aws · jonathan343 · Apr 8, 2026 · Apr 8, 2026 · Apr 8, 2026
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -9,6 +9,8 @@ updates:
     ignore:
       - dependency-name: "*"
         update-types: ["version-update:semver-patch"]
+    cooldown:
+      default-days: 7
 
   - package-ecosystem: "github-actions"
     directory: "/"
@@ -19,6 +21,8 @@ updates:
     ignore:
       - dependency-name: "*"
         update-types: ["version-update:semver-patch"]
+    cooldown:
+      default-days: 7
 
   - package-ecosystem: "pip"
     directory: "/"
@@ -44,6 +48,8 @@ updates:
       - dependency-name: "jmespath"
       - dependency-name: "urllib3"
       - dependency-name: "wheel"
+    cooldown:
+      default-days: 7
 
   - package-ecosystem: "pip"
     directory: "/"
@@ -61,6 +67,8 @@ updates:
       - dependency-name: "pyyaml"
       - dependency-name: "wheel"
       - dependency-name: "rsa"
+    cooldown:
+      default-days: 7
 
   - package-ecosystem: "pip"
     directory: "/"
@@ -79,3 +87,5 @@ updates:
       - dependency-name: "sphinx-lint" 
       - dependency-name: "sphinx-copybutton"
       - dependency-name: "sphinx-inline-tabs"
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/closed-issue-update.yml b/.github/workflows/closed-issue-update.yml
@@ -3,15 +3,16 @@ name: Closed Issue Update
 on:
   issues:
     types: [closed]
-permissions:
-  issues: write
+permissions: {}
 
 jobs:
   unlabel:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
     if: contains(toJson(github.event.issue.labels), 'needs-triage')
     steps:
-    - uses: actions/github-script@v8
+    - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
       with:
         script: |
           github.rest.issues.removeLabel({
@@ -22,8 +23,10 @@ jobs:
           })      
   auto_comment:
     runs-on: ubuntu-latest
+    permissions:
+      issues: write
     steps:
-    - uses: aws-actions/closed-issue-message@v2
+    - uses: aws-actions/closed-issue-message@10aaf6366131b673a7c8b7742f8b3849f1d44f18 # v2
       with:
         # These inputs are both required
         repo-token: "${{ secrets.GITHUB_TOKEN }}"

diff --git a/.github/workflows/doc-pr-cherry-pick.yml b/.github/workflows/doc-pr-cherry-pick.yml
@@ -20,6 +20,7 @@ jobs:
         uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # 4.2.2
         with:
           fetch-depth: 0
+          persist-credentials: false
 
       - name: Configure Git
         run: |

diff --git a/.github/workflows/handle-stale-discussions.yml b/.github/workflows/handle-stale-discussions.yml
@@ -14,7 +14,7 @@ jobs:
       discussions: write
     steps:
       - name: Stale discussions action
-        uses: aws-github-ops/handle-stale-discussions@v1
+        uses: aws-github-ops/handle-stale-discussions@711a9813957be17629fc6933afcd8bd132c57254 # v1
         with:
           # This will close stale-discussions as outdated instead of answered
           close-stale-as-answered: false

diff --git a/.github/workflows/issue-regression-labeler.yml b/.github/workflows/issue-regression-labeler.yml
@@ -25,8 +25,9 @@ jobs:
     - name: Manage regression label
       env:
         GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        STEPS_CHECK_REGRESSION_OUTPUTS_IS_REGRESSION: ${{ steps.check_regression.outputs.is_regression }}
       run: |
-        if [ "${{ steps.check_regression.outputs.is_regression }}" == "true" ]; then
+        if [ "${STEPS_CHECK_REGRESSION_OUTPUTS_IS_REGRESSION}" == "true" ]; then
           gh issue edit ${{ github.event.issue.number }} --add-label "potential-regression" -R ${{ github.repository }}
         else
           gh issue edit ${{ github.event.issue.number }} --remove-label "potential-regression" -R ${{ github.repository }}

diff --git a/.github/workflows/run-bundle-test.yml b/.github/workflows/run-bundle-test.yml
@@ -20,9 +20,11 @@ jobs:
         python-version: ["3.9", "3.10", "3.11", "3.12", "3.13", "3.14"]
         os: [ubuntu-latest, macOS-latest]
     steps:
-    - uses: actions/checkout@v6.0.1
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      with:
+        persist-credentials: false
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
       with:
         python-version: ${{ matrix.python-version }}
     - name: Install dependencies

diff --git a/.github/workflows/run-dep-tests.yml b/.github/workflows/run-dep-tests.yml
@@ -20,6 +20,8 @@ jobs:
 
     steps:
     - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8
+      with:
+        persist-credentials: false
     - name: Set up Python ${{ matrix.python-version }}
       uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c
       with:

diff --git a/.github/workflows/run-tests.yml b/.github/workflows/run-tests.yml
@@ -19,9 +19,11 @@ jobs:
         os: [ubuntu-latest, macOS-latest, windows-latest]
 
     steps:
-    - uses: actions/checkout@v6.0.1
+    - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+      with:
+        persist-credentials: false
     - name: Set up Python ${{ matrix.python-version }}
-      uses: actions/setup-python@v6
+      uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
       with:
         python-version: ${{ matrix.python-version }}
     - name: Install dependencies
@@ -33,6 +35,6 @@ jobs:
     - name: Run checks
       run: python scripts/ci/run-check
     - name: codecov
-      uses: codecov/codecov-action@v6
+      uses: codecov/codecov-action@57e3a136b779b570ffcdbf80b3bdc90e7fab3de2 # v6
       with:
         directory: tests
diff --git a/.github/workflows/stale_community_prs.yml b/.github/workflows/stale_community_prs.yml
@@ -1,12 +1,13 @@
 name: 'Check stale community PRs.'
 on: workflow_dispatch
 
-permissions:
-  pull-requests: write
+permissions: {}
 
 jobs:
   stale-implementation-stage:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
       - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f
         with:
@@ -27,6 +28,8 @@ jobs:
           close-pr-label: closed-for-staleness
   stale-review-stage:
     runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
     steps:
       - uses: actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f
         with:
@@ -61,4 +64,4 @@ jobs:
           days-before-issue-stale: -1
           only-pr-labels: community,review,response-requested,stale
           close-pr-label: DONTUSE
-          ignore-updates: true # Even if there are comments added, maintainers will need to reset labels to resume processing.
+          ignore-updates: true # Even if there are comments added, maintainers will need to reset labels to resume processing.
diff --git a/.github/workflows/stale_issue.yml b/.github/workflows/stale_issue.yml
@@ -15,7 +15,7 @@ jobs:
     runs-on: ubuntu-latest
     name: Stale issue job
     steps:
-    - uses: aws-actions/stale-issue-cleanup@v6
+    - uses: aws-actions/stale-issue-cleanup@7de35968489e4142233d2a6812519a82e68b5c38 # v6
       with:
         issue-types: issues
         stale-issue-message: Greetings! It looks like this issue hasn’t been active in longer than five days. We encourage you to check if this is still an issue in the latest release. In the absence of more information, we will be closing this issue soon. If you find that this is still a problem, please feel free to provide a comment or upvote with a reaction on the initial post to prevent automatic closure. If the issue is already closed, please feel free to open a new one.

diff --git a/.github/workflows/update-lockfiles.yml b/.github/workflows/update-lockfiles.yml
@@ -34,11 +34,12 @@ jobs:
         os: [macOS-latest, windows-latest]
 
     steps:
-      - uses: actions/checkout@v6.0.1
+      - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
           ref: ${{ github.event.inputs.ref }}
+          persist-credentials: false
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v6
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
         with:
           python-version: ${{ matrix.python-version }}
 
@@ -78,11 +79,12 @@ jobs:
           echo "PLATFORMS=macOS and Linux" >> $GITHUB_ENV
       - name: git commit and push updated lock files
         if: github.event.inputs.dry-run == 'no' && env.CHANGES
+        shell: bash
         run: |
           git config --global user.name "Github Actions"
           git config --global user.email "<>"
           git fetch
           git add requirements
-          git commit -m "Regenerate lock files for ${{ env.PLATFORMS }}"
+          git commit -m "Regenerate lock files for ${PLATFORMS}"
           git pull --rebase
           git push
diff --git a/.github/workflows/zizmor.yml b/.github/workflows/zizmor.yml
@@ -0,0 +1,23 @@
+name: GitHub Actions Security Analysis with zizmor 🌈
+
+on:
+  push:
+    branches: ["develop"]
+  pull_request:
+    branches: ["develop"]
+
+permissions: {}
+
+jobs:
+  zizmor:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run zizmor 🌈
+        uses: zizmorcore/zizmor-action@71321a20a9ded102f6e9ce5718a2fcec2c4f70d8 # v0.5.2