diff --git a/.github/workflows/approve-override.yml b/.github/workflows/approve-override.yml index f78e832..b8eeba3 100644 --- a/.github/workflows/approve-override.yml +++ b/.github/workflows/approve-override.yml @@ -37,12 +37,12 @@ jobs: runs-on: ubuntu-latest environment: override-approval steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 with: sparse-checkout: scripts - name: Configure AWS credentials via OIDC - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@v5 with: role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/javabin-ci-override-approver aws-region: ${{ env.AWS_REGION }} diff --git a/.github/workflows/build-jvm.yml b/.github/workflows/build-jvm.yml index c055236..fb62d5c 100644 --- a/.github/workflows/build-jvm.yml +++ b/.github/workflows/build-jvm.yml @@ -16,7 +16,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - uses: actions/setup-java@v4 with: @@ -29,7 +29,7 @@ jobs: - name: Upload test results if: always() - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 with: name: test-results path: "**/target/surefire-reports/*.xml" diff --git a/.github/workflows/build-ts.yml b/.github/workflows/build-ts.yml index ac1e7e7..c03e08d 100644 --- a/.github/workflows/build-ts.yml +++ b/.github/workflows/build-ts.yml @@ -16,7 +16,7 @@ jobs: build: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - uses: pnpm/action-setup@v4 with: diff --git a/.github/workflows/commit-terraform.yml b/.github/workflows/commit-terraform.yml index 875c19c..ec726bc 100644 --- a/.github/workflows/commit-terraform.yml +++ b/.github/workflows/commit-terraform.yml @@ -27,7 +27,7 @@ jobs: commit: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 with: ref: ${{ github.ref }} 
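Review bot: The bumped references in approve-override.yml still track mutable major tags (`actions/checkout@v5`, `aws-actions/configure-aws-credentials@v5`), so whatever those tags point to at run time executes in a job that assumes `javabin-ci-override-approver` under the `override-approval` environment. Pinning each action to the commit that was reviewed keeps the bump auditable, e.g. `uses: aws-actions/configure-aws-credentials@<full-commit-sha>  # v5`, with the SHA taken from the upstream release. The same applies to the other workflows in this commit that assume the `javabin-ci-deploy-*`, `javabin-ci-app-*`, `javabin-ci-infra` and `javabin-ci-apply-gate` roles. The job's step list continues outside the hunk.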
@@ -35,7 +35,7 @@ jobs: id: check run: echo "has_yaml=$(test -f app.yaml && echo true || echo false)" >> "$GITHUB_OUTPUT" - - uses: hashicorp/setup-terraform@v3 + - uses: hashicorp/setup-terraform@v4 if: steps.check.outputs.has_yaml == 'true' with: terraform_version: "1.7" @@ -52,7 +52,7 @@ jobs: - name: Checkout platform scripts if: steps.check.outputs.has_yaml == 'true' - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: repository: javaBin/platform token: ${{ steps.app-token.outputs.token }} diff --git a/.github/workflows/detect.yml b/.github/workflows/detect.yml index 0c81571..20bfccd 100644 --- a/.github/workflows/detect.yml +++ b/.github/workflows/detect.yml @@ -41,7 +41,7 @@ jobs: has_cdk: ${{ steps.check.outputs.has_cdk }} app_name: ${{ steps.check.outputs.app_name }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Detect repo contents id: check diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index d2239a4..28127da 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -38,10 +38,10 @@ jobs: image_uri: ${{ steps.push.outputs.image_uri }} image_tag: ${{ steps.tags.outputs.primary_tag }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Configure AWS credentials via OIDC - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@v5 with: role-to-assume: arn:aws:iam::${{ inputs.aws_account_id }}:role/javabin-ci-deploy-${{ github.event.repository.name }} aws-region: ${{ inputs.aws_region }} diff --git a/.github/workflows/eb-deploy.yml b/.github/workflows/eb-deploy.yml index 473a326..e319f2d 100644 --- a/.github/workflows/eb-deploy.yml +++ b/.github/workflows/eb-deploy.yml 
@@ -27,10 +27,10 @@ jobs: deploy: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - name: Configure AWS credentials via OIDC - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@v5 with: role-to-assume: arn:aws:iam::${{ inputs.aws_account_id }}:role/javabin-ci-deploy-${{ github.event.repository.name }} aws-region: ${{ inputs.aws_region }} diff --git a/.github/workflows/ecs-deploy.yml b/.github/workflows/ecs-deploy.yml index 8879ba7..c1280cb 100644 --- a/.github/workflows/ecs-deploy.yml +++ b/.github/workflows/ecs-deploy.yml @@ -41,7 +41,7 @@ jobs: owner: javaBin - name: Checkout platform scripts - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: repository: javaBin/platform token: ${{ steps.app-token.outputs.token }} @@ -50,7 +50,7 @@ jobs: path: .platform - name: Configure AWS credentials via OIDC - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@v5 with: role-to-assume: arn:aws:iam::${{ inputs.aws_account_id }}:role/javabin-ci-deploy-${{ github.event.repository.name }} aws-region: ${{ inputs.aws_region }} diff --git a/.github/workflows/expand-terraform.yml b/.github/workflows/expand-terraform.yml index 9e8610f..aaded55 100644 --- a/.github/workflows/expand-terraform.yml +++ b/.github/workflows/expand-terraform.yml @@ -27,7 +27,7 @@ jobs: expand: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 with: ref: ${{ github.ref }} @@ -40,7 +40,7 @@ jobs: owner: javaBin - name: Checkout platform scripts - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: repository: javaBin/platform token: ${{ steps.app-token.outputs.token }} diff --git a/.github/workflows/plan-review.yml b/.github/workflows/plan-review.yml index 29670bf..6cd48b2 100644 --- a/.github/workflows/plan-review.yml +++ b/.github/workflows/plan-review.yml 
@@ -41,7 +41,7 @@ jobs: private-key: ${{ secrets.PLATFORM_APP_PRIVATE_KEY }} owner: javaBin - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 with: repository: javaBin/platform token: ${{ steps.app-token.outputs.token }} @@ -50,7 +50,7 @@ jobs: path: platform - name: Configure AWS credentials via OIDC - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@v5 with: role-to-assume: arn:aws:iam::${{ inputs.aws_account_id }}:role/javabin-ci-app-${{ github.event.repository.name }} aws-region: ${{ inputs.aws_region }} diff --git a/.github/workflows/platform-ci.yml b/.github/workflows/platform-ci.yml index f32a518..788d64e 100644 --- a/.github/workflows/platform-ci.yml +++ b/.github/workflows/platform-ci.yml @@ -7,11 +7,13 @@ on: - 'terraform/platform/**' - 'terraform/lambda-src/**' - 'scripts/**' + - '.github/workflows/**' pull_request: paths: - 'terraform/platform/**' - 'terraform/lambda-src/**' - 'scripts/**' + - '.github/workflows/**' schedule: # Drift detection — Monday 06:00 UTC - cron: '0 6 * * 1' @@ -45,15 +47,15 @@ jobs: plan_text_key: ${{ steps.upload.outputs.plan_text_key }} plan_sha256: ${{ steps.upload.outputs.plan_sha256 }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - - uses: hashicorp/setup-terraform@v3 + - uses: hashicorp/setup-terraform@v4 with: terraform_version: "1.7" terraform_wrapper: false - name: Configure AWS credentials via OIDC - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@v5 with: role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/javabin-ci-infra aws-region: ${{ env.AWS_REGION }} @@ -82,7 +84,7 @@ jobs: - name: Upload Lambda ZIPs as artifact if: steps.plan.outputs.has_changes == 'true' - uses: actions/upload-artifact@v4 + uses: actions/upload-artifact@v6 with: name: lambda-zips path: ${{ env.TF_ROOT }}/lambdas/builds/ 
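Review bot: The new `- '.github/workflows/**'` entries under both `paths:` lists in platform-ci.yml match every workflow file, so an edit to build-jvm.yml or docker-build.yml now starts the Terraform plan job, which assumes `javabin-ci-infra`. If the intent is to re-run the pipeline when its own definition changes, `- '.github/workflows/platform-ci.yml'` gives that with a narrower trigger. On `pull_request` the run uses the workflow file from the PR itself, so it is worth confirming that the role's trust policy (not visible in this diff) limits the OIDC `sub` claim to the refs or environments that should reach that role. The `on:` block starts above the hunk.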
@@ -106,9 +108,9 @@ jobs: outputs: risk_level: ${{ steps.review.outputs.risk_level }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - - uses: aws-actions/configure-aws-credentials@v4 + - uses: aws-actions/configure-aws-credentials@v5 with: role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/javabin-ci-infra aws-region: ${{ env.AWS_REGION }} @@ -147,14 +149,14 @@ jobs: needs.plan.outputs.has_changes == 'true' environment: production steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - - uses: hashicorp/setup-terraform@v3 + - uses: hashicorp/setup-terraform@v4 with: terraform_version: "1.7" terraform_wrapper: false - - uses: aws-actions/configure-aws-credentials@v4 + - uses: aws-actions/configure-aws-credentials@v5 with: role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/javabin-ci-infra aws-region: ${{ env.AWS_REGION }} @@ -166,7 +168,7 @@ jobs: run: sh scripts/check-risk-block.sh "$RISK" /javabin/slack/platform-override-alerts-webhook "https://github.com/${{ github.repository }}/actions/workflows/approve-override.yml" - name: Download Lambda ZIPs from artifact - uses: actions/download-artifact@v4 + uses: actions/download-artifact@v5 with: name: lambda-zips path: ${{ env.TF_ROOT }}/lambdas/builds/ @@ -195,14 +197,14 @@ jobs: runs-on: ubuntu-latest if: github.event_name == 'schedule' steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - - uses: hashicorp/setup-terraform@v3 + - uses: hashicorp/setup-terraform@v4 with: terraform_version: "1.7" terraform_wrapper: false - - uses: aws-actions/configure-aws-credentials@v4 + - uses: aws-actions/configure-aws-credentials@v5 with: role-to-assume: arn:aws:iam::${{ env.AWS_ACCOUNT_ID }}:role/javabin-ci-infra aws-region: ${{ env.AWS_REGION }} diff --git a/.github/workflows/tf-apply.yml b/.github/workflows/tf-apply.yml index bced35c..1489001 100644 --- a/.github/workflows/tf-apply.yml +++ b/.github/workflows/tf-apply.yml 
@@ -34,9 +34,9 @@ jobs: env: PLAN_BUCKET: javabin-ci-plan-artifacts-${{ inputs.aws_account_id }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - - uses: hashicorp/setup-terraform@v3 + - uses: hashicorp/setup-terraform@v4 with: terraform_version: "1.7" terraform_wrapper: false @@ -50,7 +50,7 @@ jobs: owner: javaBin - name: Checkout platform scripts - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: repository: javaBin/platform token: ${{ steps.app-token.outputs.token }} @@ -59,7 +59,7 @@ jobs: # Step 1: Lightweight OIDC role — can only invoke gate Lambda + read S3 - name: Configure gate credentials via OIDC - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@v5 with: role-to-assume: arn:aws:iam::${{ inputs.aws_account_id }}:role/javabin-ci-apply-gate aws-region: ${{ inputs.aws_region }} diff --git a/.github/workflows/tf-plan.yml b/.github/workflows/tf-plan.yml index 3fab0d8..1d05fd0 100644 --- a/.github/workflows/tf-plan.yml +++ b/.github/workflows/tf-plan.yml @@ -41,15 +41,15 @@ jobs: env: PLAN_BUCKET: javabin-ci-plan-artifacts-${{ inputs.aws_account_id }} steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@v5 - - uses: hashicorp/setup-terraform@v3 + - uses: hashicorp/setup-terraform@v4 with: terraform_version: "1.7" terraform_wrapper: false - name: Configure AWS credentials via OIDC - uses: aws-actions/configure-aws-credentials@v4 + uses: aws-actions/configure-aws-credentials@v5 with: role-to-assume: arn:aws:iam::${{ inputs.aws_account_id }}:role/javabin-ci-app-${{ github.event.repository.name }} aws-region: ${{ inputs.aws_region }} @@ -63,7 +63,7 @@ jobs: owner: javaBin - name: Checkout platform scripts - uses: actions/checkout@v4 + uses: actions/checkout@v5 with: repository: javaBin/platform token: ${{ steps.app-token.outputs.token }}