From 93f0425e258393ca23f4aa3a828327c8e60f69ae Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 1 May 2025 14:04:50 -0400
Subject: [PATCH 01/10] Bump aws-actions/closed-issue-message from 1 to 2 (#2054)
Bumps [aws-actions/closed-issue-message](https://github.com/aws-actions/closed-issue-message) from 1 to 2. - [Release notes](https://github.com/aws-actions/closed-issue-message/releases) - [Commits](https://github.com/aws-actions/closed-issue-message/compare/v1...v2) --- updated-dependencies: - dependency-name: aws-actions/closed-issue-message dependency-version: '2' dependency-type: direct:production update-type: version-update:semver-major ...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
.github/workflows/closed-issue-message.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/closed-issue-message.yml b/.github/workflows/closed-issue-message.yml
index 3691dead6..bceb11297 100644
--- a/.github/workflows/closed-issue-message.yml
+++ b/.github/workflows/closed-issue-message.yml
@@ -6,7 +6,7 @@ jobs:
auto_comment:
runs-on: ubuntu-latest
steps:
- - uses: aws-actions/closed-issue-message@v1
+ - uses: aws-actions/closed-issue-message@v2
with:
# These inputs are both required
repo-token: "${{ secrets.GITHUB_TOKEN }}"
From 4172228ce6fac161265aa8f7c5adbba5ab66d91b Mon Sep 17 00:00:00 2001
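Review bot: The new `- uses: aws-actions/closed-issue-message@v2` references a mutable major tag, while the rest of this series pins third-party actions to a full commit SHA with the version in a trailing comment (patch 05 on semgrep-analysis.yml is the model); the same applies to `uses: actions/checkout@v4` in change-file-in-pr.yml in patch 02. A tag can be moved to different code after review, and this step runs with `repo-token: "${{ secrets.GITHUB_TOKEN }}"`, so the SHA pin is what keeps the reviewed code and the executed code the same. Suggested form: `- uses: aws-actions/closed-issue-message@<commit-sha-of-v2> #v2`, leaving Dependabot to move the SHA on later releases. The rest of the job is outside this hunk.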
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 1 May 2025 14:11:46 -0400
Subject: [PATCH 02/10] Bump actions/checkout from 3 to 4 (#2053)
Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4. - [Release notes](https://github.com/actions/checkout/releases) - [Commits](https://github.com/actions/checkout/compare/v3...v4) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major ...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
.github/workflows/change-file-in-pr.yml | 2 +-
.github/workflows/create-release-pr.yml | 2 +-
.github/workflows/sync-master-dev.yml | 4 ++--
.github/workflows/update-Dockerfiles.yml | 2 +-
4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/change-file-in-pr.yml b/.github/workflows/change-file-in-pr.yml
index 7204e3101..3c5bc3da5 100644
--- a/.github/workflows/change-file-in-pr.yml
+++ b/.github/workflows/change-file-in-pr.yml
@@ -12,7 +12,7 @@ jobs:
steps:
- name: Checkout PR code
- uses: actions/checkout@v3
+ uses: actions/checkout@v4
- name: Get List of Changed Files
id: changed-files
diff --git a/.github/workflows/create-release-pr.yml b/.github/workflows/create-release-pr.yml
index 2f70cbf28..750e6101e 100644
--- a/.github/workflows/create-release-pr.yml
+++ b/.github/workflows/create-release-pr.yml
@@ -38,7 +38,7 @@ jobs:
parse-json-secrets: true
# Checkout a full clone of the repo
- name: Checkout
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+ uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2 #v4.2.2
with:
fetch-depth: '0'
token: ${{ env.AWS_SECRET_TOKEN }}
diff --git a/.github/workflows/sync-master-dev.yml b/.github/workflows/sync-master-dev.yml
index eb0a3ae65..93bd72c2e 100644
--- a/.github/workflows/sync-master-dev.yml
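Review bot: In the create-release-pr.yml hunk the pin moves from `11bd71901bbe5b1630ceea73d27597364c9af683` to `85e6279cec87321a52edac9c87bce653a07cf6c2` but the trailing comment stays `#v4.2.2`, and the commit message ("from 3 to 4") says nothing about these SHA-only hunks; the same pattern appears in both sync-master-dev.yml hunks and in update-Dockerfiles.yml. The comment is the only human-readable record of what a SHA pin corresponds to, so it should be re-derived from the upstream tag that now resolves to 85e6279… rather than carried over from the old line. If that tag is still v4.2.2 (a re-tag of the same release), keeping `#v4.2.2` is correct but the commit should say so; otherwise update it to the actual release, e.g. `#v<actual-tag>`.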
+++ b/.github/workflows/sync-master-dev.yml
@@ -39,7 +39,7 @@ jobs:
parse-json-secrets: true
# Checkout a full clone of the repo
- name: Checkout code
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+ uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2 #v4.2.2
with:
ref: dev
fetch-depth: 0
@@ -111,7 +111,7 @@ jobs:
steps:
# Checkout a full clone of the repo
- name: Checkout code
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+ uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2 #v4.2.2
with:
ref: releases/next-release
fetch-depth: 0
diff --git a/.github/workflows/update-Dockerfiles.yml b/.github/workflows/update-Dockerfiles.yml
index 03846fb0d..18141b8a2 100644
--- a/.github/workflows/update-Dockerfiles.yml
+++ b/.github/workflows/update-Dockerfiles.yml
@@ -45,7 +45,7 @@ jobs:
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+ - uses: actions/checkout@85e6279cec87321a52edac9c87bce653a07cf6c2 #v4.2.2
with:
ref: 'dev'
From 3db10993e834b8f4adf057d576a4cdf000f6bf49 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 1 May 2025 14:11:53 -0400
Subject: [PATCH 03/10] Bump tj-actions/changed-files from 45.0.4 to 46.0.5 (#2052)
Bumps [tj-actions/changed-files](https://github.com/tj-actions/changed-files) from 45.0.4 to 46.0.5. - [Release notes](https://github.com/tj-actions/changed-files/releases) - [Changelog](https://github.com/tj-actions/changed-files/blob/main/HISTORY.md) - [Commits](https://github.com/tj-actions/changed-files/compare/4edd678ac3f81e2dc578756871e4d00c19191daf...ed68ef82c095e0d48ec87eccea555d944a631a4c) --- updated-dependencies: - dependency-name: tj-actions/changed-files dependency-version: 46.0.5 dependency-type: direct:production update-type: version-update:semver-major ...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
.github/workflows/change-file-in-pr.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/change-file-in-pr.yml b/.github/workflows/change-file-in-pr.yml
index 3c5bc3da5..7a1b4d90d 100644
--- a/.github/workflows/change-file-in-pr.yml
+++ b/.github/workflows/change-file-in-pr.yml
@@ -16,7 +16,7 @@ jobs:
- name: Get List of Changed Files
id: changed-files
- uses: tj-actions/changed-files@4edd678ac3f81e2dc578756871e4d00c19191daf #v45
+ uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c #v45
- name: Check for Change File(s) in .autover/changes/
run: |
From 2faf92cf223c988c38e138dc5324e67334761645 Mon Sep 17 00:00:00 2001
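Review bot: The added line `uses: tj-actions/changed-files@ed68ef82c095e0d48ec87eccea555d944a631a4c #v45` keeps the `#v45` comment although the commit bumps the action to 46.0.5, so the comment now misdescribes the pin; change it to `#v46.0.5`. Because this is a major bump, the outputs consumed by the following `Check for Change File(s) in .autover/changes/` step (its `run:` body is outside this hunk) should be checked against the 46.x release notes, since output names or formats may have changed. Keeping the full-SHA pin is the right choice here; only the annotation is stale.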
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 1 May 2025 15:45:21 -0400
Subject: [PATCH 04/10] Bump aws-actions/aws-secretsmanager-get-secrets from 2.0.8 to 2.0.9 (#2050)
Bumps [aws-actions/aws-secretsmanager-get-secrets](https://github.com/aws-actions/aws-secretsmanager-get-secrets) from 2.0.8 to 2.0.9. - [Release notes](https://github.com/aws-actions/aws-secretsmanager-get-secrets/releases) - [Commits](https://github.com/aws-actions/aws-secretsmanager-get-secrets/compare/fbd65ea98e018858715f591f03b251f02b2316cb...5e19ff380d035695bdd56bbad320ca535c9063f2) --- updated-dependencies: - dependency-name: aws-actions/aws-secretsmanager-get-secrets dependency-version: 2.0.9 dependency-type: direct:production update-type: version-update:semver-patch ...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
.github/workflows/create-release-pr.yml | 2 +-
.github/workflows/sync-master-dev.yml | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/create-release-pr.yml b/.github/workflows/create-release-pr.yml
index 750e6101e..d78c0b4bc 100644
--- a/.github/workflows/create-release-pr.yml
+++ b/.github/workflows/create-release-pr.yml
@@ -31,7 +31,7 @@ jobs:
aws-region: us-west-2
# Retrieve the Access Token from Secrets Manager
- name: Retrieve secret from AWS Secrets Manager
- uses: aws-actions/aws-secretsmanager-get-secrets@fbd65ea98e018858715f591f03b251f02b2316cb #v2.0.8
+ uses: aws-actions/aws-secretsmanager-get-secrets@5e19ff380d035695bdd56bbad320ca535c9063f2 #v2.0.9
with:
secret-ids: |
AWS_SECRET, ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_NAME }}
diff --git a/.github/workflows/sync-master-dev.yml b/.github/workflows/sync-master-dev.yml
index 93bd72c2e..c50e20a05 100644
--- a/.github/workflows/sync-master-dev.yml
+++ b/.github/workflows/sync-master-dev.yml
@@ -32,7 +32,7 @@ jobs:
aws-region: us-west-2
# Retrieve the Access Token from Secrets Manager
- name: Retrieve secret from AWS Secrets Manager
- uses: aws-actions/aws-secretsmanager-get-secrets@fbd65ea98e018858715f591f03b251f02b2316cb #v2.0.8
+ uses: aws-actions/aws-secretsmanager-get-secrets@5e19ff380d035695bdd56bbad320ca535c9063f2 #v2.0.9
with:
secret-ids: |
AWS_SECRET, ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_NAME }}
From b2b2e8adea4ddf7b71895db7a17e8a96881ee9b7 Mon Sep 17 00:00:00 2001
From: Garrett Beatty
Date: Thu, 1 May 2025 18:42:51 -0400
Subject: [PATCH 05/10] Pin commit hash (#2059)
---
.github/workflows/semgrep-analysis.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/semgrep-analysis.yml b/.github/workflows/semgrep-analysis.yml
index 1ae557e76..5de1f34ba 100644
--- a/.github/workflows/semgrep-analysis.yml
+++ b/.github/workflows/semgrep-analysis.yml
@@ -35,7 +35,7 @@ jobs:
p/owasp-top-ten
- name: Upload SARIF file for GitHub Advanced Security Dashboard
- uses: github/codeql-action/upload-sarif@v2
+ uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 #v3.28.16
with:
sarif_file: semgrep.sarif
if: always()
\ No newline at end of file
From 1fb4a8195164156a9998ef4703fdbea921316a3d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 1 May 2025 20:12:28 -0400
Subject: [PATCH 06/10] Bump aws-actions/configure-aws-credentials from 4.0.2 to 4.1.0 (#2051)
Bumps [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) from 4.0.2 to 4.1.0. - [Release notes](https://github.com/aws-actions/configure-aws-credentials/releases) - [Changelog](https://github.com/aws-actions/configure-aws-credentials/blob/main/CHANGELOG.md) - [Commits](https://github.com/aws-actions/configure-aws-credentials/compare/v4.0.2...ececac1a45f3b08a01d2dd070d28d111c5fe6722) --- updated-dependencies: - dependency-name: aws-actions/configure-aws-credentials dependency-version: 4.1.0 dependency-type: direct:production update-type: version-update:semver-minor ...
Signed-off-by: dependabot[bot]
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
---
.github/workflows/aws-ci.yml | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/aws-ci.yml b/.github/workflows/aws-ci.yml
index b960c3fa2..4c2eace7b 100644
--- a/.github/workflows/aws-ci.yml
+++ b/.github/workflows/aws-ci.yml
@@ -16,7 +16,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Configure Load Balancer Credentials
- uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 #v4
+ uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4
with:
role-to-assume: ${{ secrets.CI_MAIN_TESTING_ACCOUNT_ROLE_ARN }}
role-duration-seconds: 7200
@@ -29,7 +29,7 @@ jobs:
$roleArn=$(cat ./response.json)
"roleArn=$($roleArn -replace '"', '')" >> $env:GITHUB_OUTPUT
- name: Configure Test Runner Credentials
- uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 #v4
+ uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4
with:
role-to-assume: ${{ steps.lambda.outputs.roleArn }}
role-duration-seconds: 7200
@@ -41,7 +41,7 @@ jobs:
project-name: ${{ secrets.CI_TESTING_CODE_BUILD_PROJECT_NAME }}
- name: Configure Test Sweeper Lambda Credentials
if: always()
- uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 #v4
+ uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4
with:
role-to-assume: ${{ steps.lambda.outputs.roleArn }}
role-duration-seconds: 7200
From 96390e2f2e99236a10010107ff0538167e183f6d Mon Sep 17 00:00:00 2001
From: Garrett Beatty
Date: Mon, 5 May 2025 10:01:13 -0400
Subject: [PATCH 07/10] Fix semgrep findings (#2061)
---
.semgrepignore | 15 +++++++++++++++
LambdaRuntimeDockerfiles/sample/Sample/Dockerfile | 3 +++
2 files changed, 18 insertions(+)
create mode 100644 .semgrepignore
diff --git a/.semgrepignore b/.semgrepignore
new file mode 100644
index 000000000..5a02b9ea5
--- /dev/null
+++ b/.semgrepignore
@@ -0,0 +1,15 @@
+# Ignore test and example files containing dummy credentials
+**/test/**/*.json
+**/tests/**/*.json
+**/SampleRequests/**/*.json
+**/*.example.*
+**/*.test.*
+**/*.min.js
+**/env.configs.yml
+
+# Ignore third-party libraries
+**/node_modules/**
+**/vendor/**
+**/dist/**
+**/build/**
+**/bootstrap/**/*.js
diff --git a/LambdaRuntimeDockerfiles/sample/Sample/Dockerfile b/LambdaRuntimeDockerfiles/sample/Sample/Dockerfile
index 755f2f08e..653983f67 100644
--- a/LambdaRuntimeDockerfiles/sample/Sample/Dockerfile
+++ b/LambdaRuntimeDockerfiles/sample/Sample/Dockerfile
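Review bot: Several of the new globs in .semgrepignore are much broader than the stated reason `# Ignore test and example files containing dummy credentials`: `**/*.test.*`, `**/build/**`, `**/dist/**` and `**/bootstrap/**/*.js` remove whole classes of files from every Semgrep rule in the run, not just the secrets rules, and `**/build/**` / `**/dist/**` will also hide any checked-in build output from the OWASP rule set the workflow applies. A narrower fix is to suppress the specific findings at the fixture with a `# nosemgrep: <rule-id>` comment, or to scope the globs to the directories that actually hold the dummy values. At minimum, add a comment above each broad pattern naming the finding it silences so the exclusions can be revisited rather than accumulating silently.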
@@ -17,4 +17,7 @@ RUN dotnet publish "Sample.csproj" -c Release -o /app/publish
FROM base AS final
COPY --from=publish /app/publish ${LAMBDA_TASK_ROOT}
# ref. https://docs.aws.amazon.com/lambda/latest/dg/csharp-handler.html#csharp-handler-signatures
+# Create a non-root user and switch to it
+RUN adduser --disabled-password --gecos "" appuser
+USER appuser
CMD [ "Sample::Sample.Function::FunctionHandler" ]
From ed01d09ca3d11b4f61f619edd29e2ebbadfba29b Mon Sep 17 00:00:00 2001
From: Garrett Beatty
Date: Mon, 5 May 2025 11:02:07 -0400
Subject: [PATCH 08/10] Update semgrep-analysis.yml (#2063)
---
.github/workflows/semgrep-analysis.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/semgrep-analysis.yml b/.github/workflows/semgrep-analysis.yml
index 5de1f34ba..4d785c99d 100644
--- a/.github/workflows/semgrep-analysis.yml
+++ b/.github/workflows/semgrep-analysis.yml
@@ -5,7 +5,7 @@ on:
pull_request:
push:
- branches: ["dev", "main"]
+ branches: ["dev", "master"]
schedule:
- cron: '23 20 * * 1'
@@ -38,4 +38,4 @@ jobs:
uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 #v3.28.16
with:
sarif_file: semgrep.sarif
- if: always()
\ No newline at end of file
+ if: always()
From 7d31b4b19b8ef44302486e70918462a7bc278432 Mon Sep 17 00:00:00 2001
From: Phil Asmar
Date: Thu, 8 May 2025 09:25:17 -0400
Subject: [PATCH 09/10] chore: add test sweeper for TestServerlessApp
---
Libraries/test/TestServerlessApp/serverless.template | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/Libraries/test/TestServerlessApp/serverless.template b/Libraries/test/TestServerlessApp/serverless.template
index 06d788b8f..fc39db53e 100644
--- a/Libraries/test/TestServerlessApp/serverless.template
+++ b/Libraries/test/TestServerlessApp/serverless.template
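Review bot: `RUN adduser --disabled-password --gecos "" appuser` uses the Debian `adduser` option set; the `base` stage is defined outside this hunk, and if it is an Amazon Linux–based Lambda image, `adduser` there is the shadow-utils `useradd` alias, which does not accept `--disabled-password` or `--gecos` and will fail the build. Confirm the base image, or use the portable form `RUN useradd --system --no-create-home appuser` (or the base's package-provided equivalent). Note also that `COPY --from=publish /app/publish ${LAMBDA_TASK_ROOT}` runs before `USER appuser`, so the published files stay root-owned; the new user only needs read (and execute for directories) on them, which the default mode usually grants but is worth asserting with `--chmod` on the COPY or a check in the image test. How Lambda applies `USER` at invocation time is not visible from this hunk; this note covers only the build-time effect.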
@@ -18,7 +18,11 @@
{
"Ref": "ArchitectureTypeParameter"
}
- ]
+ ],
+ "Tags": {
+ "aws-tests": "TestServerlessApp",
+ "aws-repo": "aws-lambda-dotnet"
+ }
}
},
"Resources": {
From 97abedae04f8a13c89d9799ed35fa2553ec8f22e Mon Sep 17 00:00:00 2001
From: Gediminas Malakauskas
Date: Thu, 8 May 2025 22:44:03 +0300
Subject: [PATCH 10/10] Update LambdaStartupAttribute.cs (#2064)
Update Summary of LambdaStartupAttribute to match docs: https://github.com/aws/aws-lambda-dotnet/blob/master/Libraries/src/Amazon.Lambda.Annotations/README.md
---
.../src/Amazon.Lambda.Annotations/LambdaStartupAttribute.cs | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/Libraries/src/Amazon.Lambda.Annotations/LambdaStartupAttribute.cs b/Libraries/src/Amazon.Lambda.Annotations/LambdaStartupAttribute.cs
index c426f48eb..f46a17800 100644
--- a/Libraries/src/Amazon.Lambda.Annotations/LambdaStartupAttribute.cs
+++ b/Libraries/src/Amazon.Lambda.Annotations/LambdaStartupAttribute.cs
@@ -7,7 +7,7 @@ namespace Amazon.Lambda.Annotations
/// can be injected into Lambda functions.
///
///
- /// The class should implement a ConfigureServices method that
+ /// The class should implement a ConfigureHostBuilder method (recommended) or ConfigureServices (legacy) that
/// adds one or more services to an IServiceCollection.
///
[AttributeUsage(AttributeTargets.Class)]
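Review bot: The rewritten line `/// The class should implement a ConfigureHostBuilder method (recommended) or ConfigureServices (legacy) that` is still followed by the unchanged `/// adds one or more services to an IServiceCollection.`, so the paragraph now reads as though ConfigureHostBuilder takes an IServiceCollection; as I understand the Annotations framework, that method receives the host builder, and the README this commit cites describes the two methods separately. Suggest making the two clauses parallel across the two `///` lines, e.g. `/// The class should implement a ConfigureHostBuilder method (recommended) that configures the IHostBuilder,` followed by `/// or a ConfigureServices method (legacy) that adds one or more services to an IServiceCollection.`. The enclosing summary/remarks tags are outside what this hunk shows.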