Update GitHub Actions workflows. (#4920)

This PR was automatically generated by the
update-workflows-single-bridged-provider workflow in the pulumi/ci-mgmt
repo, from commit 3e4be1caba9e051f1cbc2ecfdca169360313e9dd.

Author: pulumi-bot

.github/actions/setup-tools/action.yml

@@ -14,23 +14,31 @@ inputs:
         dotnet
         java
     default: all
+  cache-go:
+    description: |
+      Whether to enable the GitHub cache for Go. Appropriate for disabling in
+      smaller jobs that typically completely before the "real" job has an
+      opportunity to populate the cache.
+    default: "true"
 
 runs:
   using: "composite"
   steps:
     - name: Install Go
       if: inputs.tools == 'all' || contains(inputs.tools, 'go')
-      uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5
+      uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5
       with:
         go-version: "1.23.x"
         cache-dependency-path: |
           provider/*.sum
           upstream/*.sum
           sdk/*.sum
+        # TODO(https://github.com/actions/setup-go/issues/316): Restore but don't save the cache.
+        cache: ${{ inputs.cache-go }}
 
     - name: Install pulumictl
       if: inputs.tools == 'all' || contains(inputs.tools, 'pulumictl')
-      uses: jaxxstorm/action-install-gh-release@71d17cb091aa850acb2a1a4cf87258d183eb941b # v1.11.0
+      uses: jaxxstorm/action-install-gh-release@cd6b2b78ad38bdd294341cda064ec0692b06215b # v1.14.0
       with:
         tag: v0.0.46
         repo: pulumi/pulumictl
@@ -43,7 +51,7 @@ runs:
 
     - name: Install Schema Tools
       if: inputs.tools == 'all' || contains(inputs.tools, 'schema-tools')
-      uses: jaxxstorm/action-install-gh-release@71d17cb091aa850acb2a1a4cf87258d183eb941b # v1.11.0
+      uses: jaxxstorm/action-install-gh-release@cd6b2b78ad38bdd294341cda064ec0692b06215b # v1.14.0
       with:
         repo: pulumi/schema-tools
 

.github/workflows/build_provider.yml

@@ -15,6 +15,7 @@ jobs:
     env:
       PROVIDER_VERSION: ${{ inputs.version }}
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      AZURE_SIGNING_CONFIGURED: ${{ secrets.AZURE_SIGNING_CLIENT_ID != '' && secrets.AZURE_SIGNING_CLIENT_SECRET != '' && secrets.AZURE_SIGNING_TENANT_ID != '' && secrets.AZURE_SIGNING_KEY_VAULT_URI != '' }}
     strategy:
       fail-fast: true
       matrix:
@@ -37,6 +38,7 @@ jobs:
           tool-cache: false
           swap-storage: false
           dotnet: false
+          large-packages: false
       - name: Checkout Repo
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
         with:
@@ -58,8 +60,31 @@ jobs:
           path: provider/cmd/pulumi-resource-aws
       - name: Restore makefile progress
         run: make --touch provider schema
-      - name: Build & package provider
+
+      - name: Build provider
+        run: make "provider-${{ matrix.platform.os }}-${{ matrix.platform.arch }}"
+
+      - name: Sign windows provider
+        if: matrix.platform.os == 'windows' && env.AZURE_SIGNING_CONFIGURED == 'true'
+        run: |
+          az login --service-principal \
+            -u ${{ secrets.AZURE_SIGNING_CLIENT_ID }} \
+            -p ${{ secrets.AZURE_SIGNING_CLIENT_SECRET }} \
+            -t ${{ secrets.AZURE_SIGNING_TENANT_ID }} \
+            -o none;
+
+          wget https://github.com/ebourg/jsign/releases/download/6.0/jsign-6.0.jar;
+
+          java -jar jsign-6.0.jar \
+             --storetype AZUREKEYVAULT \
+             --keystore "PulumiCodeSigning" \
+             --url ${{ secrets.AZURE_SIGNING_KEY_VAULT_URI }} \
+             --storepass "$(az account get-access-token --resource "https://vault.azure.net" | jq -r .accessToken)" \
+             bin/windows-amd64/pulumi-resource-aws.exe;
+
+      - name: Package provider
         run: make provider_dist-${{ matrix.platform.os }}-${{ matrix.platform.arch }}
+
       - name: Upload artifacts
         uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
         with:

.github/workflows/build_sdk.yml

@@ -56,7 +56,7 @@ jobs:
           submodules: true
           persist-credentials: false
       - name: Cache examples generation
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4
         with:
           path: |
             .pulumi/examples-cache

.github/workflows/community-moderation.yml

@@ -26,7 +26,7 @@ jobs:
     - if: steps.sdk_changed.outputs.changed == 'true' &&
         github.event.pull_request.head.repo.full_name != github.repository
       name: Send codegen warning as comment on PR
-      uses: thollander/actions-comment-pull-request@fabd468d3a1a0b97feee5f6b9e499eab0dd903f6 # v2.5.0
+      uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
       with:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         message: >

.github/workflows/license.yml

@@ -40,6 +40,7 @@ jobs:
         uses: ./.github/actions/setup-tools
         with:
           tools: go
+          cache-go: false
       - run: make upstream
       - uses: pulumi/license-check-action@main
         with:

.github/workflows/lint.yml

@@ -38,7 +38,7 @@ jobs:
         submodules: true
         persist-credentials: false
     - name: Install go
-      uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5
+      uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5
       with:
         # The versions of golangci-lint and setup-go here cross-depend and need to update together.
         go-version: 1.23

.github/workflows/master.yml

@@ -99,7 +99,6 @@ jobs:
       - build_provider
       - test
       - license_check
-      - upstream_lint
     uses: ./.github/workflows/publish.yml
     secrets: inherit
     with:
@@ -127,106 +126,14 @@ jobs:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 
   test:
-    name: test
+    uses: ./.github/workflows/test.yml
     needs:
       - prerequisites
       - build_provider
       - build_sdk
-    permissions:
-      contents: read
-      id-token: write
-    runs-on: ubuntu-latest
-    env:
-      PROVIDER_VERSION: ${{ needs.prerequisites.outputs.version }}
-    steps:
-    # Run as first step so we don't delete things that have just been installed
-    - name: Free Disk Space (Ubuntu)
-      uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
-      with:
-        tool-cache: false
-        swap-storage: false
-        dotnet: false
-    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      with:
-        submodules: true
-        persist-credentials: false
-    - name: Setup tools
-      uses: ./.github/actions/setup-tools
-      with:
-        tools: pulumictl, pulumicli, ${{ matrix.language }}
-    - name: Prepare local workspace
-      run: make prepare_local_workspace
-    - name: Download bin
-      uses: ./.github/actions/download-bin
-    - name: Download SDK
-      uses: ./.github/actions/download-sdk
-      with:
-        language: ${{ matrix.language }}
-    - name: Restore makefile progress
-      run: make --touch provider schema build_${{ matrix.language }}
-    - name: Update path
-      run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
-    - name: Install Python deps
-      if: matrix.language == 'python'
-      run: |-
-        pip3 install virtualenv==20.0.23
-        pip3 install pipenv
-    - name: Install dependencies
-      run: make install_${{ matrix.language}}_sdk
-    - name: Install gotestfmt
-      uses: GoTestTools/gotestfmt-action@v2
-      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
-        version: v2.5.0
-    - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@v4
-      with:
-        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-        aws-region: ${{ env.AWS_REGION }}
-        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-        role-duration-seconds: 7200
-        role-session-name: aws@githubActions
-        role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }}
-    - name: Make upstream
-      run: make upstream
-    - name: Run tests
-      run: cd examples && go test -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4
-    strategy:
-      fail-fast: false
-      matrix:
-        language:
-        - nodejs
-        - python
-        - dotnet
-        - go
-        - java
-  upstream_lint:
-      name: Run upstream provider-lint
-      runs-on: ubuntu-latest
-      steps:
-          - name: Free Disk Space (Ubuntu)
-            uses: jlumbroso/free-disk-space@main
-            with:
-              swap-storage: false
-              tool-cache: false
-          - name: Checkout Repo
-            uses: actions/checkout@v4
-            with:
-              ref: ${{ env.PR_COMMIT_SHA }}
-              submodules: true
-          - name: Install Go
-            uses: actions/setup-go@v5
-            with:
-              cache: false
-              go-version: 1.23.x
-          - name: Prepare local workspace
-            run: make prepare_local_workspace
-          - name: upstream lint
-            run: |
-              cd upstream
-              make provider-lint
-      timeout-minutes: 60
+    secrets: inherit
+    with:
+      version: ${{ needs.prerequisites.outputs.version }}
 
 name: master
 on:

.github/workflows/nightly-test.yml

@@ -45,80 +45,15 @@ jobs:
       version: ${{ needs.prerequisites.outputs.version }}
 
   test:
-    name: test
+    uses: ./.github/workflows/test.yml
     needs:
       - prerequisites
       - build_provider
       - build_sdk
-    permissions:
-      contents: read
-      id-token: write
-    runs-on: ubuntu-latest
-    env:
-      PROVIDER_VERSION: ${{ needs.prerequisites.outputs.version }}
-    steps:
-    # Run as first step so we don't delete things that have just been installed
-    - name: Free Disk Space (Ubuntu)
-      uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
-      with:
-        tool-cache: false
-        swap-storage: false
-        dotnet: false
-    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      with:
-        submodules: true
-        persist-credentials: false
-    - name: Setup tools
-      uses: ./.github/actions/setup-tools
-      with:
-        tools: pulumictl, pulumicli, ${{ matrix.language}}
-    - name: Prepare local workspace
-      run: make prepare_local_workspace
-    - name: Download bin
-      uses: ./.github/actions/download-bin
-    - name: Download SDK
-      uses: ./.github/actions/download-sdk
-      with:
-        language: ${{ matrix.language }}
-    - name: Restore makefile progress
-      run: make --touch provider schema build_${{ matrix.language }}
-    - name: Update path
-      run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
-    - name: Install Python deps
-      if: matrix.language == 'python'
-      run: |-
-        pip3 install virtualenv==20.0.23
-        pip3 install pipenv
-    - name: Install dependencies
-      run: make install_${{ matrix.language}}_sdk
-    - name: Install gotestfmt
-      uses: GoTestTools/gotestfmt-action@v2
-      with:
-        token: ${{ secrets.GITHUB_TOKEN }}
-        version: v2.5.0
-    - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@v4
-      with:
-        aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
-        aws-region: ${{ env.AWS_REGION }}
-        aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-        role-duration-seconds: 7200
-        role-session-name: aws@githubActions
-        role-to-assume: ${{ secrets.AWS_CI_ROLE_ARN }}
-    - name: Make upstream
-      run: make upstream
-    - name: Run tests
-      run: cd examples && go test -count=1 -cover -timeout 2h -tags=${{ matrix.language }} -parallel 4
-    strategy:
-      fail-fast: false
-      matrix:
-        language:
-          - nodejs
-          - python
-          - dotnet
-          - go
-          - java
+    secrets: inherit
+    with:
+      version: ${{ needs.prerequisites.outputs.version }}
+
 name: cron
 on:
   schedule: