Update GitHub Actions workflows. (#5282)

pulumi-bot · web-flow · commit 8da86ae234d6 · 2025-03-08T11:54:37.000-05:00
This PR was automatically generated by the
update-workflows-ecosystem-providers workflow in the pulumi/ci-mgmt
repo, from commit d77004611f0044baca1f99589d312808cfa72d60.
diff --git a/.github/actions/download-prerequisites/action.yml b/.github/actions/download-prerequisites/action.yml
@@ -5,7 +5,7 @@ runs:
   using: "composite"
   steps:
     - name: Download the prerequisites bin
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
       with:
         name: prerequisites-bin
         path: bin
@@ -19,7 +19,7 @@ runs:
       run: rm bin/executables.txt
 
     - name: Download schema-embed.json
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
       with:
         # Use a pattern to avoid failing if the artifact doesn't exist
         pattern: schema-embed.*
diff --git a/.github/actions/download-provider/action.yml b/.github/actions/download-provider/action.yml
@@ -6,7 +6,7 @@ runs:
   steps:
 
     - name: Download pulumi-resource-aws
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
       with:
         pattern: pulumi-resource-aws-*-linux-amd64.tar.gz
         path: ${{ github.workspace }}/bin
diff --git a/.github/actions/download-sdk/action.yml b/.github/actions/download-sdk/action.yml
@@ -10,7 +10,7 @@ runs:
   using: "composite"
   steps:
     - name: Download ${{ inputs.language }} SDK
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
       with:
         name: ${{ inputs.language }}-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/
diff --git a/.github/actions/setup-tools/action.yml b/.github/actions/setup-tools/action.yml
@@ -47,7 +47,7 @@ runs:
 
     - name: Install Pulumi CLI
       if: inputs.tools == 'all' || contains(inputs.tools, 'pulumicli')
-      uses: pulumi/actions@13b8b7177d6fb736766875dac9b78aab07bd785f # v6
+      uses: pulumi/actions@9519177da243fd32cab35cdbf19cce1ab7472fcc # v6
       with:
         pulumi-version: "dev"
 
diff --git a/.github/actions/upload-prerequisites/action.yml b/.github/actions/upload-prerequisites/action.yml
@@ -9,14 +9,14 @@ runs:
       run: find bin -type f -executable > bin/executables.txt
 
     - name: Upload prerequisites bin
-      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+      uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
       with:
         name: prerequisites-bin
         path: bin/*
         retention-days: 30
 
     - name: Upload schema-embed.json
-      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+      uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
       with:
         name: schema-embed.json
         path: provider/cmd/pulumi-resource-aws/schema-embed.json
diff --git a/.github/actions/upload-sdk/action.yml b/.github/actions/upload-sdk/action.yml
@@ -13,7 +13,7 @@ runs:
       shell: bash
       run: tar -zcf sdk/${{ inputs.language }}.tar.gz -C sdk/${{ inputs.language }} .
     - name: Upload artifacts
-      uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+      uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
       with:
         name: ${{ inputs.language  }}-sdk.tar.gz
         path: ${{ github.workspace}}/sdk/${{ inputs.language }}.tar.gz
diff --git a/.github/workflows/build_provider.yml b/.github/workflows/build_provider.yml
@@ -9,6 +9,19 @@ on:
         required: true
         type: string
         description: Version of the provider to build
+      matrix:
+        required: false
+        type: string
+        default: |
+          {
+            "platform": [
+              {"os": "linux",   "arch": "amd64"},
+              {"os": "linux",   "arch": "arm64"},
+              {"os": "darwin",  "arch": "amd64"},
+              {"os": "darwin",  "arch": "arm64"},
+              {"os": "windows", "arch": "amd64"}
+            ]
+          }
 
 jobs:
   build_provider:
@@ -19,18 +32,7 @@ jobs:
       GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
     strategy:
       fail-fast: true
-      matrix:
-        platform:
-          - os: linux
-            arch: amd64
-          - os: linux
-            arch: arm64
-          - os: darwin
-            arch: amd64
-          - os: darwin
-            arch: arm64
-          - os: windows
-            arch: amd64
+      matrix: ${{ fromJSON(inputs.matrix) }}
     steps:
       # Run as first step so we don't delete things that have just been installed
       - name: Free Disk Space (Ubuntu)
@@ -97,7 +99,7 @@ jobs:
         run: make provider_dist-${{ matrix.platform.os }}-${{ matrix.platform.arch }}
 
       - name: Upload artifacts
-        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
         with:
           name: pulumi-resource-aws-v${{ inputs.version }}-${{ matrix.platform.os }}-${{ matrix.platform.arch }}.tar.gz
           path: bin/pulumi-resource-aws-v${{ inputs.version }}-${{ matrix.platform.os }}-${{ matrix.platform.arch }}.tar.gz
diff --git a/.github/workflows/build_sdk.yml b/.github/workflows/build_sdk.yml
@@ -60,7 +60,7 @@ jobs:
           submodules: true
           persist-credentials: false
       - name: Cache examples generation
-        uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4
+        uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4
         with:
           path: |
             .pulumi/examples-cache
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -54,5 +54,5 @@ jobs:
     - name: golangci-lint
       uses: golangci/golangci-lint-action@2226d7cb06a077cd73e56eedd38eecad18e5d837 # v6
       with:
-        version: v1.60
+        version: v1.64.6
         working-directory: provider
diff --git a/.github/workflows/prerequisites.yml b/.github/workflows/prerequisites.yml
@@ -65,7 +65,7 @@ jobs:
         major-version: 6
         set-env: 'PROVIDER_VERSION'
     - name: Cache examples generation
-      uses: actions/cache@0c907a75c2c80ebcb7f088228285e798b750cf8f # v4
+      uses: actions/cache@d4323d4df104b026a6aa633fdb11d772146be0bf # v4
       with:
         path: |
           .pulumi/examples-cache
@@ -83,7 +83,7 @@ jobs:
     - name: Unit-test provider code
       run: make test_provider
     - name: Upload coverage reports to Codecov
-      uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # v5.3.1
+      uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # v5.4.0
       env:
         CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
     - if: inputs.is_pr
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
@@ -75,14 +75,14 @@ jobs:
     - name: Create dist directory
       run: mkdir -p dist
     - name: Download provider assets
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
       with:
         pattern: pulumi-resource-aws-v${{ inputs.version }}-*
         path: dist
         # Don't create a directory for each artifact
         merge-multiple: true
     - name: Download schema
-      uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+      uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
       with:
         # Use a pattern to avoid failing if the artifact doesn't exist
         pattern: schema-embed.*
@@ -226,7 +226,5 @@ jobs:
     secrets: inherit
     with:
       providerVersion: ${{ inputs.version }}
-      # Prelease is run often but we only have 5 concurrent macos runners, so we only test after the stable release.
-      enableMacRunner: ${{ inputs.isPrerelease == false }}
       skipGoSdk: ${{ inputs.skipGoSdk }}
       pythonVersion: ${{ needs.publish_sdk.outputs.python_version }}
diff --git a/.github/workflows/run-acceptance-tests.yml b/.github/workflows/run-acceptance-tests.yml
@@ -57,6 +57,12 @@ jobs:
     secrets: inherit
     with:
       version: ${{ needs.prerequisites.outputs.version }}
+      matrix: |
+        {
+          "platform": [
+            {"os": "linux", "arch": "amd64"},
+          ]
+        }
 
   build_sdk:
     if: github.event_name == 'repository_dispatch' ||
diff --git a/.github/workflows/upgrade-bridge.yml b/.github/workflows/upgrade-bridge.yml
@@ -57,8 +57,26 @@ permissions:
 
 env:
   GH_TOKEN: ${{ secrets.PULUMI_PROVIDER_AUTOMATION_TOKEN || secrets.PULUMI_BOT_TOKEN || secrets.GITHUB_TOKEN }}
+  AWS_REGION: us-west-2
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        
+  NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
+  NUGET_PUBLISH_KEY: ${{ secrets.NUGET_PUBLISH_KEY }}
+  OIDC_ROLE_ARN: ${{ secrets.OIDC_ROLE_ARN }}
+  PUBLISH_REPO_PASSWORD: ${{ secrets.OSSRH_PASSWORD }}
+  PUBLISH_REPO_USERNAME: ${{ secrets.OSSRH_USERNAME }}
+  PULUMI_ACCESS_TOKEN: ${{ secrets.PULUMI_ACCESS_TOKEN }}
+  PULUMI_API: https://api.pulumi-staging.io
+  PULUMI_GO_DEP_ROOT: ${{ github.workspace }}/..
+  PULUMI_LOCAL_NUGET: ${{ github.workspace }}/nuget
+  PULUMI_MISSING_DOCS_ERROR: "true"
+  PYPI_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
+  PYPI_USERNAME: __token__
+  SIGNING_KEY: ${{ secrets.JAVA_SIGNING_KEY }}
+  SIGNING_KEY_ID: ${{ secrets.JAVA_SIGNING_KEY_ID }}
+  SIGNING_PASSWORD: ${{ secrets.JAVA_SIGNING_PASSWORD }}
+  TF_APPEND_USER_AGENT: pulumi
+
 jobs:
   upgrade_provider:
     name: upgrade-provider
diff --git a/.github/workflows/verify-release.yml b/.github/workflows/verify-release.yml
@@ -26,11 +26,6 @@ on:
         description: "The version of the provider to verify"
         required: true
         type: string
-      enableMacRunner:
-        description: "Enable the macos-latest runner in addition to ubuntu-latest and windows-latest. Defaults to 'false'."
-        required: false
-        type: boolean
-        default: false
       skipGoSdk:
         description: "Skip the Go SDK verification. Defaults to 'false'. This is used when we're not publishing a Go SDK on the default branch build."
         required: false
@@ -67,11 +62,7 @@ jobs:
     name: verify-release
     strategy:
       matrix:
-        # We always run on Linux and Windows, and optionally on MacOS. This is because MacOS runners have limited availability.
-        # Expression expands to ["ubuntu-latest","windows-latest"] or ["ubuntu-latest","windows-latest","macos-latest"]
-        # GitHub expressions don't have 'if' statements, so we use a ternary operator to conditionally include the MacOS runner suffix.
-        # See the docs for a similar example to this: https://docs.github.com/en/actions/learn-github-actions/expressions#fromjson
-        runner: ${{ fromJSON(format('["ubuntu-latest","windows-latest"{0}]', inputs.enableMacRunner && ',"macos-latest"' || '')) }}
+        runner: ["ubuntu-latest", "windows-latest", "macos-latest"]
     runs-on: ${{ matrix.runner }}
     permissions:
       contents: 'read'
