threading-clouds
diff --git a/‎.ci/Dockerfile‎
Lines changed: 1 addition & 1 deletion b/‎.ci/Dockerfile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.ci/terraform-init-all.sh‎
Lines changed: 2 additions & 2 deletions b/‎.ci/terraform-init-all.sh‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.devcontainer/Dockerfile‎
Lines changed: 1 addition & 2 deletions b/‎.devcontainer/Dockerfile‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎.devcontainer/devcontainer.json‎
Lines changed: 1 addition & 2 deletions b/‎.devcontainer/devcontainer.json‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎.github/dependabot.yml‎
Lines changed: 51 additions & 7 deletions b/‎.github/dependabot.yml‎
Lines changed: 51 additions & 7 deletions
diff --git a/‎.github/workflows/codeql.yml‎
Lines changed: 49 additions & 0 deletions b/‎.github/workflows/codeql.yml‎
Lines changed: 49 additions & 0 deletions
diff --git a/‎.github/workflows/dependency-review.yml‎
Lines changed: 34 additions & 0 deletions b/‎.github/workflows/dependency-review.yml‎
Lines changed: 34 additions & 0 deletions
diff --git a/‎.github/workflows/lambda.yml‎
Lines changed: 16 additions & 6 deletions b/‎.github/workflows/lambda.yml‎
Lines changed: 16 additions & 6 deletions
diff --git a/‎.github/workflows/mkdocs/requirements.in‎
Lines changed: 1 addition & 0 deletions b/‎.github/workflows/mkdocs/requirements.in‎
Lines changed: 1 addition & 0 deletions
@@ -1,5 +1,5 @@
 #syntax=docker/dockerfile:1.2
-FROM node:20 as build
+FROM node@sha256:0c0734eb7051babbb3e95cd74e684f940552b31472152edf0bb23e54ab44a0d7 as build
 WORKDIR /lambdas
 RUN apt-get update \
         && apt-get install -y zip \
 
@@ -4,9 +4,9 @@
 # required to run tflint via pre-commit
 
 # only run the script if a uniique pid file exits if not creat it or --force flag is passed
-pid="/tmp/philips-labs-terraform-aws-github-runner.pid"
+pid="/tmp/github-aws-runners-terraform-aws-github-runner.pid"
 if [ "$1" == "--force" ]; then
-  rm -f /tmp/philips-labs-terraform-aws-github-runner.pid
+  rm -f /tmp/github-aws-runners-terraform-aws-github-runner.pid
 fi
 
 if [ ! -f $pid ]; then
 
@@ -1,2 +1 @@
-ARG VARIANT="20-bullseye"
-FROM mcr.microsoft.com/vscode/devcontainers/typescript-node:0-${VARIANT}
+FROM mcr.microsoft.com/vscode/devcontainers/typescript-node@sha256:acdce1045a2ddce4c66846d5cd09adf746d157fce9233124e4925b647f192b2e
@@ -16,11 +16,10 @@
         "dbaeumer.vscode-eslint",
         "editorconfig.editorconfig",
         "esbenp.prettier-vscode",
-        "firsttris.vscode-jest-runner",
         "hashicorp.hcl",
         "hashicorp.terraform",
         "hashicorp.terraform",
-        "orta.vscode-jest",
+        "vitest.explorer",
         "yzhang.markdown-all-in-one"
       ]
     }
 
@@ -15,6 +15,11 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    groups:
+      github:
+        patterns:
+          - "actions/*"
+          - "github/"
 
   - package-ecosystem: "npm"
     directory: "/lambdas"
@@ -30,14 +35,53 @@ updates:
       aws-powertools:
         patterns:
           - "@aws-lambda-powertools/*"
+      nx:
+        patterns:
+          - "@nx/*"
+          - "nx/*"
+      eslint:
+        patterns:
+          - "eslint*"
+          - "@typescript-eslint-*"
+      vite:
+        patterns:
+          - "vite*"
+          - "@vite/*"
 
-    ignore:
-      - dependency-name: "@middy/core"
-        update-types: ["version-update:semver-major"]
-      - dependency-name: "@octokit/*"
-        update-types: ["version-update:semver-major"]
-      - dependency-name: "eslint"
-        update-types: ["version-update:semver-major"]
     commit-message:
       prefix: "fix(lambda)"
       prefix-development: "chore(lambda)"
+
+  - package-ecosystem: "docker"
+    directory: "/.ci/Dockerfile"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "dependencies"
+      - "docker"
+    commit-message:
+      prefix: "chore(docker)"
+
+  - package-ecosystem: "docker"
+    directory: "/.devcontainer/Dockerfile"
+    schedule:
+      interval: "weekly"
+    labels:
+      - "dependencies"
+      - "docker"
+    commit-message:
+      prefix: "chore(devcontainer)"
+
+  - package-ecosystem: "pip"
+    directory: "/.github/workflows/mkdocs"
+    schedule:
+      interval: "weekly"
+    groups:
+      python-deps:
+        patterns:
+          - "*"
+    labels:
+      - "dependencies"
+      - "python"
+    commit-message:
+      prefix: "chore(docs)"
@@ -0,0 +1,49 @@
+name: "CodeQL Advanced"
+
+on:
+  push:
+    branches: [ "main", "develop", "v1" ]
+  pull_request:
+    branches: [ "main", "develop", "v1" ]
+    paths-ignore:
+      - '**/*.md'
+  schedule:
+    - cron: '25 19 * * 2'
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    name: Analyze (${{ matrix.language }})
+    runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+    permissions:
+      security-events: write # required for CodeQL to upload security scan results
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: ['javascript-typescript', 'actions']
+
+    steps:
+    - name: Harden the runner (Audit all outbound calls)
+      uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+      with:
+        egress-policy: audit
+
+    - name: Checkout repository
+      uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+      with:
+        persist-credentials: false
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
+      with:
+        languages: ${{ matrix.language }}
+        build-mode: none
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@f443b600d91635bebf5b0d9ebc620189c0d6fba5 # v4.30.8
+      with:
+        category: "/language:${{matrix.language}}"
@@ -0,0 +1,34 @@
+# Dependency Review Action
+#
+# This Action will scan dependency manifest files that change as part of a Pull Request,
+# surfacing known-vulnerable versions of the packages declared or updated in the PR.
+# Once installed, if the workflow run is marked as required,
+# PRs introducing known-vulnerable packages will be blocked from merging.
+#
+# Source repository: https://github.com/actions/dependency-review-action
+name: 'Dependency Review'
+on: [pull_request]
+
+permissions: {}
+
+jobs:
+  dependency-review:
+    name: Dependency vulnerability scan
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read # for actions/checkout
+      pull-requests: write # for actions/dependency-review-action to comment on PRs
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
+      - name: 'Checkout Repository'
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
+      - name: 'Dependency Review'
+        uses: actions/dependency-review-action@40c09b7dc99638e5ddb0bfd91c1673effc064d8a # v4.8.1
+        with:
+          comment-summary-in-pr: always
@@ -1,25 +1,35 @@
 name: Build lambdas
+
 on:
   pull_request:
     branches:
       - main
     paths:
       - 'lambdas/**'
+      - '.github/workflows/lambda.yml'
+
+permissions:
+  contents: read
 
 jobs:
   build:
+    name: Build and test lambda functions
     runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        node: [20]
     container:
-      image: node:${{ matrix.node }}
+      image: node:22@sha256:2bb201f33898d2c0ce638505b426f4dd038cc00e5b2b4cbba17b069f0fff1496
     defaults:
       run:
         working-directory: ./lambdas
 
     steps:
-      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1
+        with:
+          egress-policy: audit
+
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          persist-credentials: false
       - name: Install dependencies
         run: yarn install --frozen-lockfile
       - name: Run prettier
@@ -32,7 +42,7 @@ jobs:
       - name: Build distribution
         run: yarn build
       - name: Upload coverage report
-        uses: actions/upload-artifact@604373da6381bf24206979c74d06a550515601b9 # v4.4.1
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         if: ${{ failure() }}
         with:
           name: coverage-reports
 
@@ -0,0 +1 @@
+mkdocs-material==9.6.21
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1 @@`
`1`		`-ARG VARIANT="20-bullseye"`
`2`		`-FROM mcr.microsoft.com/vscode/devcontainers/typescript-node:0-${VARIANT}`
	`1`	`+FROM mcr.microsoft.com/vscode/devcontainers/typescript-node@sha256:acdce1045a2ddce4c66846d5cd09adf746d157fce9233124e4925b647f192b2e`
Original file line number	Diff line number	Diff line change
`@@ -16,11 +16,10 @@`
`16`	`16`	`"dbaeumer.vscode-eslint",`
`17`	`17`	`"editorconfig.editorconfig",`
`18`	`18`	`"esbenp.prettier-vscode",`
`19`		`- "firsttris.vscode-jest-runner",`
`20`	`19`	`"hashicorp.hcl",`
`21`	`20`	`"hashicorp.terraform",`
`22`	`21`	`"hashicorp.terraform",`
`23`		`- "orta.vscode-jest",`
	`22`	`+ "vitest.explorer",`
`24`	`23`	`"yzhang.markdown-all-in-one"`
`25`	`24`	`]`
`26`	`25`	`}`