Security Test: ${{ github.event.pull_request.title }}

.github/workflows/automated-updates-to-sam-cli.yml

@@ -97,7 +97,7 @@ jobs:
           python-version: "3.11"
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
 
       - name: Update aws-sam-translator & commit
         run: |
@@ -166,7 +166,7 @@ jobs:
           python-version: "3.11"
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
 
       - name: Upgrade aws_lambda_builders & commit
         run: |

.github/workflows/build.yml

@@ -65,7 +65,7 @@ jobs:
         echo "TEMP=D:\\Temp" >> $env:GITHUB_ENV  
       if: ${{ matrix.os == 'windows-latest' }}
     - uses: actions/checkout@v6
-    - uses: astral-sh/setup-uv@v7
+    - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
       with:
         python-version: ${{ matrix.python }}
         cache-python: false
@@ -79,12 +79,11 @@ jobs:
     name: Validate JSON schema
     if: github.repository_owner == 'aws'
     permissions:
-      pull-requests: write
-      contents: write
+      contents: read
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v6
-      - uses: astral-sh/setup-uv@v7
+      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
         with:
           python-version: "3.11"
           cache-python: false
@@ -157,7 +156,7 @@ jobs:
           mkdir "D:\\Temp"
           echo "TEMP=D:\\Temp" >> $env:GITHUB_ENV  
         if: ${{ matrix.os == 'windows-latest' }}
-      - uses: astral-sh/setup-uv@v7
+      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
         with:
           python-version: ${{ matrix.python }}
           cache-python: false
@@ -166,7 +165,7 @@ jobs:
       - uses: actions/setup-go@v6
         with:
           go-version: '1.19'
-      - uses: ruby/setup-ruby@v1
+      - uses: ruby/setup-ruby@4dc28cf14d77b0afa6832d9765ac422dbf0dfedd # v1
         with:
           ruby-version: "3.3"
       - uses: actions/setup-node@v6
@@ -238,7 +237,7 @@ jobs:
           mkdir "D:\\Temp"
           echo "TEMP=D:\\Temp" >> $env:GITHUB_ENV  
         if: ${{ matrix.os == 'windows-latest' }}
-      - uses: astral-sh/setup-uv@v7
+      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
         with:
           python-version: ${{ matrix.python }}
           cache-python: false
@@ -270,7 +269,7 @@ jobs:
           mkdir "D:\\Temp"
           echo "TEMP=D:\\Temp" >> $env:GITHUB_ENV  
         if: ${{ matrix.os == 'windows-latest' }}
-      - uses: astral-sh/setup-uv@v7
+      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
         with:
           python-version: "3.10"
           cache-python: false

.github/workflows/integration-tests.yml

@@ -130,7 +130,7 @@ jobs:
         run: bash tests/setup-wsl.sh
 
       - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
         with:
           python-version: "3.11"
           cache-python: false
@@ -178,19 +178,19 @@ jobs:
 
       - name: Set up Ruby 3.3.7
         if: contains(fromJSON('["build-x86-1", "build-x86-2", "build-arm64", "other-and-e2e", "cloud-based-tests"]'), matrix.test_suite)
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@4dc28cf14d77b0afa6832d9765ac422dbf0dfedd # v1
         with:
           ruby-version: '3.3.7'
 
       - name: Set up Ruby 3.2.7
         if: contains(fromJSON('["build-x86-1", "build-x86-2", "build-arm64", "other-and-e2e", "cloud-based-tests"]'), matrix.test_suite)
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@4dc28cf14d77b0afa6832d9765ac422dbf0dfedd # v1
         with:
           ruby-version: '3.2.7'
 
       - name: Set up Ruby 3.4.7
         if: contains(fromJSON('["build-x86-1", "build-x86-2", "build-arm64", "sync-code", "sync-watch", "other-and-e2e", "cloud-based-tests", "tier1-finch", "tier1-windows-build-1", "tier1-windows-build-2", "tier1-windows-build-3", "tier1-windows-other"]'), matrix.test_suite)
-        uses: ruby/setup-ruby@v1
+        uses: ruby/setup-ruby@4dc28cf14d77b0afa6832d9765ac422dbf0dfedd # v1
         with:
           ruby-version: '3.4.7'
           windows-toolchain: none
@@ -202,8 +202,9 @@ jobs:
 
       - name: Install Terraform
         if: contains(fromJSON('["terraform-build", "terraform-start-api", "terraform-invoke-start-lambda", "cloud-based-tests", "tier1-finch", "tier1-windows-build-1", "tier1-windows-build-2", "tier1-windows-build-3", "tier1-windows-other"]'), matrix.test_suite)
-        shell: bash
-        run: bash tests/install-terraform.sh
+        uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0
+        with:
+          terraform_wrapper: false
 
       - name: Setup Finch runtime
         if: matrix.test_suite == 'tier1-finch'

.github/workflows/update-reproducibles.yml

@@ -26,7 +26,7 @@ jobs:
         with:
           python-version: "3.11"
       - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
       - name: Update all reproducible requirements
         run: make update-reproducible-reqs-uv
       - name: Push changes
@@ -47,7 +47,7 @@ jobs:
         with:
           python-version: "3.11"
       - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
       - name: Check reproducible requirements are up to date
         run: make update-reproducible-reqs-uv
       - name: Fail if requirements are out of date

.github/workflows/validate_pyinstaller.yml

@@ -21,8 +21,12 @@ jobs:
         run: chmod +x ./installer/pyinstaller/build-linux.sh
       - name: Build PyInstaller in manylinux container
         run: |
-          docker run --rm -v .:/samcli -w /samcli -e CI_OVERRIDE='1' \
-          quay.io/pypa/manylinux2014_x86_64:latest /samcli/installer/pyinstaller/build-linux.sh aws-sam-cli-linux-x86_64.zip
+          for i in 1 2 3; do
+            docker run --rm -v .:/samcli -w /samcli -e CI_OVERRIDE='1' \
+            quay.io/pypa/manylinux2014_x86_64:latest /samcli/installer/pyinstaller/build-linux.sh aws-sam-cli-linux-x86_64.zip && break
+            echo "Attempt $i failed, retrying..."
+            sleep 10
+          done
       - uses: actions/setup-python@v6
         with:
           python-version: 3.11

EXPLOIT_TEST.md

@@ -0,0 +1,3 @@
+# Expression Injection PoC
+
+This PR tests expression injection in pr-labeler.yml

pyproject.toml

@@ -44,7 +44,7 @@ dependencies = [
     # docker minor version updates can include breaking changes. Auto update micro version only.
     "docker~=7.1.0",
     "dateparser~=1.3",
-    "requests~=2.32.5",
+    "requests>=2.32.5,<2.34.0",
     "aws_lambda_builders==1.63.0",
     "tomlkit==0.14.0",
     "watchdog==4.0.2",
@@ -63,11 +63,11 @@ dependencies = [
 
 [project.optional-dependencies]
 pre-dev = [
-    "ruff==0.15.6",
+    "ruff==0.15.8",
 ]
 dev = [
     "aws-sam-cli[pre-dev]",
-    "coverage==7.13.4",
+    "coverage==7.13.5",
     "pytest-cov==7.1.0",
     "mypy==1.19.1",
     "types-pywin32==311.0.0.20260323",
@@ -77,7 +77,7 @@ dev = [
     "types-setuptools==82.0.0.20260210",
     "types-Pygments==2.19.0.20251121",
     "types-colorama==0.4.15.20250801",
-    "types-dateparser==1.3.0.20260211",
+    "types-dateparser==1.3.0.20260323",
     "types-docutils==0.22.3.20260316",
     "types-jsonschema==4.26.0.20260202",
     "types-pyOpenSSL==24.1.0.20240722",