Merge branch 'main' into stu/allow_custom_tags

npalm · web-flow · commit 18bd83dde055 · 2025-09-18T23:48:15.000+02:00
diff --git a/.github/workflows/actions.yml b/.github/workflows/actions.yml
@@ -51,7 +51,7 @@ jobs:
           path: results.sarif
 
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@f1f6e5f6af878fb37288ce1c627459e94dbf7d01 # v3.29.5
+        uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3 # v3.29.5
         with:
           sarif_file: results.sarif
           category: actions-zizmor
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -28,7 +28,7 @@ jobs:
 
     steps:
     - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+      uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
       with:
         egress-policy: audit
 
@@ -39,12 +39,12 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@f1f6e5f6af878fb37288ce1c627459e94dbf7d01 # v3.29.5
+      uses: github/codeql-action/init@192325c86100d080feab897ff886c34abd4c83a3 # v3.29.5
       with:
         languages: ${{ matrix.language }}
         build-mode: none
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@f1f6e5f6af878fb37288ce1c627459e94dbf7d01 # v3.29.5
+      uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3 # v3.29.5
       with:
         category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -19,7 +19,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
           egress-policy: audit
 
diff --git a/.github/workflows/lambda.yml b/.github/workflows/lambda.yml
@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
           egress-policy: audit
 
diff --git a/.github/workflows/mkdocs/requirements.in b/.github/workflows/mkdocs/requirements.in
@@ -1 +1 @@
-mkdocs-material==9.6.19
+mkdocs-material==9.6.20
diff --git a/.github/workflows/mkdocs/requirements.txt b/.github/workflows/mkdocs/requirements.txt
@@ -225,9 +225,9 @@ mkdocs-get-deps==0.2.0 \
     --hash=sha256:162b3d129c7fad9b19abfdcb9c1458a651628e4b1dea628ac68790fb3061c60c \
     --hash=sha256:2bf11d0b133e77a0dd036abeeb06dec8775e46efa526dc70667d8863eefc6134
     # via mkdocs
-mkdocs-material==9.6.19 \
-    --hash=sha256:7492d2ac81952a467ca8a10cac915d6ea5c22876932f44b5a0f4f8e7d68ac06f \
-    --hash=sha256:80e7b3f9acabfee9b1f68bd12c26e59c865b3d5bbfb505fd1344e970db02c4aa
+mkdocs-material==9.6.20 \
+    --hash=sha256:b8d8c8b0444c7c06dd984b55ba456ce731f0035c5a1533cc86793618eb1e6c82 \
+    --hash=sha256:e1f84d21ec5fb730673c4259b2e0d39f8d32a3fef613e3a8e7094b012d43e790
     # via -r requirements.in
 mkdocs-material-extensions==1.3.1 \
     --hash=sha256:10c9511cea88f568257f960358a467d12b970e1f7b2c0e5fb2bb48cab1928443 \
diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml
@@ -20,7 +20,7 @@ jobs:
 
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
           egress-policy: audit
 
@@ -48,6 +48,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@f1f6e5f6af878fb37288ce1c627459e94dbf7d01
+        uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/packer-build.yml b/.github/workflows/packer-build.yml
@@ -29,7 +29,7 @@ jobs:
         working-directory: images/${{ matrix.image }}
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
           egress-policy: audit
 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -20,7 +20,7 @@ jobs:
       attestations: write
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
           egress-policy: audit
 
@@ -34,7 +34,7 @@ jobs:
         working-directory: lambdas
         run: yarn install --frozen-lockfile && yarn run test && yarn dist
       - name: Get installation token
-        uses: actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b # v2.1.1
+        uses: actions/create-github-app-token@67018539274d69449ef7c02e8e71183d1719ab42 # v2.1.4
         id: token
         with:
           app-id: ${{ vars.RELEASER_APP_ID }}
diff --git a/.github/workflows/semantic-check.yml b/.github/workflows/semantic-check.yml
@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
           egress-policy: audit
 
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
           egress-policy: audit
 
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
@@ -22,7 +22,7 @@ jobs:
       image: hashicorp/terraform:${{ matrix.terraform }}
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
           egress-policy: audit
 
@@ -96,7 +96,7 @@ jobs:
       image: hashicorp/terraform:${{ matrix.terraform }}
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
           egress-policy: audit
 
@@ -159,7 +159,7 @@ jobs:
       image: hashicorp/terraform:${{ matrix.terraform }}
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
           egress-policy: audit
 
diff --git a/.github/workflows/update-docs.yml b/.github/workflows/update-docs.yml
@@ -18,7 +18,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
           egress-policy: audit
 
@@ -67,7 +67,7 @@ jobs:
       contents: write
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
         with:
           egress-policy: audit
 
diff --git a/lambdas/functions/ami-housekeeper/package.json b/lambdas/functions/ami-housekeeper/package.json
@@ -17,7 +17,7 @@
     "all": "yarn build && yarn format && yarn lint && yarn test"
   },
   "devDependencies": {
-    "@aws-sdk/types": "^3.862.0",
+    "@aws-sdk/types": "^3.887.0",
     "@types/aws-lambda": "^8.10.152",
     "@vercel/ncc": "^0.38.3",
     "aws-sdk-client-mock": "^4.1.0",
@@ -26,8 +26,8 @@
   "dependencies": {
     "@aws-github-runner/aws-powertools-util": "*",
     "@aws-github-runner/aws-ssm-util": "*",
-    "@aws-sdk/client-ec2": "^3.883.0",
-    "@aws-sdk/client-ssm": "^3.883.0",
+    "@aws-sdk/client-ec2": "^3.892.0",
+    "@aws-sdk/client-ssm": "^3.891.0",
     "cron-parser": "^5.3.1"
   },
   "nx": {
diff --git a/lambdas/functions/control-plane/package.json b/lambdas/functions/control-plane/package.json
@@ -17,7 +17,7 @@
     "all": "yarn build && yarn format && yarn lint && yarn test"
   },
   "devDependencies": {
-    "@aws-sdk/types": "^3.862.0",
+    "@aws-sdk/types": "^3.887.0",
     "@octokit/types": "^14.1.0",
     "@types/aws-lambda": "^8.10.152",
     "@types/node": "^22.16.5",
@@ -32,9 +32,9 @@
   "dependencies": {
     "@aws-github-runner/aws-powertools-util": "*",
     "@aws-github-runner/aws-ssm-util": "*",
-    "@aws-lambda-powertools/parameters": "^2.25.2",
-    "@aws-sdk/client-ec2": "^3.883.0",
-    "@aws-sdk/client-sqs": "^3.883.0",
+    "@aws-lambda-powertools/parameters": "^2.26.1",
+    "@aws-sdk/client-ec2": "^3.892.0",
+    "@aws-sdk/client-sqs": "^3.891.0",
     "@middy/core": "^6.4.1",
     "@octokit/auth-app": "8.1.0",
     "@octokit/core": "7.0.3",
diff --git a/lambdas/functions/gh-agent-syncer/package.json b/lambdas/functions/gh-agent-syncer/package.json
@@ -17,7 +17,7 @@
     "all": "yarn build && yarn format && yarn lint && yarn test"
   },
   "devDependencies": {
-    "@aws-sdk/types": "^3.862.0",
+    "@aws-sdk/types": "^3.887.0",
     "@types/aws-lambda": "^8.10.152",
     "@types/node": "^22.16.5",
     "@types/request": "^2.48.13",
@@ -28,11 +28,11 @@
   },
   "dependencies": {
     "@aws-github-runner/aws-powertools-util": "*",
-    "@aws-sdk/client-s3": "^3.884.0",
-    "@aws-sdk/lib-storage": "^3.884.0",
+    "@aws-sdk/client-s3": "^3.892.0",
+    "@aws-sdk/lib-storage": "^3.892.0",
     "@middy/core": "^6.4.1",
     "@octokit/rest": "22.0.0",
-    "axios": "^1.12.0"
+    "axios": "^1.12.2"
   },
   "nx": {
     "includedScripts": [
diff --git a/lambdas/functions/termination-watcher/package.json b/lambdas/functions/termination-watcher/package.json
@@ -15,7 +15,7 @@
     "all": "yarn build && yarn format && yarn lint && yarn test"
   },
   "devDependencies": {
-    "@aws-sdk/types": "^3.862.0",
+    "@aws-sdk/types": "^3.887.0",
     "@types/aws-lambda": "^8.10.152",
     "@types/node": "^22.16.5",
     "@vercel/ncc": "^0.38.3",
@@ -24,7 +24,7 @@
   },
   "dependencies": {
     "@aws-github-runner/aws-powertools-util": "*",
-    "@aws-sdk/client-ec2": "^3.883.0",
+    "@aws-sdk/client-ec2": "^3.892.0",
     "@middy/core": "^6.4.1"
   },
   "nx": {
diff --git a/lambdas/functions/webhook/package.json b/lambdas/functions/webhook/package.json
@@ -17,7 +17,7 @@
     "all": "yarn build && yarn format && yarn lint && yarn test"
   },
   "devDependencies": {
-    "@aws-sdk/client-eventbridge": "^3.883.0",
+    "@aws-sdk/client-eventbridge": "^3.891.0",
     "@octokit/webhooks-types": "^7.6.1",
     "@types/aws-lambda": "^8.10.152",
     "@types/express": "^5.0.0",
@@ -30,7 +30,7 @@
   "dependencies": {
     "@aws-github-runner/aws-powertools-util": "*",
     "@aws-github-runner/aws-ssm-util": "*",
-    "@aws-sdk/client-sqs": "^3.883.0",
+    "@aws-sdk/client-sqs": "^3.891.0",
     "@middy/core": "^6.4.1",
     "@octokit/rest": "22.0.0",
     "@octokit/types": "^14.1.0",
diff --git a/lambdas/functions/webhook/src/runners/dispatch.ts b/lambdas/functions/webhook/src/runners/dispatch.ts
@@ -30,39 +30,39 @@ async function handleWorkflowJob(
   githubEvent: string,
   matcherConfig: Array<RunnerMatcherConfig>,
 ): Promise<Response> {
-  if (body.action === 'queued') {
-    // sort the queuesConfig by order of matcher config exact match, with all true matches lined up ahead.
-    matcherConfig.sort((a, b) => {
-      return a.matcherConfig.exactMatch === b.matcherConfig.exactMatch ? 0 : a.matcherConfig.exactMatch ? -1 : 1;
-    });
-    for (const queue of matcherConfig) {
-      if (canRunJob(body.workflow_job.labels, queue.matcherConfig.labelMatchers, queue.matcherConfig.exactMatch)) {
-        await sendActionRequest({
-          id: body.workflow_job.id,
-          repositoryName: body.repository.name,
-          repositoryOwner: body.repository.owner.login,
-          eventType: githubEvent,
-          installationId: body.installation?.id ?? 0,
-          queueId: queue.id,
-          repoOwnerType: body.repository.owner.type,
-        });
-        logger.info(`Successfully dispatched job for ${body.repository.full_name} to the queue ${queue.id}`);
-        return {
-          statusCode: 201,
-          body: `Successfully queued job for ${body.repository.full_name} to the queue ${queue.id}`,
-        };
-      }
-    }
-    logger.warn(`Received event contains runner labels '${body.workflow_job.labels}' that are not accepted.`);
+  if (body.action !== 'queued') {
     return {
-      statusCode: 202,
-      body: `Received event contains runner labels '${body.workflow_job.labels}' that are not accepted.`,
+      statusCode: 201,
+      body: `Workflow job not queued, not dispatching to queue.`,
     };
   }
-  return {
-    statusCode: 201,
-    body: `Received not queued and will not be ignored.`,
-  };
+  // sort the queuesConfig by order of matcher config exact match, with all true matches lined up ahead.
+  matcherConfig.sort((a, b) => {
+    return a.matcherConfig.exactMatch === b.matcherConfig.exactMatch ? 0 : a.matcherConfig.exactMatch ? -1 : 1;
+  });
+  for (const queue of matcherConfig) {
+    if (canRunJob(body.workflow_job.labels, queue.matcherConfig.labelMatchers, queue.matcherConfig.exactMatch)) {
+      await sendActionRequest({
+        id: body.workflow_job.id,
+        repositoryName: body.repository.name,
+        repositoryOwner: body.repository.owner.login,
+        eventType: githubEvent,
+        installationId: body.installation?.id ?? 0,
+        queueId: queue.id,
+        repoOwnerType: body.repository.owner.type,
+      });
+      logger.info(`Successfully dispatched job for ${body.repository.full_name} to the queue ${queue.id}`);
+      return {
+        statusCode: 201,
+        body: `Successfully queued job for ${body.repository.full_name} to the queue ${queue.id}`,
+      };
+    }
+  }
+  const notAcceptedErrorMsg = `Received event contains runner labels '${body.workflow_job.labels}' from '${
+    body.repository.full_name
+  }' that are not accepted.`;
+  logger.warn(notAcceptedErrorMsg);
+  return { statusCode: 202, body: notAcceptedErrorMsg };
 }
 
 export function canRunJob(
diff --git a/lambdas/libs/aws-powertools-util/package.json b/lambdas/libs/aws-powertools-util/package.json
@@ -20,9 +20,9 @@
     "body-parser": "^2.2.0"
   },
   "dependencies": {
-    "@aws-lambda-powertools/logger": "^2.25.2",
-    "@aws-lambda-powertools/metrics": "^2.25.2",
-    "@aws-lambda-powertools/tracer": "^2.25.2",
+    "@aws-lambda-powertools/logger": "^2.26.1",
+    "@aws-lambda-powertools/metrics": "^2.26.1",
+    "@aws-lambda-powertools/tracer": "^2.26.1",
     "aws-lambda": "^1.0.7"
   },
   "nx": {
diff --git a/lambdas/libs/aws-ssm-util/package.json b/lambdas/libs/aws-ssm-util/package.json
@@ -15,15 +15,15 @@
     "all": "yarn build && yarn format && yarn lint && yarn test"
   },
   "devDependencies": {
-    "@aws-sdk/types": "^3.862.0",
+    "@aws-sdk/types": "^3.887.0",
     "@types/aws-lambda": "^8.10.152",
     "@types/node": "^22.16.5",
     "aws-sdk-client-mock": "^4.1.0",
     "aws-sdk-client-mock-jest": "^4.1.0"
   },
   "dependencies": {
     "@aws-github-runner/aws-powertools-util": "*",
-    "@aws-sdk/client-ssm": "^3.883.0"
+    "@aws-sdk/client-ssm": "^3.891.0"
   },
   "nx": {
     "includedScripts": [
diff --git a/lambdas/package.json b/lambdas/package.json
@@ -22,15 +22,15 @@
   },
   "devDependencies": {
     "@eslint/eslintrc": "^3.3.1",
-    "@nx/eslint": "21.5.1",
-    "@nx/js": "^21.5.1",
-    "@nx/vite": "^21.5.1",
+    "@nx/eslint": "21.5.2",
+    "@nx/js": "^21.5.2",
+    "@nx/vite": "^21.5.2",
     "@swc-node/register": "~1.10.10",
     "@swc/core": "~1.13.3",
     "@swc/helpers": "~0.5.17",
     "@trivago/prettier-plugin-sort-imports": "^5.2.2",
     "@typescript-eslint/eslint-plugin": "^8.35.1",
-    "@typescript-eslint/parser": "^8.39.1",
+    "@typescript-eslint/parser": "^8.44.0",
     "@vitest/coverage-v8": "^3.2.4",
     "chalk": "^5.4.1",
     "eslint": "^9.35.0",
diff --git a/lambdas/yarn.lock b/lambdas/yarn.lock

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-mkdocs-material==9.6.19`
	`1`	`+mkdocs-material==9.6.20`