Merge branch 'main' into npalm/security-lock-version-mmkdocs

npalm · web-flow · commit e3a3c728170f · 2025-07-23T08:18:57.000+02:00
diff --git a/.github/workflows/actions.yml b/.github/workflows/actions.yml
@@ -51,7 +51,7 @@ jobs:
           path: results.sarif
 
       - name: Upload SARIF file
-        uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
+        uses: github/codeql-action/upload-sarif@d6bbdef45e766d081b84a2def353b0055f728d3e # v3.29.3
         with:
           sarif_file: results.sarif
           category: actions-zizmor
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -28,7 +28,7 @@ jobs:
 
     steps:
     - name: Harden the runner (Audit all outbound calls)
-      uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
+      uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
       with:
         egress-policy: audit
 
@@ -39,12 +39,12 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
+      uses: github/codeql-action/init@d6bbdef45e766d081b84a2def353b0055f728d3e # v3.29.3
       with:
         languages: ${{ matrix.language }}
         build-mode: none
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # v3.29.2
+      uses: github/codeql-action/analyze@d6bbdef45e766d081b84a2def353b0055f728d3e # v3.29.3
       with:
         category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -9,15 +9,17 @@
 name: 'Dependency Review'
 on: [pull_request]
 
-permissions:
-  contents: read
+permissions: {}
 
 jobs:
   dependency-review:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      pull-requests: write
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
           egress-policy: audit
 
@@ -27,3 +29,5 @@ jobs:
           persist-credentials: false
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1
+        with:
+          comment-summary-in-pr: always
diff --git a/.github/workflows/lambda.yml b/.github/workflows/lambda.yml
@@ -25,7 +25,7 @@ jobs:
 
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
           egress-policy: audit
 
diff --git a/.github/workflows/ossf-scorecard.yml b/.github/workflows/ossf-scorecard.yml
@@ -20,7 +20,7 @@ jobs:
 
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
           egress-policy: audit
 
@@ -48,6 +48,6 @@ jobs:
       # Upload the results to GitHub's code scanning dashboard (optional).
       # Commenting out will disable upload of results to your repo's Code Scanning dashboard
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@181d5eefc20863364f96762470ba6f862bdef56b
+        uses: github/codeql-action/upload-sarif@d6bbdef45e766d081b84a2def353b0055f728d3e
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/packer-build.yml b/.github/workflows/packer-build.yml
@@ -29,7 +29,7 @@ jobs:
         working-directory: images/${{ matrix.image }}
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
           egress-policy: audit
 
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -20,7 +20,7 @@ jobs:
       attestations: write
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
           egress-policy: audit
 
diff --git a/.github/workflows/semantic-check.yml b/.github/workflows/semantic-check.yml
@@ -14,7 +14,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
           egress-policy: audit
 
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml
@@ -11,7 +11,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
           egress-policy: audit
 
diff --git a/.github/workflows/terraform.yml b/.github/workflows/terraform.yml
@@ -22,7 +22,7 @@ jobs:
       image: hashicorp/terraform:${{ matrix.terraform }}
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
           egress-policy: audit
 
@@ -96,7 +96,7 @@ jobs:
       image: hashicorp/terraform:${{ matrix.terraform }}
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
           egress-policy: audit
 
@@ -159,7 +159,7 @@ jobs:
       image: hashicorp/terraform:${{ matrix.terraform }}
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
           egress-policy: audit
 
diff --git a/.github/workflows/update-docs.yml b/.github/workflows/update-docs.yml
@@ -18,7 +18,7 @@ jobs:
       pull-requests: write
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
           egress-policy: audit
 
@@ -67,7 +67,7 @@ jobs:
       contents: write
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@6c439dc8bdf85cadbbce9ed30d1c7b959517bc49 # v2.12.2
+        uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
         with:
           egress-policy: audit
 
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,18 @@
 # Changelog
 
+## [6.7.0](https://github.com/github-aws-runners/terraform-aws-github-runner/compare/v6.6.2...v6.7.0) (2025-07-22)
+
+
+### Features
+
+* Add last chance check before orphan termination ([#4595](https://github.com/github-aws-runners/terraform-aws-github-runner/issues/4595)) ([7cbd9e0](https://github.com/github-aws-runners/terraform-aws-github-runner/commit/7cbd9e0430c5213157a1befa804edde03e8f4336))
+
+
+### Bug Fixes
+
+* [#4391](https://github.com/github-aws-runners/terraform-aws-github-runner/issues/4391) ([7cbd9e0](https://github.com/github-aws-runners/terraform-aws-github-runner/commit/7cbd9e0430c5213157a1befa804edde03e8f4336))
+* **lambda:** bump form-data from 2.5.1 to 2.5.5 in /lambdas ([#4672](https://github.com/github-aws-runners/terraform-aws-github-runner/issues/4672)) ([0ec1c9a](https://github.com/github-aws-runners/terraform-aws-github-runner/commit/0ec1c9ab505ff25214312bc020b033104fe04a60))
+
 ## [6.6.2](https://github.com/github-aws-runners/terraform-aws-github-runner/compare/v6.6.1...v6.6.2) (2025-07-15)
 
 
diff --git a/lambdas/functions/control-plane/package.json b/lambdas/functions/control-plane/package.json
@@ -20,7 +20,7 @@
     "@aws-sdk/types": "^3.840.0",
     "@octokit/types": "^14.1.0",
     "@types/aws-lambda": "^8.10.147",
-    "@types/node": "^22.14.0",
+    "@types/node": "^22.16.5",
     "@vercel/ncc": "^0.38.3",
     "aws-sdk-client-mock": "^4.1.0",
     "aws-sdk-client-mock-jest": "^4.1.0",
diff --git a/lambdas/functions/gh-agent-syncer/package.json b/lambdas/functions/gh-agent-syncer/package.json
@@ -19,7 +19,7 @@
   "devDependencies": {
     "@aws-sdk/types": "^3.840.0",
     "@types/aws-lambda": "^8.10.147",
-    "@types/node": "^22.14.0",
+    "@types/node": "^22.16.5",
     "@types/request": "^2.48.12",
     "@vercel/ncc": "^0.38.3",
     "aws-sdk-client-mock": "^4.1.0",
diff --git a/lambdas/functions/termination-watcher/package.json b/lambdas/functions/termination-watcher/package.json
@@ -17,7 +17,7 @@
   "devDependencies": {
     "@aws-sdk/types": "^3.840.0",
     "@types/aws-lambda": "^8.10.147",
-    "@types/node": "^22.14.0",
+    "@types/node": "^22.16.5",
     "@vercel/ncc": "^0.38.3",
     "aws-sdk-client-mock": "^4.1.0",
     "aws-sdk-client-mock-jest": "^4.1.0"
diff --git a/lambdas/functions/webhook/package.json b/lambdas/functions/webhook/package.json
@@ -21,7 +21,7 @@
     "@octokit/webhooks-types": "^7.6.1",
     "@types/aws-lambda": "^8.10.147",
     "@types/express": "^5.0.0",
-    "@types/node": "^22.14.0",
+    "@types/node": "^22.16.5",
     "@vercel/ncc": "0.38.3",
     "body-parser": "^2.2.0",
     "express": "^5.1.0",
diff --git a/lambdas/libs/aws-powertools-util/package.json b/lambdas/libs/aws-powertools-util/package.json
@@ -16,7 +16,7 @@
   },
   "devDependencies": {
     "@types/aws-lambda": "^8.10.147",
-    "@types/node": "^22.14.0",
+    "@types/node": "^22.16.5",
     "body-parser": "^2.2.0"
   },
   "dependencies": {
diff --git a/lambdas/libs/aws-ssm-util/package.json b/lambdas/libs/aws-ssm-util/package.json
@@ -17,7 +17,7 @@
   "devDependencies": {
     "@aws-sdk/types": "^3.840.0",
     "@types/aws-lambda": "^8.10.147",
-    "@types/node": "^22.14.0",
+    "@types/node": "^22.16.5",
     "aws-sdk-client-mock": "^4.1.0",
     "aws-sdk-client-mock-jest": "^4.1.0"
   },
diff --git a/lambdas/package.json b/lambdas/package.json
@@ -22,11 +22,11 @@
   },
   "devDependencies": {
     "@eslint/eslintrc": "^3.3.1",
-    "@nx/eslint": "20.8.2",
-    "@nx/js": "^20.8.2",
-    "@nx/vite": "^20.8.2",
+    "@nx/eslint": "21.3.2",
+    "@nx/js": "^21.3.2",
+    "@nx/vite": "^21.3.2",
     "@swc-node/register": "~1.10.10",
-    "@swc/core": "~1.11.21",
+    "@swc/core": "~1.13.1",
     "@swc/helpers": "~0.5.17",
     "@trivago/prettier-plugin-sort-imports": "^5.2.2",
     "@typescript-eslint/eslint-plugin": "^8.35.1",
@@ -35,7 +35,7 @@
     "chalk": "^5.4.1",
     "eslint": "^9.31.0",
     "eslint-plugin-prettier": "5.5.1",
-    "nx": "20.8.2",
+    "nx": "21.3.2",
     "prettier": "^3.5.3",
     "ts-node": "^10.9.2",
     "ts-node-dev": "^2.0.0",
diff --git a/lambdas/yarn.lock b/lambdas/yarn.lock
