From b6bb2689a1434ea8e3d85a8d33a9d443b51abde0 Mon Sep 17 00:00:00 2001
From: Arjun Raja Yogidas <arjunry@amazon.com>
Date: Wed, 15 Oct 2025 01:08:25 +0000
Subject: [PATCH 1/2] ci: group dependabot alerts

Signed-off-by: Arjun Raja Yogidas <arjunry@amazon.com>
---
 .github/dependabot.yaml | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/.github/dependabot.yaml b/.github/dependabot.yaml
index 63ecaf79f..13915545a 100644
--- a/.github/dependabot.yaml
+++ b/.github/dependabot.yaml
@@ -13,6 +13,11 @@ updates:
     prefix: "build"
     include: "scope"
   groups:
+    non-breaking:
+      exclude-patterns: 
+        - "github.com/containerd/nerdctl/v2"
+        - "github.com/docker/docker"
+        - "github.com/docker/cli"
     docker:
       patterns:
         - "github.com/docker/docker"

From 5be308c1c03a0a6f6d8b76001ce30987300194ca Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 15 Oct 2025 01:32:13 +0000
Subject: [PATCH 2/2] ci(deps): bump aws-actions/configure-aws-credentials from
 5.0.0 to 5.1.0

Bumps [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) from 5.0.0 to 5.1.0.
- [Release notes](https://github.com/aws-actions/configure-aws-credentials/releases)
- [Changelog](https://github.com/aws-actions/configure-aws-credentials/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws-actions/configure-aws-credentials/compare/a03048d87541d1d9fcf2ecf528a4a65ba9bd7838...00943011d9042930efac3dcd3a170e4273319bc8)

---
updated-dependencies:
- dependency-name: aws-actions/configure-aws-credentials
  dependency-version: 5.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/build-and-test-deb.yaml              | 2 +-
 .github/workflows/build-and-test-msi.yaml              | 6 +++---
 .github/workflows/build-pkg.yaml                       | 2 +-
 .github/workflows/e2e-linux.yaml                       | 2 +-
 .github/workflows/e2e-macos.yaml                       | 2 +-
 .github/workflows/e2e-windows.yaml                     | 2 +-
 .github/workflows/release-automation.yaml              | 4 ++--
 .github/workflows/sync-submodules-and-deps.yaml        | 2 +-
 .github/workflows/test-pkg.yaml                        | 2 +-
 .github/workflows/upload-build-to-S3.yaml              | 2 +-
 .github/workflows/upload-deb-to-release.yaml           | 8 ++++----
 .github/workflows/upload-installer-to-release.yaml     | 2 +-
 .github/workflows/upload-msi-to-release.yaml           | 2 +-
 .github/workflows/upload-test-report.yaml              | 2 +-
 .github/workflows/upload-verified-artifacts-to-s3.yaml | 2 +-
 15 files changed, 21 insertions(+), 21 deletions(-)

diff --git a/.github/workflows/build-and-test-deb.yaml b/.github/workflows/build-and-test-deb.yaml
index 26b371d68..78df53492 100644
--- a/.github/workflows/build-and-test-deb.yaml
+++ b/.github/workflows/build-and-test-deb.yaml
@@ -79,7 +79,7 @@ jobs:
     timeout-minutes: 60
     steps:
         - name: Configure AWS credentials
-          uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
+          uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
           with:
             role-to-assume: ${{ secrets.DEB_ROLE_PROD }}
             role-session-name: ubuntu-deb
diff --git a/.github/workflows/build-and-test-msi.yaml b/.github/workflows/build-and-test-msi.yaml
index 64de3fc9e..e4680743d 100644
--- a/.github/workflows/build-and-test-msi.yaml
+++ b/.github/workflows/build-and-test-msi.yaml
@@ -96,7 +96,7 @@ jobs:
           persist-credentials: false
           submodules: recursive
       - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
         with:
           role-to-assume: ${{ secrets.WINDOWS_ROLE }}
           role-session-name: windows-msi
@@ -152,7 +152,7 @@ jobs:
               throw "Failed after $maxRetries attempts."
           }
       - name: configure aws credentials for upload signed MSI to installer bucket
-        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
         with:
           role-to-assume: ${{ secrets.ROLE }}
           role-session-name: windows-msi
@@ -210,7 +210,7 @@ jobs:
           echo "has_creds=$has_creds" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf8 -Append
           exit 0 # if $has_creds is false, powershell will exit with code 1 and this step will fail
       - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
         with:
           role-to-assume: ${{ secrets.ROLE }}
           role-session-name: msi-test
diff --git a/.github/workflows/build-pkg.yaml b/.github/workflows/build-pkg.yaml
index 98fe1ce7a..1ab09b07c 100644
--- a/.github/workflows/build-pkg.yaml
+++ b/.github/workflows/build-pkg.yaml
@@ -68,7 +68,7 @@ jobs:
         shell: zsh {0}
 
       - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
         with:
           role-to-assume: ${{ secrets.ROLE }}
           role-session-name: dependency-upload-session
diff --git a/.github/workflows/e2e-linux.yaml b/.github/workflows/e2e-linux.yaml
index 8b1f5e10e..875ecf6b6 100644
--- a/.github/workflows/e2e-linux.yaml
+++ b/.github/workflows/e2e-linux.yaml
@@ -68,7 +68,7 @@ jobs:
           has_creds=${{ (github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name) && github.actor != 'dependabot[bot]' }}
           echo "has_creds=$has_creds" >> $GITHUB_OUTPUT
       - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
         # this action requires node20, skip on AL2
         if: ${{ steps.vars.outputs.has_creds == 'true' && (!(startsWith(inputs.os, 'amazon') && inputs.version == '2' ))}}
         with:
diff --git a/.github/workflows/e2e-macos.yaml b/.github/workflows/e2e-macos.yaml
index d3ca99cc1..d08cfff0a 100644
--- a/.github/workflows/e2e-macos.yaml
+++ b/.github/workflows/e2e-macos.yaml
@@ -61,7 +61,7 @@ jobs:
           has_creds=${{ (github.event_name == 'push' || github.repository == github.event.pull_request.head.repo.full_name) && github.actor != 'dependabot[bot]' }}
           echo "has_creds=$has_creds" >> $GITHUB_OUTPUT
       - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
         if: ${{ steps.vars.outputs.has_creds == 'true' }}
         with:
           role-to-assume: ${{ secrets.ROLE }}
diff --git a/.github/workflows/e2e-windows.yaml b/.github/workflows/e2e-windows.yaml
index 009ed92cd..01a878f2e 100644
--- a/.github/workflows/e2e-windows.yaml
+++ b/.github/workflows/e2e-windows.yaml
@@ -62,7 +62,7 @@ jobs:
           echo "has_creds=$has_creds" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf8 -Append
           exit 0 # if $has_creds is false, powershell will exit with code 1 and this step will fail
       - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
         if: env.has_creds == 'true'
         with:
           role-to-assume: ${{ secrets.ROLE }}
diff --git a/.github/workflows/release-automation.yaml b/.github/workflows/release-automation.yaml
index 1ab83738c..9ddb10a6e 100644
--- a/.github/workflows/release-automation.yaml
+++ b/.github/workflows/release-automation.yaml
@@ -104,7 +104,7 @@ jobs:
       contents: read
     steps:
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
         with:
           role-to-assume: ${{ secrets.ROLE }}
           role-session-name: update-latest-version-in-s3
@@ -131,7 +131,7 @@ jobs:
       contents: read
     steps:
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
         with:
           role-to-assume: ${{ vars.AWS_RELEASE_TRIGGER_ROLE }}
           role-session-name: upload-release-definition-to-s3
diff --git a/.github/workflows/sync-submodules-and-deps.yaml b/.github/workflows/sync-submodules-and-deps.yaml
index 8a11ce3b0..953fb2f03 100644
--- a/.github/workflows/sync-submodules-and-deps.yaml
+++ b/.github/workflows/sync-submodules-and-deps.yaml
@@ -25,7 +25,7 @@ jobs:
           token: ${{ secrets.GITHUB_TOKEN }}
 
       - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
         with:
           aws-region: ${{ secrets.REGION }}
           role-to-assume: ${{ secrets.ROLE }}
diff --git a/.github/workflows/test-pkg.yaml b/.github/workflows/test-pkg.yaml
index 4dc9bb33e..8bcdfd083 100644
--- a/.github/workflows/test-pkg.yaml
+++ b/.github/workflows/test-pkg.yaml
@@ -68,7 +68,7 @@ jobs:
             sudo pkill '^socket_vmnet'
           fi
       - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
         with:
           role-to-assume: ${{ secrets.ROLE }}
           role-session-name: download-installer-session
diff --git a/.github/workflows/upload-build-to-S3.yaml b/.github/workflows/upload-build-to-S3.yaml
index 25205c86b..dfd03466d 100644
--- a/.github/workflows/upload-build-to-S3.yaml
+++ b/.github/workflows/upload-build-to-S3.yaml
@@ -84,7 +84,7 @@ jobs:
           persist-credentials: false
 
       - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
         with:
           role-to-assume: ${{ secrets.ROLE }}
           role-session-name: dependency-upload-session
diff --git a/.github/workflows/upload-deb-to-release.yaml b/.github/workflows/upload-deb-to-release.yaml
index 112107794..77953532a 100644
--- a/.github/workflows/upload-deb-to-release.yaml
+++ b/.github/workflows/upload-deb-to-release.yaml
@@ -47,7 +47,7 @@ jobs:
     timeout-minutes: 10
     steps:
       - name: Configure Signing AWS credentials
-        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
         with:
           role-to-assume: ${{ secrets.DEB_ROLE_PROD }}
           role-session-name: ubuntu-deb
@@ -98,7 +98,7 @@ jobs:
           KEY_ID=$(sudo gpg --import pool/main/f/runfinch-finch/publickey.pem 2>&1 | grep "gpg: key" | cut -d' ' -f3 | cut -d':' -f1)
           sudo gpg --import pool/main/f/runfinch-finch/publickey.pem && sudo gpg --export --armor $KEY_ID > GPG_KEY.pub
       - name: Configure Artifacts AWS credentials
-        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
         with:
           role-to-assume: ${{ secrets.ROLE }}
           role-session-name: ubuntu-deb-create-release
@@ -136,7 +136,7 @@ jobs:
           done
           } >> dists/noble/Release
       - name: Configure Signing AWS credentials
-        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
         with:
           role-to-assume: ${{ secrets.DEB_ROLE_PROD }}
           role-session-name: ubuntu-deb
@@ -168,7 +168,7 @@ jobs:
           mv Release.gpg dists/noble/
           mv Release dists/noble/
       - name: Configure Artifacts AWS credentials
-        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
         with:
           role-to-assume: ${{ secrets.ROLE }}
           role-session-name: ubuntu-deb-create-release
diff --git a/.github/workflows/upload-installer-to-release.yaml b/.github/workflows/upload-installer-to-release.yaml
index a32e9d364..af7672bd4 100644
--- a/.github/workflows/upload-installer-to-release.yaml
+++ b/.github/workflows/upload-installer-to-release.yaml
@@ -34,7 +34,7 @@ jobs:
     timeout-minutes: 2
     steps:
       - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
         with:
           role-to-assume: ${{ secrets.ROLE }}
           role-session-name: download-installer-session
diff --git a/.github/workflows/upload-msi-to-release.yaml b/.github/workflows/upload-msi-to-release.yaml
index d74900c0c..4144d2195 100644
--- a/.github/workflows/upload-msi-to-release.yaml
+++ b/.github/workflows/upload-msi-to-release.yaml
@@ -44,7 +44,7 @@ jobs:
     timeout-minutes: 2
     steps:
       - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
         with:
           role-to-assume: ${{ secrets.ROLE }}
           role-session-name: download-installer-session
diff --git a/.github/workflows/upload-test-report.yaml b/.github/workflows/upload-test-report.yaml
index 7a782e41c..2d12bb746 100644
--- a/.github/workflows/upload-test-report.yaml
+++ b/.github/workflows/upload-test-report.yaml
@@ -46,7 +46,7 @@ jobs:
           is_al2=${{ (startsWith(inputs.os, 'amazon') && inputs.version == '2' ) }}
           echo "is_al2=$is_al2" >> $GITHUB_OUTPUT
       - name: configure aws credentials
-        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
         if: |
             steps.linux2.outputs.is_al2 == 'false'
             && inputs.has-creds == 'true'
diff --git a/.github/workflows/upload-verified-artifacts-to-s3.yaml b/.github/workflows/upload-verified-artifacts-to-s3.yaml
index e61836c91..88b20ccef 100644
--- a/.github/workflows/upload-verified-artifacts-to-s3.yaml
+++ b/.github/workflows/upload-verified-artifacts-to-s3.yaml
@@ -23,7 +23,7 @@ jobs:
           submodules: recursive
           
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
+        uses: aws-actions/configure-aws-credentials@00943011d9042930efac3dcd3a170e4273319bc8 # v5.1.0
         with:
           aws-region: ${{ secrets.REGION }}
           role-to-assume: ${{ secrets.ROLE }}