diff --git a/.ds.baseline b/.ds.baseline
index 5c3d3658a..77cb14ed7 100644
--- a/.ds.baseline
+++ b/.ds.baseline
@@ -133,7 +133,7 @@
 "filename": ".github/workflows/checks.yml",
 "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
 "is_verified": false,
- "line_number": 28,
+ "line_number": 29,
 "is_secret": false
 },
 {
@@ -141,7 +141,7 @@
 "filename": ".github/workflows/checks.yml",
 "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
 "is_verified": false,
- "line_number": 45,
+ "line_number": 46,
 "is_secret": false
 }
 ],
@@ -151,7 +151,7 @@
 "filename": ".github/workflows/daily_checks.yml",
 "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
 "is_verified": false,
- "line_number": 64,
+ "line_number": 66,
 "is_secret": false
 },
 {
@@ -159,7 +159,7 @@
 "filename": ".github/workflows/daily_checks.yml",
 "hashed_secret": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
 "is_verified": false,
- "line_number": 80,
+ "line_number": 82,
 "is_secret": false
 }
 ],
@@ -374,5 +374,5 @@
 }
 ]
 },
- "generated_at": "2026-03-26T17:19:11Z"
+ "generated_at": "2026-06-02T14:59:28Z"
 }
diff --git a/.github/actions/setup-project/action.yml b/.github/actions/setup-project/action.yml
index 6e4ecd97f..0028b80aa 100644
--- a/.github/actions/setup-project/action.yml
+++ b/.github/actions/setup-project/action.yml
@@ -10,7 +10,7 @@ runs:
 && sudo apt-get install -y --no-install-recommends \
 libcurl4-openssl-dev
 - name: Set up Python 3.13.2
- uses: actions/setup-python@v4
+ uses: actions/setup-python@v6
 with:
 python-version: "3.13.2"
 - name: Install poetry
diff --git a/.github/workflows/adr-accepted.yml b/.github/workflows/adr-accepted.yml
index 7faedc902..0f5d765e8 100644
--- a/.github/workflows/adr-accepted.yml
+++ b/.github/workflows/adr-accepted.yml
@@ -19,7 +19,7 @@ jobs:
 run: exit 0
 - name: checkout main branch
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
 with:
 ref: main
 ssh-key: ${{ secrets.SSH_PRIVATE_KEY }}
diff --git a/.github/workflows/checks.yml b/.github/workflows/checks.yml
index d7d3e8a8b..f8f74d270 100644
--- a/.github/workflows/checks.yml
+++ b/.github/workflows/checks.yml
@@ -14,6 +14,7 @@ env:
 WERKZEUG_DEBUG_PIN: off
 REDIS_ENABLED: 0
 AWS_US_TOLL_FREE_NUMBER: "+18556438890"
+ ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true
 jobs:
@@ -37,7 +38,7 @@ jobs:
 - 5432:5432
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
 - uses: ./.github/actions/setup-project
 - name: Install application dependencies
 run: make bootstrap
@@ -70,7 +71,7 @@ jobs:
 runs-on: ubuntu-latest
 environment: staging
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
 - uses: ./.github/actions/setup-project
 - name: Install poetry packages
 run: poetry install
@@ -84,7 +85,7 @@ jobs:
 pip-audit:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
 - uses: ./.github/actions/setup-project
 - name: Create requirements.txt
 run: poetry export --output requirements.txt
@@ -98,7 +99,7 @@ jobs:
 static-scan:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
 - uses: ./.github/actions/setup-project
 - name: Install bandit
 run: pip install bandit
@@ -123,7 +124,7 @@ jobs:
 # Maps tcp port 5432 on service container to the host
 - 5432:5432
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
 - uses: ./.github/actions/setup-project
 - name: Install application dependencies
 run: make bootstrap
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index 07063750b..5f18f0eaf 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
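Review bot: `ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: true` is added at workflow-level `env:`, so it silences the runner's Node-runtime deprecation enforcement for every action in every job of this file, not just for the one action that presumably still needs it, and that action is not visible in this hunk. Because the same commit moves `actions/checkout` and `actions/setup-python` to majors that ship a supported runtime, the override may already be unnecessary; if one action still needs it, scope it as `env:` on that step and record why, e.g. `# TODO(review): remove once <action needing old Node> ships a supported runtime`. The value is also a bare YAML boolean next to string and numeric values; GitHub stringifies env values, but `ACTIONS_ALLOW_USE_UNSECURE_NODE_VERSION: "true"` makes the intent explicit and survives other YAML tooling. Since this commit touches every `uses:` reference, it is also a natural point to pin them to full commit SHAs with a trailing `# vN` comment instead of mutable major tags, so that a moved tag cannot change what runs in this workflow.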
@@ -56,7 +56,7 @@ jobs:
 # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
 steps:
 - name: Checkout repository
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
 # Initializes the CodeQL tools for scanning.
 - name: Initialize CodeQL
diff --git a/.github/workflows/daily_checks.yml b/.github/workflows/daily_checks.yml
index 1777c99b8..5f5eefea2 100644
--- a/.github/workflows/daily_checks.yml
+++ b/.github/workflows/daily_checks.yml
@@ -19,11 +19,13 @@ env:
 REDIS_ENABLED: 0
 AWS_US_TOLL_FREE_NUMBER: "+18556438890"
+
+
 jobs:
 pip-audit:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
 - uses: ./.github/actions/setup-project
 - name: Create requirements.txt
 run: poetry export --output requirements.txt
@@ -34,7 +36,7 @@ jobs:
 PYSEC-2023-312
 CVE-2026-4539
 - name: Upload pip-audit artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@v7
 with:
 name: pip-audit-report
 path: /tmp/pip-audit-output.txt
@@ -42,14 +44,14 @@ jobs:
 static-scan:
 runs-on: ubuntu-latest
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
 - uses: ./.github/actions/setup-project
 - name: Install bandit
 run: pip install bandit
 - name: Run scan
 run: bandit -r app/ -f txt -o /tmp/bandit-output.txt --confidence-level medium
 - name: Upload bandit artifact
- uses: actions/upload-artifact@v4
+ uses: actions/upload-artifact@v7
 with:
 name: bandit-report
 path: /tmp/bandit-output.txt
@@ -72,7 +74,7 @@ jobs:
 # Maps tcp port 5432 on service container to the host
 - 5432:5432
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
 - uses: ./.github/actions/setup-project
 - name: Install application dependencies
 run: make bootstrap
diff --git a/.github/workflows/deploy-demo.yml b/.github/workflows/deploy-demo.yml
index e11f4f4b6..74c9c0f1b 100644
--- a/.github/workflows/deploy-demo.yml
+++ b/.github/workflows/deploy-demo.yml
@@ -12,7 +12,7 @@ jobs:
 runs-on: ubuntu-latest
 environment: demo
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
 with:
 fetch-depth: 2
diff --git a/.github/workflows/deploy-prod.yml b/.github/workflows/deploy-prod.yml
index a39ad8335..93345e816 100644
--- a/.github/workflows/deploy-prod.yml
+++ b/.github/workflows/deploy-prod.yml
@@ -16,7 +16,7 @@ jobs:
 runs-on: ubuntu-latest
 environment: production
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
 with:
 fetch-depth: 2
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 59bd2e1c0..1658f69c1 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -18,7 +18,7 @@ jobs:
 environment: staging
 steps:
- - uses: actions/checkout@v4
+ - uses: actions/checkout@v6
 with:
 fetch-depth: 2
@@ -113,6 +113,6 @@ jobs:
 runs-on: ubuntu-latest
 if: ${{ github.event.workflow_run.conclusion == 'failure' }}
 steps:
- - uses: actions/github-script@v7
+ - uses: actions/github-script@v9
 with:
 script: core.setFailed('Checks failed, not deploying')
diff --git a/.github/workflows/drift.yml b/.github/workflows/drift.yml
index 9c4db1927..54c0bd1c3 100644
--- a/.github/workflows/drift.yml
+++ b/.github/workflows/drift.yml
@@ -13,7 +13,7 @@ jobs:
 environment: staging
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
 # Looks like we need to install Terraform ourselves now!
 # https://github.com/actions/runner-images/issues/10796#issuecomment-2417064348
@@ -50,7 +50,7 @@ jobs:
 # environment: demo
 # steps:
 # - name: Checkout
- # uses: actions/checkout@v4
+ # uses: actions/checkout@v6
 # with:
 # ref: 'production'
@@ -89,7 +89,7 @@ jobs:
 environment: production
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
 with:
 ref: 'production'
diff --git a/.github/workflows/terraform-demo.yml b/.github/workflows/terraform-demo.yml
index 1910de574..d85bf189d 100644
--- a/.github/workflows/terraform-demo.yml
+++ b/.github/workflows/terraform-demo.yml
@@ -16,7 +16,7 @@ jobs:
 environment: demo
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
 # Looks like we need to install Terraform ourselves now!
 # https://github.com/actions/runner-images/issues/10796#issuecomment-2417064348
@@ -59,7 +59,7 @@ jobs:
 # inspiration: https://learn.hashicorp.com/tutorials/terraform/github-actions#review-actions-workflow
 - name: Update PR
- uses: actions/github-script@v7
+ uses: actions/github-script@v9
 # we would like to update the PR even when a prior step failed
 if: ${{ always() }}
 with:
diff --git a/.github/workflows/terraform-production.yml b/.github/workflows/terraform-production.yml
index 91b3a48b9..2dcf33778 100644
--- a/.github/workflows/terraform-production.yml
+++ b/.github/workflows/terraform-production.yml
@@ -16,7 +16,7 @@ jobs:
 environment: production
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
 # Looks like we need to install Terraform ourselves now!
 # https://github.com/actions/runner-images/issues/10796#issuecomment-2417064348
@@ -59,7 +59,7 @@ jobs:
 # inspiration: https://learn.hashicorp.com/tutorials/terraform/github-actions#review-actions-workflow
 - name: Update PR
- uses: actions/github-script@v7
+ uses: actions/github-script@v9
 # we would like to update the PR even when a prior step failed
 if: ${{ always() }}
 with:
diff --git a/.github/workflows/terraform-staging.yml b/.github/workflows/terraform-staging.yml
index c50a36946..297f89215 100644
--- a/.github/workflows/terraform-staging.yml
+++ b/.github/workflows/terraform-staging.yml
@@ -16,7 +16,7 @@ jobs:
 environment: staging
 steps:
 - name: Checkout
- uses: actions/checkout@v4
+ uses: actions/checkout@v6
 # Looks like we need to install Terraform ourselves now!
 # https://github.com/actions/runner-images/issues/10796#issuecomment-2417064348
@@ -60,7 +60,7 @@ jobs:
 # inspiration: https://learn.hashicorp.com/tutorials/terraform/github-actions#review-actions-workflow
 - name: Update PR
- uses: actions/github-script@v7
+ uses: actions/github-script@v9
 # we would like to update the PR even when a prior step failed
 if: ${{ always() }}
 with: