sdk/nodejs/package.json
            sdk/python/pyproject.toml
            sdk/java/build.gradle
      - name: Commit ${{ matrix.language }} SDK changes for Renovate
        # If the worktree is dirty and this is a Renovate PR to bump
        # dependencies, commit the updated SDK and push it back to the PR. The
@@ -111,7 +124,7 @@ jobs:
          # Push with pulumi-bot credentials to trigger a re-run of the
          # workflow. https://github.com/orgs/community/discussions/25702
-          git push https://pulumi-bot:${{ secrets.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} \
+          git push https://pulumi-bot:${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}@github.com/${{ github.repository }} \
              "HEAD:$HEAD_REF"
        env:
          # head_ref is untrusted so it's recommended to pass via env var to
--- a/.github/workflows/license.yml
+++ b/.github/workflows/license.yml
@@ -7,39 +7,42 @@ on:
    inputs: {}
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
  PULUMI_API: https://api.pulumi-staging.io
  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
-  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+  PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }}
-  PYPI_USERNAME: __token__
+  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
  TF_APPEND_USER_AGENT: pulumi
 jobs:
  license_check:
    name: License Check
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
      id-token: write # For ESC secrets.
    steps:
      - name: Checkout Repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
-          persist-credentials: false
+          persist-credentials: false      
-      - name: Setup tools
+      - id: esc-secrets
-        uses: ./.github/actions/setup-tools
+        name: Map environment to ESC outputs
        uses: ./.github/actions/esc-action
      - name: Setup mise
        uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3
        env:
          MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
        with:
-          tools: go
+          version: 2025.11.6
-          cache-go: false
+          github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
          # only saving the cache in the prerequisites job
          cache_save: false
      - run: make prepare_local_workspace
        continue-on-error: true
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      - uses: pulumi/license-check-action@main
        with:
          module-path: provider
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -7,39 +7,37 @@ on:
    inputs: {}
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
  PULUMI_API: https://api.pulumi-staging.io
  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
-  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+  PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }}
-  PYPI_USERNAME: __token__
+  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
  TF_APPEND_USER_AGENT: pulumi
 jobs:
  lint:
    name: lint
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      with:
-        persist-credentials: false
+        persist-credentials: false    
-    - name: Install go
+    - id: esc-secrets
-      uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5
+      name: Map environment to ESC outputs
      uses: ./.github/actions/esc-action
    - name: Setup mise
      uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3
      env:
        MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
      with:
-        # The versions of golangci-lint and setup-go here cross-depend and need to update together.
+        version: 2025.11.6
-        go-version: 1.23
+        github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
-        # Either this action or golangci-lint needs to disable the cache
+        cache_save: false # A different job handles caching our tools.
        cache: false
    - name: disarm go:embed directives to enable lint
      continue-on-error: true # this fails if there are no go:embed directives
      run: |
@@ -47,8 +45,10 @@ jobs:
    - name: prepare workspace
      continue-on-error: true
      run: make prepare_local_workspace
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: golangci-lint
      uses: golangci/golangci-lint-action@55c2c1448f86e01eaae002a5a3a9624417608d84 # v6
      with:
-        version: v1.64.6
+        install-mode: none # Handled by mise.
        working-directory: provider
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -1,24 +1,19 @@
 # WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
  PULUMI_API: https://api.pulumi-staging.io
  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
-  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+  PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }}
-  PYPI_USERNAME: __token__
+  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
  TF_APPEND_USER_AGENT: pulumi
 jobs:
  prerequisites:
    permissions:
      contents: read
      pull-requests: write
      id-token: write # For ESC secrets.
    uses: ./.github/workflows/prerequisites.yml
    secrets: inherit
    with:
@@ -30,6 +25,9 @@ jobs:
    uses: ./.github/workflows/build_provider.yml
    needs: prerequisites
    secrets: inherit
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    with:
      version: ${{ needs.prerequisites.outputs.version }}
@@ -38,6 +36,9 @@ jobs:
    needs: prerequisites
    uses: ./.github/workflows/build_sdk.yml
    secrets: inherit
    permissions:
      contents: write # For Renovate SDKs.
      id-token: write # For ESC secrets.
    with:
      version: ${{ needs.prerequisites.outputs.version }}
@@ -46,6 +47,9 @@ jobs:
    needs: prerequisites
    uses: ./.github/workflows/main-post-build.yml
    secrets: inherit
    permissions:
      contents: write # For Renovate SDKs.
      id-token: write # For ESC secrets.
    with:
      version: ${{ needs.prerequisites.outputs.version }}
@@ -73,6 +77,7 @@ jobs:
    with:
      version: ${{ needs.prerequisites.outputs.version }}
      isPrerelease: true
      setLatestRelease: false
      skipGoSdk: true
      skipJavaSdk: true
@@ -80,7 +85,17 @@ jobs:
    name: Tag release if labeled as needs-release
    needs: publish
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    steps:
    - name: Checkout Repo
      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      with:
        persist-credentials: false    
    - id: esc-secrets
      name: Map environment to ESC outputs
      uses: ./.github/actions/esc-action
    - name: check if this commit needs release
      if: ${{ env.RELEASE_BOT_ENDPOINT != '' }}
      uses: pulumi/action-release-by-pr-label@main
@@ -88,10 +103,10 @@ jobs:
        command: "release-if-needed"
        repo: ${{ github.repository }}
        commit: ${{ github.sha }}
-        slack_channel: ${{ secrets.RELEASE_OPS_SLACK_CHANNEL }}
+        slack_channel: C02MGR8JVST
      env:
-        RELEASE_BOT_ENDPOINT: ${{ secrets.RELEASE_BOT_ENDPOINT }}
+        RELEASE_BOT_ENDPOINT: ${{ steps.esc-secrets.outputs.RELEASE_BOT_ENDPOINT }}
-        RELEASE_BOT_KEY: ${{ secrets.RELEASE_BOT_KEY }}
+        RELEASE_BOT_KEY: ${{ steps.esc-secrets.outputs.RELEASE_BOT_KEY }}
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  test:
--- a/.github/workflows/prerelease.yml
+++ b/.github/workflows/prerelease.yml
@@ -2,24 +2,18 @@
 env:
  IS_PRERELEASE: true
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
  PULUMI_API: https://api.pulumi-staging.io
  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
-  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+  PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }}
-  PYPI_USERNAME: __token__
+  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
  TF_APPEND_USER_AGENT: pulumi
 jobs:
  prerequisites:
    permissions:
      contents: read
      pull-requests: write
    uses: ./.github/workflows/prerequisites.yml
    secrets: inherit
    with:
@@ -66,6 +60,7 @@ jobs:
    with:
      version: ${{ needs.prerequisites.outputs.version }}
      isPrerelease: true
      setLatestRelease: false
  test:
    uses: ./.github/workflows/test.yml
--- a/.github/workflows/prerequisites.yml
+++ b/.github/workflows/prerequisites.yml
@@ -20,68 +20,83 @@ on:
        value: ${{ jobs.prerequisites.outputs.version }}
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
  PULUMI_API: https://api.pulumi-staging.io
  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
-  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+  PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }}
-  PYPI_USERNAME: __token__
+  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
  TF_APPEND_USER_AGENT: pulumi
 jobs:
  prerequisites:
    name: prerequisites
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
      id-token: write # For ESC secrets.
    outputs:
      version: ${{ steps.provider-version.outputs.version }}
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      with:
-        persist-credentials: false
+        persist-credentials: false    
-    - uses: pulumi/provider-version-action@f96d032a2758fdda7939e5728eff6c0d980ae894 # v1.6.0
+    - id: esc-secrets
      name: Map environment to ESC outputs
      uses: ./.github/actions/esc-action
    - uses: pulumi/provider-version-action@3a647064cf4697c7c6352b9a1d9e554450cbe957 # v1.6.1
      id: provider-version
      with:
        major-version: 1
        set-env: 'PROVIDER_VERSION'
    - name: Cache examples generation
-      uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4
+      uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
      with:
        path: |
          .pulumi/examples-cache
        key: ${{ runner.os }}-${{ hashFiles('provider/go.sum') }}
-    - name: Setup tools
+    - name: Setup mise
-      uses: ./.github/actions/setup-tools
+      uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3
      env:
        MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
      with:
-        tools: go, pulumictl, pulumicli, schema-tools
+        version: 2025.11.6
        github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
        # only saving the cache in the prerequisites job
        cache_save: true
    - name: Setup Go Cache
      uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
      with:
        cache-dependency-path: |
          provider/*.sum
          upstream/*.sum
          sdk/go/*.sum
          sdk/*.sum
          *.sum
    - name: Prepare local workspace before restoring previously built files
      run: make prepare_local_workspace
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Generate schema
      run: make schema
    - name: Build provider binary
      run: make provider
    - name: Unit-test provider code
      run: make test_provider
    - name: Upload coverage reports to Codecov
      uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v5.4.0
      env:
-        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Upload coverage reports to Codecov
      uses: codecov/codecov-action@5a1091511ad55cbe89839c7260b706298ca349f7 # v5.5.1
      env:
        CODECOV_TOKEN: ${{ steps.esc-secrets.outputs.CODECOV_TOKEN }}
    - if: inputs.is_pr
      name: Check Schema is Valid
      run: |
        EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
        {
          echo "SCHEMA_CHANGES<<$EOF";
-          schema-tools compare -r github://api.github.com/brandonkal -p incus -o "${{ inputs.default_branch }}" -n --local-path=provider/cmd/pulumi-resource-incus/schema.json;
+          schema-tools compare -r github://api.github.com/kiterun -p incus -o "${{ inputs.default_branch }}" -n --local-path=provider/cmd/pulumi-resource-incus/schema.json;
          echo "$EOF";
        } >> "$GITHUB_ENV"
    - if: inputs.is_pr && inputs.is_automated == false && github.actor != 'dependabot[bot]'
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -7,6 +7,9 @@ on:
      version:
        required: true
        type: string
      setLatestRelease:
        required: true
        type: boolean
      isPrerelease:
        required: true
        type: boolean
@@ -21,21 +24,17 @@ on:
 env:
  IS_PRERELEASE: ${{ inputs.isPrerelease }}
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  JAVA_SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
-  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+  JAVA_SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
  JAVA_SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
-  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+  OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
-  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+  OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
  PULUMI_API: https://api.pulumi-staging.io
  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
-  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+  PYPI_API_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
  PYPI_USERNAME: __token__
  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
  TF_APPEND_USER_AGENT: pulumi
 jobs:
@@ -50,25 +49,31 @@ jobs:
      if: inputs.skipGoSdk && inputs.isPrerelease == false
      run: echo "Can't skip Go SDK for stable releases. This is likely a bug in the calling workflow." && exit 1
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      with:
-        persist-credentials: false
+        persist-credentials: false    
-    - name: Setup tools
+    - id: esc-secrets
-      uses: ./.github/actions/setup-tools
+      name: Map environment to ESC outputs
      uses: ./.github/actions/esc-action
    - name: Setup mise
      uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3
      env:
        MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
      with:
-        tools: pulumictl, pulumicli, go, schema-tools
+        version: 2025.11.6
-        cache-go: false
+        github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
        cache_save: false
    - name: Create dist directory
      run: mkdir -p dist
    - name: Download provider assets
-      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        pattern: pulumi-resource-incus-v${{ inputs.version }}-*
        path: dist
        # Don't create a directory for each artifact
        merge-multiple: true
    - name: Download schema
-      uses: actions/download-artifact@95815c38cf2ff2164869cbab79da8d1f422bc89e # v4.2.1
+      uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
      with:
        # Use a pattern to avoid failing if the artifact doesn't exist
        pattern: schema-embed.*
@@ -83,22 +88,24 @@ jobs:
      shell: bash
      run: |
        # Get latest stable release. Return only first column from result (tag).
-        LAST_VERSION=$(gh release view --repo brandonkal/pulumi-incus --json tagName -q .tagName || echo "No stable release" )
+        LAST_VERSION=$(gh release view --repo kiterun/pulumi-incus --json tagName -q .tagName || echo "No stable release" )
        {
          echo 'summary<<EOF'
          if [[ "$LAST_VERSION" != "No stable release" ]]; then
-            schema-tools compare --provider="incus" --old-commit="$LAST_VERSION" --repository="github://api.github.com/brandonkal" --new-commit="--local-path=provider/cmd/pulumi-resource-incus/schema.json"
+            schema-tools compare --provider="incus" --old-commit="$LAST_VERSION" --repository="github://api.github.com/kiterun" --new-commit="--local-path=provider/cmd/pulumi-resource-incus/schema.json"
          fi
          echo 'EOF'
        } >> "$GITHUB_OUTPUT"
    - name: Create GH Release
-      uses: softprops/action-gh-release@c95fe1489396fe8a9eb87c0abf8aa5b2ef267fda # v2
+      uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2
      if: inputs.isPrerelease == false
      with:
        tag_name: v${{ inputs.version }}
        prerelease: ${{ inputs.isPrerelease }}
        # We keep pre-releases as drafts so they're not visible until we manually publish them.
        draft: ${{ inputs.isPrerelease }}
        # Explicitly set make_latest to account for backported releases
        make_latest: ${{ inputs.setLatestRelease }}
        body: ${{ steps.schema-summary.outputs.summary }}
        generate_release_notes: true
        files: dist/*
@@ -113,27 +120,58 @@ jobs:
      python_version: ${{ steps.python_version.outputs.version }}
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      with:
        # Persist credentials so we can push back to the repo
-        persist-credentials: true
+        persist-credentials: true    
-    - name: Setup tools
+    - id: esc-secrets
-      uses: ./.github/actions/setup-tools
+      name: Map environment to ESC outputs
      uses: ./.github/actions/esc-action
    - name: Setup mise
      uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3
      env:
        MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
      with:
-        tools: pulumictl, pulumicli, dotnet, go, nodejs, python
+        version: 2025.11.6
-        cache-go: false
+        github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
        # only saving the cache in the prerequisites job
        cache_save: false
    - name: Setup Node
      uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6
      with:
        # we don't set node-version because we install with mise.
        # this step is needed to setup npm auth
        registry-url: https://registry.npmjs.org
    - name: Publish SDKs
      if: inputs.skipJavaSdk == false
-      uses: pulumi/pulumi-package-publisher@696a0fe98f86d86ada2a842d1859f3e8c40d6cd7 # v0.0.21
+      uses: pulumi/pulumi-package-publisher@3ec1409d3e894142b9825c7859be8e57d362762a # v0.0.23
      with:
        sdk: all,!java
        version: ${{ inputs.version }}
      env:
        PYPI_USERNAME: __token__
        PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }}
        NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }}
        SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }}
        SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }}
        SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }}
        PUBLISH_REPO_PASSWORD: ${{ steps.esc-secrets.outputs.OSSRH_PASSWORD }}
        PUBLISH_REPO_USERNAME: ${{ steps.esc-secrets.outputs.OSSRH_USERNAME }}
        NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }}
    - name: Publish SDKs (except Java)
      if: inputs.skipJavaSdk == true
-      uses: pulumi/pulumi-package-publisher@696a0fe98f86d86ada2a842d1859f3e8c40d6cd7 # v0.0.21
+      uses: pulumi/pulumi-package-publisher@3ec1409d3e894142b9825c7859be8e57d362762a # v0.0.23
      with:
        sdk: all,!java,!java
        version: ${{ inputs.version }}
      env:
        PYPI_USERNAME: __token__
        PYPI_PASSWORD: ${{ steps.esc-secrets.outputs.PYPI_API_TOKEN }}
        NODE_AUTH_TOKEN: ${{ steps.esc-secrets.outputs.NPM_TOKEN }}
        SIGNING_KEY: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY }}
        SIGNING_KEY_ID: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_KEY_ID }}
        SIGNING_PASSWORD: ${{ steps.esc-secrets.outputs.JAVA_SIGNING_PASSWORD }}
        NUGET_PUBLISH_KEY: ${{ steps.esc-secrets.outputs.NUGET_PUBLISH_KEY }}
    - name: Download Go SDK
      uses: ./.github/actions/download-sdk
      with:
@@ -169,9 +207,12 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      with:
-        persist-credentials: false
+        persist-credentials: false    
    - id: esc-secrets
      name: Map environment to ESC outputs
      uses: ./.github/actions/esc-action
    - name: Clean up release labels
      uses: pulumi/action-release-by-pr-label@main
      with:
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -1,32 +1,25 @@
 # WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
  PULUMI_API: https://api.pulumi-staging.io
  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
-  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+  PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }}
-  PYPI_USERNAME: __token__
+  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
  TF_APPEND_USER_AGENT: pulumi
 name: Comment on community PRs
 on:
  pull_request_target: {}
 jobs:
  comment-on-pr:
    if: github.event.pull_request.head.repo.full_name != github.repository
    name: comment-on-pr
    runs-on: ubuntu-latest
    permissions:
      pull-requests: write
    steps:
    - name: Checkout Repo
      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      with:
        persist-credentials: false
    - name: Comment PR
      uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
      with:
@@ -35,6 +28,3 @@ jobs:
          PR is now waiting for a maintainer to run the acceptance tests.
          **Note for the maintainer:** To run the acceptance tests, please comment */run-acceptance-tests* on the PR
 name: pull-request
 on:
  pull_request_target: {}
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -7,24 +7,19 @@ on:
    - "!v*.*.*-**"
 env:
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
  PULUMI_API: https://api.pulumi-staging.io
  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
-  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+  PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }}
-  PYPI_USERNAME: __token__
+  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
  TF_APPEND_USER_AGENT: pulumi
 jobs:
  prerequisites:
    permissions:
      contents: read
      pull-requests: write
      id-token: write # For ESC secrets.
    uses: ./.github/workflows/prerequisites.yml
    secrets: inherit
    with:
@@ -36,6 +31,9 @@ jobs:
    uses: ./.github/workflows/build_provider.yml
    needs: prerequisites
    secrets: inherit
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    with:
      version: ${{ needs.prerequisites.outputs.version }}
@@ -44,6 +42,9 @@ jobs:
    needs: prerequisites
    uses: ./.github/workflows/build_sdk.yml
    secrets: inherit
    permissions:
      contents: write # For Renovate SDKs.
      id-token: write # For ESC secrets.
    with:
      version: ${{ needs.prerequisites.outputs.version }}
@@ -72,6 +73,8 @@ jobs:
    with:
      version: ${{ needs.prerequisites.outputs.version }}
      isPrerelease: false
      # Only tags on the default branch should set the release as `latest`; backported releases (tagged on a feature branch) should not.
      setLatestRelease: ${{ github.event.base_ref == format('refs/heads/{0}', github.event.repository.default_branch) }}
  test:
    uses: ./.github/workflows/test.yml
--- a/.github/workflows/resync-build.yml
+++ b/.github/workflows/resync-build.yml
@@ -2,32 +2,36 @@
 name: "Resync Build Workflows"
 on:
-  schedule:
+  workflow_dispatch:
    # 3 AM UTC ~ 8 PM PDT / 7 PM PST every Tuesday.
    - cron: 0 3 * * TUE
 permissions:
  contents: write
  pull-requests: write
 env:
  GITHUB_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN || secrets.PULUMI_BOT_TOKEN || secrets.GITHUB_TOKEN }}
 jobs:
  upgrade_provider:
    name: pull-workflow-changes
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repo
-        uses: actions/checkout@v4
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
        with:
          # Persist credentials so pull-workflow-changes can push a new branch.
          persist-credentials: true
      - name: Setup mise
        uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3
        env:
          MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
        with:
          version: 2025.11.6
          github_token: ${{ secrets.GITHUB_TOKEN }}
          # only saving the cache in the prerequisites job
          cache_save: false
      - name: Regenerate the workflow files via https://github.com/pulumi/ci-mgmt
        run: |
          make ci-mgmt
      - name: Create PR (no linked issue)
-        uses: peter-evans/create-pull-request@271a8d0340265f705b14b6d32b9829c1cb33d45e # v7.0.8
+        uses: peter-evans/create-pull-request@84ae59a2cdc2258d6fa0732dd66352dddae2a412 # v7.0.9
        with:
          author: pulumi-bot <bot@pulumi.com>
          base: main
@@ -39,3 +43,5 @@ jobs:
          labels: impact/no-changelog-required
          title: Regenerate Github Actions workflows for pulumi-incus
          token: ${{ env.GITHUB_TOKEN }}
        env:
          GITHUB_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN || secrets.PULUMI_BOT_TOKEN || secrets.GITHUB_TOKEN }}
--- a/.github/workflows/run-acceptance-tests.yml
+++ b/.github/workflows/run-acceptance-tests.yml
@@ -12,21 +12,11 @@ on:
 env:
  PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }}
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
  PULUMI_API: https://api.pulumi-staging.io
  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
-  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+  PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }}
-  PYPI_USERNAME: __token__
+  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
  TF_APPEND_USER_AGENT: pulumi
 # This should cancel any previous runs of the same workflow on the same branch which are still running.
@@ -41,10 +31,11 @@ jobs:
    permissions:
      contents: read
      pull-requests: write
      id-token: write # For ESC secrets.
    uses: ./.github/workflows/prerequisites.yml
    secrets: inherit
    with:
-      default_branch: ${{ github.event.repository.default_branch }}
+      default_branch: ${{ github.event.pull_request.base.ref }}
      is_pr: ${{ github.event_name == 'pull_request' }}
      is_automated: ${{ github.actor == 'dependabot[bot]' }}
@@ -52,6 +43,9 @@ jobs:
    uses: ./.github/workflows/build_provider.yml
    needs: prerequisites
    secrets: inherit
    permissions:
      contents: read
      id-token: write # For ESC secrets.
    with:
      version: ${{ needs.prerequisites.outputs.version }}
      matrix: |
@@ -69,6 +63,9 @@ jobs:
    needs: prerequisites
    uses: ./.github/workflows/build_sdk.yml
    secrets: inherit
    permissions:
      contents: write # For Renovate SDKs.
      id-token: write # For ESC secrets.
    with:
      version: ${{ needs.prerequisites.outputs.version }}
@@ -79,11 +76,15 @@ jobs:
      pull-requests: write
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Repo
      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      with:
        persist-credentials: false
    - id: run-url
      name: Create URL to the run output
      run: echo "run-url=https://github.com/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID" >> "$GITHUB_OUTPUT"
    - name: Update with Result
-      uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
+      uses: peter-evans/create-or-update-comment@e8674b075228eee787fea43ef493e45ece1004c9 # v5.0.0
      with:
        body: "Please view the PR build: ${{ steps.run-url.outputs.run-url }}"
        issue-number: ${{ github.event.client_payload.github.payload.issue.number }}
@@ -108,9 +109,9 @@ jobs:
    - lint
    runs-on: ubuntu-latest
    steps:
-    - uses: guibranco/github-status-action-v2@0849440ec82c5fa69b2377725b9b7852a3977e76 # v1.1.13
+    - uses: guibranco/github-status-action-v2@631f55ea0251f0fb284525ad86c30e9f7a8dd284 # v1.1.14
      with:
-        authToken: ${{secrets.GITHUB_TOKEN}}
+        authToken: ${{ secrets.GITHUB_TOKEN }}
        # Write an explicit status check called "Sentinel" which will only pass if this code really runs.
        # This should always be a required check for PRs.
        context: 'Sentinel'
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -12,21 +12,13 @@ on:
 env:
  PR_COMMIT_SHA: ${{ github.event.client_payload.pull_request.head.sha }}
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  MISE_ENV: test
-  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+
  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
  PULUMI_API: https://api.pulumi-staging.io
  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
-  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+  PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }}
-  PYPI_USERNAME: __token__
+  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
  TF_APPEND_USER_AGENT: pulumi
 jobs:
@@ -39,24 +31,45 @@ jobs:
      PROVIDER_VERSION: ${{ inputs.version }}
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      with:
        ref: ${{ env.PR_COMMIT_SHA }}
-        persist-credentials: false
+        persist-credentials: false    
    - id: esc-secrets
      name: Map environment to ESC outputs
      uses: ./.github/actions/esc-action
    - name: Checkout p/examples
      if: matrix.testTarget == 'pulumiExamples'
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      with:
        repository: pulumi/examples
        path: p-examples
-    - name: Setup tools
+    - name: Setup mise
-      uses: ./.github/actions/setup-tools
+      uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3
      env:
        MISE_ENV: test
        MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
      with:
-        tools: pulumictl, pulumicli, ${{ matrix.language }}
+        version: 2025.11.6
        github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
        # also save this cache since we are using a different mise env.
        cache_save: true
    - name: Prepare local workspace
      run: make prepare_local_workspace
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Download bin
      uses: ./.github/actions/download-provider
    - name: Setup Go Cache
      uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
      if: matrix.language == 'go' || contains(matrix.language, 'go')
      with:
        cache-dependency-path: |
          provider/*.sum
          upstream/*.sum
          sdk/go/*.sum
          sdk/*.sum
          *.sum
    - name: Download SDK
      uses: ./.github/actions/download-sdk
      with:
@@ -75,15 +88,17 @@ jobs:
    - name: Run tests
      if: matrix.testTarget == 'local'
      run: cd examples && go test -v -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -skip TestPulumiExamples -parallel 4 .
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    - name: Run pulumi/examples tests
      if: matrix.testTarget == 'pulumiExamples'
      run: cd examples && go test -v -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -run TestPulumiExamples -parallel 4 .
      env:
        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
    strategy:
      fail-fast: false
      matrix:
        language:
        - dotnet
        - go
        - nodejs
        - python
        testTarget: [local]
--- a/.github/workflows/upgrade-bridge.yml
+++ b/.github/workflows/upgrade-bridge.yml
@@ -49,29 +49,24 @@ on:
        required: false
        type: boolean
        default: false
      patch-release:
        description: Whether to create a patch release
        required: false
        type: boolean
        default: false
 permissions:
  contents: write
  issues: write
  pull-requests: write
  id-token: write # For ESC secrets.
 env:
  GH_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN || secrets.PULUMI_BOT_TOKEN || secrets.GITHUB_TOKEN }}
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
  PULUMI_API: https://api.pulumi-staging.io
  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
-  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+  PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }}
-  PYPI_USERNAME: __token__
+  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
  TF_APPEND_USER_AGENT: pulumi
 jobs:
@@ -80,16 +75,24 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
      with:
-        persist-credentials: false
+        persist-credentials: false    
-    - name: Setup tools
+    - id: esc-secrets
-      uses: ./.github/actions/setup-tools
+      name: Map environment to ESC outputs
      uses: ./.github/actions/esc-action
    - name: Setup mise
      uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3
      env:
        MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
      with:
-        tools: pulumictl, pulumicli, dotnet, go, nodejs, python
+        version: 2025.11.6
        github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
        # only saving the cache in the prerequisites job
        cache_save: false
    - name: Call upgrade provider action
      if: github.event_name == 'workflow_dispatch'
-      uses: pulumi/pulumi-upgrade-provider-action@ff5cb5907aecba099e61146c4d4d074c7fd6ca99 # v0.0.15
+      uses: pulumi/pulumi-upgrade-provider-action@e247104aede3eb4641f48c8ad0ea9de9346f2457 # v0.0.18
      with:
        kind: ${{ inputs.kind }}
        email: bot@pulumi.com
@@ -100,9 +103,12 @@ jobs:
        pr-reviewers: ${{ inputs.pr-reviewers }}
        pr-description: ${{ inputs.pr-description }}
        pr-title-prefix: ${{ inputs.pr-title-prefix }}
        patch-release: ${{ github.event.client_payload.patch-release }}
      env:
        GH_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_TOKEN || steps.esc-secrets.outputs.PULUMI_BOT_TOKEN || secrets.GITHUB_TOKEN }}
    - name: Call upgrade provider action
      if: github.event_name == 'repository_dispatch'
-      uses: pulumi/pulumi-upgrade-provider-action@ff5cb5907aecba099e61146c4d4d074c7fd6ca99 # v0.0.15
+      uses: pulumi/pulumi-upgrade-provider-action@e247104aede3eb4641f48c8ad0ea9de9346f2457 # v0.0.18
      with:
        kind: ${{ github.event.client_payload.kind || 'bridge' }}
        email: bot@pulumi.com
@@ -113,3 +119,6 @@ jobs:
        pr-reviewers: ${{ github.event.client_payload.pr-reviewers }}
        pr-description: ${{ github.event.client_payload.pr-description }}
        pr-title-prefix: ${{ github.event.client_payload.pr-title-prefix }}
        patch-release: ${{ github.event.client_payload.patch-release }}
      env:
        GH_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_TOKEN || steps.esc-secrets.outputs.PULUMI_BOT_TOKEN || secrets.GITHUB_TOKEN }}
--- a/.github/workflows/upgrade-provider.yml
+++ b/.github/workflows/upgrade-provider.yml
@@ -22,14 +22,19 @@ on:
    # 3 AM UTC ~ 8 PM PDT / 7 PM PST daily. Time chosen to run during off hours.
    - cron: 0 3 * * *
 env:
  PULUMI_API: https://api.pulumi-staging.io
  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
  PULUMI_PROVIDER_AUTOMATION_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN }}
  PULUMI_PULUMI_ENABLE_JOURNALING: "true"
  TF_APPEND_USER_AGENT: pulumi
 permissions:
  contents: write
  issues: write
  pull-requests: write
-
+  id-token: write # For ESC secrets.
 env:
  GH_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN || secrets.PULUMI_BOT_TOKEN || secrets.GITHUB_TOKEN }}
  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 jobs:
  upgrade_provider:
@@ -37,14 +42,22 @@ jobs:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
          # Persist credentials so upgrade-provider can push a new branch.
-          persist-credentials: true
+          persist-credentials: true      
-      - name: Setup tools
+      - id: esc-secrets
-        uses: ./.github/actions/setup-tools
+        name: Map environment to ESC outputs
        uses: ./.github/actions/esc-action
      - name: Setup mise
        uses: jdx/mise-action@146a28175021df8ca24f8ee1828cc2a60f980bd5 # v3
        env:
          MISE_FETCH_REMOTE_VERSIONS_TIMEOUT: 30s
        with:
-          tools: pulumictl, pulumicli, dotnet, go, nodejs, python
+          version: 2025.11.6
          github_token: ${{ steps.esc-secrets.outputs.PULUMI_BOT_TOKEN }}
          # only saving the cache in the prerequisites job
          cache_save: false
      - name: Install upgrade-provider
        run: go install github.com/pulumi/upgrade-provider@${{ inputs.upgradeProviderVersion || 'main' }}
        shell: bash
@@ -60,6 +73,7 @@ jobs:
        run: upgrade-provider "$REPO" --kind=check-upstream-version
        env:
          REPO: ${{ github.repository }}
          GH_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_TOKEN || steps.esc-secrets.outputs.PULUMI_BOT_TOKEN || secrets.GITHUB_TOKEN }}
        shell: bash
      - name: Calculate target version
        id: target_version
@@ -71,7 +85,7 @@ jobs:
        id: upgrade_provider
        if: steps.target_version.outputs.version != ''
        continue-on-error: true
-        uses: pulumi/pulumi-upgrade-provider-action@ff5cb5907aecba099e61146c4d4d074c7fd6ca99 # v0.0.15
+        uses: pulumi/pulumi-upgrade-provider-action@e247104aede3eb4641f48c8ad0ea9de9346f2457 # v0.0.18
        with:
          kind: provider
          email: bot@pulumi.com
@@ -79,10 +93,14 @@ jobs:
          automerge: true
          target-version: ${{ steps.target_version.outputs.version }}
          allow-missing-docs: true
        env:
          GH_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_TOKEN || steps.esc-secrets.outputs.PULUMI_BOT_TOKEN || secrets.GITHUB_TOKEN }}
      - name: Comment on upgrade issue if automated PR failed
        if: steps.upgrade_provider.outcome == 'failure'
        shell: bash
        run: |
          issue_number=$(gh issue list --search "pulumiupgradeproviderissue" --repo "${{ github.repository }}" --json=number --jq=".[0].number")
          gh issue comment "${issue_number}" --repo "${{ github.repository }}" --body "Failed to create automatic PR: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/"
        env:
          GH_TOKEN: ${{ steps.esc-secrets.outputs.PULUMI_PROVIDER_AUTOMATION_TOKEN || steps.esc-secrets.outputs.PULUMI_BOT_TOKEN || secrets.GITHUB_TOKEN }}
--- a/.github/workflows/verify-release.yml
+++ b/.github/workflows/verify-release.yml
@@ -37,21 +37,17 @@ on:
        required: false
 env:
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  JAVA_SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
-  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+  JAVA_SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
  JAVA_SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
-  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+  OSSRH_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
-  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+  OSSRH_USERNAME: ${{ secrets.OSSRH_USERNAME }}
  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
  PULUMI_API: https://api.pulumi-staging.io
  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
-  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+  PYPI_API_TOKEN: ${{ secrets.PYPI_API_TOKEN }}
  PYPI_USERNAME: __token__
  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
  TF_APPEND_USER_AGENT: pulumi
 jobs:
@@ -74,10 +70,32 @@ jobs:
      - name: Configure Git to checkout files with long names
        run: git config --global core.longpaths true
      - name: Checkout Repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
        with:
-          persist-credentials: false
+          persist-credentials: false      
-      - name: Setup tools
+      - id: esc-secrets
-        uses: ./.github/actions/setup-tools
+        name: Map environment to ESC outputs
        uses: ./.github/actions/esc-action
      - name: Setup Node
        uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6
        with:
-          tools: pulumicli, dotnet, go, nodejs, python
+          node-version: 20.x
          registry-url: https://registry.npmjs.org
      - name: Install Go
        uses: actions/setup-go@4dc6199c7b1a012772edbd06daecab0f50c9053c # v6
        with:
          go-version: "1.21.x"
          cache-dependency-path: |
            provider/*.sum
            upstream/*.sum
            sdk/go/*.sum
            sdk/*.sum
            *.sum
          cache: true
      - name: Set Go Toolchain to auto explicitly
        run: |
          echo "GOTOOLCHAIN=auto" >> "$GITHUB_ENV"
      - name: Install Pulumi CLI
        uses: pulumi/actions@8582a9e8cc630786854029b4e09281acd6794b58 # v6
        with:
          pulumi-version: "dev"
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -33,5 +33,5 @@ linters-settings:
      - blank # Blank section: contains all blank imports.
      - default # Default section: contains all imports that could not be matched to another section type.
      - prefix(github.com/pulumi/) # Custom section: groups all imports with the github.com/pulumi/ prefix.
-      - prefix(git.kalinow.ski/nimbus/pulumi-incus) # Custom section: local imports
+      - prefix(github.com/kiterun/pulumi-incus) # Custom section: local imports
    custom-order: true
--- a/75
+++ b/75
@@ -1,13 +1,12 @@
 # WARNING: This file is autogenerated - changes will be overwritten when regenerated by https://github.com/pulumi/ci-mgmt
 PACK := incus
-ORG := nimbus
+ORG := kiterun
-PROJECT := git.kalinow.ski/$(ORG)/pulumi-$(PACK)
+PROJECT := github.com/$(ORG)/pulumi-$(PACK)
 PROVIDER_PATH := provider
 VERSION_PATH := $(PROVIDER_PATH)/pkg/version.Version
 CODEGEN := pulumi-tfgen-$(PACK)
 PROVIDER := pulumi-resource-$(PACK)
 JAVA_GEN := pulumi-java-gen
 TESTPARALLELISM := 10
 GOTESTARGS := ""
 WORKING_DIR := $(shell pwd)
@@ -41,19 +40,36 @@ LDFLAGS=$(LDFLAGS_PROJ_VERSION) $(LDFLAGS_UPSTREAM_VERSION) $(LDFLAGS_EXTRAS) $(
 _ := $(shell mkdir -p .make bin .pulumi/bin)
 # Build the provider and all SDKs and install ready for testing
-build: install_plugins provider build_sdks install_sdks
+build: .make/mise_install provider build_sdks install_sdks
 build: | mise_env
 # Keep aliases for old targets to ensure backwards compatibility
 development: build
 only_build: build
 # Prepare the workspace for building the provider and SDKs
 # Importantly this is run by CI ahead of restoring the bin directory and resuming SDK builds
-prepare_local_workspace: install_plugins upstream
+prepare_local_workspace: .make/mise_install upstream
 prepare_local_workspace: | mise_env
 # Creates all generated files which need to be committed
 generate: generate_sdks schema
 generate_sdks: generate_go generate_nodejs
 build_sdks: build_go build_nodejs
 install_sdks: install_go_sdk install_nodejs_sdk
-.PHONY: development only_build build generate generate_sdks build_sdks install_sdks
+.PHONY: development only_build build generate generate_sdks build_sdks install_sdks mise_install mise_env
 # Installs all necessary tools with mise and records completion in a sentinel
 # file so dependent targets can participate in make's caching behaviour. The
 # environment is refreshed via an order-only prerequisite so it still runs on
 # every invocation without invalidating the sentinel.
 mise_install: .make/mise_install | mise_env
 mise_env:
 	@mise env -q  > /dev/null
 .make/mise_install:
 	@mise install -q
 	@touch $@
 help:
 	@echo "Usage: make [target]"
@@ -80,7 +96,7 @@ help:
 	@echo ""
 	@echo "Internal Targets (automatically run as dependencies of other targets)"
 	@echo "  prepare_local_workspace  Prepare for building"
-	@echo "  install_plugins          Install plugin dependencies"
+	@echo "  mise_install             Install tools with mise"
 	@echo "  upstream                 Initialize the upstream submodule, if present"
 	@echo ""
 	@echo "Language-Specific Targets"
@@ -88,7 +104,7 @@ help:
 	@echo "  build_[language]       Build the SDK to check correctness"
 	@echo "  install_[language]_sdk Install the SDK ready for testing"
 	@echo ""
-	@echo "  [language] = dotnet go nodejs python"
+	@echo "  [language] = go nodejs"
 	@echo ""
 .PHONY: help
@@ -98,8 +114,8 @@ GEN_ENVS := PULUMI_HOME=$(GEN_PULUMI_HOME) PULUMI_CONVERT_EXAMPLES_CACHE_DIR=$(G
 generate_dotnet: .make/generate_dotnet
 build_dotnet: .make/build_dotnet
-.make/generate_dotnet: export PATH := $(WORKING_DIR)/.pulumi/bin:$(PATH)
+.make/generate_dotnet: .make/mise_install bin/$(CODEGEN)
-.make/generate_dotnet: .make/install_plugins bin/$(CODEGEN)
+.make/generate_dotnet: | mise_env
 	$(GEN_ENVS) $(WORKING_DIR)/bin/$(CODEGEN) dotnet --out sdk/dotnet/
 	cd sdk/dotnet/ && \
 		printf "module fake_dotnet_module // Exclude this directory from Go tools\n\ngo 1.17\n" > go.mod && \
@@ -112,8 +128,8 @@ build_dotnet: .make/build_dotnet
 generate_go: .make/generate_go
 build_go: .make/build_go
-.make/generate_go: export PATH := $(WORKING_DIR)/.pulumi/bin:$(PATH)
+.make/generate_go: .make/mise_install bin/$(CODEGEN)
-.make/generate_go: .make/install_plugins bin/$(CODEGEN)
+.make/generate_go: | mise_env
 	$(GEN_ENVS) $(WORKING_DIR)/bin/$(CODEGEN) go --out sdk/go/
 	@touch $@
 .make/build_go: .make/generate_go
@@ -123,10 +139,10 @@ build_go: .make/build_go
 generate_java: .make/generate_java
 build_java: .make/build_java
 .make/generate_java: export PATH := $(WORKING_DIR)/.pulumi/bin:$(PATH)
 .make/generate_java: PACKAGE_VERSION := $(PROVIDER_VERSION)
-.make/generate_java: .make/install_plugins bin/pulumi-java-gen .make/schema
+.make/generate_java: .make/mise_install bin/$(CODEGEN)
-	PULUMI_HOME=$(GEN_PULUMI_HOME) PULUMI_CONVERT_EXAMPLES_CACHE_DIR=$(GEN_PULUMI_CONVERT_EXAMPLES_CACHE_DIR) bin/$(JAVA_GEN) generate --schema provider/cmd/$(PROVIDER)/schema.json --out sdk/java  --build gradle-nexus
+.make/generate_java: | mise_env
 	$(GEN_ENVS) $(WORKING_DIR)/bin/$(CODEGEN) java --out sdk/java/
 	printf "module fake_java_module // Exclude this directory from Go tools\n\ngo 1.17\n" > sdk/java/go.mod
 	@touch $@
 .make/build_java: PACKAGE_VERSION := $(PROVIDER_VERSION)
@@ -139,23 +155,23 @@ build_java: .make/build_java
 generate_nodejs: .make/generate_nodejs
 build_nodejs: .make/build_nodejs
-.make/generate_nodejs: export PATH := $(WORKING_DIR)/.pulumi/bin:$(PATH)
+.make/generate_nodejs: .make/mise_install bin/$(CODEGEN)
-.make/generate_nodejs: .make/install_plugins bin/$(CODEGEN)
+.make/generate_nodejs: | mise_env
 	$(GEN_ENVS) $(WORKING_DIR)/bin/$(CODEGEN) nodejs --out sdk/nodejs/
 	printf "module fake_nodejs_module // Exclude this directory from Go tools\n\ngo 1.17\n" > sdk/nodejs/go.mod
 	@touch $@
 .make/build_nodejs: .make/generate_nodejs
 	cd sdk/nodejs/ && \
-		pnpm install && \
+		yarn install && \
-		pnpm tsc && \
+		yarn run tsc && \
-		cp ../../README.md ../../LICENSE* package.json pnpm-lock.yaml ./bin/
+		cp ../../README.md ../../LICENSE package.json yarn.lock ./bin/
 	@touch $@
 .PHONY: generate_nodejs build_nodejs
 generate_python: .make/generate_python
 build_python: .make/build_python
-.make/generate_python: export PATH := $(WORKING_DIR)/.pulumi/bin:$(PATH)
+.make/generate_python: .make/mise_install bin/$(CODEGEN)
-.make/generate_python: .make/install_plugins bin/$(CODEGEN)
+.make/generate_python: | mise_env
 	$(GEN_ENVS) $(WORKING_DIR)/bin/$(CODEGEN) python --out sdk/python/
 	printf "module fake_python_module // Exclude this directory from Go tools\n\ngo 1.17\n" > sdk/python/go.mod
 	cp README.md sdk/python/
@@ -175,6 +191,7 @@ clean:
 	rm -rf sdk/{dotnet,nodejs,go,python}
 	rm -rf bin/*
 	rm -rf .make/*
 	rm -rf "$(GEN_PULUMI_CONVERT_EXAMPLES_CACHE_DIR)"
 	if dotnet nuget list source | grep "$(WORKING_DIR)/nuget"; then \
 		dotnet nuget remove source "$(WORKING_DIR)/nuget" \
 	; fi
@@ -192,7 +209,7 @@ install_go_sdk:
 install_java_sdk:
 install_nodejs_sdk: .make/install_nodejs_sdk
 .make/install_nodejs_sdk: .make/build_nodejs
-	pnpm link --global $(WORKING_DIR)/sdk/nodejs/bin
+	yarn link --cwd $(WORKING_DIR)/sdk/nodejs/bin
 	@touch $@
 install_python_sdk:
 .PHONY: install_dotnet_sdk install_go_sdk install_java_sdk install_nodejs_sdk install_python_sdk
@@ -235,12 +252,12 @@ schema: .make/schema
 # This does actually have dependencies, but we're keeping it around for backwards compatibility for now
 tfgen_no_deps: .make/schema
 .make/schema: export PULUMI_HOME := $(WORKING_DIR)/.pulumi
 .make/schema: export PATH := $(WORKING_DIR)/.pulumi/bin:$(PATH)
 .make/schema: export PULUMI_CONVERT := $(PULUMI_CONVERT)
 .make/schema: export PULUMI_CONVERT_EXAMPLES_CACHE_DIR := $(WORKING_DIR)/.pulumi/examples-cache
 .make/schema: export PULUMI_DISABLE_AUTOMATIC_PLUGIN_ACQUISITION := $(PULUMI_CONVERT)
 .make/schema: export PULUMI_MISSING_DOCS_ERROR := $(PULUMI_MISSING_DOCS_ERROR)
-.make/schema: bin/$(CODEGEN) .make/install_plugins .make/upstream
+.make/schema: bin/$(CODEGEN) .make/mise_install .make/upstream
 .make/schema: | mise_env
 	$(WORKING_DIR)/bin/$(CODEGEN) schema --out provider/cmd/$(PROVIDER)
 	(cd provider && VERSION=$(PROVIDER_VERSION) go generate cmd/$(PROVIDER)/main.go)
 	@touch $@
@@ -257,13 +274,6 @@ upstream: .make/upstream
 	@touch $@
 .PHONY: upstream
 bin/pulumi-java-gen: PULUMI_JAVA_VERSION := $(shell cat .pulumi-java-gen.version)
 bin/pulumi-java-gen: PLAT := $(shell go version | sed -En "s/go version go.* (.*)\/(.*)/\1-\2/p")
 bin/pulumi-java-gen: PULUMI_JAVA_URL := "https://github.com/pulumi/pulumi-java/releases/download/v$(PULUMI_JAVA_VERSION)/pulumi-language-java-v$(PULUMI_JAVA_VERSION)-$(PLAT).tar.gz"
 bin/pulumi-java-gen:
 	wget -q -O - "$(PULUMI_JAVA_URL)" | tar -xzf - -C $(WORKING_DIR)/bin pulumi-java-gen
 	@touch bin/pulumi-language-java
 # To make an immediately observable change to .ci-mgmt.yaml:
 #
 # - Edit .ci-mgmt.yaml
@@ -278,7 +288,6 @@ debug_tfgen:
 	dlv  --listen=:2345 --headless=true --api-version=2  exec $(WORKING_DIR)/bin/$(CODEGEN) -- schema --out provider/cmd/$(PROVIDER)
 .PHONY: debug_tfgen
 include scripts/plugins.mk
 include scripts/crossbuild.mk
 # Permit providers to extend the Makefile with provider-specific Make includes.
--- a/mise.toml
+++ b/mise.toml
@@ -0,0 +1,3 @@
 # Overwrites mise configuration at .config/mise.toml
 [tools]
 pulumictl = "v0.0.48"
--- a/scripts/crossbuild.mk
+++ b/scripts/crossbuild.mk
@@ -19,6 +19,8 @@ bin/darwin-arm64/$(PROVIDER): GOOS := darwin
 bin/darwin-arm64/$(PROVIDER): GOARCH := arm64
 bin/windows-amd64/$(PROVIDER).exe: GOOS := windows
 bin/windows-amd64/$(PROVIDER).exe: GOARCH := amd64
 bin/windows-arm64/$(PROVIDER).exe: GOOS := windows
 bin/windows-arm64/$(PROVIDER).exe: GOARCH := arm64
 bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: bin/jsign-6.0.jar
 	$(call build_provider_cmd,$(GOOS),$(GOARCH),$(WORKING_DIR)/$@)
@@ -26,7 +28,7 @@ bin/%/$(PROVIDER) bin/%/$(PROVIDER).exe: bin/jsign-6.0.jar
 	@# Test variables set by joining with | between and looking for || showing at least one variable is empty.
 	@# Move the binary to a temporary location and sign it there to avoid the target being up-to-date if signing fails.
 	@set -e; \
-	if [[ "${GOOS}-${GOARCH}" = "windows-amd64" && "${SKIP_SIGNING}" != "true" ]]; then \
+	if [[ "${GOOS}" = "windows" && "${SKIP_SIGNING}" != "true" ]]; then \
 		if [[ "|${AZURE_SIGNING_CLIENT_ID}|${AZURE_SIGNING_CLIENT_SECRET}|${AZURE_SIGNING_TENANT_ID}|${AZURE_SIGNING_KEY_VAULT_URI}|" == *"||"* ]]; then \
 			echo "Can't sign windows binaries as required configuration not set: AZURE_SIGNING_CLIENT_ID, AZURE_SIGNING_CLIENT_SECRET, AZURE_SIGNING_TENANT_ID, AZURE_SIGNING_KEY_VAULT_URI"; \
 			echo "To rebuild with signing delete the unsigned $@ and rebuild with the fixed configuration"; \
@@ -58,13 +60,15 @@ provider-linux-arm64: bin/linux-arm64/$(PROVIDER)
 provider-darwin-amd64: bin/darwin-amd64/$(PROVIDER)
 provider-darwin-arm64: bin/darwin-arm64/$(PROVIDER)
 provider-windows-amd64: bin/windows-amd64/$(PROVIDER).exe
-.PHONY: provider-linux-amd64 provider-linux-arm64 provider-darwin-amd64 provider-darwin-arm64 provider-windows-amd64
+provider-windows-arm64: bin/windows-arm64/$(PROVIDER).exe
 .PHONY: provider-linux-amd64 provider-linux-arm64 provider-darwin-amd64 provider-darwin-arm64 provider-windows-amd64 provider-windows-arm64
 bin/$(PROVIDER)-v$(PROVIDER_VERSION)-linux-amd64.tar.gz: bin/linux-amd64/$(PROVIDER)
 bin/$(PROVIDER)-v$(PROVIDER_VERSION)-linux-arm64.tar.gz: bin/linux-arm64/$(PROVIDER)
 bin/$(PROVIDER)-v$(PROVIDER_VERSION)-darwin-amd64.tar.gz: bin/darwin-amd64/$(PROVIDER)
 bin/$(PROVIDER)-v$(PROVIDER_VERSION)-darwin-arm64.tar.gz: bin/darwin-arm64/$(PROVIDER)
 bin/$(PROVIDER)-v$(PROVIDER_VERSION)-windows-amd64.tar.gz: bin/windows-amd64/$(PROVIDER).exe
 bin/$(PROVIDER)-v$(PROVIDER_VERSION)-windows-arm64.tar.gz: bin/windows-arm64/$(PROVIDER).exe
 bin/$(PROVIDER)-v$(PROVIDER_VERSION)-%.tar.gz:
 	@mkdir -p dist
 	@# $< is the last dependency (the binary path from above) e.g. bin/linux-amd64/pulumi-resource-xyz
@@ -76,5 +80,6 @@ provider_dist-linux-arm64: bin/$(PROVIDER)-v$(PROVIDER_VERSION)-linux-arm64.tar.
 provider_dist-darwin-amd64: bin/$(PROVIDER)-v$(PROVIDER_VERSION)-darwin-amd64.tar.gz
 provider_dist-darwin-arm64: bin/$(PROVIDER)-v$(PROVIDER_VERSION)-darwin-arm64.tar.gz
 provider_dist-windows-amd64: bin/$(PROVIDER)-v$(PROVIDER_VERSION)-windows-amd64.tar.gz
 provider_dist-windows-arm64: bin/$(PROVIDER)-v$(PROVIDER_VERSION)-windows-arm64.tar.gz
 provider_dist: provider_dist-linux-amd64 provider_dist-linux-arm64 provider_dist-darwin-amd64 provider_dist-darwin-arm64 provider_dist-windows-amd64
 .PHONY: provider_dist-linux-amd64 provider_dist-linux-arm64 provider_dist-darwin-amd64 provider_dist-darwin-arm64 provider_dist-windows-amd64 provider_dist
--- a/scripts/get-versions.sh
+++ b/scripts/get-versions.sh
@@ -0,0 +1,55 @@
 #!/usr/bin/env bash
 set -euo pipefail
 # This script can be simplified to use go when https://github.com/jdx/mise/discussions/6374 is fixed
 # e.g. go list -m -f '{{.GoVersion}}'
 module_path="github.com/pulumi/pulumi/pkg/v3"
 go_mod_path="provider"
 gomod="go.mod"
 if [[ "$go_mod_path" != "" && "$go_mod_path" != "." ]]; then
  gomod="$go_mod_path/$gomod"
 fi
 if [[ ! -f "$gomod" ]]; then
  echo "missing $gomod" >&2
  exit 1
 fi
 raw_version=$(awk -v module="$module_path" '
    $1 == module || $2 == module {
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^v[0-9]/) {
                sub(/^v/, "", $i)
                print $i
                exit
            }
        }
    }
 ' "$gomod")
 if [[ -z "${raw_version:-}" ]]; then
  echo "failed to determine Pulumi version from $gomod" >&2
  exit 1
 fi
 echo "PULUMI_VERSION_MISE=$raw_version"
 export PULUMI_VERSION_MISE=$raw_version
 # Prefer the toolchain directive if present, otherwise fall back to the `go` version line
 go_toolchain=$(awk '/^toolchain[[:space:]]+go[0-9]/{ print $2; exit }' "$gomod")
 if [[ -n "${go_toolchain:-}" ]]; then
  go_version=${go_toolchain#go}
 else
  go_version=$(awk '/^go[[:space:]]+[0-9]/{ print $2; exit }' "$gomod")
 fi
 if [[ -z "${go_version:-}" ]]; then
  echo "failed to determine Go version from $gomod" >&2
  exit 1
 fi
 echo "GO_VERSION_MISE=$go_version"
 export GO_VERSION_MISE=$go_version
--- a/scripts/plugins.mk
+++ b/scripts/plugins.mk
@@ -1,27 +0,0 @@
 # Install Pulumi and plugins required at build time.
 install_plugins: .make/install_plugins
 .make/install_plugins: export PULUMI_HOME := $(WORKING_DIR)/.pulumi
 .make/install_plugins: export PATH := $(WORKING_DIR)/.pulumi/bin:$(PATH)
 .make/install_plugins: .pulumi/bin/pulumi
 	.pulumi/bin/pulumi plugin install converter terraform 1.0.16
 	@touch $@
 .PHONY: install_plugins
 # Because some codegen depends on the version of the CLI used, we install a local CLI
 # version pinned to the same version as the provider `go.mod`.
 #
 # This logic compares the version of .pulumi/bin/pulumi already installed. If it matches
 # the desired version, we just print. Otherwise we (re)install pulumi at the desired
 # version.
 .pulumi/bin/pulumi: .pulumi/version
 	@if [ -x .pulumi/bin/pulumi ] && [ "v$$(cat .pulumi/version)" = "$$(.pulumi/bin/pulumi version)" ]; then \
 		echo "pulumi/bin/pulumi version: v$$(cat .pulumi/version)"; \
 		touch $@; \
 	else \
 		curl -fsSL https://get.pulumi.com | \
 			HOME=$(WORKING_DIR) sh -s -- --version "$$(cat .pulumi/version)"; \
 	fi
 # Compute the version of Pulumi to use by inspecting the Go dependencies of the provider.
 .pulumi/version: provider/go.mod
 	(cd provider && go list -f "{{slice .Version 1}}" -m github.com/pulumi/pulumi/pkg/v3) | tee $@