From 5125f5d8a91cb6756bcb053bd2d60d700b5eef92 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 8 Dec 2025 22:35:06 +0000 Subject: [PATCH 1/2] build(deps): bump the all-github-actions group with 5 updates Bumps the all-github-actions group with 5 updates: | Package | From | To | | --- | --- | --- | | [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) | `5.0.0` | `5.1.1` | | [actions/checkout](https://github.com/actions/checkout) | `4.2.2` | `6.0.1` | | [actions/setup-dotnet](https://github.com/actions/setup-dotnet) | `5.0.0` | `5.0.1` | | [actions/setup-python](https://github.com/actions/setup-python) | `5.6.0` | `6.1.0` | | [github/codeql-action](https://github.com/github/codeql-action) | `3.30.5` | `4.31.7` | Updates `aws-actions/configure-aws-credentials` from 5.0.0 to 5.1.1 - [Release notes](https://github.com/aws-actions/configure-aws-credentials/releases) - [Changelog](https://github.com/aws-actions/configure-aws-credentials/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws-actions/configure-aws-credentials/compare/a03048d87541d1d9fcf2ecf528a4a65ba9bd7838...61815dcd50bd041e203e49132bacad1fd04d2708) Updates `actions/checkout` from 4.2.2 to 6.0.1 - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/11bd71901bbe5b1630ceea73d27597364c9af683...8e8c483db84b4bee98b60c0593521ed34d9990e8) Updates `actions/setup-dotnet` from 5.0.0 to 5.0.1 - [Release notes](https://github.com/actions/setup-dotnet/releases) - [Commits](https://github.com/actions/setup-dotnet/compare/d4c94342e560b34958eacfc5d055d21461ed1c5d...2016bd2012dba4e32de620c46fe006a3ac9f0602) Updates `actions/setup-python` from 5.6.0 to 6.1.0 - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](https://github.com/actions/setup-python/compare/a26af69be951a213d495a4c3e4e4022e16d87065...83679a892e2d95755f2dac6acb0bfd1e9ac5d548) Updates `github/codeql-action` from 3.30.5 to 4.31.7 - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/3599b3baa15b485a2e49ef411a7a4bb2452e7f93...cf1bb45a277cb3c205638b2cd5c984db1c46a412) --- updated-dependencies: - dependency-name: aws-actions/configure-aws-credentials dependency-version: 5.1.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: all-github-actions - dependency-name: actions/checkout dependency-version: 6.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: all-github-actions - dependency-name: actions/setup-dotnet dependency-version: 5.0.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: all-github-actions - dependency-name: actions/setup-python dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-major dependency-group: all-github-actions - dependency-name: github/codeql-action dependency-version: 4.31.7 dependency-type: direct:production update-type: version-update:semver-major dependency-group: all-github-actions ... Signed-off-by: dependabot[bot] --- .github/workflows/AutoUpdateBootstrap.yml | 6 +++--- .github/workflows/DetectCDKBootstrapVersionChanges.yml | 2 +- .github/workflows/DetectDocGeneratorChanges.yml | 6 +++--- .github/workflows/DetectRestAPIClientChanges.yml | 4 ++-- .github/workflows/UploadDockerImage.yml | 6 +++--- .github/workflows/aws-ci.yml | 4 ++-- .github/workflows/change-file-in-pr.yml | 2 +- .github/workflows/create-release-pr.yml | 6 +++--- .github/workflows/doc-builder.yml | 8 ++++---- .github/workflows/semgrep-analysis.yml | 4 ++-- .github/workflows/sync-main-dev.yml | 10 +++++----- 11 files changed, 29 insertions(+), 29 deletions(-) diff --git a/.github/workflows/AutoUpdateBootstrap.yml b/.github/workflows/AutoUpdateBootstrap.yml index 7b7d04f0..6c9a0ab8 100644 --- a/.github/workflows/AutoUpdateBootstrap.yml +++ b/.github/workflows/AutoUpdateBootstrap.yml @@ -16,7 +16,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #v5.0.0 + uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 #v5.1.1 with: role-to-assume: ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_ROLE_ARN }} aws-region: us-west-2 @@ -28,14 +28,14 @@ jobs: AWS_SECRET, ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_NAME }} parse-json-secrets: true - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1 with: fetch-depth: '0' ref: dev token: ${{ env.AWS_SECRET_TOKEN }} - name: Setup .NET - uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d #v5.0.0 + uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 #v5.0.1 with: dotnet-version: '8.0.x' diff --git a/.github/workflows/DetectCDKBootstrapVersionChanges.yml b/.github/workflows/DetectCDKBootstrapVersionChanges.yml index 6cf5e123..296b0113 100644 --- a/.github/workflows/DetectCDKBootstrapVersionChanges.yml +++ b/.github/workflows/DetectCDKBootstrapVersionChanges.yml @@ -6,7 +6,7 @@ jobs: detect-cdk-bootstrap-changes: runs-on: ubuntu-latest steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1 with: fetch-depth: '0' - name: Install AWS CDK diff --git a/.github/workflows/DetectDocGeneratorChanges.yml b/.github/workflows/DetectDocGeneratorChanges.yml index dc61c088..cbac2c97 100644 --- a/.github/workflows/DetectDocGeneratorChanges.yml +++ b/.github/workflows/DetectDocGeneratorChanges.yml @@ -10,16 +10,16 @@ jobs: runs-on: ubuntu-latest steps: - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #v5.0.0 + uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 #v5.1.1 with: role-to-assume: ${{ secrets.CI_MAIN_TESTING_ACCOUNT_ROLE_ARN }} role-duration-seconds: 7200 aws-region: us-west-2 - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1 with: fetch-depth: '0' - name: Setup .NET 10.0 - uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d #v5.0.0 + uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 #v5.0.1 with: dotnet-version: 10.0.x - name: Restore dependencies diff --git a/.github/workflows/DetectRestAPIClientChanges.yml b/.github/workflows/DetectRestAPIClientChanges.yml index 0fd283c0..ddbe1b74 100644 --- a/.github/workflows/DetectRestAPIClientChanges.yml +++ b/.github/workflows/DetectRestAPIClientChanges.yml @@ -6,11 +6,11 @@ jobs: detect-restapi-client-changes: runs-on: ubuntu-latest steps: - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1 with: fetch-depth: '0' - name: Setup .NET 10.0 - uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d #v5.0.0 + uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 #v5.0.1 with: dotnet-version: 10.0.x - name: Restore dependencies diff --git a/.github/workflows/UploadDockerImage.yml b/.github/workflows/UploadDockerImage.yml index 42cbf3e3..6dba6cd0 100644 --- a/.github/workflows/UploadDockerImage.yml +++ b/.github/workflows/UploadDockerImage.yml @@ -16,19 +16,19 @@ jobs: runs-on: ubuntu-latest steps: - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #v5.0.0 + uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 #v5.1.1 with: aws-region: us-west-2 role-to-assume: ${{ secrets.DOCKER_IMAGE_UPLOADER_ROLE }} role-duration-seconds: 1800 - name: Checkout Repository - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1 with: fetch-depth: 0 - name: Setup .NET 8 - uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d #v5.0.0 + uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 #v5.0.1 with: dotnet-version: 8.0.x diff --git a/.github/workflows/aws-ci.yml b/.github/workflows/aws-ci.yml index 39040e66..d759d7a4 100644 --- a/.github/workflows/aws-ci.yml +++ b/.github/workflows/aws-ci.yml @@ -17,7 +17,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #v5.0.0 + uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 #v5.1.1 with: role-to-assume: ${{ secrets.CI_MAIN_TESTING_ACCOUNT_ROLE_ARN }} role-duration-seconds: 7200 @@ -30,7 +30,7 @@ jobs: $roleArn=$(cat ./response.json) "roleArn=$($roleArn -replace '"', '')" >> $env:GITHUB_OUTPUT - name: Configure Test Runner Credentials - uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #v5.0.0 + uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 #v5.1.1 with: role-to-assume: ${{ steps.lambda.outputs.roleArn }} role-duration-seconds: 7200 diff --git a/.github/workflows/change-file-in-pr.yml b/.github/workflows/change-file-in-pr.yml index 60661a47..bb03bd29 100644 --- a/.github/workflows/change-file-in-pr.yml +++ b/.github/workflows/change-file-in-pr.yml @@ -12,7 +12,7 @@ jobs: steps: - name: Checkout PR code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1 - name: Get List of Changed Files id: changed-files diff --git a/.github/workflows/create-release-pr.yml b/.github/workflows/create-release-pr.yml index a2dbda16..b96b7a34 100644 --- a/.github/workflows/create-release-pr.yml +++ b/.github/workflows/create-release-pr.yml @@ -25,7 +25,7 @@ jobs: steps: # Assume an AWS Role that provides access to the Access Token - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #v5.0.0 + uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 #v5.1.1 with: role-to-assume: ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_ROLE_ARN }} aws-region: us-west-2 @@ -38,13 +38,13 @@ jobs: parse-json-secrets: true # Checkout a full clone of the repo - name: Checkout - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1 with: fetch-depth: '0' token: ${{ env.AWS_SECRET_TOKEN }} # Install .NET8 which is needed for AutoVer - name: Setup .NET 8.0 - uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d #v5.0.0 + uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 #v5.0.1 with: dotnet-version: 8.0.x # Install AutoVer to automate versioning and changelog creation diff --git a/.github/workflows/doc-builder.yml b/.github/workflows/doc-builder.yml index 7752e6e9..8f5013b5 100644 --- a/.github/workflows/doc-builder.yml +++ b/.github/workflows/doc-builder.yml @@ -16,18 +16,18 @@ jobs: runs-on: ubuntu-latest steps: - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #v5.0.0 + uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 #v5.1.1 with: role-to-assume: ${{ secrets.CI_MAIN_TESTING_ACCOUNT_ROLE_ARN }} aws-region: us-west-2 - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1 with: fetch-depth: '0' - - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 #v5.6.0 + - uses: actions/setup-python@83679a892e2d95755f2dac6acb0bfd1e9ac5d548 #v6.1.0 with: python-version: 3.x - name: Setup .NET 10 - uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d #v5.0.0 + uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 #v5.0.1 with: dotnet-version: 10.0.x - run: pip install mkdocs-material==8.2.9 diff --git a/.github/workflows/semgrep-analysis.yml b/.github/workflows/semgrep-analysis.yml index 9f0d99d0..2fd88012 100644 --- a/.github/workflows/semgrep-analysis.yml +++ b/.github/workflows/semgrep-analysis.yml @@ -20,7 +20,7 @@ jobs: if: (github.actor != 'dependabot[bot]') steps: # Fetch project source - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1 - run: semgrep scan --sarif --output=semgrep.sarif env: @@ -30,7 +30,7 @@ jobs: p/owasp-top-ten - name: Upload SARIF file for GitHub Advanced Security Dashboard - uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 #v3.30.5 + uses: github/codeql-action/upload-sarif@cf1bb45a277cb3c205638b2cd5c984db1c46a412 #v4.31.7 with: sarif_file: semgrep.sarif if: always() diff --git a/.github/workflows/sync-main-dev.yml b/.github/workflows/sync-main-dev.yml index 85dd0a49..66013784 100644 --- a/.github/workflows/sync-main-dev.yml +++ b/.github/workflows/sync-main-dev.yml @@ -26,7 +26,7 @@ jobs: steps: # Assume an AWS Role that provides access to the Access Token - name: Configure AWS Credentials - uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #v5.0.0 + uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 #v5.1.1 with: role-to-assume: ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_ROLE_ARN }} aws-region: us-west-2 @@ -39,14 +39,14 @@ jobs: parse-json-secrets: true # Checkout a full clone of the repo - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1 with: ref: dev fetch-depth: 0 token: ${{ env.AWS_SECRET_TOKEN }} # Install .NET8 which is needed for AutoVer - name: Setup .NET 8.0 - uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d #v5.0.0 + uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 #v5.0.1 with: dotnet-version: 8.0.x # Install AutoVer which is needed to retrieve information about the current release. @@ -106,13 +106,13 @@ jobs: steps: # Checkout a full clone of the repo - name: Checkout code - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 #v6.0.1 with: ref: releases/next-release fetch-depth: 0 # Install .NET8 which is needed for AutoVer - name: Setup .NET 8.0 - uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d #v5.0.0 + uses: actions/setup-dotnet@2016bd2012dba4e32de620c46fe006a3ac9f0602 #v5.0.1 with: dotnet-version: 8.0.x # Install AutoVer which is needed to retrieve information about the current release. From dc9ed0269ddaf8cf1e8712f6a7a95fcbc4a722d5 Mon Sep 17 00:00:00 2001 From: Adnan Khan Date: Tue, 21 Oct 2025 17:34:48 -0400 Subject: [PATCH 2/2] ci: scope down permissions for stale_issues.yml ci: scope down permissions for closed-issue-message.yml ci: scope down permissions for change-file-in-pr.yml ci: scope down permissions for semgrep-analysis.yml --- .github/workflows/change-file-in-pr.yml | 3 +++ .github/workflows/closed-issue-message.yml | 3 +++ .github/workflows/semgrep-analysis.yml | 3 +++ .github/workflows/stale_issues.yml | 4 ++++ 4 files changed, 13 insertions(+) diff --git a/.github/workflows/change-file-in-pr.yml b/.github/workflows/change-file-in-pr.yml index 60661a47..a078ba57 100644 --- a/.github/workflows/change-file-in-pr.yml +++ b/.github/workflows/change-file-in-pr.yml @@ -4,6 +4,9 @@ on: pull_request: types: [opened, synchronize, reopened, labeled] +permissions: + contents: read + jobs: check-files-in-directory: if: ${{ !contains(github.event.pull_request.labels.*.name, 'Release Not Needed') && !contains(github.event.pull_request.labels.*.name, 'Release PR') }} diff --git a/.github/workflows/closed-issue-message.yml b/.github/workflows/closed-issue-message.yml index 114d4bf4..85745df8 100644 --- a/.github/workflows/closed-issue-message.yml +++ b/.github/workflows/closed-issue-message.yml @@ -2,6 +2,9 @@ name: Closed Issue Message on: issues: types: [closed] +permissions: + issues: write + jobs: auto_comment: runs-on: ubuntu-latest diff --git a/.github/workflows/semgrep-analysis.yml b/.github/workflows/semgrep-analysis.yml index b886b910..467b31fd 100644 --- a/.github/workflows/semgrep-analysis.yml +++ b/.github/workflows/semgrep-analysis.yml @@ -10,6 +10,9 @@ on: schedule: - cron: '23 20 * * 1' +permissions: + contents: read + jobs: semgrep: name: Scan diff --git a/.github/workflows/stale_issues.yml b/.github/workflows/stale_issues.yml index b6462a55..e9ae5267 100644 --- a/.github/workflows/stale_issues.yml +++ b/.github/workflows/stale_issues.yml @@ -5,6 +5,10 @@ on: schedule: - cron: "0 0/3 * * *" +permissions: + issues: write + pull-requests: write + jobs: cleanup: name: Stale issue job