Refactor bridged acceptance workflow ordering

[corymhall]

Summary

• split traditional bridged-provider acceptance prerequisites into a lightweight prerequisite phase plus separate test_provider and build_schema jobs
• allow provider and SDK builds, and then examples, to start without waiting on provider unit tests or schema comparison
• keep the old prerequisite ordering for NoSchema, UseProviderBinarySchemaGen, and non-acceptance workflow callers

Motivation

pulumi/pulumi-aws has been spending too much wall-clock time in run-acceptance-tests because the prerequisites job serializes work that does not need to block provider builds, SDK builds, or example tests.

We prototyped this ordering change directly in pulumi-aws before moving it into ci-mgmt. In that experiment, the improvement came from workflow ordering rather than dropping validation. The old critical path was roughly 1h50m+, while the refactored ordering finished closer to 1h00m. The key behavioral change was that examples could start once provider and SDK artifacts were ready, instead of waiting for test_provider.

This PR brings that ordering into generated bridged-provider acceptance workflows while keeping the scope conservative. Only traditional schema-based acceptance workflows opt into the split. Release, prerelease, main, and nightly workflows continue to use the full existing prerequisites behavior unless they explicitly opt into the fan-out path later.

Details

• adds an acceptance_fanout input to prerequisites.yml, defaulting to false
• when fan-out is enabled, prerequisites only prepares the workspace, generates schema_embed, builds tfgen, and uploads prerequisite artifacts
• adds separate test_provider and build_schema jobs to run-acceptance-tests.yml
• updates sentinel dependencies so test does not need test_provider, while sentinel still depends on test, build_provider, build_schema, test_provider, and license_check
• adds a generated schema_embed Makefile target for traditional bridged providers
• preserves the old ordering for NoSchema and UseProviderBinarySchemaGen

Testing

• cd provider-ci && make gen
• git diff --check
• cd provider-ci && make all

[corymhall]

Tested this on pulumi-aws in pulumi/pulumi-aws#6366

Before: ~1h30m

After: ~1h

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5c42d49f05

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Remove touched provider state before schema build

In the new build_schema job, running make --touch provider right before make schema causes schema generation to be skipped for traditional bridged providers: provider depends on .make/schema (via bin/$(PROVIDER) in base/Makefile), so --touch creates/updates .make/schema, and the subsequent make schema becomes a no-op. That means schema validation/comment steps run against the checked-in schema instead of a freshly generated one, so acceptance fanout can miss schema drift introduced by the PR.

Useful? React with 👍 / 👎.

[corymhall]

Fixed in 2677d2b by removing the make --touch provider step from build_schema, so the split schema job runs make schema directly after restoring prerequisites.

[github-actions]

The new test_provider and build_schema jobs lack a runtime inputs.acceptance_fanout guard. When the flag is false (default), these jobs still run and build_sdk waits for them — regressing the non-fanout path. See inline comment for details and suggested fix.

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

• proxy.golang.org

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "proxy.golang.org"

See Network Configuration for more information.

Reviewed by Internal Trusted PR Reviewer

To install this agentic workflow, run

gh aw add pulumi-labs/gh-aw-internal/.github/workflows/gh-aw-pr-review.md@8a92f53fac170563f7727cacab2dbedb5d5b9e29

[corymhall]

On the inputs.acceptance_fanout point: I don't think a runtime guard applies in run-acceptance-tests.yml.

run-acceptance-tests.yml is not itself a reusable workflow with inputs; the only reusable workflow input is on prerequisites.yml. For traditional schema providers, the generated acceptance workflow always passes acceptance_fanout: true to prerequisites, and the split test_provider / build_schema jobs are generated in that same template branch.

For NoSchema and UseProviderBinarySchemaGen, those jobs are not generated at all. For non-acceptance callers (main, release, prerelease, nightly-test), these jobs also do not exist; they call prerequisites.yml without acceptance_fanout, so the default-false path keeps the old full prerequisites behavior.

So adding inputs.acceptance_fanout to these jobs would either be invalid for this workflow or redundant with the template-level guard.

invalid