Merge branch 'main' into amazon-linux-2023-arm

Author: npalm

.github/workflows/actions.yml

@@ -18,8 +18,7 @@ jobs:
     name: Analyze (${{ matrix.language }})
     runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
     permissions:
-      # required for all workflows
-      security-events: write
+      security-events: write # required for CodeQL to upload security scan results
 
     strategy:
       fail-fast: false
@@ -39,12 +38,12 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@192325c86100d080feab897ff886c34abd4c83a3 # v3.29.5
+      uses: github/codeql-action/init@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
       with:
         languages: ${{ matrix.language }}
         build-mode: none
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@192325c86100d080feab897ff886c34abd4c83a3 # v3.29.5
+      uses: github/codeql-action/analyze@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/codeql.yml

@@ -13,10 +13,11 @@ permissions: {}
 
 jobs:
   dependency-review:
+    name: Dependency vulnerability scan
     runs-on: ubuntu-latest
     permissions:
-      contents: read
-      pull-requests: write
+      contents: read # for actions/checkout
+      pull-requests: write # for actions/dependency-review-action to comment on PRs
     steps:
       - name: Harden the runner (Audit all outbound calls)
         uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
@@ -28,6 +29,6 @@ jobs:
         with:
           persist-credentials: false
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@595b5aeba73380359d98a5e087f648dbb0edce1b # v4.7.3
+        uses: actions/dependency-review-action@56339e523c0409420f6c2c9a2f4292bbb3c07dd3 # v4.8.0
         with:
           comment-summary-in-pr: always

.github/workflows/dependency-review.yml

@@ -13,12 +13,10 @@ permissions:
 
 jobs:
   build:
+    name: Build and test lambda functions
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        node: [22]
     container:
-      image: node:${{ matrix.node }}
+      image: node:22@sha256:2bb201f33898d2c0ce638505b426f4dd038cc00e5b2b4cbba17b069f0fff1496
     defaults:
       run:
         working-directory: ./lambdas

.github/workflows/lambda.yml

@@ -7,16 +7,17 @@ on:
   push:
     branches: [ "main" ]
 
-permissions: read-all
+permissions:
+  contents: read # for actions/checkout and repository analysis
 
 jobs:
   analysis:
     name: Scorecard analysis
     runs-on: ubuntu-latest
     if: github.event.repository.default_branch == github.ref_name || github.event_name == 'pull_request'
     permissions:
-      security-events: write
-      id-token: write
+      security-events: write # for github/codeql-action/upload-sarif to upload security scan results
+      id-token: write # for ossf/scorecard-action to generate attestations
 
     steps:
       - name: Harden the runner (Audit all outbound calls)
@@ -48,6 +49,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@192325c86100d080feab897ff886c34abd4c83a3
+        uses: github/codeql-action/upload-sarif@dd196fa9ce80b6bacc74ca1c32bd5b0ba22efca7 # v3.28.3
         with:
           sarif_file: results.sarif

.github/workflows/ossf-scorecard.yml

@@ -0,0 +1,16 @@
+name: OSV-Scanner
+on:
+  pull_request:
+    branches: [main]
+  merge_group:
+    branches: [main]
+
+permissions: {}
+
+jobs:
+  scan-pr:
+    permissions:
+      actions: read            # Required to upload SARIF file to CodeQL
+      security-events: write   # Require writing security events to upload
+      contents: read           # for checkout
+    uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@e92b5d07338d4f0ba0981dffed17c48976ca4730" # v2.2.3

.github/workflows/ovs.yml

@@ -14,10 +14,10 @@ jobs:
     name: Release
     runs-on: ubuntu-latest
     permissions:
-      contents: write
-      actions: write
-      id-token: write
-      attestations: write
+      contents: write # for release-please-action to create releases and update changelogs
+      actions: write # for release-please-action to trigger other workflows
+      id-token: write # for actions/attest-build-provenance to generate attestations
+      attestations: write # for actions/attest-build-provenance to write attestations
     steps:
       - name: Harden the runner (Audit all outbound calls)
         uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
@@ -27,6 +27,7 @@ jobs:
       - uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
           node-version: 22
+          package-manager-cache: false
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
         with:
           persist-credentials: false
@@ -63,14 +64,16 @@ jobs:
           VERSION: ${{ github.event.inputs.version }}
           TAG_NAME: ${{ steps.release.outputs.tag_name }}
           ATTESTATION_URL: ${{ steps.attest.outputs.attestation-url }}
+          REPOSITORY: ${{ github.repository }}
         run: |
           version="${VERSION}"
           tag_name="${TAG_NAME}"
           attestation_url="${ATTESTATION_URL}"
+          repository="${REPOSITORY}"
           gh release view $version --json body -q '.body' > new-release-notes.md
           echo "## Attestation" >> new-release-notes.md
           echo "Attestation url: $attestation_url" >> new-release-notes.md
-          echo "Verify the artifacts by running \`gh attestation verify <name_of_artifact> --repo ${{ github.repository }}\`" >> new-release-notes.md
+          echo "Verify the artifacts by running \`gh attestation verify <name_of_artifact> --repo ${repository}\`" >> new-release-notes.md
           gh release edit $tag_name -F new-release-notes.md -t $tag_name
       - name: Upload release assets
         if: ${{ steps.release.outputs.releases_created == 'true' }}

.github/workflows/release.yml

@@ -6,8 +6,8 @@ on:
       - edited
       - synchronize
 permissions:
-  contents: read
-  pull-requests: read
+  contents: read # for actions/checkout
+  pull-requests: read # for amannn/action-semantic-pull-request to check PR details
 jobs:
   main:
     name: Semantic Commit Message Check

.github/workflows/semantic-check.yml

@@ -3,12 +3,14 @@ on:
   schedule:
     - cron: "30 1 * * *"
   workflow_dispatch:
-permissions:
-  issues: write
-  pull-requests: write
+permissions: {}
 jobs:
   stale:
+    name: Mark stale issues and PRs
     runs-on: ubuntu-latest
+    permissions:
+      issues: write # for actions/stale to close stale issues
+      pull-requests: write # for actions/stale to close stale PRs
     steps:
       - name: Harden the runner (Audit all outbound calls)
         uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1

.github/workflows/stale.yml

@@ -16,7 +16,7 @@ jobs:
     name: Verify module
     strategy:
       matrix:
-        terraform: [1.5.6, "latest"]
+        terraform: ["1.5.6", "latest"]
     runs-on: ubuntu-latest
     container:
       image: hashicorp/terraform:${{ matrix.terraform }}
@@ -53,7 +53,7 @@ jobs:
         run: apk add --no-cache tar
         continue-on-error: true
       - if: contains(matrix.terraform, '1.5.')
-        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         name: Cache TFLint plugin dir
         with:
           path: ~/.tflint.d/plugins
@@ -74,7 +74,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        terraform: [1.5.6, "latest"]
+        terraform: ["1.5.6", "latest"]
         module:
           [
             "ami-housekeeper",
@@ -119,7 +119,7 @@ jobs:
         run: apk add --no-cache tar
         continue-on-error: true
       - if: contains(matrix.terraform, '1.3.')
-        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         name: Cache TFLint plugin dir
         with:
           path: ~/.tflint.d/plugins
@@ -132,16 +132,18 @@ jobs:
       - if: contains(matrix.terraform, '1.3.')
         name: Run TFLint
         working-directory: ${{ github.workspace }}
+        env:
+          MODULE_NAME: ${{ matrix.module }}
         run: |
-          tflint --init -c ${GITHUB_WORKSPACE}/.tflint.hcl --chdir modules/${{ matrix.module }}
-          tflint -f compact -c ${GITHUB_WORKSPACE}/.tflint.hcl --var-file ${GITHUB_WORKSPACE}/.github/lint/tflint.tfvars --chdir modules/${{ matrix.module }}
+          tflint --init -c ${GITHUB_WORKSPACE}/.tflint.hcl --chdir "modules/${MODULE_NAME}"
+          tflint -f compact -c ${GITHUB_WORKSPACE}/.tflint.hcl --var-file ${GITHUB_WORKSPACE}/.github/lint/tflint.tfvars --chdir "modules/${MODULE_NAME}"
 
   verify_examples:
     name: Verify examples
     strategy:
       fail-fast: false
       matrix:
-        terraform: [1.5.6, "latest"]
+        terraform: ["1.5.6", "latest"]
         example:
           [
             "default",
@@ -182,7 +184,7 @@ jobs:
         run: apk add --no-cache tar
         continue-on-error: true
       - if: contains(matrix.terraform, '1.5.')
-        uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4.3.0
         name: Cache TFLint plugin dir
         with:
           path: ~/.tflint.d/plugins
@@ -195,6 +197,8 @@ jobs:
       - if: contains(matrix.terraform, '1.5.')
         name: Run TFLint
         working-directory: ${{ github.workspace }}
+        env:
+          EXAMPLE_NAME: ${{ matrix.example }}
         run: |
-          tflint --init -c ${GITHUB_WORKSPACE}/.tflint.hcl --chdir modules/${{ matrix.module }}
-          tflint -f compact -c ${GITHUB_WORKSPACE}/.tflint.hcl --var-file ${GITHUB_WORKSPACE}/.github/lint/tflint.tfvars --chdir examples/${{ matrix.example }}
+          tflint --init -c ${GITHUB_WORKSPACE}/.tflint.hcl --chdir "examples/${EXAMPLE_NAME}"
+          tflint -f compact -c ${GITHUB_WORKSPACE}/.tflint.hcl --var-file ${GITHUB_WORKSPACE}/.github/lint/tflint.tfvars --chdir "examples/${EXAMPLE_NAME}"