Merge branch 'main' into stu/add_tag_plus_check

Author: stuartp44

.ci/Dockerfile

@@ -1,5 +1,5 @@
 #syntax=docker/dockerfile:1.2
-FROM node:20 as build
+FROM node@sha256:0c0734eb7051babbb3e95cd74e684f940552b31472152edf0bb23e54ab44a0d7 as build
 WORKDIR /lambdas
 RUN apt-get update \
         && apt-get install -y zip \

.devcontainer/Dockerfile

@@ -1,2 +1 @@
-ARG VARIANT="20-bullseye"
-FROM mcr.microsoft.com/vscode/devcontainers/typescript-node:0-${VARIANT}
+FROM mcr.microsoft.com/vscode/devcontainers/typescript-node@sha256:acdce1045a2ddce4c66846d5cd09adf746d157fce9233124e4925b647f192b2e

.github/dependabot.yml

@@ -51,3 +51,23 @@ updates:
     commit-message:
       prefix: "fix(lambda)"
       prefix-development: "chore(lambda)"
+
+  - package-ecosystem: "docker"
+    directory: "/.ci/Dockerfile"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "dependencies"
+      - "docker"
+    commit-message:
+      prefix: "chore(docker)"
+
+  - package-ecosystem: "docker"
+    directory: "/.devcontainer/Dockerfile"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "dependencies"
+      - "docker"
+    commit-message:
+      prefix: "chore(devcontainer)"

.github/workflows/actions.yml

@@ -51,7 +51,7 @@ jobs:
           path: results.sarif
 
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
+        uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
         with:
           sarif_file: results.sarif
           category: actions-zizmor

.github/workflows/codeql.yml

@@ -31,12 +31,12 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
+      uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
       with:
         languages: ${{ matrix.language }}
         build-mode: none
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@fca7ace96b7d713c7035871441bd52efbe39e27e # v3.28.19
+      uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/ossf-scorecard.yml

@@ -0,0 +1,48 @@
+name: OSSF Scorecard supply-chain security
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: '44 19 * * 2'
+  workflow_dispatch:
+  push:
+    branches: [ "main" ]
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
+    permissions:
+      security-events: write
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
+      # format to the repository Actions tab.
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b
+        with:
+          sarif_file: results.sarif

.github/workflows/release.yml

@@ -45,7 +45,7 @@ jobs:
       - name: Attest
         if: ${{ steps.release.outputs.releases_created == 'true' }}
         id: attest
-        uses: actions/attest-build-provenance@db473fddc028af60658334401dc6fa3ffd8669fd # v2.3.0
+        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # v2.4.0
         with:
           subject-path: '${{ github.workspace }}/lambdas/functions/**/*.zip'
       - name: Update release notes with attestation
@@ -62,7 +62,7 @@ jobs:
           gh release view $version --json body -q '.body' > new-release-notes.md
           echo "## Attestation" >> new-release-notes.md
           echo "Attestation url: $attestation_url" >> new-release-notes.md
-          echo "Verify the artifacts by running \`gh attest verify <name_of_artifact> --repo ${{ github.repository }}\`" >> new-release-notes.md
+          echo "Verify the artifacts by running \`gh attestation verify <name_of_artifact> --repo ${{ github.repository }}\`" >> new-release-notes.md
           gh release edit $tag_name -F new-release-notes.md -t $tag_name
       - name: Upload release assets
         if: ${{ steps.release.outputs.releases_created == 'true' }}
@@ -74,3 +74,23 @@ jobs:
           for f in $(find . -name '*.zip'); do
             gh release upload $tag_name $f
           done
+      - name: Attach attestation
+        if: ${{ steps.release.outputs.releases_created == 'true' }}
+        env:
+          ATTESTATION_BUNDLE: ${{ steps.attest.outputs.bundle-path }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG_NAME: ${{ steps.release.outputs.tag_name }}
+          ATTESTATION_ID: ${{ steps.attest.outputs.attestation-id }}
+        run: |
+          # rename attest bundle to github-aws-runners-terraform-aws-github-runner-attestation-$attestation-id.sigstore
+          # OpenSSF expects the attestation bundle to be named in this format (*.sigstore)
+          SIGSTORE_BUNDLE=$RUNNER_TEMP/github-aws-runners-terraform-aws-github-runner-attestation-${ATTESTATION_ID}.sigstore
+          INTOTO_BUNDLE=$RUNNER_TEMP/github-aws-runners-terraform-aws-github-runner-attestation-${ATTESTATION_ID}.intoto.jsonl
+          mv ${ATTESTATION_BUNDLE} $SIGSTORE_BUNDLE
+          if [ -z "$SIGSTORE_BUNDLE" ]; then
+            echo "No attestation bundle found, skipping attachment."
+            exit 0
+          fi
+          gh release upload $TAG_NAME "$SIGSTORE_BUNDLE"
+          cat ${SIGSTORE_BUNDLE} | jq -r '.dsseEnvelope | select(.payloadType == "application/vnd.in-toto+json").payload' | base64 -d | jq .> ${INTOTO_BUNDLE}
+          gh release upload $TAG_NAME "${INTOTO_BUNDLE}"

CHANGELOG.md

@@ -1,5 +1,64 @@
 # Changelog
 
+## [6.6.0](https://github.com/github-aws-runners/terraform-aws-github-runner/compare/v6.5.11...v6.6.0) (2025-07-01)
+
+
+### Features
+
+* **runner:** support Ubuntu 24.04 ([#4246](https://github.com/github-aws-runners/terraform-aws-github-runner/issues/4246)) ([76456b5](https://github.com/github-aws-runners/terraform-aws-github-runner/commit/76456b5f625fa36140b7a7e9c1a104b248eeef7f))
+
+
+### Bug Fixes
+
+* **lambda:** bump @octokit/webhooks from 14.0.2 to 14.1.0 in /lambdas in the octokit group ([#4651](https://github.com/github-aws-runners/terraform-aws-github-runner/issues/4651)) ([754ffc8](https://github.com/github-aws-runners/terraform-aws-github-runner/commit/754ffc80fd7c70b3260be5d2c9ac88e350325cf9))
+* **lambda:** bump the aws group in /lambdas with 6 updates ([#4641](https://github.com/github-aws-runners/terraform-aws-github-runner/issues/4641)) ([1955841](https://github.com/github-aws-runners/terraform-aws-github-runner/commit/19558416b8b43080235329eadb2000f8d63555fa))
+* **lambda:** bump the aws group in /lambdas with 7 updates ([#4650](https://github.com/github-aws-runners/terraform-aws-github-runner/issues/4650)) ([e53710e](https://github.com/github-aws-runners/terraform-aws-github-runner/commit/e53710ef6d7e20b15e839bcdb7754d47d7ce612f))
+* support Terraform AWS Provider v6 ([#4646](https://github.com/github-aws-runners/terraform-aws-github-runner/issues/4646)) ([aebef80](https://github.com/github-aws-runners/terraform-aws-github-runner/commit/aebef800ce165fd0df26d774f9c344c1cf02d245))
+
+## [6.5.11](https://github.com/github-aws-runners/terraform-aws-github-runner/compare/v6.5.10...v6.5.11) (2025-06-24)
+
+
+### Bug Fixes
+
+* **lambda:** bump the aws group in /lambdas with 3 updates ([#4632](https://github.com/github-aws-runners/terraform-aws-github-runner/issues/4632)) ([59d67f5](https://github.com/github-aws-runners/terraform-aws-github-runner/commit/59d67f52d88eac2fd79161dcf02cb3145cddb2cc))
+* **lambda:** bump the aws-powertools group in /lambdas with 4 updates ([#4633](https://github.com/github-aws-runners/terraform-aws-github-runner/issues/4633)) ([bf91646](https://github.com/github-aws-runners/terraform-aws-github-runner/commit/bf9164643d8a82c381c7043fd17110ab17e5959e))
+
+## [6.5.10](https://github.com/github-aws-runners/terraform-aws-github-runner/compare/v6.5.9...v6.5.10) (2025-06-23)
+
+
+### Bug Fixes
+
+* **ami-housekeeper:** don't delete referenced AMIs in default config ([#4623](https://github.com/github-aws-runners/terraform-aws-github-runner/issues/4623)) ([d860feb](https://github.com/github-aws-runners/terraform-aws-github-runner/commit/d860febe38b52cfd410c5f0e4d668791346cebda))
+* **docs:** github artifact attestation command in release notes ([#4624](https://github.com/github-aws-runners/terraform-aws-github-runner/issues/4624)) ([ff39d4f](https://github.com/github-aws-runners/terraform-aws-github-runner/commit/ff39d4f30992f7e37db086ae01c49c9ce233334f))
+
+## [6.5.9](https://github.com/github-aws-runners/terraform-aws-github-runner/compare/v6.5.8...v6.5.9) (2025-06-17)
+
+
+### Bug Fixes
+
+* Dynamic set SSM-paramater tier [#4613](https://github.com/github-aws-runners/terraform-aws-github-runner/issues/4613) ([#4622](https://github.com/github-aws-runners/terraform-aws-github-runner/issues/4622)) ([430c6e8](https://github.com/github-aws-runners/terraform-aws-github-runner/commit/430c6e8b62bc06f5daa7690d9e09bc4c359f866e))
+* **lambda:** bump the aws group in /lambdas with 6 updates ([ddbe7db](https://github.com/github-aws-runners/terraform-aws-github-runner/commit/ddbe7dbd311b2cd296c189403bc24f79718a6477))
+* **lambda:** bump the aws-powertools group in /lambdas with 4 updates ([91a06e9](https://github.com/github-aws-runners/terraform-aws-github-runner/commit/91a06e9d8f25b15247fe1c3733ac6d230ab45bf1))
+
+## [6.5.8](https://github.com/github-aws-runners/terraform-aws-github-runner/compare/v6.5.7...v6.5.8) (2025-06-12)
+
+
+### Bug Fixes
+
+* scale down log level ([1d32d26](https://github.com/github-aws-runners/terraform-aws-github-runner/commit/1d32d262ff67a13b0eab8cb6b4f19fa5f9479324))
+
+## [6.5.7](https://github.com/github-aws-runners/terraform-aws-github-runner/compare/v6.5.6...v6.5.7) (2025-06-11)
+
+
+### Bug Fixes
+
+* add comment in terraform code ([d9d6373](https://github.com/github-aws-runners/terraform-aws-github-runner/commit/d9d6373b217f8abe7b112c1746c437deae25f569))
+* handle enable_on_demand_failover_for_errors default value ([ab8b15f](https://github.com/github-aws-runners/terraform-aws-github-runner/commit/ab8b15f9f2686a7a0cffe5b9de05432014a01cda))
+* **lambda:** bump the aws group across 1 directory with 7 updates ([0558831](https://github.com/github-aws-runners/terraform-aws-github-runner/commit/05588310ee8c409e29b5148930b16b3ea4f4e7d5))
+* **lambda:** bump the aws-powertools group in /lambdas with 4 updates ([0219411](https://github.com/github-aws-runners/terraform-aws-github-runner/commit/0219411d2b9bc56fad6d6e90fe94de42cc95216e))
+* **lambda:** bump the octokit group across 1 directory with 3 updates ([015752a](https://github.com/github-aws-runners/terraform-aws-github-runner/commit/015752a93b05a6ceef34f0936202a2f8ea7df35d))
+* only tag spot requests if no on-demand fallback ([2a28ef1](https://github.com/github-aws-runners/terraform-aws-github-runner/commit/2a28ef1bc5aeb0280b92c5f7b6aabf69c1a68b81))
+
 ## [6.5.6](https://github.com/github-aws-runners/terraform-aws-github-runner/compare/v6.5.5...v6.5.6) (2025-05-24)
 
 

README.md

@@ -1,6 +1,6 @@
 # Terraform module Self-Hosted Scalable GitHub Actions runners on AWS.
 
-[![docs](https://img.shields.io/badge/docs-runners-blue.svg)](https://github-aws-runners.github.io/terraform-aws-github-runner) [![awesome-runners](https://img.shields.io/badge/listed%20on-awesome--runners-blue.svg)](https://github.com/jonico/awesome-runners) [![Terraform registry](https://img.shields.io/github/v/release/github-aws-runners/terraform-aws-github-runner?label=Terraform%20Registry)](https://registry.terraform.io/modules/github-aws-runners/github-runner/aws/) [![Terraform checks](https://github.com/github-aws-runners/terraform-aws-github-runner/actions/workflows/terraform.yml/badge.svg)](https://github.com/github-aws-runners/terraform-aws-github-runner/actions/workflows/terraform.yml) [![Lambdas](https://github.com/github-aws-runners/terraform-aws-github-runner/actions/workflows/lambda.yml/badge.svg)](https://github.com/github-aws-runners/terraform-aws-github-runner/actions/workflows/lambda.yml)
+[![docs](https://img.shields.io/badge/docs-runners-blue.svg)](https://github-aws-runners.github.io/terraform-aws-github-runner) [![awesome-runners](https://img.shields.io/badge/listed%20on-awesome--runners-blue.svg)](https://github.com/jonico/awesome-runners) [![Terraform registry](https://img.shields.io/github/v/release/github-aws-runners/terraform-aws-github-runner?label=Terraform%20Registry)](https://registry.terraform.io/modules/github-aws-runners/github-runner/aws/) [![Terraform checks](https://github.com/github-aws-runners/terraform-aws-github-runner/actions/workflows/terraform.yml/badge.svg)](https://github.com/github-aws-runners/terraform-aws-github-runner/actions/workflows/terraform.yml) [![Lambdas](https://github.com/github-aws-runners/terraform-aws-github-runner/actions/workflows/lambda.yml/badge.svg)](https://github.com/github-aws-runners/terraform-aws-github-runner/actions/workflows/lambda.yml) [![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/github-aws-runners/terraform-aws-github-runner/badge)](https://scorecard.dev/viewer/?uri=github.com/github-aws-runners/terraform-aws-github-runner)
 
 > 📢 We're moving `terraform-aws-github-runner` to a new organization https://github.com/github-aws-runners in January to foster growth and community ownership! 🎉 Join us on our new [Discord server](https://discord.gg/bxgXW8jJGh) for discussions and updates. Please see #4298 for more details.
 
@@ -70,14 +70,14 @@ Join our discord community via [this invite link](https://discord.gg/bxgXW8jJGh)
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
-| <a name="requirement_aws"></a> [aws](#requirement\_aws) | ~> 5.77 |
+| <a name="requirement_aws"></a> [aws](#requirement\_aws) | >= 5.77 |
 | <a name="requirement_random"></a> [random](#requirement\_random) | ~> 3.0 |
 
 ## Providers
 
 | Name | Version |
 |------|---------|
-| <a name="provider_aws"></a> [aws](#provider\_aws) | ~> 5.77 |
+| <a name="provider_aws"></a> [aws](#provider\_aws) | >= 5.77 |
 | <a name="provider_random"></a> [random](#provider\_random) | ~> 3.0 |
 
 ## Modules

docs/configuration.md

@@ -19,6 +19,12 @@ To be able to support a number of use-cases, the module has quite a lot of confi
 
 The module uses the AWS System Manager Parameter Store to store configuration for the runners, as well as registration tokens and secrets for the Lambdas. Paths for the parameters can be configured via the variable `ssm_paths`. The location of the configuration parameters is retrieved by the runners via the instance tag `ghr:ssm_config_path`. The following default paths will be used. Tokens or JIT config stored in the token path will be deleted after retrieval by instance, data not deleted after a day will be deleted by a SSM housekeeper lambda.
 
+Furthermore, to accommodate larger JIT configurations or other stored values, the module implements automatic tier selection for SSM parameters:
+
+-   **Parameter Tiering**: If the size of a parameter's value exceeds 4KB (specifically, 4000 bytes), the module will automatically use the 'Advanced' tier for that SSM parameter. Values smaller than this threshold will use the 'Standard' tier.
+-   **Cost Implications**: While the 'Standard' tier is generally free for a certain number of parameters and operations, the 'Advanced' tier incurs costs. These costs are typically pro-rated per hour for each parameter stored using the Advanced tier. For detailed and up-to-date pricing, please refer to the [AWS Systems Manager Pricing page](https://aws.amazon.com/systems-manager/pricing/#Parameter_Store).
+-   **Housekeeping Recommendation**: The last sentence of the "AWS SSM Parameters" section already mentions that "data not deleted after a day will be deleted by a SSM housekeeper lambda." It is crucial to ensure this or a similar housekeeping mechanism is active and correctly configured, especially considering the potential costs associated with 'Advanced' tier parameters. This utility should identify and delete any orphaned parameters to help manage costs and maintain a clean SSM environment.
+
 | Path                                                          | Description                                                                                                                                                                                                                     |
 | ------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | `ssm_paths.root/var.prefix?/app/`                             | App secrets used by Lambda's                                                                                                                                                                                                    |