fix: add retry logic for GitHub API calls in scale-down Lambda by shivdesh · Pull Request #1 · isovalent/terraform-aws-github-runner

shivdesh · 2026-03-09T20:25:00Z

Summary

Add exponential backoff retry for transient GitHub API failures (5xx, 429) when de-registering runners during scale-down operations.

Problem

When the scale-down Lambda attempts to de-register a runner from GitHub, transient API failures (e.g., 502 Server Error) cause the operation to fail. The current code catches the error, logs it, but still terminates the EC2 instance. This leaves stale/offline runner entries in the GitHub org settings.

Solution

Add withRetry() helper with configurable max retries (3) and exponential backoff delays (1s, 2s, 4s)
Wrap deleteSelfHostedRunnerFromOrg/Repo calls with retry logic
Only terminate EC2 instance if GitHub de-registration succeeds
If de-registration fails after all retries, leave the instance running so the next scale-down cycle can retry

Changes

lambdas/functions/control-plane/src/scale-runners/scale-down.ts:
- Added RETRY_CONFIG, sleep(), isRetryableError(), and withRetry() helper functions
- Added deleteGitHubRunner() wrapper that uses retry logic
- Modified removeRunner() to only terminate EC2 if all GitHub de-registrations succeed

Testing

Tested locally with simulated 502 errors
Retry logic handles 5xx errors and 429 rate limiting

…ollisions (github-aws-runners#5056) ## Summary Fixes concurrent JWT collisions that cause silent job loss during burst workloads. When multiple scale-up Lambda invocations generate GitHub App JWTs within the same second, `universal-github-app-jwt` produces byte-identical tokens (same `iat`, `exp`, `iss`, no `jti`). GitHub rejects the duplicates, returning HTTP 404 on `POST /app/installations/{id}/access_tokens`, which triggers silent batch dropping. ### Root cause `universal-github-app-jwt` generates JWTs with only `{ iat, exp, iss }` claims. The `iat` uses seconds precision (`Math.floor(Date.now() / 1000)`). With the same App ID and private key, concurrent invocations within the same second produce identical tokens. ### Fix Replace `privateKey`-based auth with a custom `createJwt` callback — a first-class API in `@octokit/auth-app` v8.x that completely bypasses `universal-github-app-jwt`. The callback: - Signs JWTs using `node:crypto.createSign` (zero new dependencies) - Includes a `crypto.randomUUID()` `jti` claim, ensuring every token is unique - Preserves the existing `iat`/`exp` logic (30s safety margin, 10-minute expiry) - Properly forwards the `timeDifference` parameter for clock drift correction - Supports both PKCS#1 and PKCS#8 private key formats (via `node:crypto`) ### Changes - `lambdas/functions/control-plane/src/github/auth.ts` — replace `privateKey` with `createJwt` callback in `createAuth()` - `lambdas/functions/control-plane/src/github/auth.test.ts` — update tests to assert `createJwt` instead of `privateKey`, add test verifying unique JWTs with `jti` ### Test coverage - Existing tests updated to verify `createJwt` callback is passed instead of `privateKey` - New test generates two JWTs in rapid succession and verifies they differ (proving `jti` uniqueness) - New test validates JWT structure (header.payload.signature) and verifies `jti`, `iat`, `exp`, `iss` claims are present - All 343 control-plane tests pass Fixes github-aws-runners#5025

Currently, when using the Debian OS, the existing `install-runner.sh` script will take an additional 25s during start up as the script attempts to install `libicu` via `dnf` This PR adds support for the `debian` OS which is listed as a supported OS in the GitHub docs: https://docs.github.com/en/actions/reference/runners/self-hosted-runners#linux

… instance (github-aws-runners#4990) This pull request enhances the robustness and reliability of the GitHub Actions runner scaling logic by improving error handling and retry mechanisms for GitHub API calls. It introduces the `@octokit/plugin-retry` plugin to automatically retry failed API requests, adds detailed logging for retry attempts, and ensures that failures in creating JIT configs for individual runner instances do not halt the entire scaling process. Additionally, new tests are added to verify handling of various API failure scenarios. **GitHub API client improvements:** * Added `@octokit/plugin-retry` to dependencies (`package.json`) and integrated it into the Octokit client initialization to enable automatic retries for failed GitHub API requests. [[1]](diffhunk://#diff-37d09418dae74ded5678eabfa3b60993ee491e2fd9e49e11142f639b078ac9b2R41) [[2]](diffhunk://#diff-cf7cdd79fe0ed0e3a2e8928c0c7667a096c47c47abdb2354ddadee67e80a226dR21) [[3]](diffhunk://#diff-cf7cdd79fe0ed0e3a2e8928c0c7667a096c47c47abdb2354ddadee67e80a226dL29-R30) * Configured the retry plugin to log detailed warnings on each retry attempt, including the HTTP method, URL, error message, and status code. **Error handling and resilience in JIT config creation:** * Updated `createJitConfig` in `scale-up.ts` to catch and log errors for individual runner instances when creating JIT configs, allowing the process to continue for remaining instances and logging a summary of failed attempts at the end. [[1]](diffhunk://#diff-fbc68af2a40bf14ad13a80b13958c0b52d1d0fde5f0009416a693fb4b691ceaeR537-R542) [[2]](diffhunk://#diff-fbc68af2a40bf14ad13a80b13958c0b52d1d0fde5f0009416a693fb4b691ceaeR582-R596) * Instances that failed to generate a configuration, will now be terminated to avoid generating waste. **Testing improvements:** * Added comprehensive tests to `scale-up.test.ts` to verify correct behavior when GitHub API calls fail for some instances, including retryable errors (e.g., 5xx), non-retryable errors (e.g., 4xx), and partial failures, ensuring only successful JIT configs are stored.

…b-aws-runners#5034) Bumps [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) from 0.4.1 to 0.5.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/zizmorcore/zizmor-action/releases">zizmorcore/zizmor-action's releases</a>.</em></p> <blockquote> <h2>v0.5.0</h2> <h2>What's Changed</h2> <ul> <li>Expose <code>output-file</code> as an output when <code>advanced-security: true</code> by <a href="https://github.com/unlobito"><code>@unlobito</code></a> in <a href="https://redirect.github.com/zizmorcore/zizmor-action/pull/87">zizmorcore/zizmor-action#87</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/unlobito"><code>@unlobito</code></a> made their first contribution in <a href="https://redirect.github.com/zizmorcore/zizmor-action/pull/87">zizmorcore/zizmor-action#87</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/zizmorcore/zizmor-action/compare/v0.4.1...v0.5.0">https://github.com/zizmorcore/zizmor-action/compare/v0.4.1...v0.5.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/zizmorcore/zizmor-action/commit/0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d"><code>0dce257</code></a> chore(deps): bump peter-evans/create-pull-request (<a href="https://redirect.github.com/zizmorcore/zizmor-action/issues/88">#88</a>)</li> <li><a href="https://github.com/zizmorcore/zizmor-action/commit/fb9497493b591ad90176d3ecac5ca4aeff8c9faf"><code>fb94974</code></a> Expose <code>output-file</code> as an output when <code>advanced-security: true</code> (<a href="https://redirect.github.com/zizmorcore/zizmor-action/issues/87">#87</a>)</li> <li><a href="https://github.com/zizmorcore/zizmor-action/commit/867562a69bb7adcc63dd1e8c003600a58b5f70e2"><code>867562a</code></a> chore(deps): bump the github-actions group with 2 updates (<a href="https://redirect.github.com/zizmorcore/zizmor-action/issues/85">#85</a>)</li> <li><a href="https://github.com/zizmorcore/zizmor-action/commit/7462f075f718787753331c6d98ca9ef8eb41e735"><code>7462f07</code></a> Bump pins in README (<a href="https://redirect.github.com/zizmorcore/zizmor-action/issues/84">#84</a>)</li> <li>See full diff in <a href="https://github.com/zizmorcore/zizmor-action/compare/135698455da5c3b3e55f73f4419e481ab68cdd95...0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=zizmorcore/zizmor-action&package-manager=github_actions&previous-version=0.4.1&new-version=0.5.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…ithub-aws-runners#5002) Bumps [@types/express](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/express) from 5.0.3 to 5.0.6. <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/express">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@types/express&package-manager=npm_and_yarn&previous-version=5.0.3&new-version=5.0.6)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) You can trigger a rebase of this PR by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> > **Note** > Automatic rebases have been disabled on this pull request as it has been open for over 30 days. Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…aws-runners#5050) Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.9 to 4.32.4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/github/codeql-action/releases">github/codeql-action's releases</a>.</em></p> <blockquote> <h2>v4.32.4</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.2">2.24.2</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3493">#3493</a></li> <li>Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registries are configured</a>. This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. <a href="https://redirect.github.com/github/codeql-action/pull/3473">#3473</a></li> <li>When the CodeQL Action is run <a href="https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/troubleshooting/troubleshooting-analysis-errors/logs-not-detailed-enough#creating-codeql-debugging-artifacts-for-codeql-default-setup">with debugging enabled in Default Setup</a> and <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registries are configured</a>, the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. <a href="https://redirect.github.com/github/codeql-action/pull/3486">#3486</a></li> <li>Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. <a href="https://redirect.github.com/github/codeql-action/pull/3485">#3485</a></li> <li>Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a <a href="https://github.com/dsp-testing/codeql-cli-nightlies">nightly CodeQL CLI release</a> instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. <a href="https://redirect.github.com/github/codeql-action/pull/3484">#3484</a></li> </ul> <h2>v4.32.3</h2> <ul> <li>Added experimental support for testing connections to <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registries</a>. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. <a href="https://redirect.github.com/github/codeql-action/pull/3466">#3466</a></li> </ul> <h2>v4.32.2</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.1">2.24.1</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3460">#3460</a></li> </ul> <h2>v4.32.1</h2> <ul> <li>A warning is now shown in Default Setup workflow logs if a <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registry is configured</a> using a GitHub Personal Access Token (PAT), but no username is configured. <a href="https://redirect.github.com/github/codeql-action/pull/3422">#3422</a></li> <li>Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. <a href="https://redirect.github.com/github/codeql-action/pull/3421">#3421</a></li> </ul> <h2>v4.32.0</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.0">2.24.0</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3425">#3425</a></li> </ul> <h2>v4.31.11</h2> <ul> <li>When running a Default Setup workflow with <a href="https://docs.github.com/en/actions/how-tos/monitor-workflows/enable-debug-logging">Actions debugging enabled</a>, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. <a href="https://redirect.github.com/github/codeql-action/pull/3409">#3409</a></li> <li>Improved error handling throughout the CodeQL Action. <a href="https://redirect.github.com/github/codeql-action/pull/3415">#3415</a></li> <li>Added experimental support for automatically excluding <a href="https://docs.github.com/en/repositories/working-with-files/managing-files/customizing-how-changed-files-appear-on-github">generated files</a> from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. <a href="https://redirect.github.com/github/codeql-action/pull/3318">#3318</a></li> <li>The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. <a href="https://redirect.github.com/github/codeql-action/pull/3403">#3403</a></li> </ul> <h2>v4.31.10</h2> <h1>CodeQL Action Changelog</h1> <p>See the <a href="https://github.com/github/codeql-action/releases">releases page</a> for the relevant changes to the CodeQL CLI and language packs.</p> <h2>4.31.10 - 12 Jan 2026</h2> <ul> <li>Update default CodeQL bundle version to 2.23.9. <a href="https://redirect.github.com/github/codeql-action/pull/3393">#3393</a></li> </ul> <p>See the full <a href="https://github.com/github/codeql-action/blob/v4.31.10/CHANGELOG.md">CHANGELOG.md</a> for more information.</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's changelog</a>.</em></p> <blockquote> <h1>CodeQL Action Changelog</h1> <p>See the <a href="https://github.com/github/codeql-action/releases">releases page</a> for the relevant changes to the CodeQL CLI and language packs.</p> <h2>[UNRELEASED]</h2> <p>No user facing changes.</p> <h2>4.32.4 - 20 Feb 2026</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.2">2.24.2</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3493">#3493</a></li> <li>Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registries are configured</a>. This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. <a href="https://redirect.github.com/github/codeql-action/pull/3473">#3473</a></li> <li>When the CodeQL Action is run <a href="https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/troubleshooting/troubleshooting-analysis-errors/logs-not-detailed-enough#creating-codeql-debugging-artifacts-for-codeql-default-setup">with debugging enabled in Default Setup</a> and <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registries are configured</a>, the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. <a href="https://redirect.github.com/github/codeql-action/pull/3486">#3486</a></li> <li>Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. <a href="https://redirect.github.com/github/codeql-action/pull/3485">#3485</a></li> <li>Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a <a href="https://github.com/dsp-testing/codeql-cli-nightlies">nightly CodeQL CLI release</a> instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. <a href="https://redirect.github.com/github/codeql-action/pull/3484">#3484</a></li> </ul> <h2>4.32.3 - 13 Feb 2026</h2> <ul> <li>Added experimental support for testing connections to <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registries</a>. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. <a href="https://redirect.github.com/github/codeql-action/pull/3466">#3466</a></li> </ul> <h2>4.32.2 - 05 Feb 2026</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.1">2.24.1</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3460">#3460</a></li> </ul> <h2>4.32.1 - 02 Feb 2026</h2> <ul> <li>A warning is now shown in Default Setup workflow logs if a <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registry is configured</a> using a GitHub Personal Access Token (PAT), but no username is configured. <a href="https://redirect.github.com/github/codeql-action/pull/3422">#3422</a></li> <li>Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. <a href="https://redirect.github.com/github/codeql-action/pull/3421">#3421</a></li> </ul> <h2>4.32.0 - 26 Jan 2026</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.0">2.24.0</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3425">#3425</a></li> </ul> <h2>4.31.11 - 23 Jan 2026</h2> <ul> <li>When running a Default Setup workflow with <a href="https://docs.github.com/en/actions/how-tos/monitor-workflows/enable-debug-logging">Actions debugging enabled</a>, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. <a href="https://redirect.github.com/github/codeql-action/pull/3409">#3409</a></li> <li>Improved error handling throughout the CodeQL Action. <a href="https://redirect.github.com/github/codeql-action/pull/3415">#3415</a></li> <li>Added experimental support for automatically excluding <a href="https://docs.github.com/en/repositories/working-with-files/managing-files/customizing-how-changed-files-appear-on-github">generated files</a> from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. <a href="https://redirect.github.com/github/codeql-action/pull/3318">#3318</a></li> <li>The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. <a href="https://redirect.github.com/github/codeql-action/pull/3403">#3403</a></li> </ul> <h2>4.31.10 - 12 Jan 2026</h2> <ul> <li>Update default CodeQL bundle version to 2.23.9. <a href="https://redirect.github.com/github/codeql-action/pull/3393">#3393</a></li> </ul> <h2>4.31.9 - 16 Dec 2025</h2> <p>No user facing changes.</p> <h2>4.31.8 - 11 Dec 2025</h2>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/github/codeql-action/commit/89a39a4e59826350b863aa6b6252a07ad50cf83e"><code>89a39a4</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3494">#3494</a> from github/update-v4.32.4-39ba80c47</li> <li><a href="https://github.com/github/codeql-action/commit/e5d84c885c00d506f7816d26a298534dbbffac6d"><code>e5d84c8</code></a> Apply remaining review suggestions</li> <li><a href="https://github.com/github/codeql-action/commit/0c202097b5de484e2a3725d4467f9cb7e3107881"><code>0c20209</code></a> Apply suggestions from code review</li> <li><a href="https://github.com/github/codeql-action/commit/314172e5a1e1691ba4ad232b3d0230ceaf3d9239"><code>314172e</code></a> Fix typo</li> <li><a href="https://github.com/github/codeql-action/commit/cdda72d36b93310932b0afe1784acd0209d190dd"><code>cdda72d</code></a> Add changelog entries</li> <li><a href="https://github.com/github/codeql-action/commit/cfda84cc5509282e2adc1570c3cf29c3167ae87f"><code>cfda84c</code></a> Update changelog for v4.32.4</li> <li><a href="https://github.com/github/codeql-action/commit/39ba80c47550c834104c0f222b502461ac312c29"><code>39ba80c</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3493">#3493</a> from github/update-bundle/codeql-bundle-v2.24.2</li> <li><a href="https://github.com/github/codeql-action/commit/00150dad957fc9c1cba52bdab82e458ae5c09fe5"><code>00150da</code></a> Add changelog note</li> <li><a href="https://github.com/github/codeql-action/commit/d97dce6561ae3dd4e4db9bfa95479f7572bd7566"><code>d97dce6</code></a> Update default bundle to codeql-bundle-v2.24.2</li> <li><a href="https://github.com/github/codeql-action/commit/50fdbb9ec845c41d6d3509d794e3a28af7032c59"><code>50fdbb9</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3492">#3492</a> from github/henrymercer/new-repository-properties-ff</li> <li>Additional commits viewable in <a href="https://github.com/github/codeql-action/compare/5d4e8d1aca955e8d8589aabd499c5cae939e33c7...89a39a4e59826350b863aa6b6252a07ad50cf83e">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github/codeql-action&package-manager=github_actions&previous-version=4.31.9&new-version=4.32.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…nner-reusable-pr.yml from 2.3.2 to 2.3.3 (github-aws-runners#5043) Bumps [google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml](https://github.com/google/osv-scanner-action) from 2.3.2 to 2.3.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/google/osv-scanner-action/releases">google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml's releases</a>.</em></p> <blockquote> <h2>v2.3.3</h2> <p>This updates OSV-Scanner to v2.3.3.</p> <h2>What's Changed</h2> <ul> <li>chore(deps): update github/codeql-action action to v4.31.10 by <a href="https://github.com/renovate-bot"><code>@renovate-bot</code></a> in <a href="https://redirect.github.com/google/osv-scanner-action/pull/115">google/osv-scanner-action#115</a></li> <li>Update to v2.3.3 by <a href="https://github.com/Ly-Joey"><code>@Ly-Joey</code></a> in <a href="https://redirect.github.com/google/osv-scanner-action/pull/118">google/osv-scanner-action#118</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/Ly-Joey"><code>@Ly-Joey</code></a> made their first contribution in <a href="https://redirect.github.com/google/osv-scanner-action/pull/118">google/osv-scanner-action#118</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/google/osv-scanner-action/compare/v2.3.2...v2.3.3">https://github.com/google/osv-scanner-action/compare/v2.3.2...v2.3.3</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/google/osv-scanner-action/commit/c5996e0193a3df57d695c1b8a1dec2a4c62e8730"><code>c5996e0</code></a> Merge pull request <a href="https://redirect.github.com/google/osv-scanner-action/issues/118">#118</a> from google/update-to-v2.3.3</li> <li><a href="https://github.com/google/osv-scanner-action/commit/f4fac926054e3236b87692fa58d351da22518991"><code>f4fac92</code></a> Update unified workflow example to point to v2.3.3 reusable workflows</li> <li><a href="https://github.com/google/osv-scanner-action/commit/8ae4be80636b94886b3c271caad730985ce0611c"><code>8ae4be8</code></a> Update reusable workflows to point to v2.3.3 actions</li> <li><a href="https://github.com/google/osv-scanner-action/commit/8018483926dd235b3013d8c88023e644b9f8e09e"><code>8018483</code></a> "Update actions to use v2.3.3 osv-scanner image"</li> <li><a href="https://github.com/google/osv-scanner-action/commit/2c222dbe8cbd6baffa4929823c8e5c3ab481d4d0"><code>2c222db</code></a> Merge pull request <a href="https://redirect.github.com/google/osv-scanner-action/issues/115">#115</a> from renovate-bot/renovate/workflows</li> <li><a href="https://github.com/google/osv-scanner-action/commit/115472d53545bb5e00eab96c82d23b16922bc73f"><code>115472d</code></a> chore(deps): update github/codeql-action action to v4.31.10</li> <li>See full diff in <a href="https://github.com/google/osv-scanner-action/compare/2a387edfbe02a11d856b89172f6e978100177eb4...c5996e0193a3df57d695c1b8a1dec2a4c62e8730">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml&package-manager=github_actions&previous-version=2.3.2&new-version=2.3.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…ithub-aws-runners#5041) Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.14.0 to 2.14.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/step-security/harden-runner/releases">step-security/harden-runner's releases</a>.</em></p> <blockquote> <h2>v2.14.2</h2> <h2>What's Changed</h2> <p>Security fix: Fixed a medium severity vulnerability where outbound network connections using sendto, sendmsg, and sendmmsg socket system calls could bypass audit logging when using egress-policy: audit. This issue only affects the Community Tier in audit mode; block mode and Enterprise Tier were not affected. See <a href="https://github.com/step-security/harden-runner/security/advisories/GHSA-cpmj-h4f6-r6pq">GHSA-cpmj-h4f6-r6pq</a> for details.</p> <p><strong>Full Changelog</strong>: <a href="https://github.com/step-security/harden-runner/compare/v2.14.1...v2.14.2">https://github.com/step-security/harden-runner/compare/v2.14.1...v2.14.2</a></p> <h2>v2.14.1</h2> <h2>What's Changed</h2> <ol> <li> <p>In some self-hosted environments, the agent could briefly fall back to public DNS resolvers during startup if the system DNS was not yet available. This behavior was unintended for GitHub-hosted runners and has now been fixed to prevent any use of public DNS resolvers.</p> </li> <li> <p>Fixed npm audit vulnerabilities</p> </li> </ol> <p><strong>Full Changelog</strong>: <a href="https://github.com/step-security/harden-runner/compare/v2.14.0...v2.14.1">https://github.com/step-security/harden-runner/compare/v2.14.0...v2.14.1</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/step-security/harden-runner/commit/5ef0c079ce82195b2a36a210272d6b661572d83e"><code>5ef0c07</code></a> Merge pull request <a href="https://redirect.github.com/step-security/harden-runner/issues/635">#635</a> from step-security/rc-34</li> <li><a href="https://github.com/step-security/harden-runner/commit/eb43c7b3fd5a30c42ff1ab84b494f1cc6c7cc3b6"><code>eb43c7b</code></a> update agent</li> <li><a href="https://github.com/step-security/harden-runner/commit/e3f713f2d8f53843e71c69a996d56f51aa9adfb9"><code>e3f713f</code></a> Merge pull request <a href="https://redirect.github.com/step-security/harden-runner/issues/631">#631</a> from step-security/rc-31</li> <li><a href="https://github.com/step-security/harden-runner/commit/423acdda6fd4f75f197b7c305a3f2e3d700dc00b"><code>423acdd</code></a> chore: fix npm audit vulnerabilities</li> <li><a href="https://github.com/step-security/harden-runner/commit/0ddb86cf0353b79dbed5bb8cef4103700cea70a7"><code>0ddb86c</code></a> update agent</li> <li>See full diff in <a href="https://github.com/step-security/harden-runner/compare/20cf305ff2072d973412fa9b1e3a4f227bda3c76...5ef0c079ce82195b2a36a210272d6b661572d83e">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=step-security/harden-runner&package-manager=github_actions&previous-version=2.14.0&new-version=2.14.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…kflows/mkdocs in the python-deps group (github-aws-runners#5051) Bumps the python-deps group in /.github/workflows/mkdocs with 1 update: [mkdocs-material](https://github.com/squidfunk/mkdocs-material). Updates `mkdocs-material` from 9.7.1 to 9.7.2 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/squidfunk/mkdocs-material/releases">mkdocs-material's releases</a>.</em></p> <blockquote> <h2>mkdocs-material-9.7.2</h2> <blockquote> <p>[!WARNING]</p> <p><strong>Material for MkDocs is in maintenance mode</strong></p> <p>Going forward, the Material for MkDocs team focuses on <a href="https://zensical.org">Zensical</a>, a next-gen static site generator built from first principles. We will provide critical bug fixes and security updates for Material for MkDocs until November 2026.</p> <p><a href="https://squidfunk.github.io/mkdocs-material/blog/2025/11/05/zensical/">Read the full announcement on our blog</a></p> </blockquote> <h2>Changes</h2> <ul> <li>Opened up version ranges of optional dependencies for forward-compatibility</li> <li>Added warning to <code>mkdocs build</code> about impending MkDocs 2.0 incompatibility (doesn't affect strict mode)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/squidfunk/mkdocs-material/blob/master/CHANGELOG">mkdocs-material's changelog</a>.</em></p> <blockquote> <p>mkdocs-material-9.7.3 (2026-02-24)</p> <ul> <li>Fixed <a href="https://redirect.github.com/squidfunk/mkdocs-material/issues/8567">#8567</a>: Print MkDocs 2.0 incompatibility warning to stderr</li> </ul> <p>mkdocs-material-9.7.2 (2026-02-18)</p> <ul> <li>Opened up version ranges of optional dependencies for forward-compatibility</li> <li>Added warning to 'mkdocs build' about impending MkDocs 2.0 incompatibility</li> </ul> <p>mkdocs-material-9.7.1 (2025-12-18)</p> <ul> <li>Updated requests to 2.30+ to mitigate CVE in urllib</li> <li>Fixed privacy plugin not picking up protocol-relative URLs</li> <li>Fixed <a href="https://redirect.github.com/squidfunk/mkdocs-material/issues/8542">#8542</a>: false positives and negatives captured in privacy plugin</li> </ul> <p>mkdocs-material-9.7.0 (2025-11-11)</p> <p>⚠️ Material for MkDocs is now in maintenance mode</p> <p>This is the last release of Material for MkDocs that will receive new features. Going forward, the Material for MkDocs team focuses on Zensical, a next-gen static site generator built from first principles. We will provide critical bug fixes and security updates for Material for MkDocs for 12 months at least.</p> <p>Read the full announcement on our blog: <a href="https://squidfunk.github.io/mkdocs-material/blog/2025/11/05/zensical/">https://squidfunk.github.io/mkdocs-material/blog/2025/11/05/zensical/</a></p> <p>This release includes all features that were previously exclusive to the Insiders edition. These features are now freely available to everyone.</p> <p>Note on deprecated plugins: The projects and typeset plugins are included in this release, but must be considered deprecated. Both plugins proved unsustainable to maintain and represent architectural dead ends. They are provided as-is without ongoing support.</p> <p>Changes:</p> <ul> <li>Added support for pinned blog posts and author profiles</li> <li>Added support for customizing pagination for blog index pages</li> <li>Added support for customizing blog category sort order</li> <li>Added support for staying on page when switching languages</li> <li>Added support for disabling tags in table of contents</li> <li>Added support for nested tags and shadow tags</li> <li>Added support for footnote tooltips</li> <li>Added support for instant previews</li> <li>Added support for instant prefetching</li> <li>Added support for custom social card layouts</li> <li>Added support for custom social card background images</li> <li>Added support for selectable rangs in code blocks</li> <li>Added support for custom selectors for code annotations</li> </ul>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/squidfunk/mkdocs-material/commit/e21a119e38f7bca184e469eaeefa3d5535e5022b"><code>e21a119</code></a> Updated changelog</li> <li><a href="https://github.com/squidfunk/mkdocs-material/commit/d5654b500a7021625d3c78f59842805c45e7b65a"><code>d5654b5</code></a> Prepare 9.7.2 release</li> <li><a href="https://github.com/squidfunk/mkdocs-material/commit/b18af2f74a98e0d54f7f11b4e029d7ea29166df3"><code>b18af2f</code></a> Opened up version ranges in optional dependencies</li> <li><a href="https://github.com/squidfunk/mkdocs-material/commit/39cdfbd87c80079cd06a6d2a953cd53f531db61d"><code>39cdfbd</code></a> Added social card for blog post</li> <li><a href="https://github.com/squidfunk/mkdocs-material/commit/09ee7b1913eab1988ff3a81982c39634915336e1"><code>09ee7b1</code></a> Added blog post on MkDocs 2.0 (<a href="https://redirect.github.com/squidfunk/mkdocs-material/issues/8564">#8564</a>)</li> <li><a href="https://github.com/squidfunk/mkdocs-material/commit/0d11a2d01174a0ab3bec97300c4432da44128253"><code>0d11a2d</code></a> Documentation (<a href="https://redirect.github.com/squidfunk/mkdocs-material/issues/8560">#8560</a>)</li> <li><a href="https://github.com/squidfunk/mkdocs-material/commit/8fc61b5cb00845825179d6fd3e331c789f83187b"><code>8fc61b5</code></a> Updated dependencies</li> <li><a href="https://github.com/squidfunk/mkdocs-material/commit/3f0eaca8da7e06db5bbb8ca41febb78459baf650"><code>3f0eaca</code></a> Documentation</li> <li><a href="https://github.com/squidfunk/mkdocs-material/commit/eaba2dc24f196ecbf8e9aa87f8982be4e154920b"><code>eaba2dc</code></a> Re-enable publishing</li> <li>See full diff in <a href="https://github.com/squidfunk/mkdocs-material/compare/9.7.1...9.7.2">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=mkdocs-material&package-manager=pip&previous-version=9.7.1&new-version=9.7.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…ithub-aws-runners#5058) Bumps the github group with 4 updates in the / directory: [actions/upload-artifact](https://github.com/actions/upload-artifact), [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance), [actions/stale](https://github.com/actions/stale) and [actions/cache](https://github.com/actions/cache). Updates `actions/upload-artifact` from 6.0.0 to 7.0.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/upload-artifact/releases">actions/upload-artifact's releases</a>.</em></p> <blockquote> <h2>v7.0.0</h2> <h2>v7 What's new</h2> <h3>Direct Uploads</h3> <p>Adds support for uploading single files directly (unzipped). Callers can set the new <code>archive</code> parameter to <code>false</code> to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The <code>name</code> parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.</p> <h3>ESM</h3> <p>To support new versions of the <code>@actions/*</code> packages, we've upgraded the package to ESM.</p> <h2>What's Changed</h2> <ul> <li>Add proxy integration test by <a href="https://github.com/Link"><code>@Link</code></a>- in <a href="https://redirect.github.com/actions/upload-artifact/pull/754">actions/upload-artifact#754</a></li> <li>Upgrade the module to ESM and bump dependencies by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/762">actions/upload-artifact#762</a></li> <li>Support direct file uploads by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/764">actions/upload-artifact#764</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/Link"><code>@Link</code></a>- made their first contribution in <a href="https://redirect.github.com/actions/upload-artifact/pull/754">actions/upload-artifact#754</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/upload-artifact/compare/v6...v7.0.0">https://github.com/actions/upload-artifact/compare/v6...v7.0.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/upload-artifact/commit/bbbca2ddaa5d8feaa63e36b76fdaad77386f024f"><code>bbbca2d</code></a> Support direct file uploads (<a href="https://redirect.github.com/actions/upload-artifact/issues/764">#764</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/589182c5a4cec8920b8c1bce3e2fab1c97a02296"><code>589182c</code></a> Upgrade the module to ESM and bump dependencies (<a href="https://redirect.github.com/actions/upload-artifact/issues/762">#762</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/47309c993abb98030a35d55ef7ff34b7fa1074b5"><code>47309c9</code></a> Merge pull request <a href="https://redirect.github.com/actions/upload-artifact/issues/754">#754</a> from actions/Link-/add-proxy-integration-tests</li> <li><a href="https://github.com/actions/upload-artifact/commit/02a8460834e70dab0ce194c64360c59dc1475ef0"><code>02a8460</code></a> Add proxy integration test</li> <li>See full diff in <a href="https://github.com/actions/upload-artifact/compare/b7c566a772e6b6bfb58ed0dc250532a479d7789f...bbbca2ddaa5d8feaa63e36b76fdaad77386f024f">compare view</a></li> </ul> </details> <br /> Updates `actions/attest-build-provenance` from 3.1.0 to 4.1.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/attest-build-provenance/releases">actions/attest-build-provenance's releases</a>.</em></p> <blockquote> <h2>v4.1.0</h2> <blockquote> <p>[!NOTE] As of version 4, <code>actions/attest-build-provenance</code> is simply a wrapper on top of <a href="https://github.com/actions/attest"><code>actions/attest</code></a>.</p> <p>Existing applications may continue to use the <code>attest-build-provenance</code> action, but new implementations should use <code>actions/attest</code> instead.</p> </blockquote> <h2>What's Changed</h2> <ul> <li>Update RELEASE.md docs by <a href="https://github.com/bdehamer"><code>@bdehamer</code></a> in <a href="https://redirect.github.com/actions/attest-build-provenance/pull/836">actions/attest-build-provenance#836</a></li> <li>Bump <code>actions/attest</code> from 4.0.0 to 4.1.0 by <a href="https://github.com/bdehamer"><code>@bdehamer</code></a> in <a href="https://redirect.github.com/actions/attest-build-provenance/pull/838">actions/attest-build-provenance#838</a> <ul> <li>Bump <code>@actions/attest</code> from 3.0.0 to 3.1.0 by <a href="https://github.com/bdehamer"><code>@bdehamer</code></a> in <a href="https://redirect.github.com/actions/attest/pull/362">actions/attest#362</a></li> <li>Bump <code>@actions/attest</code> from 3.1.0 to 3.2.0 by <a href="https://github.com/bdehamer"><code>@bdehamer</code></a> in <a href="https://redirect.github.com/actions/attest/pull/365">actions/attest#365</a></li> <li>Add new <code>subject-version</code> input for inclusion in storage record by <a href="https://github.com/bdehamer"><code>@bdehamer</code></a> in <a href="https://redirect.github.com/actions/attest/pull/364">actions/attest#364</a></li> <li>Add storage record content to README by <a href="https://github.com/bdehamer"><code>@bdehamer</code></a> in <a href="https://redirect.github.com/actions/attest/pull/366">actions/attest#366</a></li> </ul> </li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/attest-build-provenance/compare/v4.0.0...v4.1.0">https://github.com/actions/attest-build-provenance/compare/v4.0.0...v4.1.0</a></p> <h2>v4.0.0</h2> <blockquote> <p>[!NOTE] As of version 4, <code>actions/attest-build-provenance</code> is simply a wrapper on top of <a href="https://github.com/actions/attest"><code>actions/attest</code></a>.</p> <p>Existing applications may continue to use the <code>attest-build-provenance</code> action, but new implementations should use <code>actions/attest</code> instead.</p> </blockquote> <h2>What's Changed</h2> <ul> <li>Prepare v4 release by <a href="https://github.com/bdehamer"><code>@bdehamer</code></a> in <a href="https://redirect.github.com/actions/attest-build-provenance/pull/835">actions/attest-build-provenance#835</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/attest-build-provenance/compare/v3.2.0...v4.0.0">https://github.com/actions/attest-build-provenance/compare/v3.2.0...v4.0.0</a></p> <h2>v3.2.0</h2> <h2>What's Changed</h2> <ul> <li>Bump <code>@actions/core</code> from 1.11.1 to 2.0.1 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/attest-build-provenance/pull/776">actions/attest-build-provenance#776</a></li> <li>Add more documentation on Artifact Metadata Storage Records by <a href="https://github.com/malancas"><code>@malancas</code></a> in <a href="https://redirect.github.com/actions/attest-build-provenance/pull/797">actions/attest-build-provenance#797</a></li> <li>Update actions/attest to latest version v3.2.0 by <a href="https://github.com/malancas"><code>@malancas</code></a> in <a href="https://redirect.github.com/actions/attest-build-provenance/pull/812">actions/attest-build-provenance#812</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/attest-build-provenance/compare/v3.1.0...v3.2.0">https://github.com/actions/attest-build-provenance/compare/v3.1.0...v3.2.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/attest-build-provenance/commit/a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32"><code>a2bbfa2</code></a> bump actions/attest from 4.0.0 to 4.1.0 (<a href="https://redirect.github.com/actions/attest-build-provenance/issues/838">#838</a>)</li> <li><a href="https://github.com/actions/attest-build-provenance/commit/0856891a35570e4ac506b510f0358a4308f82385"><code>0856891</code></a> update RELEASE.md docs (<a href="https://redirect.github.com/actions/attest-build-provenance/issues/836">#836</a>)</li> <li><a href="https://github.com/actions/attest-build-provenance/commit/e4d4f7c39adfa4c260fb5c147f0622000aa14b99"><code>e4d4f7c</code></a> prepare v4 release (<a href="https://redirect.github.com/actions/attest-build-provenance/issues/835">#835</a>)</li> <li><a href="https://github.com/actions/attest-build-provenance/commit/02a49bdc410a809733602220c6f6275925d6b578"><code>02a49bd</code></a> Bump github/codeql-action in the actions-minor group (<a href="https://redirect.github.com/actions/attest-build-provenance/issues/824">#824</a>)</li> <li><a href="https://github.com/actions/attest-build-provenance/commit/7c757df4145fcd233331998e58b20b422c833a00"><code>7c757df</code></a> Bump the npm-development group with 2 updates (<a href="https://redirect.github.com/actions/attest-build-provenance/issues/825">#825</a>)</li> <li><a href="https://github.com/actions/attest-build-provenance/commit/c44148e5bf178192efd8947e07a0d439a356c60b"><code>c44148e</code></a> Bump github/codeql-action in the actions-minor group (<a href="https://redirect.github.com/actions/attest-build-provenance/issues/818">#818</a>)</li> <li><a href="https://github.com/actions/attest-build-provenance/commit/32343527f2ec94583cf7b31280de0f60dc9f0bf9"><code>3234352</code></a> Bump <code>@types/node</code> from 25.0.10 to 25.2.0 in the npm-development group (<a href="https://redirect.github.com/actions/attest-build-provenance/issues/819">#819</a>)</li> <li><a href="https://github.com/actions/attest-build-provenance/commit/18db12979d4cecda10c1cf295bcb159f3e59866d"><code>18db129</code></a> Bump tar from 7.5.6 to 7.5.7 (<a href="https://redirect.github.com/actions/attest-build-provenance/issues/816">#816</a>)</li> <li><a href="https://github.com/actions/attest-build-provenance/commit/90fadfae6ba2e2ef59f8d38e61ec3cf16443a18e"><code>90fadfa</code></a> Bump <code>@actions/core</code> from 2.0.1 to 2.0.2 in the npm-production group (<a href="https://redirect.github.com/actions/attest-build-provenance/issues/799">#799</a>)</li> <li><a href="https://github.com/actions/attest-build-provenance/commit/57db8ba356515a4c8608990f2aa27a6972235ccc"><code>57db8ba</code></a> Bump the npm-development group across 1 directory with 3 updates (<a href="https://redirect.github.com/actions/attest-build-provenance/issues/808">#808</a>)</li> <li>Additional commits viewable in <a href="https://github.com/actions/attest-build-provenance/compare/00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8...a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32">compare view</a></li> </ul> </details> <br /> Updates `actions/stale` from 10.1.1 to 10.2.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/stale/releases">actions/stale's releases</a>.</em></p> <blockquote> <h2>v10.2.0</h2> <h2>What's Changed</h2> <h3>Bug Fix</h3> <ul> <li>Fix checking state cache (fix <a href="https://redirect.github.com/actions/stale/issues/1136">#1136</a>) and switch to Octokit helper methods by <a href="https://github.com/itchyny"><code>@itchyny</code></a> in <a href="https://redirect.github.com/actions/stale/pull/1152">actions/stale#1152</a></li> </ul> <h3>Dependency Updates</h3> <ul> <li>Upgrade js-yaml from 4.1.0 to 4.1.1 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/stale/pull/1304">actions/stale#1304</a></li> <li>Upgrade lodash from 4.17.21 to 4.17.23 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/stale/pull/1313">actions/stale#1313</a></li> <li>Upgrade actions/cache from 4.0.3 to 5.0.2 and actions/github from 5.1.1 to 7.0.0 by <a href="https://github.com/chiranjib-swain"><code>@chiranjib-swain</code></a> in <a href="https://redirect.github.com/actions/stale/pull/1312">actions/stale#1312</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/itchyny"><code>@itchyny</code></a> made their first contribution in <a href="https://redirect.github.com/actions/stale/pull/1152">actions/stale#1152</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/stale/compare/v10...v10.2.0">https://github.com/actions/stale/compare/v10...v10.2.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/stale/commit/b5d41d4e1d5dceea10e7104786b73624c18a190f"><code>b5d41d4</code></a> build(deps-dev): bump lodash from 4.17.21 to 4.17.23 (<a href="https://redirect.github.com/actions/stale/issues/1313">#1313</a>)</li> <li><a href="https://github.com/actions/stale/commit/dcd2b9469d2220b7e8d08aedc00c105d277fd46b"><code>dcd2b94</code></a> Fix punycode and url.parse Deprecation Warnings (<a href="https://redirect.github.com/actions/stale/issues/1312">#1312</a>)</li> <li><a href="https://github.com/actions/stale/commit/d6f8a33132340b15a7006f552936e4b9b39c00ec"><code>d6f8a33</code></a> build(deps-dev): bump js-yaml from 4.1.0 to 4.1.1 (<a href="https://redirect.github.com/actions/stale/issues/1304">#1304</a>)</li> <li><a href="https://github.com/actions/stale/commit/a21a0816299b11691f9592ef0d63d08e02f06d9d"><code>a21a081</code></a> Fix checking state cache (fix <a href="https://redirect.github.com/actions/stale/issues/1136">#1136</a>), also switch to octokit methods (<a href="https://redirect.github.com/actions/stale/issues/1152">#1152</a>)</li> <li>See full diff in <a href="https://github.com/actions/stale/compare/997185467fa4f803885201cee163a9f38240193d...b5d41d4e1d5dceea10e7104786b73624c18a190f">compare view</a></li> </ul> </details> <br /> Updates `actions/cache` from 5.0.1 to 5.0.3 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/cache/releases">actions/cache's releases</a>.</em></p> <blockquote> <h2>v5.0.3</h2> <h2>What's Changed</h2> <ul> <li>Bump <code>@actions/cache</code> to v5.0.5 (Resolves: <a href="https://github.com/actions/cache/security/dependabot/33">https://github.com/actions/cache/security/dependabot/33</a>)</li> <li>Bump <code>@actions/core</code> to v2.0.3</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/cache/compare/v5...v5.0.3">https://github.com/actions/cache/compare/v5...v5.0.3</a></p> <h2>v.5.0.2</h2> <h1>v5.0.2</h1> <h2>What's Changed</h2> <p>When creating cache entries, 429s returned from the cache service will not be retried.</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/actions/cache/blob/main/RELEASES.md">actions/cache's changelog</a>.</em></p> <blockquote> <h1>Releases</h1> <h2>How to prepare a release</h2> <blockquote> <p>[!NOTE]<br /> Relevant for maintainers with write access only.</p> </blockquote> <ol> <li>Switch to a new branch from <code>main</code>.</li> <li>Run <code>npm test</code> to ensure all tests are passing.</li> <li>Update the version in <a href="https://github.com/actions/cache/blob/main/package.json"><code>https://github.com/actions/cache/blob/main/package.json</code></a>.</li> <li>Run <code>npm run build</code> to update the compiled files.</li> <li>Update this <a href="https://github.com/actions/cache/blob/main/RELEASES.md"><code>https://github.com/actions/cache/blob/main/RELEASES.md</code></a> with the new version and changes in the <code>## Changelog</code> section.</li> <li>Run <code>licensed cache</code> to update the license report.</li> <li>Run <code>licensed status</code> and resolve any warnings by updating the <a href="https://github.com/actions/cache/blob/main/.licensed.yml"><code>https://github.com/actions/cache/blob/main/.licensed.yml</code></a> file with the exceptions.</li> <li>Commit your changes and push your branch upstream.</li> <li>Open a pull request against <code>main</code> and get it reviewed and merged.</li> <li>Draft a new release <a href="https://github.com/actions/cache/releases">https://github.com/actions/cache/releases</a> use the same version number used in <code>package.json</code> <ol> <li>Create a new tag with the version number.</li> <li>Auto generate release notes and update them to match the changes you made in <code>RELEASES.md</code>.</li> <li>Toggle the set as the latest release option.</li> <li>Publish the release.</li> </ol> </li> <li>Navigate to <a href="https://github.com/actions/cache/actions/workflows/release-new-action-version.yml">https://github.com/actions/cache/actions/workflows/release-new-action-version.yml</a> <ol> <li>There should be a workflow run queued with the same version number.</li> <li>Approve the run to publish the new version and update the major tags for this action.</li> </ol> </li> </ol> <h2>Changelog</h2> <h3>5.0.3</h3> <ul> <li>Bump <code>@actions/cache</code> to v5.0.5 (Resolves: <a href="https://github.com/actions/cache/security/dependabot/33">https://github.com/actions/cache/security/dependabot/33</a>)</li> <li>Bump <code>@actions/core</code> to v2.0.3</li> </ul> <h3>5.0.2</h3> <ul> <li>Bump <code>@actions/cache</code> to v5.0.3 <a href="https://redirect.github.com/actions/cache/pull/1692">#1692</a></li> </ul> <h3>5.0.1</h3> <ul> <li>Update <code>@azure/storage-blob</code> to <code>^12.29.1</code> via <code>@actions/cache@5.0.1</code> <a href="https://redirect.github.com/actions/cache/pull/1685">#1685</a></li> </ul> <h3>5.0.0</h3> <blockquote> <p>[!IMPORTANT] <code>actions/cache@v5</code> runs on the Node.js 24 runtime and requires a minimum Actions Runner version of <code>2.327.1</code>. If you are using self-hosted runners, ensure they are updated before upgrading.</p> </blockquote> <h3>4.3.0</h3> <ul> <li>Bump <code>@actions/cache</code> to <a href="https://redirect.github.com/actions/toolkit/pull/2132">v4.1.0</a></li> </ul>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/cache/commit/cdf6c1fa76f9f475f3d7449005a359c84ca0f306"><code>cdf6c1f</code></a> Merge pull request <a href="https://redirect.github.com/actions/cache/issues/1695">#1695</a> from actions/Link-/prepare-5.0.3</li> <li><a href="https://github.com/actions/cache/commit/a1bee22673bee4afb9ce4e0a1dc3da1c44060b7d"><code>a1bee22</code></a> Add review for the <code>@actions/http-client</code> license</li> <li><a href="https://github.com/actions/cache/commit/46957638dc5c5ff0c34c0143f443c07d3a7c769f"><code>4695763</code></a> Add licensed output</li> <li><a href="https://github.com/actions/cache/commit/dc73bb9f7bf74a733c05ccd2edfd1f2ac9e5f502"><code>dc73bb9</code></a> Upgrade dependencies and address security warnings</li> <li><a href="https://github.com/actions/cache/commit/345d5c2f761565bace4b6da356737147e9041e3a"><code>345d5c2</code></a> Add 5.0.3 builds</li> <li><a href="https://github.com/actions/cache/commit/8b402f58fbc84540c8b491a91e594a4576fec3d7"><code>8b402f5</code></a> Merge pull request <a href="https://redirect.github.com/actions/cache/issues/1692">#1692</a> from GhadimiR/main</li> <li><a href="https://github.com/actions/cache/commit/304ab5a0701ee61908ccb4b5822347949a2e2002"><code>304ab5a</code></a> license for httpclient</li> <li><a href="https://github.com/actions/cache/commit/609fc19e67cd310e97eb36af42355843ffcb35be"><code>609fc19</code></a> Update licensed record for cache</li> <li><a href="https://github.com/actions/cache/commit/b22231e43df11a67538c05e88835f1fa097599c5"><code>b22231e</code></a> Build</li> <li><a href="https://github.com/actions/cache/commit/93150cdfb36a9d84d4e8628c8870bec84aedcf8a"><code>93150cd</code></a> Add PR link to releases</li> <li>Additional commits viewable in <a href="https://github.com/actions/cache/compare/9255dc7a253b0ccc959486e2bca901246202afeb...cdf6c1fa76f9f475f3d7449005a359c84ca0f306">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…github-aws-runners#5044) Bumps the aws-powertools group in /lambdas with 4 updates: [@aws-lambda-powertools/parameters](https://github.com/aws-powertools/powertools-lambda-typescript), [@aws-lambda-powertools/logger](https://github.com/aws-powertools/powertools-lambda-typescript), [@aws-lambda-powertools/metrics](https://github.com/aws-powertools/powertools-lambda-typescript) and [@aws-lambda-powertools/tracer](https://github.com/aws-powertools/powertools-lambda-typescript). Updates `@aws-lambda-powertools/parameters` from 2.30.2 to 2.31.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/aws-powertools/powertools-lambda-typescript/releases"><code>@aws-lambda-powertools/parameters</code>'s releases</a>.</em></p> <blockquote> <h2>v2.31.0</h2> <h2>Summary</h2> <p>In this release we are pleased to announce Tracer middleware for the HTTP event handler, which allows users to enable distributed tracing for their HTTP routes with minimal boilerplate code.</p> <p>In addition, the metric utility now supports a fluent interface, allowing you to chain multiple methods in a single statement.</p> <p>We have also fixed a bug in the HTTP event handler that caused parameterized headers to be handled incorrectly.</p> <p>⭐ Special thanks to <a href="https://github.com/nateiler"><code>@nateiler</code></a> and <a href="https://github.com/dothomson"><code>@dothomson</code></a> for their first PR merged in the project, and to <a href="https://github.com/arnabrahman"><code>@arnabrahman</code></a>! for another great contribution 🎉</p> <h2>Tracer Middleware</h2> <p>You can now use the Tracer utility with the HTTP event handler to gain observability over your routes. The middleware:</p> <ul> <li>Creates a subsegment for each HTTP route with the format <code>METHOD /path</code> (e.g., <code>GET /users</code>)</li> <li>Adds <code>ColdStart</code> and <code>Service</code> annotations</li> <li>Optionally captures JSON response bodies as metadata</li> <li>Captures errors as metadata when exceptions occur</li> </ul> <pre lang="ts"><code>import { Router } from '@aws-lambda-powertools/event-handler/http'; import { tracer as tracerMiddleware } from '@aws-lambda-powertools/event-handler/http/middleware/tracer'; import { Tracer } from '@aws-lambda-powertools/tracer'; import type { Context } from 'aws-lambda'; <p>const tracer = new Tracer({ serviceName: 'my-api' }); const app = new Router();</p> <p>app.get( '/users/cards', [tracerMiddleware(tracer, { captureResponse: false })], ({ params }) => { return { id: params.id, secret: 'sensitive-data' }; } );</p> <p>export const handler = async (event: unknown, context: Context) => app.resolve(event, context); </code></pre></p> <h2>Metrics Fluent Interface</h2> <p>All mutation methods (with the exception of <code>clear*</code>) now return the metric instance that was mutated, allowing you to chain multiple metrics operations in a single statement.</p> <pre lang="ts"><code>import { Metrics} from '@aws-lambda-powertools/metrics'; <p>const metrics = new Metrics();</p> <p></tr></table> </code></pre></p> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/aws-powertools/powertools-lambda-typescript/blob/main/CHANGELOG.md"><code>@aws-lambda-powertools/parameters</code>'s changelog</a>.</em></p> <blockquote> <h2><a href="https://github.com/aws-powertools/powertools-lambda-typescript/compare/v2.30.2...v2.31.0">2.31.0</a> (2026-02-10)</h2> <h3>Features</h3> <ul> <li><strong>metrics</strong> return metrics instance from metrics functions (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4930">#4930</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/e7aa2e2b5efbdca197602ef5611ac14e58519d6b">e7aa2e2</a>)</li> <li><strong>parameters</strong> pass underlying SDK error as cause to <code>GetParameterError</code> (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4936">#4936</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/b3499dbfe29adc8f7fa07e5b8f3b4718e4525fa7">b3499db</a>)</li> <li><strong>event-handler</strong> add tracer middleware for HTTP routes (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4982">#4982</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/8be61577451c32fdea2db8bcb93f8acba9e44423">8be6157</a>)</li> </ul> <h3>Bug Fixes</h3> <ul> <li><strong>event-handler</strong> handle set-cookie header values with multiple attributes (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4990">#4990</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/42317fe15b90536fab40c15a70f967faf116011a">42317fe</a>)</li> <li><strong>kafka</strong> handle tombstone events (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4991">#4991</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/04c32360c972aff984c69cce3eae6e95007e79b7">04c3236</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/54d1fa3b290684ec987854b8266eac5094f4c178"><code>54d1fa3</code></a> chore(ci): bump version to 2.31.0 (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/5007">#5007</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/42317fe15b90536fab40c15a70f967faf116011a"><code>42317fe</code></a> fix(event-handler): handle set-cookie header values with multiple attributes ...</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/8e4da8a4ce4b7c57de14be04baf84444ee89f8c7"><code>8e4da8a</code></a> chore(deps): bump <code>@types/node</code> from 25.2.0 to 25.2.2 (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/5004">#5004</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/ddf54e09ec0c61a803b4d9f8edecd62ccc374555"><code>ddf54e0</code></a> chore(deps): bump github/codeql-action from 4.32.1 to 4.32.2 (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4998">#4998</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/769207180080d45a72f8aca332c200239d3be06e"><code>7692071</code></a> chore(deps): bump <code>@types/node</code> from 25.2.0 to 25.2.1 (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4999">#4999</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/d8dfadc63a59e0445b23a98eae9f9cd26fdb2e14"><code>d8dfadc</code></a> chore: manually upgrade dependency tree (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/5002">#5002</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/60b6ce1b2c93346cccd0b7a1c43020934037b5c7"><code>60b6ce1</code></a> ci: switch npm auth to OIDC (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4997">#4997</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/04c32360c972aff984c69cce3eae6e95007e79b7"><code>04c3236</code></a> fix(kafka): handle tombstone events (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4991">#4991</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/8e1359e1954f65215fe5c1884e4f0479eda95508"><code>8e1359e</code></a> chore(deps): bump the aws-cdk group across 1 directory with 3 updates (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4985">#4985</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/4c6657aee26e501dde0211da0810e52b441c5913"><code>4c6657a</code></a> test: extract DF idempotency e2e tests (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4994">#4994</a>)</li> <li>Additional commits viewable in <a href="https://github.com/aws-powertools/powertools-lambda-typescript/compare/v2.30.2...v2.31.0">compare view</a></li> </ul> </details> <br /> Updates `@aws-lambda-powertools/logger` from 2.30.2 to 2.31.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/aws-powertools/powertools-lambda-typescript/releases"><code>@aws-lambda-powertools/logger</code>'s releases</a>.</em></p> <blockquote> <h2>v2.31.0</h2> <h2>Summary</h2> <p>In this release we are pleased to announce Tracer middleware for the HTTP event handler, which allows users to enable distributed tracing for their HTTP routes with minimal boilerplate code.</p> <p>In addition, the metric utility now supports a fluent interface, allowing you to chain multiple methods in a single statement.</p> <p>We have also fixed a bug in the HTTP event handler that caused parameterized headers to be handled incorrectly.</p> <p>⭐ Special thanks to <a href="https://github.com/nateiler"><code>@nateiler</code></a> and <a href="https://github.com/dothomson"><code>@dothomson</code></a> for their first PR merged in the project, and to <a href="https://github.com/arnabrahman"><code>@arnabrahman</code></a>! for another great contribution 🎉</p> <h2>Tracer Middleware</h2> <p>You can now use the Tracer utility with the HTTP event handler to gain observability over your routes. The middleware:</p> <ul> <li>Creates a subsegment for each HTTP route with the format <code>METHOD /path</code> (e.g., <code>GET /users</code>)</li> <li>Adds <code>ColdStart</code> and <code>Service</code> annotations</li> <li>Optionally captures JSON response bodies as metadata</li> <li>Captures errors as metadata when exceptions occur</li> </ul> <pre lang="ts"><code>import { Router } from '@aws-lambda-powertools/event-handler/http'; import { tracer as tracerMiddleware } from '@aws-lambda-powertools/event-handler/http/middleware/tracer'; import { Tracer } from '@aws-lambda-powertools/tracer'; import type { Context } from 'aws-lambda'; <p>const tracer = new Tracer({ serviceName: 'my-api' }); const app = new Router();</p> <p>app.get( '/users/cards', [tracerMiddleware(tracer, { captureResponse: false })], ({ params }) => { return { id: params.id, secret: 'sensitive-data' }; } );</p> <p>export const handler = async (event: unknown, context: Context) => app.resolve(event, context); </code></pre></p> <h2>Metrics Fluent Interface</h2> <p>All mutation methods (with the exception of <code>clear*</code>) now return the metric instance that was mutated, allowing you to chain multiple metrics operations in a single statement.</p> <pre lang="ts"><code>import { Metrics} from '@aws-lambda-powertools/metrics'; <p>const metrics = new Metrics();</p> <p></tr></table> </code></pre></p> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/aws-powertools/powertools-lambda-typescript/blob/main/CHANGELOG.md"><code>@aws-lambda-powertools/logger</code>'s changelog</a>.</em></p> <blockquote> <h2><a href="https://github.com/aws-powertools/powertools-lambda-typescript/compare/v2.30.2...v2.31.0">2.31.0</a> (2026-02-10)</h2> <h3>Features</h3> <ul> <li><strong>metrics</strong> return metrics instance from metrics functions (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4930">#4930</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/e7aa2e2b5efbdca197602ef5611ac14e58519d6b">e7aa2e2</a>)</li> <li><strong>parameters</strong> pass underlying SDK error as cause to <code>GetParameterError</code> (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4936">#4936</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/b3499dbfe29adc8f7fa07e5b8f3b4718e4525fa7">b3499db</a>)</li> <li><strong>event-handler</strong> add tracer middleware for HTTP routes (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4982">#4982</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/8be61577451c32fdea2db8bcb93f8acba9e44423">8be6157</a>)</li> </ul> <h3>Bug Fixes</h3> <ul> <li><strong>event-handler</strong> handle set-cookie header values with multiple attributes (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4990">#4990</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/42317fe15b90536fab40c15a70f967faf116011a">42317fe</a>)</li> <li><strong>kafka</strong> handle tombstone events (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4991">#4991</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/04c32360c972aff984c69cce3eae6e95007e79b7">04c3236</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/54d1fa3b290684ec987854b8266eac5094f4c178"><code>54d1fa3</code></a> chore(ci): bump version to 2.31.0 (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/5007">#5007</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/42317fe15b90536fab40c15a70f967faf116011a"><code>42317fe</code></a> fix(event-handler): handle set-cookie header values with multiple attributes ...</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/8e4da8a4ce4b7c57de14be04baf84444ee89f8c7"><code>8e4da8a</code></a> chore(deps): bump <code>@types/node</code> from 25.2.0 to 25.2.2 (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/5004">#5004</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/ddf54e09ec0c61a803b4d9f8edecd62ccc374555"><code>ddf54e0</code></a> chore(deps): bump github/codeql-action from 4.32.1 to 4.32.2 (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4998">#4998</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/769207180080d45a72f8aca332c200239d3be06e"><code>7692071</code></a> chore(deps): bump <code>@types/node</code> from 25.2.0 to 25.2.1 (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4999">#4999</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/d8dfadc63a59e0445b23a98eae9f9cd26fdb2e14"><code>d8dfadc</code></a> chore: manually upgrade dependency tree (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/5002">#5002</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/60b6ce1b2c93346cccd0b7a1c43020934037b5c7"><code>60b6ce1</code></a> ci: switch npm auth to OIDC (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4997">#4997</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/04c32360c972aff984c69cce3eae6e95007e79b7"><code>04c3236</code></a> fix(kafka): handle tombstone events (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4991">#4991</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/8e1359e1954f65215fe5c1884e4f0479eda95508"><code>8e1359e</code></a> chore(deps): bump the aws-cdk group across 1 directory with 3 updates (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4985">#4985</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/4c6657aee26e501dde0211da0810e52b441c5913"><code>4c6657a</code></a> test: extract DF idempotency e2e tests (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4994">#4994</a>)</li> <li>Additional commits viewable in <a href="https://github.com/aws-powertools/powertools-lambda-typescript/compare/v2.30.2...v2.31.0">compare view</a></li> </ul> </details> <br /> Updates `@aws-lambda-powertools/metrics` from 2.30.2 to 2.31.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/aws-powertools/powertools-lambda-typescript/releases"><code>@aws-lambda-powertools/metrics</code>'s releases</a>.</em></p> <blockquote> <h2>v2.31.0</h2> <h2>Summary</h2> <p>In this release we are pleased to announce Tracer middleware for the HTTP event handler, which allows users to enable distributed tracing for their HTTP routes with minimal boilerplate code.</p> <p>In addition, the metric utility now supports a fluent interface, allowing you to chain multiple methods in a single statement.</p> <p>We have also fixed a bug in the HTTP event handler that caused parameterized headers to be handled incorrectly.</p> <p>⭐ Special thanks to <a href="https://github.com/nateiler"><code>@nateiler</code></a> and <a href="https://github.com/dothomson"><code>@dothomson</code></a> for their first PR merged in the project, and to <a href="https://github.com/arnabrahman"><code>@arnabrahman</code></a>! for another great contribution 🎉</p> <h2>Tracer Middleware</h2> <p>You can now use the Tracer utility with the HTTP event handler to gain observability over your routes. The middleware:</p> <ul> <li>Creates a subsegment for each HTTP route with the format <code>METHOD /path</code> (e.g., <code>GET /users</code>)</li> <li>Adds <code>ColdStart</code> and <code>Service</code> annotations</li> <li>Optionally captures JSON response bodies as metadata</li> <li>Captures errors as metadata when exceptions occur</li> </ul> <pre lang="ts"><code>import { Router } from '@aws-lambda-powertools/event-handler/http'; import { tracer as tracerMiddleware } from '@aws-lambda-powertools/event-handler/http/middleware/tracer'; import { Tracer } from '@aws-lambda-powertools/tracer'; import type { Context } from 'aws-lambda'; <p>const tracer = new Tracer({ serviceName: 'my-api' }); const app = new Router();</p> <p>app.get( '/users/cards', [tracerMiddleware(tracer, { captureResponse: false })], ({ params }) => { return { id: params.id, secret: 'sensitive-data' }; } );</p> <p>export const handler = async (event: unknown, context: Context) => app.resolve(event, context); </code></pre></p> <h2>Metrics Fluent Interface</h2> <p>All mutation methods (with the exception of <code>clear*</code>) now return the metric instance that was mutated, allowing you to chain multiple metrics operations in a single statement.</p> <pre lang="ts"><code>import { Metrics} from '@aws-lambda-powertools/metrics'; <p>const metrics = new Metrics();</p> <p></tr></table> </code></pre></p> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/aws-powertools/powertools-lambda-typescript/blob/main/CHANGELOG.md"><code>@aws-lambda-powertools/metrics</code>'s changelog</a>.</em></p> <blockquote> <h2><a href="https://github.com/aws-powertools/powertools-lambda-typescript/compare/v2.30.2...v2.31.0">2.31.0</a> (2026-02-10)</h2> <h3>Features</h3> <ul> <li><strong>metrics</strong> return metrics instance from metrics functions (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4930">#4930</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/e7aa2e2b5efbdca197602ef5611ac14e58519d6b">e7aa2e2</a>)</li> <li><strong>parameters</strong> pass underlying SDK error as cause to <code>GetParameterError</code> (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4936">#4936</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/b3499dbfe29adc8f7fa07e5b8f3b4718e4525fa7">b3499db</a>)</li> <li><strong>event-handler</strong> add tracer middleware for HTTP routes (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4982">#4982</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/8be61577451c32fdea2db8bcb93f8acba9e44423">8be6157</a>)</li> </ul> <h3>Bug Fixes</h3> <ul> <li><strong>event-handler</strong> handle set-cookie header values with multiple attributes (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4990">#4990</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/42317fe15b90536fab40c15a70f967faf116011a">42317fe</a>)</li> <li><strong>kafka</strong> handle tombstone events (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4991">#4991</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/04c32360c972aff984c69cce3eae6e95007e79b7">04c3236</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/54d1fa3b290684ec987854b8266eac5094f4c178"><code>54d1fa3</code></a> chore(ci): bump version to 2.31.0 (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/5007">#5007</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/42317fe15b90536fab40c15a70f967faf116011a"><code>42317fe</code></a> fix(event-handler): handle set-cookie header values with multiple attributes ...</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/8e4da8a4ce4b7c57de14be04baf84444ee89f8c7"><code>8e4da8a</code></a> chore(deps): bump <code>@types/node</code> from 25.2.0 to 25.2.2 (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/5004">#5004</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/ddf54e09ec0c61a803b4d9f8edecd62ccc374555"><code>ddf54e0</code></a> chore(deps): bump github/codeql-action from 4.32.1 to 4.32.2 (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4998">#4998</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/769207180080d45a72f8aca332c200239d3be06e"><code>7692071</code></a> chore(deps): bump <code>@types/node</code> from 25.2.0 to 25.2.1 (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4999">#4999</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/d8dfadc63a59e0445b23a98eae9f9cd26fdb2e14"><code>d8dfadc</code></a> chore: manually upgrade dependency tree (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/5002">#5002</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/60b6ce1b2c93346cccd0b7a1c43020934037b5c7"><code>60b6ce1</code></a> ci: switch npm auth to OIDC (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4997">#4997</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/04c32360c972aff984c69cce3eae6e95007e79b7"><code>04c3236</code></a> fix(kafka): handle tombstone events (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4991">#4991</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/8e1359e1954f65215fe5c1884e4f0479eda95508"><code>8e1359e</code></a> chore(deps): bump the aws-cdk group across 1 directory with 3 updates (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4985">#4985</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/4c6657aee26e501dde0211da0810e52b441c5913"><code>4c6657a</code></a> test: extract DF idempotency e2e tests (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4994">#4994</a>)</li> <li>Additional commits viewable in <a href="https://github.com/aws-powertools/powertools-lambda-typescript/compare/v2.30.2...v2.31.0">compare view</a></li> </ul> </details> <br /> Updates `@aws-lambda-powertools/tracer` from 2.30.2 to 2.31.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/aws-powertools/powertools-lambda-typescript/releases"><code>@aws-lambda-powertools/tracer</code>'s releases</a>.</em></p> <blockquote> <h2>v2.31.0</h2> <h2>Summary</h2> <p>In this release we are pleased to announce Tracer middleware for the HTTP event handler, which allows users to enable distributed tracing for their HTTP routes with minimal boilerplate code.</p> <p>In addition, the metric utility now supports a fluent interface, allowing you to chain multiple methods in a single statement.</p> <p>We have also fixed a bug in the HTTP event handler that caused parameterized headers to be handled incorrectly.</p> <p>⭐ Special thanks to <a href="https://github.com/nateiler"><code>@nateiler</code></a> and <a href="https://github.com/dothomson"><code>@dothomson</code></a> for their first PR merged in the project, and to <a href="https://github.com/arnabrahman"><code>@arnabrahman</code></a>! for another great contribution 🎉</p> <h2>Tracer Middleware</h2> <p>You can now use the Tracer utility with the HTTP event handler to gain observability over your routes. The middleware:</p> <ul> <li>Creates a subsegment for each HTTP route with the format <code>METHOD /path</code> (e.g., <code>GET /users</code>)</li> <li>Adds <code>ColdStart</code> and <code>Service</code> annotations</li> <li>Optionally captures JSON response bodies as metadata</li> <li>Captures errors as metadata when exceptions occur</li> </ul> <pre lang="ts"><code>import { Router } from '@aws-lambda-powertools/event-handler/http'; import { tracer as tracerMiddleware } from '@aws-lambda-powertools/event-handler/http/middleware/tracer'; import { Tracer } from '@aws-lambda-powertools/tracer'; import type { Context } from 'aws-lambda'; <p>const tracer = new Tracer({ serviceName: 'my-api' }); const app = new Router();</p> <p>app.get( '/users/cards', [tracerMiddleware(tracer, { captureResponse: false })], ({ params }) => { return { id: params.id, secret: 'sensitive-data' }; } );</p> <p>export const handler = async (event: unknown, context: Context) => app.resolve(event, context); </code></pre></p> <h2>Metrics Fluent Interface</h2> <p>All mutation methods (with the exception of <code>clear*</code>) now return the metric instance that was mutated, allowing you to chain multiple metrics operations in a single statement.</p> <pre lang="ts"><code>import { Metrics} from '@aws-lambda-powertools/metrics'; <p>const metrics = new Metrics();</p> <p></tr></table> </code></pre></p> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/aws-powertools/powertools-lambda-typescript/blob/main/CHANGELOG.md"><code>@aws-lambda-powertools/tracer</code>'s changelog</a>.</em></p> <blockquote> <h2><a href="https://github.com/aws-powertools/powertools-lambda-typescript/compare/v2.30.2...v2.31.0">2.31.0</a> (2026-02-10)</h2> <h3>Features</h3> <ul> <li><strong>metrics</strong> return metrics instance from metrics functions (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4930">#4930</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/e7aa2e2b5efbdca197602ef5611ac14e58519d6b">e7aa2e2</a>)</li> <li><strong>parameters</strong> pass underlying SDK error as cause to <code>GetParameterError</code> (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4936">#4936</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/b3499dbfe29adc8f7fa07e5b8f3b4718e4525fa7">b3499db</a>)</li> <li><strong>event-handler</strong> add tracer middleware for HTTP routes (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4982">#4982</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/8be61577451c32fdea2db8bcb93f8acba9e44423">8be6157</a>)</li> </ul> <h3>Bug Fixes</h3> <ul> <li><strong>event-handler</strong> handle set-cookie header values with multiple attributes (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4990">#4990</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/42317fe15b90536fab40c15a70f967faf116011a">42317fe</a>)</li> <li><strong>kafka</strong> handle tombstone events (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4991">#4991</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/04c32360c972aff984c69cce3eae6e95007e79b7">04c3236</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/54d1fa3b290684ec987854b8266eac5094f4c178"><code>54d1fa3</code></a> chore(ci): bump version to 2.31.0 (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/5007">#5007</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/42317fe15b90536fab40c15a70f967faf116011a"><code>42317fe</code></a> fix(event-handler): handle set-cookie header values with multiple attributes ...</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/8e4da8a4ce4b7c57de14be04baf84444ee89f8c7"><code>8e4da8a</code></a> chore(deps): bump <code>@types/node</code> from 25.2.0 to 25.2.2 (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/5004">#5004</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/ddf54e09ec0c61a803b4d9f8edecd62ccc374555"><code>ddf54e0</code></a> chore(deps): bump github/codeql-action from 4.32.1 to 4.32.2 (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4998">#4998</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/769207180080d45a72f8aca332c200239d3be06e"><code>7692071</code></a> chore(deps): bump <code>@types/node</code> from 25.2.0 to 25.2.1 (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4999">#4999</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/d8dfadc63a59e0445b23a98eae9f9cd26fdb2e14"><code>d8dfadc</code></a> chore: manually upgrade dependency tree (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/5002">#5002</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/60b6ce1b2c93346cccd0b7a1c43020934037b5c7"><code>60b6ce1</code></a> ci: switch npm auth to OIDC (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4997">#4997</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/04c32360c972aff984c69cce3eae6e95007e79b7"><code>04c3236</code></a> fix(kafka): handle tombstone events (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4991">#4991</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/8e1359e1954f65215fe5c1884e4f0479eda95508"><code>8e1359e</code></a> chore(deps): bump the aws-cdk group across 1 directory with 3 updates (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4985">#4985</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/4c6657aee26e501dde0211da0810e52b441c5913"><code>4c6657a</code></a> test: extract DF idempotency e2e tests (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4994">#4994</a>)</li> <li>Additional commits viewable in <a href="https://github.com/aws-powertools/powertools-lambda-typescript/compare/v2.30.2...v2.31.0">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…ithub-aws-runners#5057) This PR adds a small pull request template that should make it easier for maintainers to test new changes as they come in.

🤖 I have created a release *beep* *boop* --- ## [7.4.1](github-aws-runners/terraform-aws-github-runner@v7.4.0...v7.4.1) (2026-03-09) ### Bug Fixes * gracefully handle JIT config failures and terminate unconfigured instance ([github-aws-runners#4990](github-aws-runners#4990)) ([c171550](github-aws-runners@c171550)) * **install-runner.sh:** support Debian ([github-aws-runners#5027](github-aws-runners#5027)) ([7755b7f](github-aws-runners@7755b7f)) * **lambda:** add jti claim to GitHub App JWTs to prevent concurrent collisions ([github-aws-runners#5056](github-aws-runners#5056)) ([07bd193](github-aws-runners@07bd193)), closes [github-aws-runners#5025](github-aws-runners#5025) * **lambda:** bump @octokit/auth-app from 8.1.2 to 8.2.0 in /lambdas in the octokit group ([github-aws-runners#5035](github-aws-runners#5035)) ([1c8083e](github-aws-runners@1c8083e)) * **lambda:** bump axios from 1.13.2 to 1.13.5 in /lambdas ([github-aws-runners#5028](github-aws-runners#5028)) ([0335e3a](github-aws-runners@0335e3a)) * **lambda:** bump qs from 6.14.1 to 6.14.2 in /lambdas ([github-aws-runners#5032](github-aws-runners#5032)) ([6dc97d5](github-aws-runners@6dc97d5)) * **lambda:** bump rollup from 4.46.2 to 4.59.0 in /lambdas ([github-aws-runners#5052](github-aws-runners#5052)) ([1e798b1](github-aws-runners@1e798b1)) * **lambda:** bump the aws group in /lambdas with 7 updates ([github-aws-runners#5021](github-aws-runners#5021)) ([c3c158d](github-aws-runners@c3c158d)) * **lambda:** bump the aws-powertools group in /lambdas with 4 updates ([github-aws-runners#5022](github-aws-runners#5022)) ([e8369cf](github-aws-runners@e8369cf)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: runners-releaser[bot] <194412594+runners-releaser[bot]@users.noreply.github.com>

sekhar-isovalent · 2026-03-10T00:42:06Z

Could you upstream this change ?

sekhar-isovalent

Lets try and research open issues upstream and fix that if found and we can sync the change to our module.

brilong · 2026-03-10T13:06:46Z

FYI, in the spirit of upstreaming changes, my upstream PR for nested virtualization is almost approved. Working on one more tweak.

brilong · 2026-03-10T13:38:53Z

Also, upstream recently released v7.4.1. We might want to compare and integrate their changes into our fork until we can get our upstream tweaks included.

shivdesh · 2026-03-10T16:50:28Z

upstream change: github-aws-runners#5061
@sekhar-isovalent @brilong

## Summary Update `publishOnEventBridge` to use the existing `readEvent` helper instead of directly reading the `x-github-event` header and calling `checkEventIsSupported`. Only `eventType` is destructured from `readEvent`, since the parsed event object isn’t needed. ## Why This makes the EventBridge path consistent with `publishForRunners`, ensuring persistent logging fields (repository, action, workflow job name, status, etc.) are added to the logger in both code paths. ## Impact * No functional changes * Consistent logging behavior * Removes duplicate event parsing logic

…ithub-aws-runners#5017) This PR intends to reduce SSM AWS API calls by doing the following: Add `getParameters()` function to aws-ssm-util that fetches multiple SSM parameters in a single API call with automatic chunking (max 10 per call per AWS API limits). Apply batch fetching to: - auth.ts: fetch App ID and Private Key in one call (2 calls → 1) - ConfigLoader.ts: fetch multiple matcher config paths in one call - ami.ts: batch resolve SSM parameter values for AMI lookups Also remove redundant appId SSM fetch in scale-up.ts that was only used for logging. --------- Co-authored-by: Brend Smits <brend.smits@philips.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

…ion (github-aws-runners#5036) This pull request updates the logging configuration by introducing support for the `log_class` property, allowing log groups to be created with either the `STANDARD` or `INFREQUENT_ACCESS` class. The change is applied throughout the configuration to ensure log groups and log files can specify their class, defaulting to `STANDARD` if not set. **Logging configuration enhancements:** * Added a `log_class` property (defaulting to `"STANDARD"`) to the `runner_log_files` and `multi_runner_config` variables in `variables.tf`, `modules/runners/variables.tf`, and `modules/multi-runner/variables.tf` to allow specifying the log group class. [[1]](diffhunk://#diff-05b5a57c136b6ff596500bcbfdcff145ef6cddea2a0e86d184d9daa9a65a288eR494) [[2]](diffhunk://#diff-23e8f44c0f21971190244acdb8a35eaa21af7578ed5f1b97bef83f1a566d979cL398-R404) [[3]](diffhunk://#diff-52d0673ff466b6445542e17038ea73a1cf41b8112f49ee57da4cebf8f0cb99c5R155) * Updated the local log file definitions in `modules/runners/logging.tf` to include the `log_class` property for each log file, defaulting to `"STANDARD"`. * Modified the CloudWatch log group resource in `modules/runners/logging.tf` to use the specified `log_class` when creating log groups, and refactored the logic to group log files by both name and class. **Documentation improvements:** * Enhanced the description of the `runner_log_files` variable to document the new `log_class` property and its valid values. --------- Signed-off-by: Brend Smits <brend.smits@philips.com> Co-authored-by: github-aws-runners-pr|bot <github-aws-runners-pr[bot]@users.noreply.github.com>

🤖 I have created a release *beep* *boop* --- ## [7.5.0](github-aws-runners/terraform-aws-github-runner@v7.4.1...v7.5.0) (2026-03-11) ### Features * **lambdas:** add batch SSM parameter fetching to reduce API calls ([github-aws-runners#5017](github-aws-runners#5017)) ([24857c2](github-aws-runners@24857c2)) * **logging:** add log_class parameter to runner log files configuration ([github-aws-runners#5036](github-aws-runners#5036)) ([3509d4c](github-aws-runners@3509d4c)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: runners-releaser[bot] <194412594+runners-releaser[bot]@users.noreply.github.com>

When the scale-down Lambda fails to de-register a runner from GitHub (even after automatic retries via @octokit/plugin-retry), the EC2 instance should NOT be terminated. This prevents stale runner entries in GitHub org settings. This change complements PR github-aws-runners#4990 which added @octokit/plugin-retry for automatic retries. While that handles transient failures, this ensures that if de-registration ultimately fails, we don't leave orphaned GitHub runner entries by terminating the EC2 instance prematurely. Key changes: - Extract deleteGitHubRunner() helper that catches errors per-runner - Only terminate EC2 instance if ALL GitHub de-registrations succeed - If any de-registration fails, leave instance running for next cycle - Rename githubAppClient to githubInstallationClient for clarity - Refactor to split owner/repo once instead of multiple times - Fix error logging to handle non-Error objects properly The @octokit/plugin-retry (added in github-aws-runners#4990) handles automatic retries at the client level, so no custom retry logic is needed here. Tests: - Add test verifying EC2 is NOT terminated when de-registration fails

jensenbox and others added 8 commits March 6, 2026 13:48

shivdesh force-pushed the fix/scale-down-retry-logic branch from cc9ce66 to a4416d7 Compare March 9, 2026 20:47

dependabot bot and others added 6 commits March 9, 2026 22:07

chore: add pull request template for better contribution guidelines (g…

585bbe2

…ithub-aws-runners#5057) This PR adds a small pull request template that should make it easier for maintainers to test new changes as they come in.

sekhar-isovalent self-requested a review March 10, 2026 00:42

sekhar-isovalent requested changes Mar 10, 2026

View reviewed changes

shivdesh force-pushed the fix/scale-down-retry-logic branch from a4416d7 to 8b5e8ef Compare March 10, 2026 16:46

shivdesh force-pushed the fix/scale-down-retry-logic branch from 8b5e8ef to a5b332f Compare March 10, 2026 18:12

thomasnemer and others added 3 commits March 11, 2026 15:53

shivdesh force-pushed the fix/scale-down-retry-logic branch 3 times, most recently from 6bab611 to aa2e75b Compare March 13, 2026 18:46

shivdesh force-pushed the fix/scale-down-retry-logic branch from aa2e75b to 1f66402 Compare March 13, 2026 21:07

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: add retry logic for GitHub API calls in scale-down Lambda#1

fix: add retry logic for GitHub API calls in scale-down Lambda#1
shivdesh wants to merge 19 commits intoisovalent:pr/bl/nested-virtfrom
shivdesh:fix/scale-down-retry-logic

shivdesh commented Mar 9, 2026

Uh oh!

sekhar-isovalent commented Mar 10, 2026

Uh oh!

sekhar-isovalent left a comment

Uh oh!

brilong commented Mar 10, 2026 •

edited

Loading

Uh oh!

brilong commented Mar 10, 2026

Uh oh!

shivdesh commented Mar 10, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants

Conversation

shivdesh commented Mar 9, 2026

Summary

Problem

Solution

Changes

Testing

Uh oh!

sekhar-isovalent commented Mar 10, 2026

Uh oh!

sekhar-isovalent left a comment

Choose a reason for hiding this comment

Uh oh!

brilong commented Mar 10, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

brilong commented Mar 10, 2026

Uh oh!

shivdesh commented Mar 10, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

8 participants

brilong commented Mar 10, 2026 •

edited

Loading