feat: add bidirectionalLabelMatch option and deprecate exactMatch by Brend-Smits · Pull Request #5031 · github-aws-runners/terraform-aws-github-runner

Brend-Smits · 2026-02-13T14:41:13Z

Summary

Introduce a new bidirectionalLabelMatch option that performs strict two-way label matching (runner labels must equal workflow labels as a set). This preserves the existing exactMatch behavior (unidirectional subset check) to avoid breaking changes.

Problem

The bidirectionalLabelMatch option for runner label matching requires labels to be identical in both directions. Previously, a runner with labels [A, B, C, D] would match a job requesting [A, B, C] when exactMatch was true. Now, bidirectionalLabelMatch=true requires the labels to be exactly identical — the runner will only match if the job requests exactly [A, B, C, D].

This change affects users who have runners with extra labels (e.g., on-demand) that were previously matching jobs not explicitly requesting those labels. After this change, such runners will only be used when jobs explicitly request all of the runner's labels.

Before: Job [A,B,C] + Runner [A,B,C,D] + exactMatch=true       → Match
After:  Job [A,B,C] + Runner [A,B,C,D] + bidirectionalLabelMatch=true → No Match

exactMatch was supposed to have this behavior, but to avoid breaking changes, the variable will be deprecated to give users time to migrate.

Changes

Add bidirectionalLabelMatch to MatcherConfig interface (optional, defaults to false)
Update canRunJob to support bidirectional matching when enabled
Deprecate exactMatch in Terraform variables with migration guidance
Add bidirectionalLabelMatch to multi-runner and webhook variable types
Add new root variable enable_runner_bidirectional_label_match
Add comprehensive test coverage for bidirectional matching

Migration

To migrate, use bidirectionalLabelMatch instead of exactMatch in your runner configs. Then either:

Remove extra labels from runner configurations, or
Add the extra labels to your workflow job runs-on

Co-authored-by: Stuart Pearson stuart.pearson@philips.com

github-actions · 2026-02-13T14:41:30Z

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA 91aaf17.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Scanned Files

None

Introduce a new bidirectionalLabelMatch option that performs strict two-way label matching (runner labels must equal workflow labels as a set). This preserves the existing exactMatch behavior (unidirectional subset check) to avoid breaking changes. The bidirectionalLabelMatch option for runner label matching requires labels to be identical in both directions. Previously, a runner with labels [A, B, C, D] would match a job requesting [A, B, C] when exactMatch was true. Now, bidirectionalLabelMatch=true requires the labels to be exactly identical - the runner will only match if the job requests exactly [A, B, C, D]. This change affects users who have runners with extra labels (e.g., on-demand) that were previously matching jobs not explicitly requesting those labels. After this change, such runners will only be used when jobs explicitly request all of the runner labels. Before: Job [A,B,C] + Runner [A,B,C,D] + exactMatch=true -> Match After: Job [A,B,C] + Runner [A,B,C,D] + exactMatch=true -> No Match ExactMatch was suppose to have this behaviour, but the avoid breaking changes, the variable will be deprecated to give users time to migrate. To migrate, use bidirectionalLabelMatch instead of exactMatch in your runner configs. Then either: 1. Remove extra labels from runner configurations, or 2. Add the extra labels to your workflow job runs-on Signed-off-by: Brend Smits <brend.smits@philips.com> Co-authored-by: Stuart Pearson <stuart.pearson@philips.com>

Currently, when using the Debian OS, the existing `install-runner.sh` script will take an additional 25s during start up as the script attempts to install `libicu` via `dnf` This PR adds support for the `debian` OS which is listed as a supported OS in the GitHub docs: https://docs.github.com/en/actions/reference/runners/self-hosted-runners#linux

… instance (#4990) This pull request enhances the robustness and reliability of the GitHub Actions runner scaling logic by improving error handling and retry mechanisms for GitHub API calls. It introduces the `@octokit/plugin-retry` plugin to automatically retry failed API requests, adds detailed logging for retry attempts, and ensures that failures in creating JIT configs for individual runner instances do not halt the entire scaling process. Additionally, new tests are added to verify handling of various API failure scenarios. **GitHub API client improvements:** * Added `@octokit/plugin-retry` to dependencies (`package.json`) and integrated it into the Octokit client initialization to enable automatic retries for failed GitHub API requests. [[1]](diffhunk://#diff-37d09418dae74ded5678eabfa3b60993ee491e2fd9e49e11142f639b078ac9b2R41) [[2]](diffhunk://#diff-cf7cdd79fe0ed0e3a2e8928c0c7667a096c47c47abdb2354ddadee67e80a226dR21) [[3]](diffhunk://#diff-cf7cdd79fe0ed0e3a2e8928c0c7667a096c47c47abdb2354ddadee67e80a226dL29-R30) * Configured the retry plugin to log detailed warnings on each retry attempt, including the HTTP method, URL, error message, and status code. **Error handling and resilience in JIT config creation:** * Updated `createJitConfig` in `scale-up.ts` to catch and log errors for individual runner instances when creating JIT configs, allowing the process to continue for remaining instances and logging a summary of failed attempts at the end. [[1]](diffhunk://#diff-fbc68af2a40bf14ad13a80b13958c0b52d1d0fde5f0009416a693fb4b691ceaeR537-R542) [[2]](diffhunk://#diff-fbc68af2a40bf14ad13a80b13958c0b52d1d0fde5f0009416a693fb4b691ceaeR582-R596) * Instances that failed to generate a configuration, will now be terminated to avoid generating waste. **Testing improvements:** * Added comprehensive tests to `scale-up.test.ts` to verify correct behavior when GitHub API calls fail for some instances, including retryable errors (e.g., 5xx), non-retryable errors (e.g., 4xx), and partial failures, ensuring only successful JIT configs are stored.

Bumps [zizmorcore/zizmor-action](https://github.com/zizmorcore/zizmor-action) from 0.4.1 to 0.5.0. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/zizmorcore/zizmor-action/releases">zizmorcore/zizmor-action's releases</a>.</em></p> <blockquote> <h2>v0.5.0</h2> <h2>What's Changed</h2> <ul> <li>Expose <code>output-file</code> as an output when <code>advanced-security: true</code> by <a href="https://github.com/unlobito"><code>@unlobito</code></a> in <a href="https://redirect.github.com/zizmorcore/zizmor-action/pull/87">zizmorcore/zizmor-action#87</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/unlobito"><code>@unlobito</code></a> made their first contribution in <a href="https://redirect.github.com/zizmorcore/zizmor-action/pull/87">zizmorcore/zizmor-action#87</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/zizmorcore/zizmor-action/compare/v0.4.1...v0.5.0">https://github.com/zizmorcore/zizmor-action/compare/v0.4.1...v0.5.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/zizmorcore/zizmor-action/commit/0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d"><code>0dce257</code></a> chore(deps): bump peter-evans/create-pull-request (<a href="https://redirect.github.com/zizmorcore/zizmor-action/issues/88">#88</a>)</li> <li><a href="https://github.com/zizmorcore/zizmor-action/commit/fb9497493b591ad90176d3ecac5ca4aeff8c9faf"><code>fb94974</code></a> Expose <code>output-file</code> as an output when <code>advanced-security: true</code> (<a href="https://redirect.github.com/zizmorcore/zizmor-action/issues/87">#87</a>)</li> <li><a href="https://github.com/zizmorcore/zizmor-action/commit/867562a69bb7adcc63dd1e8c003600a58b5f70e2"><code>867562a</code></a> chore(deps): bump the github-actions group with 2 updates (<a href="https://redirect.github.com/zizmorcore/zizmor-action/issues/85">#85</a>)</li> <li><a href="https://github.com/zizmorcore/zizmor-action/commit/7462f075f718787753331c6d98ca9ef8eb41e735"><code>7462f07</code></a> Bump pins in README (<a href="https://redirect.github.com/zizmorcore/zizmor-action/issues/84">#84</a>)</li> <li>See full diff in <a href="https://github.com/zizmorcore/zizmor-action/compare/135698455da5c3b3e55f73f4419e481ab68cdd95...0dce2577a4760a2749d8cfb7a84b7d5585ebcb7d">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=zizmorcore/zizmor-action&package-manager=github_actions&previous-version=0.4.1&new-version=0.5.0)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…5002) Bumps [@types/express](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/express) from 5.0.3 to 5.0.6. <details> <summary>Commits</summary> <ul> <li>See full diff in <a href="https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/express">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=@types/express&package-manager=npm_and_yarn&previous-version=5.0.3&new-version=5.0.6)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) You can trigger a rebase of this PR by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> > **Note** > Automatic rebases have been disabled on this pull request as it has been open for over 30 days. Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 4.31.9 to 4.32.4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/github/codeql-action/releases">github/codeql-action's releases</a>.</em></p> <blockquote> <h2>v4.32.4</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.2">2.24.2</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3493">#3493</a></li> <li>Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registries are configured</a>. This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. <a href="https://redirect.github.com/github/codeql-action/pull/3473">#3473</a></li> <li>When the CodeQL Action is run <a href="https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/troubleshooting/troubleshooting-analysis-errors/logs-not-detailed-enough#creating-codeql-debugging-artifacts-for-codeql-default-setup">with debugging enabled in Default Setup</a> and <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registries are configured</a>, the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. <a href="https://redirect.github.com/github/codeql-action/pull/3486">#3486</a></li> <li>Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. <a href="https://redirect.github.com/github/codeql-action/pull/3485">#3485</a></li> <li>Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a <a href="https://github.com/dsp-testing/codeql-cli-nightlies">nightly CodeQL CLI release</a> instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. <a href="https://redirect.github.com/github/codeql-action/pull/3484">#3484</a></li> </ul> <h2>v4.32.3</h2> <ul> <li>Added experimental support for testing connections to <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registries</a>. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. <a href="https://redirect.github.com/github/codeql-action/pull/3466">#3466</a></li> </ul> <h2>v4.32.2</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.1">2.24.1</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3460">#3460</a></li> </ul> <h2>v4.32.1</h2> <ul> <li>A warning is now shown in Default Setup workflow logs if a <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registry is configured</a> using a GitHub Personal Access Token (PAT), but no username is configured. <a href="https://redirect.github.com/github/codeql-action/pull/3422">#3422</a></li> <li>Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. <a href="https://redirect.github.com/github/codeql-action/pull/3421">#3421</a></li> </ul> <h2>v4.32.0</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.0">2.24.0</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3425">#3425</a></li> </ul> <h2>v4.31.11</h2> <ul> <li>When running a Default Setup workflow with <a href="https://docs.github.com/en/actions/how-tos/monitor-workflows/enable-debug-logging">Actions debugging enabled</a>, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. <a href="https://redirect.github.com/github/codeql-action/pull/3409">#3409</a></li> <li>Improved error handling throughout the CodeQL Action. <a href="https://redirect.github.com/github/codeql-action/pull/3415">#3415</a></li> <li>Added experimental support for automatically excluding <a href="https://docs.github.com/en/repositories/working-with-files/managing-files/customizing-how-changed-files-appear-on-github">generated files</a> from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. <a href="https://redirect.github.com/github/codeql-action/pull/3318">#3318</a></li> <li>The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. <a href="https://redirect.github.com/github/codeql-action/pull/3403">#3403</a></li> </ul> <h2>v4.31.10</h2> <h1>CodeQL Action Changelog</h1> <p>See the <a href="https://github.com/github/codeql-action/releases">releases page</a> for the relevant changes to the CodeQL CLI and language packs.</p> <h2>4.31.10 - 12 Jan 2026</h2> <ul> <li>Update default CodeQL bundle version to 2.23.9. <a href="https://redirect.github.com/github/codeql-action/pull/3393">#3393</a></li> </ul> <p>See the full <a href="https://github.com/github/codeql-action/blob/v4.31.10/CHANGELOG.md">CHANGELOG.md</a> for more information.</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's changelog</a>.</em></p> <blockquote> <h1>CodeQL Action Changelog</h1> <p>See the <a href="https://github.com/github/codeql-action/releases">releases page</a> for the relevant changes to the CodeQL CLI and language packs.</p> <h2>[UNRELEASED]</h2> <p>No user facing changes.</p> <h2>4.32.4 - 20 Feb 2026</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.2">2.24.2</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3493">#3493</a></li> <li>Added an experimental change which improves how certificates are generated for the authentication proxy that is used by the CodeQL Action in Default Setup when <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registries are configured</a>. This is expected to generate more widely compatible certificates and should have no impact on analyses which are working correctly already. We expect to roll this change out to everyone in February. <a href="https://redirect.github.com/github/codeql-action/pull/3473">#3473</a></li> <li>When the CodeQL Action is run <a href="https://docs.github.com/en/code-security/how-tos/scan-code-for-vulnerabilities/troubleshooting/troubleshooting-analysis-errors/logs-not-detailed-enough#creating-codeql-debugging-artifacts-for-codeql-default-setup">with debugging enabled in Default Setup</a> and <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registries are configured</a>, the "Setup proxy for registries" step will output additional diagnostic information that can be used for troubleshooting. <a href="https://redirect.github.com/github/codeql-action/pull/3486">#3486</a></li> <li>Added a setting which allows the CodeQL Action to enable network debugging for Java programs. This will help GitHub staff support customers with troubleshooting issues in GitHub-managed CodeQL workflows, such as Default Setup. This setting can only be enabled by GitHub staff. <a href="https://redirect.github.com/github/codeql-action/pull/3485">#3485</a></li> <li>Added a setting which enables GitHub-managed workflows, such as Default Setup, to use a <a href="https://github.com/dsp-testing/codeql-cli-nightlies">nightly CodeQL CLI release</a> instead of the latest, stable release that is used by default. This will help GitHub staff support customers whose analyses for a given repository or organization require early access to a change in an upcoming CodeQL CLI release. This setting can only be enabled by GitHub staff. <a href="https://redirect.github.com/github/codeql-action/pull/3484">#3484</a></li> </ul> <h2>4.32.3 - 13 Feb 2026</h2> <ul> <li>Added experimental support for testing connections to <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registries</a>. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for Default Setup. <a href="https://redirect.github.com/github/codeql-action/pull/3466">#3466</a></li> </ul> <h2>4.32.2 - 05 Feb 2026</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.1">2.24.1</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3460">#3460</a></li> </ul> <h2>4.32.1 - 02 Feb 2026</h2> <ul> <li>A warning is now shown in Default Setup workflow logs if a <a href="https://docs.github.com/en/code-security/how-tos/secure-at-scale/configure-organization-security/manage-usage-and-access/giving-org-access-private-registries">private package registry is configured</a> using a GitHub Personal Access Token (PAT), but no username is configured. <a href="https://redirect.github.com/github/codeql-action/pull/3422">#3422</a></li> <li>Fixed a bug which caused the CodeQL Action to fail when repository properties cannot successfully be retrieved. <a href="https://redirect.github.com/github/codeql-action/pull/3421">#3421</a></li> </ul> <h2>4.32.0 - 26 Jan 2026</h2> <ul> <li>Update default CodeQL bundle version to <a href="https://github.com/github/codeql-action/releases/tag/codeql-bundle-v2.24.0">2.24.0</a>. <a href="https://redirect.github.com/github/codeql-action/pull/3425">#3425</a></li> </ul> <h2>4.31.11 - 23 Jan 2026</h2> <ul> <li>When running a Default Setup workflow with <a href="https://docs.github.com/en/actions/how-tos/monitor-workflows/enable-debug-logging">Actions debugging enabled</a>, the CodeQL Action will now use more unique names when uploading logs from the Dependabot authentication proxy as workflow artifacts. This ensures that the artifact names do not clash between multiple jobs in a build matrix. <a href="https://redirect.github.com/github/codeql-action/pull/3409">#3409</a></li> <li>Improved error handling throughout the CodeQL Action. <a href="https://redirect.github.com/github/codeql-action/pull/3415">#3415</a></li> <li>Added experimental support for automatically excluding <a href="https://docs.github.com/en/repositories/working-with-files/managing-files/customizing-how-changed-files-appear-on-github">generated files</a> from the analysis. This feature is not currently enabled for any analysis. In the future, it may be enabled by default for some GitHub-managed analyses. <a href="https://redirect.github.com/github/codeql-action/pull/3318">#3318</a></li> <li>The changelog extracts that are included with releases of the CodeQL Action are now shorter to avoid duplicated information from appearing in Dependabot PRs. <a href="https://redirect.github.com/github/codeql-action/pull/3403">#3403</a></li> </ul> <h2>4.31.10 - 12 Jan 2026</h2> <ul> <li>Update default CodeQL bundle version to 2.23.9. <a href="https://redirect.github.com/github/codeql-action/pull/3393">#3393</a></li> </ul> <h2>4.31.9 - 16 Dec 2025</h2> <p>No user facing changes.</p> <h2>4.31.8 - 11 Dec 2025</h2>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/github/codeql-action/commit/89a39a4e59826350b863aa6b6252a07ad50cf83e"><code>89a39a4</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3494">#3494</a> from github/update-v4.32.4-39ba80c47</li> <li><a href="https://github.com/github/codeql-action/commit/e5d84c885c00d506f7816d26a298534dbbffac6d"><code>e5d84c8</code></a> Apply remaining review suggestions</li> <li><a href="https://github.com/github/codeql-action/commit/0c202097b5de484e2a3725d4467f9cb7e3107881"><code>0c20209</code></a> Apply suggestions from code review</li> <li><a href="https://github.com/github/codeql-action/commit/314172e5a1e1691ba4ad232b3d0230ceaf3d9239"><code>314172e</code></a> Fix typo</li> <li><a href="https://github.com/github/codeql-action/commit/cdda72d36b93310932b0afe1784acd0209d190dd"><code>cdda72d</code></a> Add changelog entries</li> <li><a href="https://github.com/github/codeql-action/commit/cfda84cc5509282e2adc1570c3cf29c3167ae87f"><code>cfda84c</code></a> Update changelog for v4.32.4</li> <li><a href="https://github.com/github/codeql-action/commit/39ba80c47550c834104c0f222b502461ac312c29"><code>39ba80c</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3493">#3493</a> from github/update-bundle/codeql-bundle-v2.24.2</li> <li><a href="https://github.com/github/codeql-action/commit/00150dad957fc9c1cba52bdab82e458ae5c09fe5"><code>00150da</code></a> Add changelog note</li> <li><a href="https://github.com/github/codeql-action/commit/d97dce6561ae3dd4e4db9bfa95479f7572bd7566"><code>d97dce6</code></a> Update default bundle to codeql-bundle-v2.24.2</li> <li><a href="https://github.com/github/codeql-action/commit/50fdbb9ec845c41d6d3509d794e3a28af7032c59"><code>50fdbb9</code></a> Merge pull request <a href="https://redirect.github.com/github/codeql-action/issues/3492">#3492</a> from github/henrymercer/new-repository-properties-ff</li> <li>Additional commits viewable in <a href="https://github.com/github/codeql-action/compare/5d4e8d1aca955e8d8589aabd499c5cae939e33c7...89a39a4e59826350b863aa6b6252a07ad50cf83e">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=github/codeql-action&package-manager=github_actions&previous-version=4.31.9&new-version=4.32.4)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…nner-reusable-pr.yml from 2.3.2 to 2.3.3 (#5043) Bumps [google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml](https://github.com/google/osv-scanner-action) from 2.3.2 to 2.3.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/google/osv-scanner-action/releases">google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml's releases</a>.</em></p> <blockquote> <h2>v2.3.3</h2> <p>This updates OSV-Scanner to v2.3.3.</p> <h2>What's Changed</h2> <ul> <li>chore(deps): update github/codeql-action action to v4.31.10 by <a href="https://github.com/renovate-bot"><code>@renovate-bot</code></a> in <a href="https://redirect.github.com/google/osv-scanner-action/pull/115">google/osv-scanner-action#115</a></li> <li>Update to v2.3.3 by <a href="https://github.com/Ly-Joey"><code>@Ly-Joey</code></a> in <a href="https://redirect.github.com/google/osv-scanner-action/pull/118">google/osv-scanner-action#118</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/Ly-Joey"><code>@Ly-Joey</code></a> made their first contribution in <a href="https://redirect.github.com/google/osv-scanner-action/pull/118">google/osv-scanner-action#118</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/google/osv-scanner-action/compare/v2.3.2...v2.3.3">https://github.com/google/osv-scanner-action/compare/v2.3.2...v2.3.3</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/google/osv-scanner-action/commit/c5996e0193a3df57d695c1b8a1dec2a4c62e8730"><code>c5996e0</code></a> Merge pull request <a href="https://redirect.github.com/google/osv-scanner-action/issues/118">#118</a> from google/update-to-v2.3.3</li> <li><a href="https://github.com/google/osv-scanner-action/commit/f4fac926054e3236b87692fa58d351da22518991"><code>f4fac92</code></a> Update unified workflow example to point to v2.3.3 reusable workflows</li> <li><a href="https://github.com/google/osv-scanner-action/commit/8ae4be80636b94886b3c271caad730985ce0611c"><code>8ae4be8</code></a> Update reusable workflows to point to v2.3.3 actions</li> <li><a href="https://github.com/google/osv-scanner-action/commit/8018483926dd235b3013d8c88023e644b9f8e09e"><code>8018483</code></a> "Update actions to use v2.3.3 osv-scanner image"</li> <li><a href="https://github.com/google/osv-scanner-action/commit/2c222dbe8cbd6baffa4929823c8e5c3ab481d4d0"><code>2c222db</code></a> Merge pull request <a href="https://redirect.github.com/google/osv-scanner-action/issues/115">#115</a> from renovate-bot/renovate/workflows</li> <li><a href="https://github.com/google/osv-scanner-action/commit/115472d53545bb5e00eab96c82d23b16922bc73f"><code>115472d</code></a> chore(deps): update github/codeql-action action to v4.31.10</li> <li>See full diff in <a href="https://github.com/google/osv-scanner-action/compare/2a387edfbe02a11d856b89172f6e978100177eb4...c5996e0193a3df57d695c1b8a1dec2a4c62e8730">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml&package-manager=github_actions&previous-version=2.3.2&new-version=2.3.3)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…5041) Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.14.0 to 2.14.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/step-security/harden-runner/releases">step-security/harden-runner's releases</a>.</em></p> <blockquote> <h2>v2.14.2</h2> <h2>What's Changed</h2> <p>Security fix: Fixed a medium severity vulnerability where outbound network connections using sendto, sendmsg, and sendmmsg socket system calls could bypass audit logging when using egress-policy: audit. This issue only affects the Community Tier in audit mode; block mode and Enterprise Tier were not affected. See <a href="https://github.com/step-security/harden-runner/security/advisories/GHSA-cpmj-h4f6-r6pq">GHSA-cpmj-h4f6-r6pq</a> for details.</p> <p><strong>Full Changelog</strong>: <a href="https://github.com/step-security/harden-runner/compare/v2.14.1...v2.14.2">https://github.com/step-security/harden-runner/compare/v2.14.1...v2.14.2</a></p> <h2>v2.14.1</h2> <h2>What's Changed</h2> <ol> <li> <p>In some self-hosted environments, the agent could briefly fall back to public DNS resolvers during startup if the system DNS was not yet available. This behavior was unintended for GitHub-hosted runners and has now been fixed to prevent any use of public DNS resolvers.</p> </li> <li> <p>Fixed npm audit vulnerabilities</p> </li> </ol> <p><strong>Full Changelog</strong>: <a href="https://github.com/step-security/harden-runner/compare/v2.14.0...v2.14.1">https://github.com/step-security/harden-runner/compare/v2.14.0...v2.14.1</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/step-security/harden-runner/commit/5ef0c079ce82195b2a36a210272d6b661572d83e"><code>5ef0c07</code></a> Merge pull request <a href="https://redirect.github.com/step-security/harden-runner/issues/635">#635</a> from step-security/rc-34</li> <li><a href="https://github.com/step-security/harden-runner/commit/eb43c7b3fd5a30c42ff1ab84b494f1cc6c7cc3b6"><code>eb43c7b</code></a> update agent</li> <li><a href="https://github.com/step-security/harden-runner/commit/e3f713f2d8f53843e71c69a996d56f51aa9adfb9"><code>e3f713f</code></a> Merge pull request <a href="https://redirect.github.com/step-security/harden-runner/issues/631">#631</a> from step-security/rc-31</li> <li><a href="https://github.com/step-security/harden-runner/commit/423acdda6fd4f75f197b7c305a3f2e3d700dc00b"><code>423acdd</code></a> chore: fix npm audit vulnerabilities</li> <li><a href="https://github.com/step-security/harden-runner/commit/0ddb86cf0353b79dbed5bb8cef4103700cea70a7"><code>0ddb86c</code></a> update agent</li> <li>See full diff in <a href="https://github.com/step-security/harden-runner/compare/20cf305ff2072d973412fa9b1e3a4f227bda3c76...5ef0c079ce82195b2a36a210272d6b661572d83e">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=step-security/harden-runner&package-manager=github_actions&previous-version=2.14.0&new-version=2.14.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…kflows/mkdocs in the python-deps group (#5051) Bumps the python-deps group in /.github/workflows/mkdocs with 1 update: [mkdocs-material](https://github.com/squidfunk/mkdocs-material). Updates `mkdocs-material` from 9.7.1 to 9.7.2 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/squidfunk/mkdocs-material/releases">mkdocs-material's releases</a>.</em></p> <blockquote> <h2>mkdocs-material-9.7.2</h2> <blockquote> <p>[!WARNING]</p> <p><strong>Material for MkDocs is in maintenance mode</strong></p> <p>Going forward, the Material for MkDocs team focuses on <a href="https://zensical.org">Zensical</a>, a next-gen static site generator built from first principles. We will provide critical bug fixes and security updates for Material for MkDocs until November 2026.</p> <p><a href="https://squidfunk.github.io/mkdocs-material/blog/2025/11/05/zensical/">Read the full announcement on our blog</a></p> </blockquote> <h2>Changes</h2> <ul> <li>Opened up version ranges of optional dependencies for forward-compatibility</li> <li>Added warning to <code>mkdocs build</code> about impending MkDocs 2.0 incompatibility (doesn't affect strict mode)</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/squidfunk/mkdocs-material/blob/master/CHANGELOG">mkdocs-material's changelog</a>.</em></p> <blockquote> <p>mkdocs-material-9.7.3 (2026-02-24)</p> <ul> <li>Fixed <a href="https://redirect.github.com/squidfunk/mkdocs-material/issues/8567">#8567</a>: Print MkDocs 2.0 incompatibility warning to stderr</li> </ul> <p>mkdocs-material-9.7.2 (2026-02-18)</p> <ul> <li>Opened up version ranges of optional dependencies for forward-compatibility</li> <li>Added warning to 'mkdocs build' about impending MkDocs 2.0 incompatibility</li> </ul> <p>mkdocs-material-9.7.1 (2025-12-18)</p> <ul> <li>Updated requests to 2.30+ to mitigate CVE in urllib</li> <li>Fixed privacy plugin not picking up protocol-relative URLs</li> <li>Fixed <a href="https://redirect.github.com/squidfunk/mkdocs-material/issues/8542">#8542</a>: false positives and negatives captured in privacy plugin</li> </ul> <p>mkdocs-material-9.7.0 (2025-11-11)</p> <p>⚠️ Material for MkDocs is now in maintenance mode</p> <p>This is the last release of Material for MkDocs that will receive new features. Going forward, the Material for MkDocs team focuses on Zensical, a next-gen static site generator built from first principles. We will provide critical bug fixes and security updates for Material for MkDocs for 12 months at least.</p> <p>Read the full announcement on our blog: <a href="https://squidfunk.github.io/mkdocs-material/blog/2025/11/05/zensical/">https://squidfunk.github.io/mkdocs-material/blog/2025/11/05/zensical/</a></p> <p>This release includes all features that were previously exclusive to the Insiders edition. These features are now freely available to everyone.</p> <p>Note on deprecated plugins: The projects and typeset plugins are included in this release, but must be considered deprecated. Both plugins proved unsustainable to maintain and represent architectural dead ends. They are provided as-is without ongoing support.</p> <p>Changes:</p> <ul> <li>Added support for pinned blog posts and author profiles</li> <li>Added support for customizing pagination for blog index pages</li> <li>Added support for customizing blog category sort order</li> <li>Added support for staying on page when switching languages</li> <li>Added support for disabling tags in table of contents</li> <li>Added support for nested tags and shadow tags</li> <li>Added support for footnote tooltips</li> <li>Added support for instant previews</li> <li>Added support for instant prefetching</li> <li>Added support for custom social card layouts</li> <li>Added support for custom social card background images</li> <li>Added support for selectable rangs in code blocks</li> <li>Added support for custom selectors for code annotations</li> </ul>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/squidfunk/mkdocs-material/commit/e21a119e38f7bca184e469eaeefa3d5535e5022b"><code>e21a119</code></a> Updated changelog</li> <li><a href="https://github.com/squidfunk/mkdocs-material/commit/d5654b500a7021625d3c78f59842805c45e7b65a"><code>d5654b5</code></a> Prepare 9.7.2 release</li> <li><a href="https://github.com/squidfunk/mkdocs-material/commit/b18af2f74a98e0d54f7f11b4e029d7ea29166df3"><code>b18af2f</code></a> Opened up version ranges in optional dependencies</li> <li><a href="https://github.com/squidfunk/mkdocs-material/commit/39cdfbd87c80079cd06a6d2a953cd53f531db61d"><code>39cdfbd</code></a> Added social card for blog post</li> <li><a href="https://github.com/squidfunk/mkdocs-material/commit/09ee7b1913eab1988ff3a81982c39634915336e1"><code>09ee7b1</code></a> Added blog post on MkDocs 2.0 (<a href="https://redirect.github.com/squidfunk/mkdocs-material/issues/8564">#8564</a>)</li> <li><a href="https://github.com/squidfunk/mkdocs-material/commit/0d11a2d01174a0ab3bec97300c4432da44128253"><code>0d11a2d</code></a> Documentation (<a href="https://redirect.github.com/squidfunk/mkdocs-material/issues/8560">#8560</a>)</li> <li><a href="https://github.com/squidfunk/mkdocs-material/commit/8fc61b5cb00845825179d6fd3e331c789f83187b"><code>8fc61b5</code></a> Updated dependencies</li> <li><a href="https://github.com/squidfunk/mkdocs-material/commit/3f0eaca8da7e06db5bbb8ca41febb78459baf650"><code>3f0eaca</code></a> Documentation</li> <li><a href="https://github.com/squidfunk/mkdocs-material/commit/eaba2dc24f196ecbf8e9aa87f8982be4e154920b"><code>eaba2dc</code></a> Re-enable publishing</li> <li>See full diff in <a href="https://github.com/squidfunk/mkdocs-material/compare/9.7.1...9.7.2">compare view</a></li> </ul> </details> <br /> [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=mkdocs-material&package-manager=pip&previous-version=9.7.1&new-version=9.7.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…5058) Bumps the github group with 4 updates in the / directory: [actions/upload-artifact](https://github.com/actions/upload-artifact), [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance), [actions/stale](https://github.com/actions/stale) and [actions/cache](https://github.com/actions/cache). Updates `actions/upload-artifact` from 6.0.0 to 7.0.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/upload-artifact/releases">actions/upload-artifact's releases</a>.</em></p> <blockquote> <h2>v7.0.0</h2> <h2>v7 What's new</h2> <h3>Direct Uploads</h3> <p>Adds support for uploading single files directly (unzipped). Callers can set the new <code>archive</code> parameter to <code>false</code> to skip zipping the file during upload. Right now, we only support single files. The action will fail if the glob passed resolves to multiple files. The <code>name</code> parameter is also ignored with this setting. Instead, the name of the artifact will be the name of the uploaded file.</p> <h3>ESM</h3> <p>To support new versions of the <code>@actions/*</code> packages, we've upgraded the package to ESM.</p> <h2>What's Changed</h2> <ul> <li>Add proxy integration test by <a href="https://github.com/Link"><code>@Link</code></a>- in <a href="https://redirect.github.com/actions/upload-artifact/pull/754">actions/upload-artifact#754</a></li> <li>Upgrade the module to ESM and bump dependencies by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/762">actions/upload-artifact#762</a></li> <li>Support direct file uploads by <a href="https://github.com/danwkennedy"><code>@danwkennedy</code></a> in <a href="https://redirect.github.com/actions/upload-artifact/pull/764">actions/upload-artifact#764</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/Link"><code>@Link</code></a>- made their first contribution in <a href="https://redirect.github.com/actions/upload-artifact/pull/754">actions/upload-artifact#754</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/upload-artifact/compare/v6...v7.0.0">https://github.com/actions/upload-artifact/compare/v6...v7.0.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/upload-artifact/commit/bbbca2ddaa5d8feaa63e36b76fdaad77386f024f"><code>bbbca2d</code></a> Support direct file uploads (<a href="https://redirect.github.com/actions/upload-artifact/issues/764">#764</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/589182c5a4cec8920b8c1bce3e2fab1c97a02296"><code>589182c</code></a> Upgrade the module to ESM and bump dependencies (<a href="https://redirect.github.com/actions/upload-artifact/issues/762">#762</a>)</li> <li><a href="https://github.com/actions/upload-artifact/commit/47309c993abb98030a35d55ef7ff34b7fa1074b5"><code>47309c9</code></a> Merge pull request <a href="https://redirect.github.com/actions/upload-artifact/issues/754">#754</a> from actions/Link-/add-proxy-integration-tests</li> <li><a href="https://github.com/actions/upload-artifact/commit/02a8460834e70dab0ce194c64360c59dc1475ef0"><code>02a8460</code></a> Add proxy integration test</li> <li>See full diff in <a href="https://github.com/actions/upload-artifact/compare/b7c566a772e6b6bfb58ed0dc250532a479d7789f...bbbca2ddaa5d8feaa63e36b76fdaad77386f024f">compare view</a></li> </ul> </details> <br /> Updates `actions/attest-build-provenance` from 3.1.0 to 4.1.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/attest-build-provenance/releases">actions/attest-build-provenance's releases</a>.</em></p> <blockquote> <h2>v4.1.0</h2> <blockquote> <p>[!NOTE] As of version 4, <code>actions/attest-build-provenance</code> is simply a wrapper on top of <a href="https://github.com/actions/attest"><code>actions/attest</code></a>.</p> <p>Existing applications may continue to use the <code>attest-build-provenance</code> action, but new implementations should use <code>actions/attest</code> instead.</p> </blockquote> <h2>What's Changed</h2> <ul> <li>Update RELEASE.md docs by <a href="https://github.com/bdehamer"><code>@bdehamer</code></a> in <a href="https://redirect.github.com/actions/attest-build-provenance/pull/836">actions/attest-build-provenance#836</a></li> <li>Bump <code>actions/attest</code> from 4.0.0 to 4.1.0 by <a href="https://github.com/bdehamer"><code>@bdehamer</code></a> in <a href="https://redirect.github.com/actions/attest-build-provenance/pull/838">actions/attest-build-provenance#838</a> <ul> <li>Bump <code>@actions/attest</code> from 3.0.0 to 3.1.0 by <a href="https://github.com/bdehamer"><code>@bdehamer</code></a> in <a href="https://redirect.github.com/actions/attest/pull/362">actions/attest#362</a></li> <li>Bump <code>@actions/attest</code> from 3.1.0 to 3.2.0 by <a href="https://github.com/bdehamer"><code>@bdehamer</code></a> in <a href="https://redirect.github.com/actions/attest/pull/365">actions/attest#365</a></li> <li>Add new <code>subject-version</code> input for inclusion in storage record by <a href="https://github.com/bdehamer"><code>@bdehamer</code></a> in <a href="https://redirect.github.com/actions/attest/pull/364">actions/attest#364</a></li> <li>Add storage record content to README by <a href="https://github.com/bdehamer"><code>@bdehamer</code></a> in <a href="https://redirect.github.com/actions/attest/pull/366">actions/attest#366</a></li> </ul> </li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/attest-build-provenance/compare/v4.0.0...v4.1.0">https://github.com/actions/attest-build-provenance/compare/v4.0.0...v4.1.0</a></p> <h2>v4.0.0</h2> <blockquote> <p>[!NOTE] As of version 4, <code>actions/attest-build-provenance</code> is simply a wrapper on top of <a href="https://github.com/actions/attest"><code>actions/attest</code></a>.</p> <p>Existing applications may continue to use the <code>attest-build-provenance</code> action, but new implementations should use <code>actions/attest</code> instead.</p> </blockquote> <h2>What's Changed</h2> <ul> <li>Prepare v4 release by <a href="https://github.com/bdehamer"><code>@bdehamer</code></a> in <a href="https://redirect.github.com/actions/attest-build-provenance/pull/835">actions/attest-build-provenance#835</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/attest-build-provenance/compare/v3.2.0...v4.0.0">https://github.com/actions/attest-build-provenance/compare/v3.2.0...v4.0.0</a></p> <h2>v3.2.0</h2> <h2>What's Changed</h2> <ul> <li>Bump <code>@actions/core</code> from 1.11.1 to 2.0.1 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/actions/attest-build-provenance/pull/776">actions/attest-build-provenance#776</a></li> <li>Add more documentation on Artifact Metadata Storage Records by <a href="https://github.com/malancas"><code>@malancas</code></a> in <a href="https://redirect.github.com/actions/attest-build-provenance/pull/797">actions/attest-build-provenance#797</a></li> <li>Update actions/attest to latest version v3.2.0 by <a href="https://github.com/malancas"><code>@malancas</code></a> in <a href="https://redirect.github.com/actions/attest-build-provenance/pull/812">actions/attest-build-provenance#812</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/attest-build-provenance/compare/v3.1.0...v3.2.0">https://github.com/actions/attest-build-provenance/compare/v3.1.0...v3.2.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/attest-build-provenance/commit/a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32"><code>a2bbfa2</code></a> bump actions/attest from 4.0.0 to 4.1.0 (<a href="https://redirect.github.com/actions/attest-build-provenance/issues/838">#838</a>)</li> <li><a href="https://github.com/actions/attest-build-provenance/commit/0856891a35570e4ac506b510f0358a4308f82385"><code>0856891</code></a> update RELEASE.md docs (<a href="https://redirect.github.com/actions/attest-build-provenance/issues/836">#836</a>)</li> <li><a href="https://github.com/actions/attest-build-provenance/commit/e4d4f7c39adfa4c260fb5c147f0622000aa14b99"><code>e4d4f7c</code></a> prepare v4 release (<a href="https://redirect.github.com/actions/attest-build-provenance/issues/835">#835</a>)</li> <li><a href="https://github.com/actions/attest-build-provenance/commit/02a49bdc410a809733602220c6f6275925d6b578"><code>02a49bd</code></a> Bump github/codeql-action in the actions-minor group (<a href="https://redirect.github.com/actions/attest-build-provenance/issues/824">#824</a>)</li> <li><a href="https://github.com/actions/attest-build-provenance/commit/7c757df4145fcd233331998e58b20b422c833a00"><code>7c757df</code></a> Bump the npm-development group with 2 updates (<a href="https://redirect.github.com/actions/attest-build-provenance/issues/825">#825</a>)</li> <li><a href="https://github.com/actions/attest-build-provenance/commit/c44148e5bf178192efd8947e07a0d439a356c60b"><code>c44148e</code></a> Bump github/codeql-action in the actions-minor group (<a href="https://redirect.github.com/actions/attest-build-provenance/issues/818">#818</a>)</li> <li><a href="https://github.com/actions/attest-build-provenance/commit/32343527f2ec94583cf7b31280de0f60dc9f0bf9"><code>3234352</code></a> Bump <code>@types/node</code> from 25.0.10 to 25.2.0 in the npm-development group (<a href="https://redirect.github.com/actions/attest-build-provenance/issues/819">#819</a>)</li> <li><a href="https://github.com/actions/attest-build-provenance/commit/18db12979d4cecda10c1cf295bcb159f3e59866d"><code>18db129</code></a> Bump tar from 7.5.6 to 7.5.7 (<a href="https://redirect.github.com/actions/attest-build-provenance/issues/816">#816</a>)</li> <li><a href="https://github.com/actions/attest-build-provenance/commit/90fadfae6ba2e2ef59f8d38e61ec3cf16443a18e"><code>90fadfa</code></a> Bump <code>@actions/core</code> from 2.0.1 to 2.0.2 in the npm-production group (<a href="https://redirect.github.com/actions/attest-build-provenance/issues/799">#799</a>)</li> <li><a href="https://github.com/actions/attest-build-provenance/commit/57db8ba356515a4c8608990f2aa27a6972235ccc"><code>57db8ba</code></a> Bump the npm-development group across 1 directory with 3 updates (<a href="https://redirect.github.com/actions/attest-build-provenance/issues/808">#808</a>)</li> <li>Additional commits viewable in <a href="https://github.com/actions/attest-build-provenance/compare/00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8...a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32">compare view</a></li> </ul> </details> <br /> Updates `actions/stale` from 10.1.1 to 10.2.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/stale/releases">actions/stale's releases</a>.</em></p> <blockquote> <h2>v10.2.0</h2> <h2>What's Changed</h2> <h3>Bug Fix</h3> <ul> <li>Fix checking state cache (fix <a href="https://redirect.github.com/actions/stale/issues/1136">#1136</a>) and switch to Octokit helper methods by <a href="https://github.com/itchyny"><code>@itchyny</code></a> in <a href="https://redirect.github.com/actions/stale/pull/1152">actions/stale#1152</a></li> </ul> <h3>Dependency Updates</h3> <ul> <li>Upgrade js-yaml from 4.1.0 to 4.1.1 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/stale/pull/1304">actions/stale#1304</a></li> <li>Upgrade lodash from 4.17.21 to 4.17.23 by <a href="https://github.com/dependabot"><code>@dependabot</code></a> in <a href="https://redirect.github.com/actions/stale/pull/1313">actions/stale#1313</a></li> <li>Upgrade actions/cache from 4.0.3 to 5.0.2 and actions/github from 5.1.1 to 7.0.0 by <a href="https://github.com/chiranjib-swain"><code>@chiranjib-swain</code></a> in <a href="https://redirect.github.com/actions/stale/pull/1312">actions/stale#1312</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/itchyny"><code>@itchyny</code></a> made their first contribution in <a href="https://redirect.github.com/actions/stale/pull/1152">actions/stale#1152</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/stale/compare/v10...v10.2.0">https://github.com/actions/stale/compare/v10...v10.2.0</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/stale/commit/b5d41d4e1d5dceea10e7104786b73624c18a190f"><code>b5d41d4</code></a> build(deps-dev): bump lodash from 4.17.21 to 4.17.23 (<a href="https://redirect.github.com/actions/stale/issues/1313">#1313</a>)</li> <li><a href="https://github.com/actions/stale/commit/dcd2b9469d2220b7e8d08aedc00c105d277fd46b"><code>dcd2b94</code></a> Fix punycode and url.parse Deprecation Warnings (<a href="https://redirect.github.com/actions/stale/issues/1312">#1312</a>)</li> <li><a href="https://github.com/actions/stale/commit/d6f8a33132340b15a7006f552936e4b9b39c00ec"><code>d6f8a33</code></a> build(deps-dev): bump js-yaml from 4.1.0 to 4.1.1 (<a href="https://redirect.github.com/actions/stale/issues/1304">#1304</a>)</li> <li><a href="https://github.com/actions/stale/commit/a21a0816299b11691f9592ef0d63d08e02f06d9d"><code>a21a081</code></a> Fix checking state cache (fix <a href="https://redirect.github.com/actions/stale/issues/1136">#1136</a>), also switch to octokit methods (<a href="https://redirect.github.com/actions/stale/issues/1152">#1152</a>)</li> <li>See full diff in <a href="https://github.com/actions/stale/compare/997185467fa4f803885201cee163a9f38240193d...b5d41d4e1d5dceea10e7104786b73624c18a190f">compare view</a></li> </ul> </details> <br /> Updates `actions/cache` from 5.0.1 to 5.0.3 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/actions/cache/releases">actions/cache's releases</a>.</em></p> <blockquote> <h2>v5.0.3</h2> <h2>What's Changed</h2> <ul> <li>Bump <code>@actions/cache</code> to v5.0.5 (Resolves: <a href="https://github.com/actions/cache/security/dependabot/33">https://github.com/actions/cache/security/dependabot/33</a>)</li> <li>Bump <code>@actions/core</code> to v2.0.3</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/actions/cache/compare/v5...v5.0.3">https://github.com/actions/cache/compare/v5...v5.0.3</a></p> <h2>v.5.0.2</h2> <h1>v5.0.2</h1> <h2>What's Changed</h2> <p>When creating cache entries, 429s returned from the cache service will not be retried.</p> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/actions/cache/blob/main/RELEASES.md">actions/cache's changelog</a>.</em></p> <blockquote> <h1>Releases</h1> <h2>How to prepare a release</h2> <blockquote> <p>[!NOTE]<br /> Relevant for maintainers with write access only.</p> </blockquote> <ol> <li>Switch to a new branch from <code>main</code>.</li> <li>Run <code>npm test</code> to ensure all tests are passing.</li> <li>Update the version in <a href="https://github.com/actions/cache/blob/main/package.json"><code>https://github.com/actions/cache/blob/main/package.json</code></a>.</li> <li>Run <code>npm run build</code> to update the compiled files.</li> <li>Update this <a href="https://github.com/actions/cache/blob/main/RELEASES.md"><code>https://github.com/actions/cache/blob/main/RELEASES.md</code></a> with the new version and changes in the <code>## Changelog</code> section.</li> <li>Run <code>licensed cache</code> to update the license report.</li> <li>Run <code>licensed status</code> and resolve any warnings by updating the <a href="https://github.com/actions/cache/blob/main/.licensed.yml"><code>https://github.com/actions/cache/blob/main/.licensed.yml</code></a> file with the exceptions.</li> <li>Commit your changes and push your branch upstream.</li> <li>Open a pull request against <code>main</code> and get it reviewed and merged.</li> <li>Draft a new release <a href="https://github.com/actions/cache/releases">https://github.com/actions/cache/releases</a> use the same version number used in <code>package.json</code> <ol> <li>Create a new tag with the version number.</li> <li>Auto generate release notes and update them to match the changes you made in <code>RELEASES.md</code>.</li> <li>Toggle the set as the latest release option.</li> <li>Publish the release.</li> </ol> </li> <li>Navigate to <a href="https://github.com/actions/cache/actions/workflows/release-new-action-version.yml">https://github.com/actions/cache/actions/workflows/release-new-action-version.yml</a> <ol> <li>There should be a workflow run queued with the same version number.</li> <li>Approve the run to publish the new version and update the major tags for this action.</li> </ol> </li> </ol> <h2>Changelog</h2> <h3>5.0.3</h3> <ul> <li>Bump <code>@actions/cache</code> to v5.0.5 (Resolves: <a href="https://github.com/actions/cache/security/dependabot/33">https://github.com/actions/cache/security/dependabot/33</a>)</li> <li>Bump <code>@actions/core</code> to v2.0.3</li> </ul> <h3>5.0.2</h3> <ul> <li>Bump <code>@actions/cache</code> to v5.0.3 <a href="https://redirect.github.com/actions/cache/pull/1692">#1692</a></li> </ul> <h3>5.0.1</h3> <ul> <li>Update <code>@azure/storage-blob</code> to <code>^12.29.1</code> via <code>@actions/cache@5.0.1</code> <a href="https://redirect.github.com/actions/cache/pull/1685">#1685</a></li> </ul> <h3>5.0.0</h3> <blockquote> <p>[!IMPORTANT] <code>actions/cache@v5</code> runs on the Node.js 24 runtime and requires a minimum Actions Runner version of <code>2.327.1</code>. If you are using self-hosted runners, ensure they are updated before upgrading.</p> </blockquote> <h3>4.3.0</h3> <ul> <li>Bump <code>@actions/cache</code> to <a href="https://redirect.github.com/actions/toolkit/pull/2132">v4.1.0</a></li> </ul>  </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/actions/cache/commit/cdf6c1fa76f9f475f3d7449005a359c84ca0f306"><code>cdf6c1f</code></a> Merge pull request <a href="https://redirect.github.com/actions/cache/issues/1695">#1695</a> from actions/Link-/prepare-5.0.3</li> <li><a href="https://github.com/actions/cache/commit/a1bee22673bee4afb9ce4e0a1dc3da1c44060b7d"><code>a1bee22</code></a> Add review for the <code>@actions/http-client</code> license</li> <li><a href="https://github.com/actions/cache/commit/46957638dc5c5ff0c34c0143f443c07d3a7c769f"><code>4695763</code></a> Add licensed output</li> <li><a href="https://github.com/actions/cache/commit/dc73bb9f7bf74a733c05ccd2edfd1f2ac9e5f502"><code>dc73bb9</code></a> Upgrade dependencies and address security warnings</li> <li><a href="https://github.com/actions/cache/commit/345d5c2f761565bace4b6da356737147e9041e3a"><code>345d5c2</code></a> Add 5.0.3 builds</li> <li><a href="https://github.com/actions/cache/commit/8b402f58fbc84540c8b491a91e594a4576fec3d7"><code>8b402f5</code></a> Merge pull request <a href="https://redirect.github.com/actions/cache/issues/1692">#1692</a> from GhadimiR/main</li> <li><a href="https://github.com/actions/cache/commit/304ab5a0701ee61908ccb4b5822347949a2e2002"><code>304ab5a</code></a> license for httpclient</li> <li><a href="https://github.com/actions/cache/commit/609fc19e67cd310e97eb36af42355843ffcb35be"><code>609fc19</code></a> Update licensed record for cache</li> <li><a href="https://github.com/actions/cache/commit/b22231e43df11a67538c05e88835f1fa097599c5"><code>b22231e</code></a> Build</li> <li><a href="https://github.com/actions/cache/commit/93150cdfb36a9d84d4e8628c8870bec84aedcf8a"><code>93150cd</code></a> Add PR link to releases</li> <li>Additional commits viewable in <a href="https://github.com/actions/cache/compare/9255dc7a253b0ccc959486e2bca901246202afeb...cdf6c1fa76f9f475f3d7449005a359c84ca0f306">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…#5044) Bumps the aws-powertools group in /lambdas with 4 updates: [@aws-lambda-powertools/parameters](https://github.com/aws-powertools/powertools-lambda-typescript), [@aws-lambda-powertools/logger](https://github.com/aws-powertools/powertools-lambda-typescript), [@aws-lambda-powertools/metrics](https://github.com/aws-powertools/powertools-lambda-typescript) and [@aws-lambda-powertools/tracer](https://github.com/aws-powertools/powertools-lambda-typescript). Updates `@aws-lambda-powertools/parameters` from 2.30.2 to 2.31.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/aws-powertools/powertools-lambda-typescript/releases"><code>@aws-lambda-powertools/parameters</code>'s releases</a>.</em></p> <blockquote> <h2>v2.31.0</h2> <h2>Summary</h2> <p>In this release we are pleased to announce Tracer middleware for the HTTP event handler, which allows users to enable distributed tracing for their HTTP routes with minimal boilerplate code.</p> <p>In addition, the metric utility now supports a fluent interface, allowing you to chain multiple methods in a single statement.</p> <p>We have also fixed a bug in the HTTP event handler that caused parameterized headers to be handled incorrectly.</p> <p>⭐ Special thanks to <a href="https://github.com/nateiler"><code>@nateiler</code></a> and <a href="https://github.com/dothomson"><code>@dothomson</code></a> for their first PR merged in the project, and to <a href="https://github.com/arnabrahman"><code>@arnabrahman</code></a>! for another great contribution 🎉</p> <h2>Tracer Middleware</h2> <p>You can now use the Tracer utility with the HTTP event handler to gain observability over your routes. The middleware:</p> <ul> <li>Creates a subsegment for each HTTP route with the format <code>METHOD /path</code> (e.g., <code>GET /users</code>)</li> <li>Adds <code>ColdStart</code> and <code>Service</code> annotations</li> <li>Optionally captures JSON response bodies as metadata</li> <li>Captures errors as metadata when exceptions occur</li> </ul> <pre lang="ts"><code>import { Router } from '@aws-lambda-powertools/event-handler/http'; import { tracer as tracerMiddleware } from '@aws-lambda-powertools/event-handler/http/middleware/tracer'; import { Tracer } from '@aws-lambda-powertools/tracer'; import type { Context } from 'aws-lambda'; <p>const tracer = new Tracer({ serviceName: 'my-api' }); const app = new Router();</p> <p>app.get( '/users/cards', [tracerMiddleware(tracer, { captureResponse: false })], ({ params }) => { return { id: params.id, secret: 'sensitive-data' }; } );</p> <p>export const handler = async (event: unknown, context: Context) => app.resolve(event, context); </code></pre></p> <h2>Metrics Fluent Interface</h2> <p>All mutation methods (with the exception of <code>clear*</code>) now return the metric instance that was mutated, allowing you to chain multiple metrics operations in a single statement.</p> <pre lang="ts"><code>import { Metrics} from '@aws-lambda-powertools/metrics'; <p>const metrics = new Metrics();</p> <p></tr></table> </code></pre></p> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/aws-powertools/powertools-lambda-typescript/blob/main/CHANGELOG.md"><code>@aws-lambda-powertools/parameters</code>'s changelog</a>.</em></p> <blockquote> <h2><a href="https://github.com/aws-powertools/powertools-lambda-typescript/compare/v2.30.2...v2.31.0">2.31.0</a> (2026-02-10)</h2> <h3>Features</h3> <ul> <li><strong>metrics</strong> return metrics instance from metrics functions (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4930">#4930</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/e7aa2e2b5efbdca197602ef5611ac14e58519d6b">e7aa2e2</a>)</li> <li><strong>parameters</strong> pass underlying SDK error as cause to <code>GetParameterError</code> (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4936">#4936</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/b3499dbfe29adc8f7fa07e5b8f3b4718e4525fa7">b3499db</a>)</li> <li><strong>event-handler</strong> add tracer middleware for HTTP routes (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4982">#4982</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/8be61577451c32fdea2db8bcb93f8acba9e44423">8be6157</a>)</li> </ul> <h3>Bug Fixes</h3> <ul> <li><strong>event-handler</strong> handle set-cookie header values with multiple attributes (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4990">#4990</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/42317fe15b90536fab40c15a70f967faf116011a">42317fe</a>)</li> <li><strong>kafka</strong> handle tombstone events (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4991">#4991</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/04c32360c972aff984c69cce3eae6e95007e79b7">04c3236</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/54d1fa3b290684ec987854b8266eac5094f4c178"><code>54d1fa3</code></a> chore(ci): bump version to 2.31.0 (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/5007">#5007</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/42317fe15b90536fab40c15a70f967faf116011a"><code>42317fe</code></a> fix(event-handler): handle set-cookie header values with multiple attributes ...</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/8e4da8a4ce4b7c57de14be04baf84444ee89f8c7"><code>8e4da8a</code></a> chore(deps): bump <code>@types/node</code> from 25.2.0 to 25.2.2 (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/5004">#5004</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/ddf54e09ec0c61a803b4d9f8edecd62ccc374555"><code>ddf54e0</code></a> chore(deps): bump github/codeql-action from 4.32.1 to 4.32.2 (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4998">#4998</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/769207180080d45a72f8aca332c200239d3be06e"><code>7692071</code></a> chore(deps): bump <code>@types/node</code> from 25.2.0 to 25.2.1 (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4999">#4999</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/d8dfadc63a59e0445b23a98eae9f9cd26fdb2e14"><code>d8dfadc</code></a> chore: manually upgrade dependency tree (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/5002">#5002</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/60b6ce1b2c93346cccd0b7a1c43020934037b5c7"><code>60b6ce1</code></a> ci: switch npm auth to OIDC (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4997">#4997</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/04c32360c972aff984c69cce3eae6e95007e79b7"><code>04c3236</code></a> fix(kafka): handle tombstone events (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4991">#4991</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/8e1359e1954f65215fe5c1884e4f0479eda95508"><code>8e1359e</code></a> chore(deps): bump the aws-cdk group across 1 directory with 3 updates (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4985">#4985</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/4c6657aee26e501dde0211da0810e52b441c5913"><code>4c6657a</code></a> test: extract DF idempotency e2e tests (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4994">#4994</a>)</li> <li>Additional commits viewable in <a href="https://github.com/aws-powertools/powertools-lambda-typescript/compare/v2.30.2...v2.31.0">compare view</a></li> </ul> </details> <br /> Updates `@aws-lambda-powertools/logger` from 2.30.2 to 2.31.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/aws-powertools/powertools-lambda-typescript/releases"><code>@aws-lambda-powertools/logger</code>'s releases</a>.</em></p> <blockquote> <h2>v2.31.0</h2> <h2>Summary</h2> <p>In this release we are pleased to announce Tracer middleware for the HTTP event handler, which allows users to enable distributed tracing for their HTTP routes with minimal boilerplate code.</p> <p>In addition, the metric utility now supports a fluent interface, allowing you to chain multiple methods in a single statement.</p> <p>We have also fixed a bug in the HTTP event handler that caused parameterized headers to be handled incorrectly.</p> <p>⭐ Special thanks to <a href="https://github.com/nateiler"><code>@nateiler</code></a> and <a href="https://github.com/dothomson"><code>@dothomson</code></a> for their first PR merged in the project, and to <a href="https://github.com/arnabrahman"><code>@arnabrahman</code></a>! for another great contribution 🎉</p> <h2>Tracer Middleware</h2> <p>You can now use the Tracer utility with the HTTP event handler to gain observability over your routes. The middleware:</p> <ul> <li>Creates a subsegment for each HTTP route with the format <code>METHOD /path</code> (e.g., <code>GET /users</code>)</li> <li>Adds <code>ColdStart</code> and <code>Service</code> annotations</li> <li>Optionally captures JSON response bodies as metadata</li> <li>Captures errors as metadata when exceptions occur</li> </ul> <pre lang="ts"><code>import { Router } from '@aws-lambda-powertools/event-handler/http'; import { tracer as tracerMiddleware } from '@aws-lambda-powertools/event-handler/http/middleware/tracer'; import { Tracer } from '@aws-lambda-powertools/tracer'; import type { Context } from 'aws-lambda'; <p>const tracer = new Tracer({ serviceName: 'my-api' }); const app = new Router();</p> <p>app.get( '/users/cards', [tracerMiddleware(tracer, { captureResponse: false })], ({ params }) => { return { id: params.id, secret: 'sensitive-data' }; } );</p> <p>export const handler = async (event: unknown, context: Context) => app.resolve(event, context); </code></pre></p> <h2>Metrics Fluent Interface</h2> <p>All mutation methods (with the exception of <code>clear*</code>) now return the metric instance that was mutated, allowing you to chain multiple metrics operations in a single statement.</p> <pre lang="ts"><code>import { Metrics} from '@aws-lambda-powertools/metrics'; <p>const metrics = new Metrics();</p> <p></tr></table> </code></pre></p> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/aws-powertools/powertools-lambda-typescript/blob/main/CHANGELOG.md"><code>@aws-lambda-powertools/logger</code>'s changelog</a>.</em></p> <blockquote> <h2><a href="https://github.com/aws-powertools/powertools-lambda-typescript/compare/v2.30.2...v2.31.0">2.31.0</a> (2026-02-10)</h2> <h3>Features</h3> <ul> <li><strong>metrics</strong> return metrics instance from metrics functions (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4930">#4930</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/e7aa2e2b5efbdca197602ef5611ac14e58519d6b">e7aa2e2</a>)</li> <li><strong>parameters</strong> pass underlying SDK error as cause to <code>GetParameterError</code> (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4936">#4936</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/b3499dbfe29adc8f7fa07e5b8f3b4718e4525fa7">b3499db</a>)</li> <li><strong>event-handler</strong> add tracer middleware for HTTP routes (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4982">#4982</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/8be61577451c32fdea2db8bcb93f8acba9e44423">8be6157</a>)</li> </ul> <h3>Bug Fixes</h3> <ul> <li><strong>event-handler</strong> handle set-cookie header values with multiple attributes (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4990">#4990</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/42317fe15b90536fab40c15a70f967faf116011a">42317fe</a>)</li> <li><strong>kafka</strong> handle tombstone events (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4991">#4991</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/04c32360c972aff984c69cce3eae6e95007e79b7">04c3236</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/54d1fa3b290684ec987854b8266eac5094f4c178"><code>54d1fa3</code></a> chore(ci): bump version to 2.31.0 (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/5007">#5007</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/42317fe15b90536fab40c15a70f967faf116011a"><code>42317fe</code></a> fix(event-handler): handle set-cookie header values with multiple attributes ...</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/8e4da8a4ce4b7c57de14be04baf84444ee89f8c7"><code>8e4da8a</code></a> chore(deps): bump <code>@types/node</code> from 25.2.0 to 25.2.2 (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/5004">#5004</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/ddf54e09ec0c61a803b4d9f8edecd62ccc374555"><code>ddf54e0</code></a> chore(deps): bump github/codeql-action from 4.32.1 to 4.32.2 (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4998">#4998</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/769207180080d45a72f8aca332c200239d3be06e"><code>7692071</code></a> chore(deps): bump <code>@types/node</code> from 25.2.0 to 25.2.1 (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4999">#4999</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/d8dfadc63a59e0445b23a98eae9f9cd26fdb2e14"><code>d8dfadc</code></a> chore: manually upgrade dependency tree (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/5002">#5002</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/60b6ce1b2c93346cccd0b7a1c43020934037b5c7"><code>60b6ce1</code></a> ci: switch npm auth to OIDC (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4997">#4997</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/04c32360c972aff984c69cce3eae6e95007e79b7"><code>04c3236</code></a> fix(kafka): handle tombstone events (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4991">#4991</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/8e1359e1954f65215fe5c1884e4f0479eda95508"><code>8e1359e</code></a> chore(deps): bump the aws-cdk group across 1 directory with 3 updates (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4985">#4985</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/4c6657aee26e501dde0211da0810e52b441c5913"><code>4c6657a</code></a> test: extract DF idempotency e2e tests (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4994">#4994</a>)</li> <li>Additional commits viewable in <a href="https://github.com/aws-powertools/powertools-lambda-typescript/compare/v2.30.2...v2.31.0">compare view</a></li> </ul> </details> <br /> Updates `@aws-lambda-powertools/metrics` from 2.30.2 to 2.31.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/aws-powertools/powertools-lambda-typescript/releases"><code>@aws-lambda-powertools/metrics</code>'s releases</a>.</em></p> <blockquote> <h2>v2.31.0</h2> <h2>Summary</h2> <p>In this release we are pleased to announce Tracer middleware for the HTTP event handler, which allows users to enable distributed tracing for their HTTP routes with minimal boilerplate code.</p> <p>In addition, the metric utility now supports a fluent interface, allowing you to chain multiple methods in a single statement.</p> <p>We have also fixed a bug in the HTTP event handler that caused parameterized headers to be handled incorrectly.</p> <p>⭐ Special thanks to <a href="https://github.com/nateiler"><code>@nateiler</code></a> and <a href="https://github.com/dothomson"><code>@dothomson</code></a> for their first PR merged in the project, and to <a href="https://github.com/arnabrahman"><code>@arnabrahman</code></a>! for another great contribution 🎉</p> <h2>Tracer Middleware</h2> <p>You can now use the Tracer utility with the HTTP event handler to gain observability over your routes. The middleware:</p> <ul> <li>Creates a subsegment for each HTTP route with the format <code>METHOD /path</code> (e.g., <code>GET /users</code>)</li> <li>Adds <code>ColdStart</code> and <code>Service</code> annotations</li> <li>Optionally captures JSON response bodies as metadata</li> <li>Captures errors as metadata when exceptions occur</li> </ul> <pre lang="ts"><code>import { Router } from '@aws-lambda-powertools/event-handler/http'; import { tracer as tracerMiddleware } from '@aws-lambda-powertools/event-handler/http/middleware/tracer'; import { Tracer } from '@aws-lambda-powertools/tracer'; import type { Context } from 'aws-lambda'; <p>const tracer = new Tracer({ serviceName: 'my-api' }); const app = new Router();</p> <p>app.get( '/users/cards', [tracerMiddleware(tracer, { captureResponse: false })], ({ params }) => { return { id: params.id, secret: 'sensitive-data' }; } );</p> <p>export const handler = async (event: unknown, context: Context) => app.resolve(event, context); </code></pre></p> <h2>Metrics Fluent Interface</h2> <p>All mutation methods (with the exception of <code>clear*</code>) now return the metric instance that was mutated, allowing you to chain multiple metrics operations in a single statement.</p> <pre lang="ts"><code>import { Metrics} from '@aws-lambda-powertools/metrics'; <p>const metrics = new Metrics();</p> <p></tr></table> </code></pre></p> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/aws-powertools/powertools-lambda-typescript/blob/main/CHANGELOG.md"><code>@aws-lambda-powertools/metrics</code>'s changelog</a>.</em></p> <blockquote> <h2><a href="https://github.com/aws-powertools/powertools-lambda-typescript/compare/v2.30.2...v2.31.0">2.31.0</a> (2026-02-10)</h2> <h3>Features</h3> <ul> <li><strong>metrics</strong> return metrics instance from metrics functions (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4930">#4930</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/e7aa2e2b5efbdca197602ef5611ac14e58519d6b">e7aa2e2</a>)</li> <li><strong>parameters</strong> pass underlying SDK error as cause to <code>GetParameterError</code> (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4936">#4936</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/b3499dbfe29adc8f7fa07e5b8f3b4718e4525fa7">b3499db</a>)</li> <li><strong>event-handler</strong> add tracer middleware for HTTP routes (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4982">#4982</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/8be61577451c32fdea2db8bcb93f8acba9e44423">8be6157</a>)</li> </ul> <h3>Bug Fixes</h3> <ul> <li><strong>event-handler</strong> handle set-cookie header values with multiple attributes (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4990">#4990</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/42317fe15b90536fab40c15a70f967faf116011a">42317fe</a>)</li> <li><strong>kafka</strong> handle tombstone events (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4991">#4991</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/04c32360c972aff984c69cce3eae6e95007e79b7">04c3236</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/54d1fa3b290684ec987854b8266eac5094f4c178"><code>54d1fa3</code></a> chore(ci): bump version to 2.31.0 (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/5007">#5007</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/42317fe15b90536fab40c15a70f967faf116011a"><code>42317fe</code></a> fix(event-handler): handle set-cookie header values with multiple attributes ...</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/8e4da8a4ce4b7c57de14be04baf84444ee89f8c7"><code>8e4da8a</code></a> chore(deps): bump <code>@types/node</code> from 25.2.0 to 25.2.2 (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/5004">#5004</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/ddf54e09ec0c61a803b4d9f8edecd62ccc374555"><code>ddf54e0</code></a> chore(deps): bump github/codeql-action from 4.32.1 to 4.32.2 (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4998">#4998</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/769207180080d45a72f8aca332c200239d3be06e"><code>7692071</code></a> chore(deps): bump <code>@types/node</code> from 25.2.0 to 25.2.1 (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4999">#4999</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/d8dfadc63a59e0445b23a98eae9f9cd26fdb2e14"><code>d8dfadc</code></a> chore: manually upgrade dependency tree (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/5002">#5002</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/60b6ce1b2c93346cccd0b7a1c43020934037b5c7"><code>60b6ce1</code></a> ci: switch npm auth to OIDC (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4997">#4997</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/04c32360c972aff984c69cce3eae6e95007e79b7"><code>04c3236</code></a> fix(kafka): handle tombstone events (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4991">#4991</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/8e1359e1954f65215fe5c1884e4f0479eda95508"><code>8e1359e</code></a> chore(deps): bump the aws-cdk group across 1 directory with 3 updates (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4985">#4985</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/4c6657aee26e501dde0211da0810e52b441c5913"><code>4c6657a</code></a> test: extract DF idempotency e2e tests (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4994">#4994</a>)</li> <li>Additional commits viewable in <a href="https://github.com/aws-powertools/powertools-lambda-typescript/compare/v2.30.2...v2.31.0">compare view</a></li> </ul> </details> <br /> Updates `@aws-lambda-powertools/tracer` from 2.30.2 to 2.31.0 <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/aws-powertools/powertools-lambda-typescript/releases"><code>@aws-lambda-powertools/tracer</code>'s releases</a>.</em></p> <blockquote> <h2>v2.31.0</h2> <h2>Summary</h2> <p>In this release we are pleased to announce Tracer middleware for the HTTP event handler, which allows users to enable distributed tracing for their HTTP routes with minimal boilerplate code.</p> <p>In addition, the metric utility now supports a fluent interface, allowing you to chain multiple methods in a single statement.</p> <p>We have also fixed a bug in the HTTP event handler that caused parameterized headers to be handled incorrectly.</p> <p>⭐ Special thanks to <a href="https://github.com/nateiler"><code>@nateiler</code></a> and <a href="https://github.com/dothomson"><code>@dothomson</code></a> for their first PR merged in the project, and to <a href="https://github.com/arnabrahman"><code>@arnabrahman</code></a>! for another great contribution 🎉</p> <h2>Tracer Middleware</h2> <p>You can now use the Tracer utility with the HTTP event handler to gain observability over your routes. The middleware:</p> <ul> <li>Creates a subsegment for each HTTP route with the format <code>METHOD /path</code> (e.g., <code>GET /users</code>)</li> <li>Adds <code>ColdStart</code> and <code>Service</code> annotations</li> <li>Optionally captures JSON response bodies as metadata</li> <li>Captures errors as metadata when exceptions occur</li> </ul> <pre lang="ts"><code>import { Router } from '@aws-lambda-powertools/event-handler/http'; import { tracer as tracerMiddleware } from '@aws-lambda-powertools/event-handler/http/middleware/tracer'; import { Tracer } from '@aws-lambda-powertools/tracer'; import type { Context } from 'aws-lambda'; <p>const tracer = new Tracer({ serviceName: 'my-api' }); const app = new Router();</p> <p>app.get( '/users/cards', [tracerMiddleware(tracer, { captureResponse: false })], ({ params }) => { return { id: params.id, secret: 'sensitive-data' }; } );</p> <p>export const handler = async (event: unknown, context: Context) => app.resolve(event, context); </code></pre></p> <h2>Metrics Fluent Interface</h2> <p>All mutation methods (with the exception of <code>clear*</code>) now return the metric instance that was mutated, allowing you to chain multiple metrics operations in a single statement.</p> <pre lang="ts"><code>import { Metrics} from '@aws-lambda-powertools/metrics'; <p>const metrics = new Metrics();</p> <p></tr></table> </code></pre></p> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/aws-powertools/powertools-lambda-typescript/blob/main/CHANGELOG.md"><code>@aws-lambda-powertools/tracer</code>'s changelog</a>.</em></p> <blockquote> <h2><a href="https://github.com/aws-powertools/powertools-lambda-typescript/compare/v2.30.2...v2.31.0">2.31.0</a> (2026-02-10)</h2> <h3>Features</h3> <ul> <li><strong>metrics</strong> return metrics instance from metrics functions (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4930">#4930</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/e7aa2e2b5efbdca197602ef5611ac14e58519d6b">e7aa2e2</a>)</li> <li><strong>parameters</strong> pass underlying SDK error as cause to <code>GetParameterError</code> (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4936">#4936</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/b3499dbfe29adc8f7fa07e5b8f3b4718e4525fa7">b3499db</a>)</li> <li><strong>event-handler</strong> add tracer middleware for HTTP routes (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4982">#4982</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/8be61577451c32fdea2db8bcb93f8acba9e44423">8be6157</a>)</li> </ul> <h3>Bug Fixes</h3> <ul> <li><strong>event-handler</strong> handle set-cookie header values with multiple attributes (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4990">#4990</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/42317fe15b90536fab40c15a70f967faf116011a">42317fe</a>)</li> <li><strong>kafka</strong> handle tombstone events (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4991">#4991</a>) (<a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/04c32360c972aff984c69cce3eae6e95007e79b7">04c3236</a>)</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/54d1fa3b290684ec987854b8266eac5094f4c178"><code>54d1fa3</code></a> chore(ci): bump version to 2.31.0 (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/5007">#5007</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/42317fe15b90536fab40c15a70f967faf116011a"><code>42317fe</code></a> fix(event-handler): handle set-cookie header values with multiple attributes ...</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/8e4da8a4ce4b7c57de14be04baf84444ee89f8c7"><code>8e4da8a</code></a> chore(deps): bump <code>@types/node</code> from 25.2.0 to 25.2.2 (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/5004">#5004</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/ddf54e09ec0c61a803b4d9f8edecd62ccc374555"><code>ddf54e0</code></a> chore(deps): bump github/codeql-action from 4.32.1 to 4.32.2 (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4998">#4998</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/769207180080d45a72f8aca332c200239d3be06e"><code>7692071</code></a> chore(deps): bump <code>@types/node</code> from 25.2.0 to 25.2.1 (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4999">#4999</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/d8dfadc63a59e0445b23a98eae9f9cd26fdb2e14"><code>d8dfadc</code></a> chore: manually upgrade dependency tree (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/5002">#5002</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/60b6ce1b2c93346cccd0b7a1c43020934037b5c7"><code>60b6ce1</code></a> ci: switch npm auth to OIDC (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4997">#4997</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/04c32360c972aff984c69cce3eae6e95007e79b7"><code>04c3236</code></a> fix(kafka): handle tombstone events (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4991">#4991</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/8e1359e1954f65215fe5c1884e4f0479eda95508"><code>8e1359e</code></a> chore(deps): bump the aws-cdk group across 1 directory with 3 updates (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4985">#4985</a>)</li> <li><a href="https://github.com/aws-powertools/powertools-lambda-typescript/commit/4c6657aee26e501dde0211da0810e52b441c5913"><code>4c6657a</code></a> test: extract DF idempotency e2e tests (<a href="https://redirect.github.com/aws-powertools/powertools-lambda-typescript/issues/4994">#4994</a>)</li> <li>Additional commits viewable in <a href="https://github.com/aws-powertools/powertools-lambda-typescript/compare/v2.30.2...v2.31.0">compare view</a></li> </ul> </details> <br /> Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore <dependency name> major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself) - `@dependabot ignore <dependency name> minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself) - `@dependabot ignore <dependency name>` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself) - `@dependabot unignore <dependency name>` will remove all of the ignore conditions of the specified dependency - `@dependabot unignore <dependency name> <ignore condition>` will remove the ignore condition of the specified dependency and ignore conditions </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…5057) This PR adds a small pull request template that should make it easier for maintainers to test new changes as they come in.

🤖 I have created a release *beep* *boop* --- ## [7.4.1](v7.4.0...v7.4.1) (2026-03-09) ### Bug Fixes * gracefully handle JIT config failures and terminate unconfigured instance ([#4990](#4990)) ([c171550](c171550)) * **install-runner.sh:** support Debian ([#5027](#5027)) ([7755b7f](7755b7f)) * **lambda:** add jti claim to GitHub App JWTs to prevent concurrent collisions ([#5056](#5056)) ([07bd193](07bd193)), closes [#5025](#5025) * **lambda:** bump @octokit/auth-app from 8.1.2 to 8.2.0 in /lambdas in the octokit group ([#5035](#5035)) ([1c8083e](1c8083e)) * **lambda:** bump axios from 1.13.2 to 1.13.5 in /lambdas ([#5028](#5028)) ([0335e3a](0335e3a)) * **lambda:** bump qs from 6.14.1 to 6.14.2 in /lambdas ([#5032](#5032)) ([6dc97d5](6dc97d5)) * **lambda:** bump rollup from 4.46.2 to 4.59.0 in /lambdas ([#5052](#5052)) ([1e798b1](1e798b1)) * **lambda:** bump the aws group in /lambdas with 7 updates ([#5021](#5021)) ([c3c158d](c3c158d)) * **lambda:** bump the aws-powertools group in /lambdas with 4 updates ([#5022](#5022)) ([e8369cf](e8369cf)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: runners-releaser[bot] <194412594+runners-releaser[bot]@users.noreply.github.com>

## Summary Update `publishOnEventBridge` to use the existing `readEvent` helper instead of directly reading the `x-github-event` header and calling `checkEventIsSupported`. Only `eventType` is destructured from `readEvent`, since the parsed event object isn’t needed. ## Why This makes the EventBridge path consistent with `publishForRunners`, ensuring persistent logging fields (repository, action, workflow job name, status, etc.) are added to the logger in both code paths. ## Impact * No functional changes * Consistent logging behavior * Removes duplicate event parsing logic

…5017) This PR intends to reduce SSM AWS API calls by doing the following: Add `getParameters()` function to aws-ssm-util that fetches multiple SSM parameters in a single API call with automatic chunking (max 10 per call per AWS API limits). Apply batch fetching to: - auth.ts: fetch App ID and Private Key in one call (2 calls → 1) - ConfigLoader.ts: fetch multiple matcher config paths in one call - ami.ts: batch resolve SSM parameter values for AMI lookups Also remove redundant appId SSM fetch in scale-up.ts that was only used for logging. --------- Co-authored-by: Brend Smits <brend.smits@philips.com> Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

…ion (#5036) This pull request updates the logging configuration by introducing support for the `log_class` property, allowing log groups to be created with either the `STANDARD` or `INFREQUENT_ACCESS` class. The change is applied throughout the configuration to ensure log groups and log files can specify their class, defaulting to `STANDARD` if not set. **Logging configuration enhancements:** * Added a `log_class` property (defaulting to `"STANDARD"`) to the `runner_log_files` and `multi_runner_config` variables in `variables.tf`, `modules/runners/variables.tf`, and `modules/multi-runner/variables.tf` to allow specifying the log group class. [[1]](diffhunk://#diff-05b5a57c136b6ff596500bcbfdcff145ef6cddea2a0e86d184d9daa9a65a288eR494) [[2]](diffhunk://#diff-23e8f44c0f21971190244acdb8a35eaa21af7578ed5f1b97bef83f1a566d979cL398-R404) [[3]](diffhunk://#diff-52d0673ff466b6445542e17038ea73a1cf41b8112f49ee57da4cebf8f0cb99c5R155) * Updated the local log file definitions in `modules/runners/logging.tf` to include the `log_class` property for each log file, defaulting to `"STANDARD"`. * Modified the CloudWatch log group resource in `modules/runners/logging.tf` to use the specified `log_class` when creating log groups, and refactored the logic to group log files by both name and class. **Documentation improvements:** * Enhanced the description of the `runner_log_files` variable to document the new `log_class` property and its valid values. --------- Signed-off-by: Brend Smits <brend.smits@philips.com> Co-authored-by: github-aws-runners-pr|bot <github-aws-runners-pr[bot]@users.noreply.github.com>

🤖 I have created a release *beep* *boop* --- ## [7.5.0](v7.4.1...v7.5.0) (2026-03-11) ### Features * **lambdas:** add batch SSM parameter fetching to reduce API calls ([#5017](#5017)) ([24857c2](24857c2)) * **logging:** add log_class parameter to runner log files configuration ([#5036](#5036)) ([3509d4c](3509d4c)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: runners-releaser[bot] <194412594+runners-releaser[bot]@users.noreply.github.com>

… configuration (#5073) ### Description CloudWatch agent config stored in SSM used log_class inside each collect_list entry. The agent’s JSON schema only allows log_group_class there, so validation failed with “Additional property log_class is not allowed” and runner user-data exited before the GitHub runner started ([issue #5065](#5065)). This PR maps the Terraform log_class value to log_group_class in the serialized logfiles blob passed to cloudwatch_config.json, and updates loggroups_classes to read log_group_class from local.logfiles so aws_cloudwatch_log_group behavior stays aligned. ## Related Issues Fixes [#5065](#5065)

…d pool lambda (#5054)

…tial-exact

Upstream-PR: github-aws-runners#5031 Signed-off-by: Brend Smits <brend.smits@philips.com>

Brend-Smits requested a review from a team as a code owner February 13, 2026 14:41

Brend-Smits force-pushed the fix/exact-match-was-not-really-exact-but-partial-exact branch from 34b7069 to f597650 Compare February 13, 2026 14:44

Brend-Smits force-pushed the fix/exact-match-was-not-really-exact-but-partial-exact branch from f86dfa0 to 7a14043 Compare March 9, 2026 09:33

Brend-Smits requested a review from a team as a code owner March 9, 2026 09:33

Brend-Smits force-pushed the fix/exact-match-was-not-really-exact-but-partial-exact branch from 187cc9d to 8018959 Compare March 9, 2026 09:39

Brend-Smits changed the title ~~fix!: make exactMatch truly bidirectional for label matching~~ feat: add bidirectionalLabelMatch option and deprecate exactMatch Mar 9, 2026

Brend-Smits force-pushed the fix/exact-match-was-not-really-exact-but-partial-exact branch from 8018959 to e61882b Compare March 9, 2026 09:43

Brend-Smits force-pushed the fix/exact-match-was-not-really-exact-but-partial-exact branch from f793d18 to e61882b Compare April 1, 2026 13:20

gmccue and others added 20 commits April 1, 2026 15:21

chore: add pull request template for better contribution guidelines (#…

0882f61

…5057) This PR adds a small pull request template that should make it easier for maintainers to test new changes as they come in.

feat(runner): add source parameter to distinguish between scale-up an…

6a63b36

…d pool lambda (#5054)

docs: auto update terraform docs

5bd3128

Brend-Smits and others added 3 commits April 1, 2026 15:23

Merge branch 'main' into fix/exact-match-was-not-really-exact-but-par…

818af81

…tial-exact

docs: auto update terraform docs

3195ee1

Merge branch 'main' into fix/exact-match-was-not-really-exact-but-par…

91aaf17

…tial-exact

Brend-Smits added a commit to philips-forks/terraform-aws-github-runner that referenced this pull request Apr 14, 2026

feat: add bidirectionalLabelMatch option and deprecate exactMatch

50f7431

Upstream-PR: github-aws-runners#5031 Signed-off-by: Brend Smits <brend.smits@philips.com>

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: add bidirectionalLabelMatch option and deprecate exactMatch#5031

feat: add bidirectionalLabelMatch option and deprecate exactMatch#5031
Brend-Smits wants to merge 24 commits intomainfrom
fix/exact-match-was-not-really-exact-but-partial-exact

Brend-Smits commented Feb 13, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented Feb 13, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

Conversation

Brend-Smits commented Feb 13, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary

Problem

Changes

Migration

Uh oh!

github-actions Bot commented Feb 13, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Dependency Review

Snapshot Warnings

Scanned Files

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

Brend-Smits commented Feb 13, 2026 •

edited

Loading

github-actions Bot commented Feb 13, 2026 •

edited

Loading