pulumi · corymhall · Aug 27, 2025 · Aug 27, 2025 · Aug 27, 2025 · Aug 28, 2025
diff --git a/.ci-mgmt.yaml b/.ci-mgmt.yaml
@@ -8,6 +8,13 @@ generate-nightly-test-workflow: true
 providerVersion: github.com/hashicorp/terraform-provider-aws/version.ProviderVersion
 
 buildProviderPre: "VERSION=${VERSION_GENERIC} ./scripts/minimal_schema.sh"
+testProviderCmd: |
+  VERSION=${VERSION_GENERIC} ./scripts/minimal_schema.sh && \
+  cd provider && go test -v -short \
+    -coverprofile="coverage.txt" \
+    -coverpkg="./...,github.com/hashicorp/terraform-provider-..." \
+    -parallel $(TESTPARALLELISM) \
+    ./...
 
 toolVersions:
   go: "1.23.x"

diff --git a/.github/actions/download-prerequisites/action.yml b/.github/actions/download-prerequisites/action.yml
@@ -5,7 +5,7 @@ runs:
   using: "composite"
   steps:
     - name: Download the prerequisites bin
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
       with:
         name: prerequisites-bin
         path: bin
@@ -19,7 +19,7 @@ runs:
       run: rm bin/executables.txt
 
     - name: Download schema-embed.json
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
       with:
         # Use a pattern to avoid failing if the artifact doesn't exist
         pattern: schema-embed.*

diff --git a/.github/actions/download-provider/action.yml b/.github/actions/download-provider/action.yml
@@ -6,7 +6,7 @@ runs:
   steps:
 
     - name: Download pulumi-resource-aws
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
       with:
         pattern: pulumi-resource-aws-*-linux-amd64.tar.gz
         path: ${{ github.workspace }}/bin

diff --git a/.github/actions/download-sdk/action.yml b/.github/actions/download-sdk/action.yml
@@ -10,7 +10,7 @@ runs:
   using: "composite"
   steps:
     - name: Download ${{ inputs.language }} SDK
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
       with:
         name: ${{ inputs.language }}-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/

diff --git a/.github/actions/esc-action/action.yaml b/.github/actions/esc-action/action.yaml
@@ -0,0 +1,12 @@
+name: "Load secrets"
+description: |
+  This is a temporary action which assists with our migration to ESC. Instead
+  of surrounding every step that references secrets with an "if ESC" block, we
+  instead modify those steps to consume their secrets from this step's outputs.
+  Then, later, we can replace this action with esc-action to actually load
+  secrets from ESC.
+inputs: {}
+outputs: {}
+runs:
+  using: "node20"
+  main: "index.js"
diff --git a/.github/actions/esc-action/index.js b/.github/actions/esc-action/index.js
@@ -0,0 +1,14 @@
+const fs = require("fs");
+
+const file = process.env["GITHUB_OUTPUT"];
+var stream = fs.createWriteStream(file, { flags: "a" });
+
+for (const [name, value] of Object.entries(process.env)) {
+  try {
+    stream.write(`${name}=${value}\n`);
+  } catch (err) {
+    console.log(`error: failed to set output for ${name}: ${err.message}`);
+  }
+}
+
+stream.end();
diff --git a/.github/workflows/build_provider.yml b/.github/workflows/build_provider.yml
@@ -19,7 +19,8 @@ on:
               {"os": "linux",   "arch": "arm64"},
               {"os": "darwin",  "arch": "amd64"},
               {"os": "darwin",  "arch": "arm64"},
-              {"os": "windows", "arch": "amd64"}
+              {"os": "windows", "arch": "amd64"},
+              {"os": "windows", "arch": "arm64"}
             ]
           }
 
@@ -43,7 +44,7 @@ jobs:
           dotnet: false
           large-packages: false
       - name: Checkout Repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           submodules: true
           persist-credentials: false

diff --git a/.github/workflows/build_sdk.yml b/.github/workflows/build_sdk.yml
@@ -43,7 +43,7 @@ jobs:
           swap-storage: false
           dotnet: false
       - name: Checkout Repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           submodules: true
           persist-credentials: false
@@ -63,6 +63,8 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Download prerequisites
         uses: ./.github/actions/download-prerequisites
+      - name: Download bin
+        uses: ./.github/actions/download-provider
       - name: Update path
         run: echo "${{ github.workspace }}/bin" >> "$GITHUB_PATH"
       - name: Restore makefile progress

diff --git a/.github/workflows/command-dispatch.yml b/.github/workflows/command-dispatch.yml
@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         submodules: true
         persist-credentials: false

diff --git a/.github/workflows/community-moderation.yml b/.github/workflows/community-moderation.yml
@@ -8,7 +8,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         submodules: true
         persist-credentials: false

diff --git a/.github/workflows/license.yml b/.github/workflows/license.yml
@@ -21,7 +21,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
       - name: Setup tools

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -21,7 +21,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         submodules: true
         persist-credentials: false

diff --git a/.github/workflows/main-post-build.yml b/.github/workflows/main-post-build.yml
@@ -30,12 +30,12 @@ jobs:
           tool-cache: false
           swap-storage: false
       - name: Checkout Repo
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           submodules: true
           persist-credentials: false
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
+        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
         with:
           aws-access-key-id: ${{ secrets.AWS_CORP_S3_UPLOAD_ACCESS_KEY_ID }}
           aws-region: us-west-2

diff --git a/.github/workflows/prerequisites.yml b/.github/workflows/prerequisites.yml
@@ -38,15 +38,8 @@ jobs:
     outputs:
       version: ${{ steps.provider-version.outputs.version }}
     steps:
-    # Run as first step so we don't delete things that have just been installed
-    - name: Free Disk Space (Ubuntu)
-      uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
-      with:
-        tool-cache: false
-        swap-storage: false
-        dotnet: false
     - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         submodules: true
         persist-credentials: false
@@ -55,48 +48,9 @@ jobs:
       with:
         major-version: 7
         set-env: 'PROVIDER_VERSION'
-    - name: Cache examples generation
-      uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4
-      with:
-        path: |
-          .pulumi/examples-cache
-        key: ${{ runner.os }}-${{ hashFiles('provider/go.sum') }}
-    - name: Setup tools
-      uses: ./.github/actions/setup-tools
-      with:
-        tools: go, pulumictl, pulumicli, schema-tools
-    - name: Prepare local workspace before restoring previously built files
-      run: make prepare_local_workspace
-    - name: Generate schema
-      run: make schema
-    - name: Build provider binary
-      run: make provider
-    - name: Unit-test provider code
-      run: make test_provider
-    - name: Upload coverage reports to Codecov
-      uses: codecov/codecov-action@18283e04ce6e62d37312384ff67231eb8fd56d24 # v5.4.3
-      env:
-        CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
-    - if: inputs.is_pr
-      name: Check Schema is Valid
-      run: |
-        EOF=$(dd if=/dev/urandom bs=15 count=1 status=none | base64)
-        {
-          echo "SCHEMA_CHANGES<<$EOF";
-          schema-tools compare -r github://api.github.com/pulumi -p aws -o "${{ inputs.default_branch }}" -n --local-path=provider/cmd/pulumi-resource-aws/schema.json;
-          echo "$EOF";
-        } >> "$GITHUB_ENV"
-    - if: inputs.is_pr && inputs.is_automated == false && github.actor != 'dependabot[bot]'
-      name: Comment on PR with Details of Schema Check
-      uses: thollander/actions-comment-pull-request@24bffb9b452ba05a4f3f77933840a6a841d1b32b # v3.0.1
-      with:
-        github-token: ${{ secrets.GITHUB_TOKEN }}
-        comment-tag: schemaCheck
-        message: >+
-          ${{ env.SCHEMA_CHANGES }}
-
-
-          Maintainer note: consult the [runbook](https://github.com/pulumi/platform-providers-team/blob/main/playbooks/tf-provider-updating.md) for dealing with any breaking changes.
-
+    - name: Generate schema-embed
+      run: make schema_embed
+    - name: Build tfgen
+      run: make tfgen_build_only
     - name: Upload artifacts
       uses: ./.github/actions/upload-prerequisites
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -41,7 +41,7 @@ jobs:
       if: inputs.skipGoSdk && inputs.isPrerelease == false
       run: echo "Can't skip Go SDK for stable releases. This is likely a bug in the calling workflow." && exit 1
     - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         submodules: true
         persist-credentials: false
@@ -51,7 +51,7 @@ jobs:
         tools: pulumictl, pulumicli, go, schema-tools
         cache-go: false
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df # v4.2.1
+      uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
       with:
         aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
         aws-region: us-east-2
@@ -63,14 +63,14 @@ jobs:
     - name: Create dist directory
       run: mkdir -p dist
     - name: Download provider assets
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
       with:
         pattern: pulumi-resource-aws-v${{ inputs.version }}-*
         path: dist
         # Don't create a directory for each artifact
         merge-multiple: true
     - name: Download schema
-      uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+      uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0
       with:
         # Use a pattern to avoid failing if the artifact doesn't exist
         pattern: schema-embed.*
@@ -117,7 +117,7 @@ jobs:
       python_version: ${{ steps.python_version.outputs.version }}
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         submodules: true
         # Persist credentials so we can push back to the repo
@@ -211,7 +211,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         persist-credentials: false
     - name: Clean up release labels

diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         submodules: true
         persist-credentials: false

diff --git a/.github/workflows/release_command.yml b/.github/workflows/release_command.yml
@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       with:
         persist-credentials: false
     - name: Should release PR