Merge remote-tracking branch 'origin/main' into feat/dynamic-pool

Author: galargh

.ci/terraform-init-all.sh

@@ -4,9 +4,9 @@
 # required to run tflint via pre-commit
 
 # only run the script if a uniique pid file exits if not creat it or --force flag is passed
-pid="/tmp/philips-labs-terraform-aws-github-runner.pid"
+pid="/tmp/github-aws-runners-terraform-aws-github-runner.pid"
 if [ "$1" == "--force" ]; then
-  rm -f /tmp/philips-labs-terraform-aws-github-runner.pid
+  rm -f /tmp/github-aws-runners-terraform-aws-github-runner.pid
 fi
 
 if [ ! -f $pid ]; then

.github/dependabot.yml

@@ -27,6 +27,17 @@ updates:
       octokit:
         patterns:
           - "@octokit/*"
+      aws-powertools:
+        patterns:
+          - "@aws-lambda-powertools/*"
+
+    ignore:
+      - dependency-name: "@middy/core"
+        update-types: ["version-update:semver-major"]
+      - dependency-name: "@octokit/*"
+        update-types: ["version-update:semver-major"]
+      - dependency-name: "eslint"
+        update-types: ["version-update:semver-major"]
     commit-message:
       prefix: "fix(lambda)"
       prefix-development: "chore(lambda)"

.github/workflows/actions.yml

@@ -0,0 +1,57 @@
+name: Lint GitHub Actions
+
+on:
+  push:
+    paths:
+      - '.github/workflows/*.ya?ml'
+    branches:
+      - main
+  pull_request:
+    paths:
+      - '.github/workflows/*.ya?ml'
+
+concurrency:
+  group: "actionlint-${{ github.ref }}"
+  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
+
+permissions: {}
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: lint wit zizmor
+        run: |
+          pipx install zizmor
+          zizmor --gh-token ${{ secrets.GITHUB_TOKEN }} --format sarif . > results.sarif || true
+
+      - name: Upload SARIF file
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
+        with:
+          name: results.sarif
+          path: results.sarif
+
+  upload:
+    needs: lint
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Download SARIF file
+        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        with:
+          name: results.sarif
+          path: results.sarif
+
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@f6091c0113d1dcf9b98e269ee48e8a7e51b7bdd4 # v3.28.5
+        with:
+          sarif_file: results.sarif
+          category: actions-zizmor

.github/workflows/auto-approve-dependabot.yml

@@ -0,0 +1,42 @@
+name: "CodeQL Advanced"
+
+on:
+  push:
+    branches: [ "main", "develop", "v1" ]
+  pull_request:
+    branches: [ "main", "develop", "v1" ]
+    paths-ignore:
+      - '**/*.md'
+  schedule:
+    - cron: '25 19 * * 2'
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    permissions:
+      # required for all workflows
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['javascript-typescript', 'actions']
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        persist-credentials: false
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: none
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
+      with:
+        category: "/language:${{matrix.language}}"

.github/workflows/codeql.yml

@@ -1,25 +1,32 @@
 name: Build lambdas
+
 on:
   pull_request:
     branches:
       - main
     paths:
       - 'lambdas/**'
+      - '.github/workflows/lambda.yml'
+
+permissions:
+  contents: read
 
 jobs:
   build:
     runs-on: ubuntu-latest
     strategy:
       matrix:
-        node: [20]
+        node: [22]
     container:
       image: node:${{ matrix.node }}
     defaults:
       run:
         working-directory: ./lambdas
 
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v3.2.0
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Install dependencies
         run: yarn install --frozen-lockfile
       - name: Run prettier
@@ -32,7 +39,7 @@ jobs:
       - name: Build distribution
         run: yarn build
       - name: Upload coverage report
-        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v31.2
+        uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
         if: ${{ failure() }}
         with:
           name: coverage-reports

.github/workflows/lambda.yml

@@ -8,15 +8,19 @@ on:
       - "images/**"
       - ".github/workflows/packer-build.yml"
       - "module/runners/templates/**"
+permissions:
+  contents: read
+
 env:
   AWS_REGION: eu-west-1
   GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
 jobs:
   verify_packer:
     name: Verify packer
     runs-on: ubuntu-latest
     container:
-      image: index.docker.io/hashicorp/packer@sha256:297bbbbbbf3ce9e0431ac1e8f02934b20e1197613f877b55dfdb1ebfd94eb748 # ratchet:index.docker.io/hashicorp/packer:1.8.6
+      image: index.docker.io/hashicorp/packer@sha256:12c441b8a3994e7df9f0e2692d9298f14c387e70bcc06139420977dbf80a137b # 1.11.2
     strategy:
       matrix:
         image: ["linux-al2023", "windows-core-2019", "windows-core-2022", "ubuntu-focal", "ubuntu-jammy", "ubuntu-jammy-arm64"]
@@ -25,7 +29,9 @@ jobs:
         working-directory: images/${{ matrix.image }}
     steps:
       - name: "Checkout"
-        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # ratchet:actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: packer init
         run: packer init .
       - name: check packer formatting

.github/workflows/packer-build.yml

@@ -13,37 +13,64 @@ jobs:
     permissions:
       contents: write
       actions: write
+      id-token: write
+      attestations: write
     steps:
-      - uses: actions/setup-node@60edb5dd545a775178f52524783378180af0d1f8 # v4.0.2
+      - uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
         with:
-          node-version: 20
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # ratchet:actions/checkout@v4
+          node-version: 22
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
       - name: Build dist
         working-directory: lambdas
         run: yarn install --frozen-lockfile && yarn run test && yarn dist
       - name: Get installation token
-        uses: philips-software/app-token-action@9f5d57062c9f2beaffafaa9a34f66f824ead63a9 # ratchet:philips-software/[email protected]
+        uses: actions/create-github-app-token@136412a57a7081aa63c935a2cc2918f76c34f514 # v1.11.2
         id: token
         with:
-          app_id: ${{ secrets.FOREST_RELEASER_APP_ID }}
-          app_base64_private_key: ${{ secrets.FOREST_RELEASER_APP_PRIVATE_KEY_BASE64 }}
-          auth_type: installation
+          app-id: ${{ vars.RELEASER_APP_ID }}
+          private-key: ${{ secrets.RELEASER_APP_PRIVATE_KEY }}
       - name: Extract branch name
         id: branch
         shell: bash
         run: echo "name=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT
       - name: Release
         id: release
-        uses: google-github-actions/release-please-action@a37ac6e4f6449ce8b3f7607e4d97d0146028dc0b # ratchet:google-github-actions/release-please-action@v3
+        uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3
         with:
-          default-branch: ${{ steps.branch.outputs.name }}
+          target-branch: ${{ steps.branch.outputs.name }}
           release-type: terraform-module
           token: ${{ steps.token.outputs.token }}
-      - name: Upload Release Asset
+      - name: Attest
+        if: ${{ steps.release.outputs.releases_created == 'true' }}
+        id: attest
+        uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0
+        with:
+          subject-path: '${{ github.workspace }}/lambdas/functions/**/*.zip'
+      - name: Update release notes with attestation
+        if: ${{ steps.release.outputs.releases_created == 'true' }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VERSION: ${{ github.event.inputs.version }}
+          TAG_NAME: ${{ steps.release.outputs.tag_name }}
+          ATTESTATION_URL: ${{ steps.attest.outputs.attestation-url }}
+        run: |
+          version="${VERSION}"
+          tag_name="${TAG_NAME}"
+          attestation_url="${ATTESTATION_URL}"
+          gh release view $version --json body -q '.body' > new-release-notes.md
+          echo "## Attestation" >> new-release-notes.md
+          echo "Attestation url: $attestation_url" >> new-release-notes.md
+          echo "Verify the artifacts by running \`gh attest verify <name_of_artifact> --repo ${{ github.repository }}\`" >> new-release-notes.md
+          gh release edit $tag_name -F new-release-notes.md -t $tag_name
+      - name: Upload release assets
         if: ${{ steps.release.outputs.releases_created == 'true' }}
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          TAG_NAME: ${{ steps.release.outputs.tag_name }}
         run: |
+          tag_name="${TAG_NAME}"
           for f in $(find . -name '*.zip'); do
-            gh release upload ${{ steps.release.outputs.tag_name }} $f
+            gh release upload $tag_name $f
           done

.github/workflows/release.yml

@@ -13,8 +13,10 @@ jobs:
     name: Semantic Commit Message Check
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # ratchet:actions/checkout@v4
-      - uses: amannn/action-semantic-pull-request@cfb60706e18bc85e8aec535e3c577abe8f70378e # ratchet:amannn/action-semantic-pull-request@v5
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          persist-credentials: false
+      - uses: amannn/action-semantic-pull-request@0723387faaf9b38adef4775cd42cfd5155ed6017 # v5.5.3
         name: Check PR for Semantic Commit Message
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/semantic-check.yml

@@ -10,15 +10,15 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@28ca1036281a5e5922ead5184a1bbf96e5fc984e # ratchet:actions/stale@v7
+      - uses: actions/stale@5bef64f19d7facfb25b37b414482c7164d639639 # v9.1.0
         with:
           stale-issue-message: >
             This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed if no further activity occurs.  Thank you for your contributions.
 
           stale-pr-message: >
             This pull request has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed if no further activity occurs. Thank you for your contributions.
 
-          days-before-stale: 30
-          days-before-close: 10
+          days-before-stale: 90
+          days-before-close: 14
           close-issue-label: "abandoned"
           exempt-issue-labels: "stale:exempt"