diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index e050ea06536..e9eb39f8bad 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -113,6 +113,8 @@ jobs:
       with:
         tag_name: v${{ inputs.version }}
         prerelease: ${{ inputs.isPrerelease }}
+        # This is a backport branch. We don't want to set this release to latest.
+        make_latest: false
         # We keep pre-releases as drafts so they're not visible until we manually publish them.
         draft: ${{ inputs.isPrerelease }}
         body: ${{ steps.schema-summary.outputs.summary }}
@@ -176,47 +178,6 @@ jobs:
         pip install toml-cli==0.7.0
         version=$(toml get --toml-path pyproject.toml project.version)
         echo "version=${version}" >> "$GITHUB_OUTPUT"
-  create_docs_build:
-    name: create_docs_build
-    needs: publish_sdk
-    # Only run for non-prerelease, if the publish_go_sdk job was successful or skipped
-    if: inputs.isPrerelease == false
-    runs-on: ubuntu-latest
-    steps:
-      - name: Dispatch Metadata build
-        uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3
-        with:
-          token: ${{ secrets.PULUMI_BOT_TOKEN }}
-          repository: pulumi/registry
-          event-type: resource-provider
-          client-payload: |-
-            {
-              "project": "${{ github.repository }}",
-              "project-shortname": "aws",
-              "ref": "${{ github.ref_name }}"
-            }
-
-  clean_up_release_labels:
-    name: Clean up release labels
-    # Only run for non-prerelease, if the publish_go_sdk job was successful or skipped
-    if: inputs.isPrerelease == false
-    needs: create_docs_build
-    
-    runs-on: ubuntu-latest
-    steps:
-    - name: Checkout Repo
-      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-      with:
-        persist-credentials: false
-    - name: Clean up release labels
-      uses: pulumi/action-release-by-pr-label@main
-      with:
-        command: "clean-up-release-labels"
-        repo: ${{ github.repository }}
-        commit: ${{ github.sha }}
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-
   verify_release:
     name: verify_release
     needs: publish_sdk
diff --git a/patches/0042-Revert-r-aws_db_proxy-Change-auth-from-TypeList-to-T.patch b/patches/0042-Revert-r-aws_db_proxy-Change-auth-from-TypeList-to-T.patch
index 260faa1bf2e..4ba4e34bf08 100644
--- a/patches/0042-Revert-r-aws_db_proxy-Change-auth-from-TypeList-to-T.patch
+++ b/patches/0042-Revert-r-aws_db_proxy-Change-auth-from-TypeList-to-T.patch
@@ -392,41 +392,14 @@ index 884f83084b..0856302c30 100644
    recovery_window_in_days = 0
  }
  
-@@ -952,18 +954,18 @@ resource "aws_secretsmanager_secret_version" "test2" {
+@@ -952,46 +954,18 @@ resource "aws_secretsmanager_secret_version" "test2" {
    secret_id     = aws_secretsmanager_secret.test2.id
    secret_string = "{\"username\":\"db_user\",\"password\":\"db_user_password\"}"
  }
 -`, rName, nName))
-+`, rName, nName)
- }
- 
--func testAccProxyConfig_tags1(rName, tagKey1, tagValue1 string) string {
--	return acctest.ConfigCompose(testAccProxyConfig_base(rName), fmt.Sprintf(`
-+func testAccProxyConfig_tags(rName, key, value string) string {
-+	return acctest.ConfigCompose(testAccProxyBaseConfig(rName), fmt.Sprintf(`
- resource "aws_db_proxy" "test" {
-   depends_on = [
-     aws_secretsmanager_secret_version.test,
-     aws_iam_role_policy.test
-   ]
- 
--  name                   = %[1]q
-+  name                   = "%[1]s"
-   engine_family          = "MYSQL"
-   role_arn               = aws_iam_role.test.arn
-   vpc_security_group_ids = [aws_security_group.test.id]
-@@ -977,37 +979,8 @@ resource "aws_db_proxy" "test" {
-   }
- 
-   tags = {
--    %[2]q = %[3]q
-+    %[2]s = "%[3]s"
-   }
- }
--`, rName, tagKey1, tagValue1))
 -}
 -
--func testAccProxyConfig_tags2(rName, tagKey1, tagValue1, tagKey2, tagValue2 string) string {
+-func testAccProxyConfig_tags1(rName, tagKey1, tagValue1 string) string {
 -	return acctest.ConfigCompose(testAccProxyConfig_base(rName), fmt.Sprintf(`
 -resource "aws_db_proxy" "test" {
 -  depends_on = [
@@ -449,9 +422,36 @@ index 884f83084b..0856302c30 100644
 -
 -  tags = {
 -    %[2]q = %[3]q
--    %[4]q = %[5]q
 -  }
 -}
+-`, rName, tagKey1, tagValue1))
++`, rName, nName)
+ }
+ 
+-func testAccProxyConfig_tags2(rName, tagKey1, tagValue1, tagKey2, tagValue2 string) string {
+-	return acctest.ConfigCompose(testAccProxyConfig_base(rName), fmt.Sprintf(`
++func testAccProxyConfig_tags(rName, key, value string) string {
++	return acctest.ConfigCompose(testAccProxyBaseConfig(rName), fmt.Sprintf(`
+ resource "aws_db_proxy" "test" {
+   depends_on = [
+     aws_secretsmanager_secret_version.test,
+     aws_iam_role_policy.test
+   ]
+ 
+-  name                   = %[1]q
++  name                   = "%[1]s"
+   engine_family          = "MYSQL"
+   role_arn               = aws_iam_role.test.arn
+   vpc_security_group_ids = [aws_security_group.test.id]
+@@ -1005,9 +979,8 @@ resource "aws_db_proxy" "test" {
+   }
+ 
+   tags = {
+-    %[2]q = %[3]q
+-    %[4]q = %[5]q
++    %[2]s = "%[3]s"
+   }
+ }
 -`, rName, tagKey1, tagValue1, tagKey2, tagValue2))
 +`, rName, key, value))
  }
diff --git a/patches/0060-Adding-APN-1.1-marketplace-identifier-to-User-Agent-.patch b/patches/0060-Adding-APN-1.1-marketplace-identifier-to-User-Agent-.patch
new file mode 100644
index 00000000000..94a2c6a5a52
--- /dev/null
+++ b/patches/0060-Adding-APN-1.1-marketplace-identifier-to-User-Agent-.patch
@@ -0,0 +1,19 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Alberto Pose <albertopose@gmail.com>
+Date: Thu, 23 Oct 2025 11:11:23 +0100
+Subject: [PATCH] Adding APN 1.1 marketplace identifier to User Agent request
+ string.
+
+
+diff --git a/internal/conns/config.go b/internal/conns/config.go
+index c1d3e94c55..74be293b99 100644
+--- a/internal/conns/config.go
++++ b/internal/conns/config.go
+@@ -80,6 +80,7 @@ func (c *Config) ConfigureProvider(ctx context.Context, client *AWSClient) (*AWS
+ 			Products: []awsbase.UserAgentProduct{
+ 				{Name: "Pulumi", Version: "1.0"},
+ 				{Name: "Pulumi-Aws", Version: c.TerraformVersion, Comment: "+https://pulumi.com"},
++				{Name: "APN", Version: "1.1", Comment: "c7qiae2l6usvzoynupds6v7hf"},
+ 			},
+ 		},
+ 		AssumeRole:                     c.AssumeRole,
diff --git a/provider/provider_endpoint_test.go b/provider/provider_endpoint_test.go
new file mode 100644
index 00000000000..08808f2fc8a
--- /dev/null
+++ b/provider/provider_endpoint_test.go
@@ -0,0 +1,91 @@
+package provider
+
+import (
+	"context"
+	"net/http"
+	"net/http/httptest"
+	"testing"
+
+	structpb "github.com/golang/protobuf/ptypes/struct"
+	pfbridge "github.com/pulumi/pulumi-terraform-bridge/v3/pkg/pf/tfbridge"
+	pulumirpc "github.com/pulumi/pulumi/sdk/v3/proto/go"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func testProviderServer() (pulumirpc.ResourceProviderServer, error) {
+	info := *Provider()
+	ctx := context.Background()
+	p, err := pfbridge.MakeMuxedServer(ctx, info.Name, info,
+		/*
+		 * We leave the schema blank. This will result in incorrect calls to
+		 * GetSchema, but otherwise does not effect the provider. It reduces the
+		 * time to test start by minutes.
+		 */
+		[]byte("{}"),
+	)(nil)
+	return p, err
+}
+
+func TestProviderEndpoints(t *testing.T) {
+	stsGetCallerIdentityResponse := `
+<GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
+	<GetCallerIdentityResult>
+	<Arn>arn:aws:iam::123456789012:user/Alice</Arn>
+	<UserId>AIDACKCEVSQ6C2EXAMPLE</UserId>
+	<Account>123456789012</Account>
+	</GetCallerIdentityResult>
+	<ResponseMetadata>
+		<RequestId>01234567-89ab-cdef-0123-456789abcdef</RequestId>
+	</ResponseMetadata>
+</GetCallerIdentityResponse>`
+
+	t.Run("requests to AWS use the APN/1.1 marketplace identifier in the User-Agent request header", func(t *testing.T) {
+		requestCount := 0
+		server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			assert.Contains(t, r.Header.Get("User-Agent"), "APN/1.1 (c7qiae2l6usvzoynupds6v7hf)")
+			switch requestCount {
+			case 0:
+				w.Write([]byte(stsGetCallerIdentityResponse))
+			case 1:
+				w.Write([]byte("{}"))
+			default:
+				t.Fatalf("Unexpected request count: %d", requestCount)
+			}
+			requestCount++
+		}))
+		t.Cleanup(server.Close)
+
+		// Using environment variables since configuring passing variables to
+		// provider.Configure is too late on the lifecycle of the provider. These
+		// values are fetched when the provider is initialized.
+		t.Setenv("AWS_ENDPOINT_URL", server.URL)
+		t.Setenv("AWS_SKIP_METADATA_API_CHECK", "true")
+		t.Setenv("AWS_SKIP_CREDENTIALS_VALIDATION", "true")
+		t.Setenv("AWS_ACCESS_KEY_ID", "test")
+		t.Setenv("AWS_SECRET_ACCESS_KEY", "test")
+		t.Setenv("AWS_SESSION_TOKEN", "test")
+		t.Setenv("AWS_REGION", "us-west-2")
+		t.Setenv("AWS_PROFILE", "")
+
+		provider, err := testProviderServer()
+		require.NoError(t, err)
+		ctx := context.Background()
+		_, err = provider.Configure(ctx, &pulumirpc.ConfigureRequest{})
+		require.NoError(t, err)
+		_, err = provider.Invoke(ctx, &pulumirpc.InvokeRequest{
+			Tok: "aws:s3/getObjects:getObjects",
+			Args: &structpb.Struct{
+				Fields: map[string]*structpb.Value{
+					"bucket": {
+						Kind: &structpb.Value_StringValue{
+							StringValue: "test-bucket",
+						},
+					},
+				},
+			},
+		})
+		require.NoError(t, err)
+		assert.Equal(t, 2, requestCount)
+	})
+}