From 38f3b1af82c0a14e1044e73811037ea96823e4e2 Mon Sep 17 00:00:00 2001
From: Garrett Beatty
Date: Tue, 29 Apr 2025 12:53:16 -0400
Subject: [PATCH 01/10] Add dependabot configuration (#216)
---
 .github/dependabot.yml | 13 +++++++++++++
 1 file changed, 13 insertions(+)
 create mode 100644 .github/dependabot.yml
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 0000000..b76d5c8
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,13 @@
+# Set update schedule for GitHub Actions
+
+version: 2
+updates:
+
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ # Check for updates to GitHub Actions every week
+ interval: "weekly"
+ labels:
+ - "Release Not Needed"
+ target-branch: "dev"
\ No newline at end of file
From 20db9e035ba4b4489123cd4cd85f78481335b205 Mon Sep 17 00:00:00 2001
From: Garrett Beatty
Date: Wed, 7 May 2025 17:37:20 -0400
Subject: [PATCH 02/10] Add Semgrep security scanning workflow (#217)
---
 .github/workflows/semgrep-analysis.yml | 41 ++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
 create mode 100644 .github/workflows/semgrep-analysis.yml
diff --git a/.github/workflows/semgrep-analysis.yml b/.github/workflows/semgrep-analysis.yml
new file mode 100644
index 0000000..021f0fe
--- /dev/null
+++ b/.github/workflows/semgrep-analysis.yml
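Review bot: `target-branch: "dev"` scopes this entry to version updates of the workflow files on `dev`; as I read the Dependabot docs, once `target-branch` is set the entry's settings (including the `labels:` here) no longer apply to security-update PRs, which Dependabot keeps raising against the default branch. If `main` only receives these bumps through the dev-to-main sync, that is presumably intended, but it is worth stating in the file so nobody later wonders why security bumps land elsewhere, e.g. `# Version updates go to dev; Dependabot security updates still target the default branch` above `target-branch`.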
@@ -0,0 +1,41 @@
+name: Semgrep
+
+on:
+ # Scan changed files in PRs, block on new issues only (existing issues ignored)
+ pull_request:
+
+ push:
+ branches: ["dev", "main"]
+
+ schedule:
+ - cron: '23 20 * * 1'
+
+ # Manually trigger the workflow
+ workflow_dispatch:
+
+jobs:
+ semgrep:
+ name: Scan
+ permissions:
+ security-events: write
+ runs-on: ubuntu-latest
+ container:
+ image: returntocorp/semgrep
+ # Skip any PR created by dependabot to avoid permission issues
+ if: (github.actor != 'dependabot[bot]')
+ steps:
+ # Fetch project source
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+
+ - run: semgrep ci --sarif > semgrep.sarif
+ env:
+ SEMGREP_RULES: >- # more at semgrep.dev/explore
+ p/security-audit
+ p/secrets
+ p/owasp-top-ten
+
+ - name: Upload SARIF file for GitHub Advanced Security Dashboard
+ uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 #v3.28.16
+ with:
+ sarif_file: semgrep.sarif
+ if: always()
From 461e6f1d62181b986cef83f62d280f43c85faa92 Mon Sep 17 00:00:00 2001
From: Ashish Dhingra <67916761+ashishdhingra@users.noreply.github.com>
Date: Tue, 3 Jun 2025 14:18:07 -0700
Subject: [PATCH 03/10] chore: Pinned to v1.6.0 of aws-github-ops/handle-stale-discussions so that closed GitHub discussions are not auto-reopened.
---
 .github/workflows/handle-stale-discussions.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/handle-stale-discussions.yml b/.github/workflows/handle-stale-discussions.yml
index bfa00bd..25a7055 100644
--- a/.github/workflows/handle-stale-discussions.yml
+++ b/.github/workflows/handle-stale-discussions.yml
@@ -13,6 +13,6 @@ jobs:
 discussions: write
 steps:
 - name: Stale discussions action
- uses: aws-github-ops/handle-stale-discussions@711a9813957be17629fc6933afcd8bd132c57254 #v1.6
+ uses: aws-github-ops/handle-stale-discussions@c0beee451a5d33d9c8f048a6d4e7c856b5422544 #v1.6.0
 env:
 GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
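Review bot: `image: returntocorp/semgrep` is the one unpinned dependency in the new workflow: every `uses:` is pinned to a commit SHA, but the container image has no tag or digest, so it resolves to the mutable `latest` on every run and the scanner that produces the SARIF can change without any commit to this repository. Pin it the same way, e.g. `image: returntocorp/semgrep:<version>@sha256:<digest>` (placeholders), and let Dependabot bump it. The job-level `permissions:` block lists only `security-events: write`, which sets every other scope to `none`; on a public repository the checkout still succeeds, but if this repository is private the checkout step needs `contents: read` (GitHub's Semgrep starter workflow lists it for exactly that case), so adding it is a cheap safeguard. Note also that `pull_request` runs from forks get a read-only token, so the `upload-sarif` step will likely fail for those even with `if: always()`; the `if: (github.actor != 'dependabot[bot]')` guard covers Dependabot only.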
From d1e9bd1a7dd8395d7133029b6db41cca1e773ed4 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 11 Jun 2025 17:47:22 +0000
Subject: [PATCH 04/10] chore(deps): bump actions/checkout from 3.6.0 to 4.2.2
Bumps [actions/checkout](https://github.com/actions/checkout) from 3.6.0 to 4.2.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v3.6.0...11bd71901bbe5b1630ceea73d27597364c9af683)
---
updated-dependencies:
- dependency-name: actions/checkout
 dependency-version: 4.2.2
 dependency-type: direct:production
 update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
---
 .github/workflows/change-file-in-pr.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/change-file-in-pr.yml b/.github/workflows/change-file-in-pr.yml
index 43d1f29..f25a315 100644
--- a/.github/workflows/change-file-in-pr.yml
+++ b/.github/workflows/change-file-in-pr.yml
@@ -12,7 +12,7 @@ jobs:
 steps:
 - name: Checkout PR code
- uses: actions/checkout@f43a0e5ff2bd294095638e18286ca9a3d1956744 #v3.6.0
+ uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
 - name: Get List of Changed Files
 id: changed-files
From d7a6d9a8e42da8f27fc09101298224cc37250ad8 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 11 Jun 2025 14:48:17 -0400
Subject: [PATCH 05/10] chore(deps): bump github/codeql-action from 3.28.16 to 3.28.19 (#223)
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.28.16 to 3.28.19.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/28deaeda66b76a05916b6923827895f2b14ab387...fca7ace96b7d713c7035871441bd52efbe39e27e)
---
updated-dependencies:
- dependency-name: github/codeql-action
 dependency-version: 3.28.19
 dependency-type: direct:production
 update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/semgrep-analysis.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/semgrep-analysis.yml b/.github/workflows/semgrep-analysis.yml
index 021f0fe..7b24516 100644
--- a/.github/workflows/semgrep-analysis.yml
+++ b/.github/workflows/semgrep-analysis.yml
@@ -35,7 +35,7 @@ jobs:
 p/owasp-top-ten
 - name: Upload SARIF file for GitHub Advanced Security Dashboard
- uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 #v3.28.16
+ uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e #v3.28.19
 with:
 sarif_file: semgrep.sarif
 if: always()
From e3793dcad3b77d3fbff7c2c73e91362aa18ee584 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 11 Jun 2025 14:48:28 -0400
Subject: [PATCH 06/10] chore(deps): bump tj-actions/changed-files from 45.0.4 to 46.0.5 (#224)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 45.0.4 to 46.0.5.
- [Release notes](https://github.com/tj-actions/changed-files/releases)
- [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md)
- [Commits](https://github.com/tj-actions/changed-files/compare/4edd678ac3f81e2dc578756871e4d00c19191daf...ed68ef82c095e0d48ec87eccea555d944a631a4c)
---
updated-dependencies:
- dependency-name: tj-actions/changed-files
 dependency-version: 46.0.5
 dependency-type: direct:production
 update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/change-file-in-pr.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/change-file-in-pr.yml b/.github/workflows/change-file-in-pr.yml
index 43d1f29..287685c 100644
--- a/.github/workflows/change-file-in-pr.yml
+++ b/.github/workflows/change-file-in-pr.yml
@@ -16,7 +16,7 @@ jobs:
 - name: Get List of Changed Files
 id: changed-files
- uses: tj-actions/changed-files@4edd678ac3f81e2dc578756871e4d00c19191daf #v45
+ uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c #v45
 - name: Check for Change File(s) in .autover/changes/
 run: |
From 11d26555aa4cf1171974f261f134cb5f14130ade Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 11 Jun 2025 14:48:31 -0400
Subject: [PATCH 07/10] chore(deps): bump aws-actions/aws-secretsmanager-get-secrets (#222)
Bumps [aws-actions/aws-secretsmanager-get-secrets](https://github.com/aws-actions/aws-secretsmanager-get-secrets) from 2.0.8 to 2.0.9.
- [Release notes](https://github.com/aws-actions/aws-secretsmanager-get-secrets/releases)
- [Commits](https://github.com/aws-actions/aws-secretsmanager-get-secrets/compare/fbd65ea98e018858715f591f03b251f02b2316cb...5e19ff380d035695bdd56bbad320ca535c9063f2)
---
updated-dependencies:
- dependency-name: aws-actions/aws-secretsmanager-get-secrets
 dependency-version: 2.0.9
 dependency-type: direct:production
 update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
 .github/workflows/create-release-pr.yml | 2 +-
 .github/workflows/sync-main-dev.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/create-release-pr.yml b/.github/workflows/create-release-pr.yml
index 124d857..67d95ff 100644
--- a/.github/workflows/create-release-pr.yml
+++ b/.github/workflows/create-release-pr.yml
@@ -31,7 +31,7 @@ jobs:
 aws-region: us-west-2
 # Retrieve the Access Token from Secrets Manager
 - name: Retrieve secret from AWS Secrets Manager
- uses: aws-actions/aws-secretsmanager-get-secrets@fbd65ea98e018858715f591f03b251f02b2316cb #v2.0.8
+ uses: aws-actions/aws-secretsmanager-get-secrets@5e19ff380d035695bdd56bbad320ca535c9063f2 #v2.0.9
 with:
 secret-ids: |
 AWS_SECRET, ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_NAME }}
diff --git a/.github/workflows/sync-main-dev.yml b/.github/workflows/sync-main-dev.yml
index 3d1b8a4..268099b 100644
--- a/.github/workflows/sync-main-dev.yml
+++ b/.github/workflows/sync-main-dev.yml
@@ -32,7 +32,7 @@ jobs:
 aws-region: us-west-2
 # Retrieve the Access Token from Secrets Manager
 - name: Retrieve secret from AWS Secrets Manager
- uses: aws-actions/aws-secretsmanager-get-secrets@fbd65ea98e018858715f591f03b251f02b2316cb #v2.0.8
+ uses: aws-actions/aws-secretsmanager-get-secrets@5e19ff380d035695bdd56bbad320ca535c9063f2 #v2.0.9
 with:
 secret-ids: |
 AWS_SECRET, ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_NAME }}
From 196ef3cdfceb136f10f17437ba81a362f30d11f8 Mon Sep 17 00:00:00 2001
From: Sanket T <59204773+sankettangade@users.noreply.github.com>
Date: Mon, 16 Jun 2025 14:40:23 -0700
Subject: [PATCH 08/10] Update dependabot.yml
---
 .github/dependabot.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index b76d5c8..6d94fa0 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -7,7 +7,7 @@ updates:
 directory: "/"
 schedule:
 # Check for updates to GitHub Actions every week
- interval: "weekly"
+ interval: "quarterly"
 labels:
 - "Release Not Needed"
- target-branch: "dev"
\ No newline at end of file
+ target-branch: "dev"
From 3fde433d8506429b5c618a4a1d17452120775f7d Mon Sep 17 00:00:00 2001
From: Sanket T <59204773+sankettangade@users.noreply.github.com>
Date: Mon, 16 Jun 2025 14:42:12 -0700
Subject: [PATCH 09/10] Update dependabot.yml
---
 .github/dependabot.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 6d94fa0..8190c86 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -6,7 +6,7 @@ updates:
 - package-ecosystem: "github-actions"
 directory: "/"
 schedule:
- # Check for updates to GitHub Actions every week
+ # Check for updates to GitHub Actions every quarter
 interval: "quarterly"
 labels:
 - "Release Not Needed"
From e755cb0cf7c0960a1b0f20b0663de0c31f5a7862 Mon Sep 17 00:00:00 2001
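Review bot: Changing `interval` from `"weekly"` to `"quarterly"` means the SHA-pinned actions in this repository can sit on a superseded version for up to three months, which lengthens the exposure window whenever an action ships a security fix. If the goal is fewer PRs that is a reasonable trade-off, but it should be stated in the file, and it relies on Dependabot security updates being enabled in the repository settings, since, as I understand it, security-update PRs are raised independently of this `interval`. `quarterly` is also a recently added interval value, so it is worth confirming after merge that the schedule is accepted rather than silently rejected in the Dependabot checks view.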
From: Garrett Beatty
Date: Fri, 20 Jun 2025 13:37:58 -0400
Subject: [PATCH 10/10] Sync main from dev (#219) (#231)
* Add dependabot configuration (#216)
* Add Semgrep security scanning workflow (#217)
* chore: Pinned to v1.6.0 of aws-github-ops/handle-stale-discussions so that closed GitHub discussions are not auto-reopened.
---------
Co-authored-by: Ashish Dhingra <67916761+ashishdhingra@users.noreply.github.com>