Test upgrade check (#510)

* Enable automated upgrades

- We've now made a release of the upstream test provider so this shouldn't fail.
- This will let us test the upgrade-provider tool in an isolated setting.

* Test pre-release ci-mgmt so we can specify upgrade-provider versions

.ci-mgmt.yaml

@@ -18,7 +18,7 @@ plugins:
     kind: converter
 releaseVerification:
   nodejs: examples/basic
-checkUpstreamUpgrade: false
+checkUpstreamUpgrade: true
 
 # Enable these to test that the disk cleaning works correctly
 freeDiskSpaceBeforeBuild: false

.github/workflows/upgrade-provider.yml

@@ -0,0 +1,76 @@
+# WARNING: This file is autogenerated - changes will be overwritten if not made via https://github.com/pulumi/ci-mgmt
+
+name: Upgrade provider
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: |
+          The version of the upstream provider to upgrade to, without the 'v' prefix
+
+          If no version is specified, it will be inferred from the upstream provider's release tags.
+        required: false
+        type: string
+      upgradeProviderVersion:
+        description: |
+          Version of upgrade-provider to use. This must be a valid git reference in the pulumi/upgrade-provider repo. Defaults to "main"
+        default: main
+        type: string
+  schedule:
+    # 3 AM UTC ~ 8 PM PDT / 7 PM PST daily. Time chosen to run during off hours.
+    - cron: 0 3 * * *
+
+env:
+  GH_TOKEN: ${{ secrets.PULUMI_BOT_TOKEN }}
+  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+jobs:
+  upgrade_provider:
+    name: upgrade-provider
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout Repo
+        uses: actions/checkout@v4
+        with:
+          # Persist credentials so upgrade-provider can push a new branch.
+          persist-credentials: true
+      - name: Setup tools
+        uses: ./.github/actions/setup-tools
+        with:
+          tools: pulumictl, pulumicli, nodejs, python, dotnet, go, java
+      - name: Install upgrade-provider
+        run: go install github.com/pulumi/upgrade-provider@${{ inputs.upgradeProviderVersion || 'main' }}
+        shell: bash
+      - name: "Set up git identity"
+        run: |
+          git config --global user.name '[email protected]'
+          git config --global user.email '[email protected]'
+        shell: bash
+      - name: Create issues for new upstream version
+        if: inputs.version == ''
+        id: upstream_version
+        # This step outputs `latest_version` if there is a pending upgrade
+        run: upgrade-provider "$REPO" --kind=check-upstream-version
+        env:
+          REPO: ${{ github.repository }}
+        shell: bash
+      - name: Calculate target version
+        id: target_version
+        # Prefer the manually specified version if it exists
+        # upstream_version will be empty if the provider is up-to-date
+        run: echo "version=${{ github.event.inputs.version || steps.upstream_version.outputs.latest_version }}" >> "$GITHUB_OUTPUT"
+        shell: bash
+      - name: Attempt provider upgrade
+        id: upgrade_provider
+        # Only attempt the upgrade if we have a target version
+        if: steps.target_version.outputs.version != ''
+        # Don't mark the build as failed if we can't auto-open a PR as we've already opened the upgrade issue for tracking
+        continue-on-error: true
+        run: upgrade-provider "${{ github.repository }}" --kind="all" --target-version="${{ steps.target_version.outputs.version }}" 
+        shell: bash
+      - name: Comment on upgrade issue if automated PR failed
+        if: steps.upgrade_provider.outcome == 'failure'
+        shell: bash
+        run: |
+          issue_number=$(gh issue list --search "pulumiupgradeproviderissue" --repo "${{ github.repository }}" --json=number --jq=".[0].number")
+          gh issue comment "${issue_number}" --repo "${{ github.repository }}" --body "Failed to create automatic PR: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/"
+