From ba9d3788e41756554f71500303a39dbea535b6ef Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Tue, 6 Feb 2024 12:55:25 -0600 Subject: [PATCH 01/25] Changing default behavior to include comment summary in PR also gave the workflow the appropriate permissions required, pull-requests: write --- code-scanning/dependency-review.yml | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index 14255a917e..74e66ed205 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -20,8 +20,8 @@ on: # https://docs.github.com/en/enterprise-cloud@latest/code-security/supply-chain-security/understanding-your-software-supply-chain/using-the-dependency-submission-api permissions: contents: read - # Required if `comment-summary-in-pr: true` is uncommented below - # pull-requests: write + # Write permissions for pull-requests are required for using the `comment-summary-in-pr` option, comment out if you aren't using this option + pull-requests: write jobs: dependency-review: @@ -32,8 +32,8 @@ jobs: - name: 'Dependency Review' uses: actions/dependency-review-action@v4 # Commonly enabled options, see https://github.com/actions/dependency-review-action#configuration-options for all available options. - # with: + with: + comment-summary-in-pr: always # fail-on-severity: moderate - # deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later - # comment-summary-in-pr: true + # deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later # retry-on-snapshot-warnings: true From 8aab15dd49a9ff76eca0fc91767e173f5d0f15d9 Mon Sep 17 00:00:00 2001 From: Jon Janego Date: Wed, 7 Feb 2024 09:06:01 -0600 Subject: [PATCH 02/25] Update code-scanning/dependency-review.yml begone, whitespace Co-authored-by: Chad Bentz <1760475+felickz@users.noreply.github.com> --- code-scanning/dependency-review.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
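Review bot: `pull-requests: write` is added to what appears to be the workflow-level `permissions:` block (the hunk header shows `on:` as the enclosing context), so the token issued to every job in the file gains PR write access, while its only consumer is the `comment-summary-in-pr` option of the single `dependency-review` job in the second hunk. Scoping it to that job keeps the template at least privilege if further jobs are added later: leave the top-level block at `contents: read` and put `permissions:` / `contents: read` / `pull-requests: write` under `dependency-review:`. Separately, on `pull_request` runs triggered from a fork the GITHUB_TOKEN is read-only by default regardless of this declaration, so `comment-summary-in-pr: always` cannot post there; as far as I know the action logs a warning rather than failing, but the new comment could say so, e.g. `# Write permission for pull-requests is required for comment-summary-in-pr; it has no effect on pull requests from forks, whose token is read-only`. The `permissions:` block's first line and the `jobs:` tree continue outside the hunk.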
diff --git a/code-scanning/dependency-review.yml b/code-scanning/dependency-review.yml index 74e66ed205..14d335c5e8 100644 --- a/code-scanning/dependency-review.yml +++ b/code-scanning/dependency-review.yml @@ -35,5 +35,5 @@ jobs: with: comment-summary-in-pr: always # fail-on-severity: moderate - # deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later + # deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later # retry-on-snapshot-warnings: true From c4f5db626001352990a0a12dc2e89f4716e9e2a0 Mon Sep 17 00:00:00 2001 From: Sam Partington Date: Wed, 7 Feb 2024 17:33:08 +0000 Subject: [PATCH 03/25] Code Scanning shouldn't own `dependency-review.yml` --- CODEOWNERS | 1 + 1 file changed, 1 insertion(+) diff --git a/CODEOWNERS b/CODEOWNERS index 4389365353..2ed2e33dcf 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,4 +1,5 @@ * @actions/actions-workflow-development-reviewers /code-scanning/ @actions/advanced-security-code-scanning @actions/actions-workflow-development-reviewers @actions/advanced-security-dependency-graph +/code-scanning/dependency-review.yml @actions/actions-workflow-development-reviewers @actions/advanced-security-dependency-graph /pages/ @actions/pages @actions/actions-workflow-development-reviewers From d303234ad7a0c432ed79bc98259043570ea64012 Mon Sep 17 00:00:00 2001 From: daz Date: Tue, 13 Feb 2024 14:00:27 -0700 Subject: [PATCH 04/25] Update for `gradle/actions@v3.1.0` release - Bump version hashes to use `gradle/actions/setup-gradle@v3.1.0` - Bump version hash to use `gradle/actions/dependency-submission@v3.1.0` --- ci/gradle-publish.yml | 2 +- ci/gradle.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/ci/gradle-publish.yml b/ci/gradle-publish.yml index 6cc37c34d5..2af46165be 100644 --- a/ci/gradle-publish.yml +++ b/ci/gradle-publish.yml 
@@ -30,7 +30,7 @@ jobs: settings-path: ${{ github.workspace }} # location for the settings.xml file - name: Setup Gradle - uses: gradle/actions/setup-gradle@ec92e829475ac0c2315ea8f9eced72db85bb337a # v3.0.0 + uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 - name: Build with Gradle run: ./gradlew build diff --git a/ci/gradle.yml b/ci/gradle.yml index 361a5d5777..65a332be61 100644 --- a/ci/gradle.yml +++ b/ci/gradle.yml @@ -31,7 +31,7 @@ jobs: # Configure Gradle for optimal use in GiHub Actions, including caching of downloaded dependencies. # See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md - name: Setup Gradle - uses: gradle/actions/setup-gradle@ec92e829475ac0c2315ea8f9eced72db85bb337a # v3.0.0 + uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 - name: Build with Gradle Wrapper run: ./gradlew build @@ -40,7 +40,7 @@ jobs: # If your project does not have the Gradle Wrapper configured, you can use the following configuration to run Gradle with a specified version. # # - name: Setup Gradle - # uses: gradle/actions/setup-gradle@ec92e829475ac0c2315ea8f9eced72db85bb337a # v3.0.0 + # uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 # with: # gradle-version: '8.5' # @@ -64,4 +64,4 @@ jobs: # Generates and submits a dependency graph, enabling Dependabot Alerts for all project dependencies. # See: https://github.com/gradle/actions/blob/main/dependency-submission/README.md - name: Generate and submit dependency graph - uses: gradle/actions/dependency-submission@ec92e829475ac0c2315ea8f9eced72db85bb337a # v3.0.0 + uses: gradle/actions/dependency-submission@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0 From 05e45811599669cf3c0631d7980937988b31be11 Mon Sep 17 00:00:00 2001 
From: Marco Gario Date: Thu, 15 Feb 2024 09:01:39 +0100 Subject: [PATCH 05/25] Update codeql.yml with new build-mode --- code-scanning/codeql.yml | 37 +++++++++++++++++++------------------ 1 file changed, 19 insertions(+), 18 deletions(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 808449d6b0..d0df66c8ab 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -40,11 +40,12 @@ jobs: strategy: fail-fast: false matrix: - language: [ $detected-codeql-languages ] - # CodeQL supports [ $supported-codeql-languages ] - # Use only 'java-kotlin' to analyze code written in Java, Kotlin or both - # Use only 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both - # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support + $codeql-languages-matrix + # CodeQL supports the following values keywords for 'language': $supported-codeql-languages + # Use 'java-kotlin' to analyze code written in Java, Kotlin or both + # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both + # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, + # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. steps: - name: Checkout repository @@ -55,6 +56,7 @@ jobs: uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} + build-mode: ${{ matrix.build-mode }} # If you wish to specify custom queries, you can do so here or in a config file. # By default, queries listed here will override any specified in a config file. # Prefix the list here with "+" to use these queries and those in the config file. 
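Review bot: The comment added above the matrix, `# CodeQL supports the following values keywords for 'language': $supported-codeql-languages`, has a stray word; suggest `# CodeQL supports the following values for 'language': $supported-codeql-languages`. In the second hunk, `build-mode: ${{ matrix.build-mode }}` expands to an empty string for any matrix entry that has no `build-mode` key, which I presume is the case for interpreted languages once `$codeql-languages-matrix` is rendered; whether the init action treats an empty value as unset rather than as an invalid mode is worth confirming, since the rendered matrix, not this template, is what users run. The `strategy:` block starts outside the first hunk, and the `with:` mapping of the init step continues outside the second.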
@@ -62,21 +64,20 @@ jobs: # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs # queries: security-extended,security-and-quality - - # Autobuild attempts to build any compiled languages (C/C++, C#, Go, Java, or Swift). - # If this step fails, then you should remove it and run the build manually (see below) - - name: Autobuild - uses: github/codeql-action/autobuild@v3 - + # If the analyze step fails for one of the languages you are analyzing with + # "We were unable to automatically build your code", modify the matrix above + # to set the build mode to "manual" for that language. Then modify this step + # to build your code. # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - # If the Autobuild fails above, remove it and uncomment the following three lines. - # modify them (or add more) to build your code if your project, please refer to the EXAMPLE below for guidance. - - # - run: | - # echo "Run, Build Application using script" - # ./location_of_script_within_repo/buildscript.sh + - if: ${{ matrix.build-mode == 'manual' }} + run: | + echo 'If you are using a "manual" build mode for one or more of the' \ + 'languages you are analyzing, replace this with the commands to build' \ + 'your code, for example:' + echo ' make bootstrap' + echo ' make release' + exit 1 - name: Perform CodeQL Analysis uses: github/codeql-action/analyze@v3 From 8a973982d129261906540b29fc80512a1fd3ec81 Mon Sep 17 00:00:00 2001 From: Marco Gario Date: Mon, 19 Feb 2024 15:54:06 +0100 Subject: [PATCH 06/25] Update code-scanning/codeql.yml Co-authored-by: Henry Mercer --- code-scanning/codeql.yml | 1 + 1 file changed, 1 insertion(+) 
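Review bot: The new manual-build placeholder step has no `name:`, so in the job log and the Actions UI it is labelled by its `run:` script, unlike the `- name: Checkout repository` and `- name: Perform CodeQL Analysis` steps around it; suggest `- name: Build code (manual build mode)` on the line before `if: ${{ matrix.build-mode == 'manual' }}`. The `exit 1` at the end is appropriate for a placeholder (a silent no-op would leave a compiled language unbuilt and therefore unanalysed), but the comment above the step could state that intent, e.g. `# This placeholder step fails on purpose so that a "manual" build mode is not left unconfigured.` The `steps:` list continues outside the hunk.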
diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index d0df66c8ab..00ef183d5b 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -42,6 +42,7 @@ jobs: matrix: $codeql-languages-matrix # CodeQL supports the following values keywords for 'language': $supported-codeql-languages + # Use `c-cpp` to analyze code written in C, C++ or both # Use 'java-kotlin' to analyze code written in Java, Kotlin or both # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, From 4a8c4e08b0b97c465318cc670fc212b94cfcbaba Mon Sep 17 00:00:00 2001 From: Marco Gario Date: Mon, 19 Feb 2024 15:57:02 +0100 Subject: [PATCH 07/25] Update code-scanning/codeql.yml Co-authored-by: Henry Mercer --- code-scanning/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 00ef183d5b..1d23be1ea7 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -71,7 +71,7 @@ jobs: # to build your code. # ℹī¸ Command-line programs to run using the OS shell. # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun - - if: ${{ matrix.build-mode == 'manual' }} + - if: matrix.build-mode == 'manual' run: | echo 'If you are using a "manual" build mode for one or more of the' \ 'languages you are analyzing, replace this with the commands to build' \ From 03277899f01de35a7544217d1b02c1031bae1102 Mon Sep 17 00:00:00 2001 From: Chad Bentz <1760475+felickz@users.noreply.github.com> Date: Wed, 6 Mar 2024 16:46:46 -0500 Subject: [PATCH 08/25] tfsec latest v0.1.4 (#2318) --- code-scanning/tfsec.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/tfsec.yml b/code-scanning/tfsec.yml index 48ee4d2243..706c8be1a6 100644 --- a/code-scanning/tfsec.yml 
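Review bot: The added comment about c-cpp quotes the language identifier with backticks while the neighbouring lines use single quotes (`'java-kotlin'`, `'javascript-typescript'`); suggest `# Use 'c-cpp' to analyze code written in C, C++ or both` so the three lines read uniformly. The `matrix:` mapping and the `$codeql-languages-matrix` placeholder begin outside the hunk.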
+++ b/code-scanning/tfsec.yml @@ -27,7 +27,7 @@ jobs: uses: actions/checkout@v3 - name: Run tfsec - uses: aquasecurity/tfsec-sarif-action@9a83b5c3524f825c020e356335855741fd02745f + uses: aquasecurity/tfsec-sarif-action@21ded20e8ca120cd9d3d6ab04ef746477542a608 with: sarif_file: tfsec.sarif From 3fb9f82449706d5e8e6605bf7cb839b690359cdc Mon Sep 17 00:00:00 2001 From: Tim Heuer Date: Tue, 12 Mar 2024 12:08:25 -0700 Subject: [PATCH 09/25] Updating dotnet CI starter workflows (#2333) * Update dotnet.yml Updating versions * Update dotnet-desktop.yml Bumping versions * Update ci/dotnet-desktop.yml Co-authored-by: Alexis Abril --------- Co-authored-by: Alexis Abril --- ci/dotnet-desktop.yml | 8 ++++---- ci/dotnet.yml | 6 +++--- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ci/dotnet-desktop.yml b/ci/dotnet-desktop.yml index fd82a3962d..ad99b56b9b 100644 --- a/ci/dotnet-desktop.yml +++ b/ci/dotnet-desktop.yml @@ -63,19 +63,19 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: fetch-depth: 0 # Install the .NET Core workload - name: Install .NET Core - uses: actions/setup-dotnet@v3 + uses: actions/setup-dotnet@v4 with: - dotnet-version: 6.0.x + dotnet-version: 8.0.x # Add MSBuild to the PATH: https://github.com/microsoft/setup-msbuild - name: Setup MSBuild.exe - uses: microsoft/setup-msbuild@v1.0.2 + uses: microsoft/setup-msbuild@v2 # Execute all unit tests in the solution - name: Execute unit tests diff --git a/ci/dotnet.yml b/ci/dotnet.yml index f11f05069d..b869d6ef84 100644 --- a/ci/dotnet.yml +++ b/ci/dotnet.yml @@ -15,11 +15,11 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v3 + - uses: actions/checkout@v4 - name: Setup .NET - uses: actions/setup-dotnet@v3 + uses: actions/setup-dotnet@v4 with: - dotnet-version: 6.0.x + dotnet-version: 8.0.x - name: Restore dependencies run: dotnet restore - name: Build From 0f4d22325b4bd42a10be5b295f57866f7c78b2bb Mon Sep 17 00:00:00 2001 
From: cclin Date: Mon, 25 Mar 2024 16:05:58 +0800 Subject: [PATCH 10/25] Update astro.yml for yarn based project --- pages/astro.yml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pages/astro.yml b/pages/astro.yml index 0929af5655..03044be19e 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -42,11 +42,13 @@ jobs: echo "manager=yarn" >> $GITHUB_OUTPUT echo "command=install" >> $GITHUB_OUTPUT echo "runner=yarn" >> $GITHUB_OUTPUT + echo "lockfile=yarn.lock" >> $GITHUB_OUTPUT exit 0 elif [ -f "${{ github.workspace }}/package.json" ]; then echo "manager=npm" >> $GITHUB_OUTPUT echo "command=ci" >> $GITHUB_OUTPUT echo "runner=npx --no-install" >> $GITHUB_OUTPUT + echo "lockfile=package-lock.json" >> $GITHUB_OUTPUT exit 0 else echo "Unable to determine package manager" @@ -57,7 +59,7 @@ jobs: with: node-version: "20" cache: ${{ steps.detect-package-manager.outputs.manager }} - cache-dependency-path: ${{ env.BUILD_PATH }}/package-lock.json + cache-dependency-path: ${{ env.BUILD_PATH }}/${{ steps.detect-package-manager.outputs.lockfile }} - name: Setup Pages id: pages uses: actions/configure-pages@v4 From 61cdce264d9ad8045eee8229857b814e0c0510a8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=EC=B9=B4=EA=B8=B0=EC=9E=90=ED=8C=90?= Date: Tue, 26 Mar 2024 08:26:55 +0900 Subject: [PATCH 11/25] Updating nextjs.yml for Next.js 14 Support (#2204) * Update nextjs.yml * Update nextjs.yml --------- Co-authored-by: Alexis Abril --- pages/nextjs.yml | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/pages/nextjs.yml b/pages/nextjs.yml index f91a07d80a..74e57fceb5 100644 --- a/pages/nextjs.yml +++ b/pages/nextjs.yml 
@@ -73,10 +73,8 @@ jobs: ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }}- - name: Install dependencies run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }} - - name: Build with Next.js + - name: Build and Static HTML export with Next.js run: ${{ steps.detect-package-manager.outputs.runner }} next build - - name: Static HTML export with Next.js - run: ${{ steps.detect-package-manager.outputs.runner }} next export - name: Upload artifact uses: actions/upload-pages-artifact@v3 with: From aad92724382fbe4be3a7880224fb9c1cacd3b7b2 Mon Sep 17 00:00:00 2001 From: Marco Gario Date: Tue, 26 Mar 2024 13:18:17 +0100 Subject: [PATCH 12/25] Update codeql.yml Limit matrix information in the job name to language by default --- code-scanning/codeql.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index 1d23be1ea7..dd1406acb0 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -21,7 +21,7 @@ on: jobs: analyze: - name: Analyze + name: Analyze (${{ matrix.language }}) # Runner size impacts CodeQL analysis time. To learn more, please see: # - https://gh.io/recommended-hardware-resources-for-running-codeql # - https://gh.io/supported-runners-and-hardware-resources From fdbad9c74f2ddbd29ef69cedd91184c4552c7360 Mon Sep 17 00:00:00 2001 From: Marco Gario Date: Tue, 26 Mar 2024 13:41:53 +0100 Subject: [PATCH 13/25] Update codeql.yml links to docs --- code-scanning/codeql.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index dd1406acb0..cb883a9bb7 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml 
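Review bot: With the `Static HTML export with Next.js` step removed, static output now depends on `next build` itself writing the export, which Next.js does only when `output: 'export'` is configured; nothing in this hunk sets that, so the build works only if the `Setup Pages` step (outside the hunk) injects it for Next.js or the repository's `next.config.js` already has it. If that is how the template is meant to work, a comment on the build step would save the next reader the same question, e.g. `# next build produces the static export; output: 'export' must be set in next.config.js (configure-pages injects it)`, with the parenthetical adjusted to whatever is actually the case. The `steps:` list and the preceding cache step begin outside the hunk.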
@@ -47,7 +47,8 @@ jobs: # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis, # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning. - + # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how + # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages steps: - name: Checkout repository uses: actions/checkout@v4 From 831e9cb8e41cb47e2ffdabda6c3f268a057ffae5 Mon Sep 17 00:00:00 2001 From: Andreas Deininger Date: Wed, 27 Mar 2024 18:51:41 +0100 Subject: [PATCH 14/25] Bump workflow actions of various starter files (#2210) --- code-scanning/detekt.yml | 2 +- code-scanning/endorlabs.yml | 2 +- code-scanning/rust-clippy.yml | 4 ++-- deployments/alibabacloud.yml | 4 ++-- pages/hugo.yml | 2 +- 5 files changed, 7 insertions(+), 7 deletions(-) diff --git a/code-scanning/detekt.yml b/code-scanning/detekt.yml index 15aeb45524..502c66e8be 100644 --- a/code-scanning/detekt.yml +++ b/code-scanning/detekt.yml @@ -13,7 +13,7 @@ # 4. Manually, on demand, via the "workflow_dispatch" event # # The workflow should work with no modifications, but you might like to use a -# later version of the Detekt CLI by modifing the $DETEKT_RELEASE_TAG +# later version of the Detekt CLI by modifying the $DETEKT_RELEASE_TAG # environment variable. name: Scan with Detekt diff --git a/code-scanning/endorlabs.yml b/code-scanning/endorlabs.yml index 1ad0e2609b..5633a6bc16 100644 --- a/code-scanning/endorlabs.yml +++ b/code-scanning/endorlabs.yml 
@@ -24,7 +24,7 @@ jobs: uses: actions/checkout@v3 #### Package Build Instructions ### Use this section to define the build steps used by your software package. - ### Endor Labs builds your software for you where possible but the required build tools must be made availible. + ### Endor Labs builds your software for you where possible but the required build tools must be made available. # - name: Setup Java # uses: actions/setup-java@v3 # with: diff --git a/code-scanning/rust-clippy.yml b/code-scanning/rust-clippy.yml index 90583f342f..4f50c3e203 100644 --- a/code-scanning/rust-clippy.yml +++ b/code-scanning/rust-clippy.yml @@ -28,7 +28,7 @@ jobs: actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status steps: - name: Checkout code - uses: actions/checkout@v2 + uses: actions/checkout@v4 - name: Install Rust toolchain uses: actions-rs/toolchain@16499b5e05bf2e26879000db0c1d13f7e13fa3af #@v1 @@ -52,4 +52,4 @@ jobs: uses: github/codeql-action/upload-sarif@v1 with: sarif_file: rust-clippy-results.sarif - wait-for-processing: true \ No newline at end of file + wait-for-processing: true diff --git a/deployments/alibabacloud.yml b/deployments/alibabacloud.yml index 96d5d3865d..74dd7f63ef 100644 --- a/deployments/alibabacloud.yml +++ b/deployments/alibabacloud.yml @@ -49,7 +49,7 @@ jobs: steps: - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 # 1.1 Login to ACR - name: Login to ACR with the AccessKey pair @@ -59,7 +59,7 @@ jobs: access-key-id: "${{ secrets.ACCESS_KEY_ID }}" access-key-secret: "${{ secrets.ACCESS_KEY_SECRET }}" - # 1.2 Buid and push image to ACR + # 1.2 Build and push image to ACR - name: Build and push image to ACR run: | docker build --tag "$REGISTRY/$NAMESPACE/$IMAGE:$TAG" . diff --git a/pages/hugo.yml b/pages/hugo.yml index 6e40b040b0..1061a74bd7 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml 
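Review bot: The `rust-clippy.yml` hunks bump `actions/checkout` to `v4` but leave the unchanged line `uses: github/codeql-action/upload-sarif@v1` in the second hunk, and v1 of github/codeql-action is deprecated and, as far as I know, no longer runs on GitHub.com, so the SARIF upload this workflow exists for would fail; `uses: github/codeql-action/upload-sarif@v3` (the version the other scanning templates in this series use) is the fix. The `actions-rs/toolchain` action in the first hunk's context is pinned by SHA, which is good, but that project appears unmaintained, so the pin is worth revisiting as well. The `rust-clippy` job and its `permissions:` block begin outside the hunks.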
@@ -31,7 +31,7 @@ jobs: build: runs-on: ubuntu-latest env: - HUGO_VERSION: 0.120.4 + HUGO_VERSION: 0.124.1 steps: - name: Install Hugo CLI run: | From 4620c76b38f478f21a88b354ce6794dcfacba755 Mon Sep 17 00:00:00 2001 From: Spencer Schrock Date: Wed, 27 Mar 2024 13:25:03 -0700 Subject: [PATCH 15/25] update Scorecard Action hashes and version comments (#2348) * update action hashes and version comments ossf/scorecard-action v2.1.2 is old and doesnt work after a Sigstore change. https://blog.sigstore.dev/tuf-root-update/ Signed-off-by: Spencer Schrock * downgrade actions/upload-artifact to node20 version of v3 dependabot will suggest upgrade to v4.3.1 for repos that can upgrade. note: v3.pre.node20 is how dependabot refers to the pinned hash, so use that so it can upgrade the comment Signed-off-by: Spencer Schrock * upgrade github/codeql-action/upload-sarif to v3.24.9 Signed-off-by: Spencer Schrock --------- Signed-off-by: Spencer Schrock Co-authored-by: Alexis Abril --- code-scanning/scorecard.yml | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/code-scanning/scorecard.yml b/code-scanning/scorecard.yml index 19b9b00f29..162c788bbd 100644 --- a/code-scanning/scorecard.yml +++ b/code-scanning/scorecard.yml 
@@ -32,19 +32,19 @@ jobs: steps: - name: "Checkout code" - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 with: persist-credentials: false - name: "Run analysis" - uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2 + uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1 with: results_file: results.sarif results_format: sarif # (Optional) "write" PAT token. Uncomment the `repo_token` line below if: # - you want to enable the Branch-Protection check on a *public* repository, or # - you are installing Scorecard on a *private* repository - # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action#authentication-with-pat. + # To create the PAT, follow the steps in https://github.com/ossf/scorecard-action?tab=readme-ov-file#authentication-with-fine-grained-pat-optional. # repo_token: ${{ secrets.SCORECARD_TOKEN }} # Public repositories: @@ -59,14 +59,15 @@ jobs: # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # format to the repository Actions tab. - name: "Upload artifact" - uses: actions/upload-artifact@3cea5372237819ed00197afe530f5a7ea3e805c8 # v3.1.0 + uses: actions/upload-artifact@97a0fba1372883ab732affbe8f94b823f91727db # v3.pre.node20 with: name: SARIF file path: results.sarif retention-days: 5 - # Upload the results to GitHub's code scanning dashboard. + # Upload the results to GitHub's code scanning dashboard (optional). + # Commenting out will disable upload of results to your repo's Code Scanning dashboard - name: "Upload to code-scanning" - uses: github/codeql-action/upload-sarif@17573ee1cc1b9d061760f3a006fc4aac4f944fd5 # v2.2.4 + uses: github/codeql-action/upload-sarif@1b1aada464948af03b950897e5eb522f92603cc2 # v3.24.9 with: sarif_file: results.sarif From 4ca845b387fb6f8d1b8ba86e6b2d3b345cd862b7 Mon Sep 17 00:00:00 2001 
From: Alexis Abril Date: Fri, 29 Mar 2024 13:23:28 -0700 Subject: [PATCH 16/25] Update CODEOWNERS Simplifying the CODEOWNERS file to allow respective teams the capabilities to manage PRs as responsibilities have been updated recently. In the short term, this will add notifications to folks for each team. --- CODEOWNERS | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/CODEOWNERS b/CODEOWNERS index 2ed2e33dcf..7580ac67a5 100644 --- a/CODEOWNERS +++ b/CODEOWNERS @@ -1,5 +1,5 @@ +* @actions/advanced-security-code-scanning +* @actions/advanced-security-dependency-graph +* @actions/pages * @actions/actions-workflow-development-reviewers - -/code-scanning/ @actions/advanced-security-code-scanning @actions/actions-workflow-development-reviewers @actions/advanced-security-dependency-graph -/code-scanning/dependency-review.yml @actions/actions-workflow-development-reviewers @actions/advanced-security-dependency-graph -/pages/ @actions/pages @actions/actions-workflow-development-reviewers +* @actions/starter-workflows From 87efe4c91d3d86b0f544d36ceaae0dc8be94f080 Mon Sep 17 00:00:00 2001 From: Alexis Abril Date: Fri, 29 Mar 2024 15:20:42 -0700 Subject: [PATCH 17/25] Update CODEOWNERS Adding @actions/starter-workflows to each category to minimize notification pollution. --- CODEOWNERS | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/CODEOWNERS b/CODEOWNERS index 7580ac67a5..50abb26484 100644 --- a/CODEOWNERS +++ b/CODEOWNERS 
@@ -1,5 +1,5 @@ -* @actions/advanced-security-code-scanning -* @actions/advanced-security-dependency-graph -* @actions/pages -* @actions/actions-workflow-development-reviewers -* @actions/starter-workflows +* @actions/actions-workflow-development-reviewers @actions/starter-workflows + +/code-scanning/ @actions/advanced-security-code-scanning @actions/actions-workflow-development-reviewers @actions/advanced-security-dependency-graph @actions/starter-workflows +/code-scanning/dependency-review.yml @actions/actions-workflow-development-reviewers @actions/advanced-security-dependency-graph @actions/starter-workflows +/pages/ @actions/pages @actions/actions-workflow-development-reviewers @actions/starter-workflows From c9a0122a593db43660edaf37cf6cae081c2f45d9 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Fri, 29 Mar 2024 19:57:20 -0500 Subject: [PATCH 18/25] Update all Pages workflows to use actions/configure-pages@v5 --- pages/astro.yml | 2 +- pages/gatsby.yml | 2 +- pages/hugo.yml | 2 +- pages/jekyll-gh-pages.yml | 2 +- pages/jekyll.yml | 2 +- pages/mdbook.yml | 2 +- pages/nextjs.yml | 2 +- pages/nuxtjs.yml | 2 +- pages/static.yml | 2 +- 9 files changed, 9 insertions(+), 9 deletions(-) diff --git a/pages/astro.yml b/pages/astro.yml index 03044be19e..25db103f04 100644 --- a/pages/astro.yml +++ b/pages/astro.yml @@ -62,7 +62,7 @@ jobs: cache-dependency-path: ${{ env.BUILD_PATH }}/${{ steps.detect-package-manager.outputs.lockfile }} - name: Setup Pages id: pages - uses: actions/configure-pages@v4 + uses: actions/configure-pages@v5 - name: Install dependencies run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }} working-directory: ${{ env.BUILD_PATH }} diff --git a/pages/gatsby.yml b/pages/gatsby.yml index c82a2f7aa3..1bcc667f5b 100644 --- a/pages/gatsby.yml +++ b/pages/gatsby.yml 
@@ -58,7 +58,7 @@ jobs: cache: ${{ steps.detect-package-manager.outputs.manager }} - name: Setup Pages id: pages - uses: actions/configure-pages@v4 + uses: actions/configure-pages@v5 with: # Automatically inject pathPrefix in your Gatsby configuration file. # diff --git a/pages/hugo.yml b/pages/hugo.yml index 1061a74bd7..141ad91a5a 100644 --- a/pages/hugo.yml +++ b/pages/hugo.yml @@ -45,7 +45,7 @@ jobs: submodules: recursive - name: Setup Pages id: pages - uses: actions/configure-pages@v4 + uses: actions/configure-pages@v5 - name: Install Node.js dependencies run: "[[ -f package-lock.json || -f npm-shrinkwrap.json ]] && npm ci || true" - name: Build with Hugo diff --git a/pages/jekyll-gh-pages.yml b/pages/jekyll-gh-pages.yml index 8d5586c325..2874cc0c98 100644 --- a/pages/jekyll-gh-pages.yml +++ b/pages/jekyll-gh-pages.yml @@ -29,7 +29,7 @@ jobs: - name: Checkout uses: actions/checkout@v4 - name: Setup Pages - uses: actions/configure-pages@v4 + uses: actions/configure-pages@v5 - name: Build with Jekyll uses: actions/jekyll-build-pages@v1 with: diff --git a/pages/jekyll.yml b/pages/jekyll.yml index 17fec3f9c8..f07bc39085 100644 --- a/pages/jekyll.yml +++ b/pages/jekyll.yml @@ -41,7 +41,7 @@ jobs: cache-version: 0 # Increment this number if you need to re-download cached gems - name: Setup Pages id: pages - uses: actions/configure-pages@v4 + uses: actions/configure-pages@v5 - name: Build with Jekyll # Outputs to the './_site' directory by default run: bundle exec jekyll build --baseurl "${{ steps.pages.outputs.base_path }}" diff --git a/pages/mdbook.yml b/pages/mdbook.yml index 6ea654d37b..cf79f4e071 100644 --- a/pages/mdbook.yml +++ b/pages/mdbook.yml @@ -39,7 +39,7 @@ jobs: cargo install --version ${MDBOOK_VERSION} mdbook - name: Setup Pages id: pages - uses: actions/configure-pages@v4 + uses: actions/configure-pages@v5 - name: Build with mdBook run: mdbook build - name: Upload artifact 
diff --git a/pages/nextjs.yml b/pages/nextjs.yml index 74e57fceb5..ccde58d30c 100644 --- a/pages/nextjs.yml +++ b/pages/nextjs.yml @@ -54,7 +54,7 @@ jobs: node-version: "20" cache: ${{ steps.detect-package-manager.outputs.manager }} - name: Setup Pages - uses: actions/configure-pages@v4 + uses: actions/configure-pages@v5 with: # Automatically inject basePath in your Next.js configuration file and disable # server side image optimization (https://nextjs.org/docs/api-reference/next/image#unoptimized). diff --git a/pages/nuxtjs.yml b/pages/nuxtjs.yml index 5ceb0e8d81..25a6862718 100644 --- a/pages/nuxtjs.yml +++ b/pages/nuxtjs.yml @@ -52,7 +52,7 @@ jobs: node-version: "20" cache: ${{ steps.detect-package-manager.outputs.manager }} - name: Setup Pages - uses: actions/configure-pages@v4 + uses: actions/configure-pages@v5 with: # Automatically inject router.base in your Nuxt configuration file and set # target to static (https://nuxtjs.org/docs/configuration-glossary/configuration-target/). diff --git a/pages/static.yml b/pages/static.yml index 819974a2c2..5640380712 100644 --- a/pages/static.yml +++ b/pages/static.yml @@ -32,7 +32,7 @@ jobs: - name: Checkout uses: actions/checkout@v4 - name: Setup Pages - uses: actions/configure-pages@v4 + uses: actions/configure-pages@v5 - name: Upload artifact uses: actions/upload-pages-artifact@v3 with: From e4837fa7681a5ff12fe8500675c47c7f6a296f98 Mon Sep 17 00:00:00 2001 From: "James M. Greene" Date: Fri, 29 Mar 2024 20:19:30 -0500 Subject: [PATCH 19/25] Improve step name for Next.js build --- pages/nextjs.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pages/nextjs.yml b/pages/nextjs.yml index ccde58d30c..e2c9ab62a2 100644 --- a/pages/nextjs.yml +++ b/pages/nextjs.yml 
@@ -73,7 +73,7 @@ jobs: ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }}- - name: Install dependencies run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }} - - name: Build and Static HTML export with Next.js + - name: Build with Next.js run: ${{ steps.detect-package-manager.outputs.runner }} next build - name: Upload artifact uses: actions/upload-pages-artifact@v3 From efd31e5f0f3f40497cbbd7d3991ddac4da4037ca Mon Sep 17 00:00:00 2001 From: SOOS-GSteen Date: Mon, 1 Apr 2024 16:11:05 -0400 Subject: [PATCH 20/25] update soos dash action commit hash / sarif action version / logo (#2317) * Update soos-dast-scan.yml * Update soos-dast-scan.yml * Update soos.svg * Update code-scanning/soos-dast-scan.yml Co-authored-by: Alexis Abril --------- Co-authored-by: Alexis Abril --- code-scanning/soos-dast-scan.yml | 6 +++--- icons/soos.svg | 18 +----------------- 2 files changed, 4 insertions(+), 20 deletions(-) diff --git a/code-scanning/soos-dast-scan.yml b/code-scanning/soos-dast-scan.yml index 335aa03dae..b3e470e98f 100644 --- a/code-scanning/soos-dast-scan.yml +++ b/code-scanning/soos-dast-scan.yml @@ -36,7 +36,7 @@ jobs: runs-on: ubuntu-latest steps: - name: Run SOOS DAST Analysis - uses: soos-io/soos-dast-github-action@d0ee0d8feb02c1881e6a1d785bf2078662631150 + uses: soos-io/soos-dast-github-action@a7f2cb2dfd143cb3224712d902ca0a1da0198ea9 with: client_id: ${{ secrets.SOOS_CLIENT_ID }} api_key: ${{ secrets.SOOS_API_KEY }} @@ -45,6 +45,6 @@ jobs: target_url: "https://www.example.com/" output_format: "sarif" - name: Upload SOOS DAST SARIF Report - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: - sarif_file: results.sarif \ No newline at end of file + sarif_file: results.sarif diff --git a/icons/soos.svg b/icons/soos.svg index 17a31fcb08..7480560df9 100644 --- a/icons/soos.svg +++ b/icons/soos.svg 
@@ -1,17 +1 @@ - - - - - - - - - - - + \ No newline at end of file From b53d05e4b0dde7cdaeda60476acfcaaa1713f8cc Mon Sep 17 00:00:00 2001 From: Charly Garcia <155784995+cgarciagarcia@users.noreply.github.com> Date: Mon, 1 Apr 2024 17:12:02 -0300 Subject: [PATCH 21/25] ci: use artisan command to run test, because this ci/laravel.yml does not work properly in laravel when uses Pest instead of PHPUnit (#2284) Co-authored-by: Alexis Abril --- ci/laravel.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/ci/laravel.yml b/ci/laravel.yml index e778d7b313..fc30f21321 100644 --- a/ci/laravel.yml +++ b/ci/laravel.yml @@ -28,8 +28,8 @@ jobs: run: | mkdir -p database touch database/database.sqlite - - name: Execute tests (Unit and Feature tests) via PHPUnit + - name: Execute tests (Unit and Feature tests) via PHPUnit/Pest env: DB_CONNECTION: sqlite DB_DATABASE: database/database.sqlite - run: vendor/bin/phpunit + run: php artisan test From 31a3e00dab4440b64f47b6b9d92f8d330e1b6f00 Mon Sep 17 00:00:00 2001 From: Issy Long Date: Wed, 3 Apr 2024 10:23:11 +0100 Subject: [PATCH 22/25] codeql: Clarify that hosted larger runners only exist on GHEC - Part of https://github.com/github/code-scanning/issues/13748. --- code-scanning/codeql.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index cb883a9bb7..d24240d0d4 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml 
@@ -25,8 +25,8 @@ jobs: # Runner size impacts CodeQL analysis time. To learn more, please see: # - https://gh.io/recommended-hardware-resources-for-running-codeql # - https://gh.io/supported-runners-and-hardware-resources - # - https://gh.io/using-larger-runners - # Consider using larger runners for possible analysis time improvements. + # - https://gh.io/using-larger-runners (GitHub.com only) + # Consider using larger runners or machines with greater resources for possible analysis time improvements. runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }} timeout-minutes: ${{ (matrix.language == 'swift' && 120) || 360 }} permissions: From ca5bcdc6930fe44fae60c9e0a60f5c1f56b2d449 Mon Sep 17 00:00:00 2001 From: Rex P <106129829+another-rex@users.noreply.github.com> Date: Wed, 10 Apr 2024 13:21:33 +1000 Subject: [PATCH 23/25] Add OSV-Scanner code scanning workflow (#2350) * Add OSV-Scanner code scanning workflow * Update code-scanning/osv-scanner.yml Co-authored-by: Alexis Abril --------- Co-authored-by: Alexis Abril --- code-scanning/osv-scanner.yml | 48 +++++++++++++++++++ .../properties/osv-scanner.properties.json | 7 +++ icons/osv.svg | 29 +++++++++++ 3 files changed, 84 insertions(+) create mode 100644 code-scanning/osv-scanner.yml create mode 100644 code-scanning/properties/osv-scanner.properties.json create mode 100644 icons/osv.svg diff --git a/code-scanning/osv-scanner.yml b/code-scanning/osv-scanner.yml new file mode 100644 index 0000000000..2aa7150659 --- /dev/null +++ b/code-scanning/osv-scanner.yml 
@@ -0,0 +1,48 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# A sample workflow which sets up periodic OSV-Scanner scanning for vulnerabilities, +# in addition to a PR check which fails if new vulnerabilities are introduced. +# +# For more examples and options, including how to ignore specific vulnerabilities, +# see https://google.github.io/osv-scanner/github-action/ + +name: OSV-Scanner + +on: + pull_request: + branches: [ $default-branch, $protected-branches ] + merge_group: + branches: [ $default-branch, $protected-branches ] + schedule: + - cron: $cron-weekly + push: + branches: [ $default-branch, $protected-branches ] + +permissions: + # Require writing security events to upload SARIF file to security tab + security-events: write + # Read commit contents + contents: read + +jobs: + scan-scheduled: + if: ${{ github.event_name == 'push' || github.event_name == 'schedule' }} + uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78" # v1.7.1 + with: + # Example of specifying custom arguments + scan-args: |- + -r + --skip-git + ./ + scan-pr: + if: ${{ github.event_name == 'pull_request' || github.event_name == 'merge_group' }} + uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable-pr.yml@1f1242919d8a60496dd1874b24b62b2370ed4c78" # v1.7.1 + with: + # Example of specifying custom arguments + scan-args: |- + -r + --skip-git + ./ diff --git a/code-scanning/properties/osv-scanner.properties.json b/code-scanning/properties/osv-scanner.properties.json new file mode 100644 index 0000000000..2ea1d36d03 --- /dev/null +++ b/code-scanning/properties/osv-scanner.properties.json 
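Review bot: The header comment describes "periodic" scanning plus a PR check, but the `scan-scheduled` job's `if:` also fires on every `push` to the default and protected branches, so the comment understates what runs and when SARIF is uploaded; suggest `# A sample workflow which runs OSV-Scanner on a weekly schedule and on pushes to protected branches,` as the first line of that paragraph. The `# Example of specifying custom arguments` comment is repeated verbatim above both `scan-args` blocks and explains neither flag; if I read the scanner's options correctly, a comment such as `# -r: scan subdirectories recursively; --skip-git: do not scan git commit history` would tell a reader what they are opting into. Pinning both reusable workflows to a full commit SHA with the `# v1.7.1` tag alongside is the right pattern; keep the version comment in sync when the SHA is bumped so the pin stays auditable.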
@@ -0,0 +1,7 @@ +{ + "name": "OSV Scanner", + "creator": "Google", + "description": "Vulnerability scanner for your dependencies using data provided by https://osv.dev", + "iconName": "osv", + "categories": ["Code Scanning", "JavaScript", "Python", "Java", "PHP", "C#", "R", "Ruby", "Rust", "Swift", "Go", "TypeScript"] +} diff --git a/icons/osv.svg b/icons/osv.svg new file mode 100644 index 0000000000..c01aeee446 --- /dev/null +++ b/icons/osv.svg @@ -0,0 +1,29 @@ + + + + + + + + + + + + From a3194f5b4757a7bfb2324b17ccf11e28df2bc4f9 Mon Sep 17 00:00:00 2001 From: Marco Gario Date: Thu, 11 Apr 2024 09:39:30 +0200 Subject: [PATCH 24/25] Update CodeQL workflow to use packages:read permission. Co-authored-by: Anders Starcke Henriksen --- code-scanning/codeql.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/code-scanning/codeql.yml b/code-scanning/codeql.yml index d24240d0d4..6fdadb163d 100644 --- a/code-scanning/codeql.yml +++ b/code-scanning/codeql.yml @@ -33,6 +33,9 @@ jobs: # required for all workflows security-events: write + # required to fetch internal or private CodeQL packs + packages: read + # only required for workflows in private repositories actions: read contents: read From ac9c407320899c9ddcb5054890deec998e9a20bb Mon Sep 17 00:00:00 2001 
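Review bot: In the codeql.yml hunk, the new `packages: read` grant applies to the job's GITHUB_TOKEN for every package the repository can reach, not only CodeQL packs, yet the comment reads as if it were always needed; the neighbouring entries already use a conditional phrasing ("only required for workflows in private repositories"), so `# only required if your config fetches internal or private CodeQL packs; remove otherwise` would keep the least-privilege intent visible. The `permissions` block and the enclosing `analyze` job start outside this hunk.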
From: mponaws <157431286+mponaws@users.noreply.github.com> Date: Thu, 18 Apr 2024 12:39:17 -0700 Subject: [PATCH 25/25] Add starter-workflows for Policy Validator (#2375) * Add starter-workflows for Policy Validator * Add starter-workflows for Policy Validator * Add starter-workflows for Policy Validator, removed references to GitHub secrets & S3 to keep it simple --- code-scanning/policy-validator-cfn.yaml | 84 ++++++++++++++++++ code-scanning/policy-validator-tf.yaml | 87 +++++++++++++++++++ .../policy-validator-cfn.properties.json | 7 ++ .../policy-validator-tf.properties.json | 7 ++ 4 files changed, 185 insertions(+) create mode 100644 code-scanning/policy-validator-cfn.yaml create mode 100644 code-scanning/policy-validator-tf.yaml create mode 100644 code-scanning/properties/policy-validator-cfn.properties.json create mode 100644 code-scanning/properties/policy-validator-tf.properties.json diff --git a/code-scanning/policy-validator-cfn.yaml b/code-scanning/policy-validator-cfn.yaml new file mode 100644 index 0000000000..b2cd163a9f --- /dev/null +++ b/code-scanning/policy-validator-cfn.yaml 
@@ -0,0 +1,84 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow will validate the IAM policies in the CloudFormation (CFN) templates with using the standard and custom checks in AWS IAM Access Analyzer +# To use this workflow, you will need to complete the following set up steps before start using it: +# 1. Configure an AWS IAM role to use the Access Analyzer's ValidatePolicy, CheckNoNewAccess and CheckAccessNotGranted. This IAM role must be configured to call from the GitHub Actions, use the following [doc](https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/) for steps. In the below workflow, ARN of such role is stored in the GitHub secrets with name `POLICY_VALIDATOR_ROLE` +# 2. If you're using CHECK_NO_NEW_ACCESS policy-check-type, you need to create a reference policy. Use the guide [here](https://github.com/aws-samples/iam-access-analyzer-custom-policy-check-samples?tab=readme-ov-file#how-do-i-write-my-own-reference-policies) and store it your GitHub repo. +# 3. If you're using the CHECK_ACCESS_NOT_GRANTED policy-check-type, identify the list of critical actions that shouldn't be granted access by the policies in the given CFN templates. +# 4. Start using the GitHub actions by generating the GitHub events matching the defined criteria in your workflow. 
+name: Validate AWS IAM policies in CloudFormation templates using Policy Validator +on: + push: + branches: [$default-branch, $protected-branches] + pull_request: + # The branches below must be a subset of the branches above + branches: [$default-branch] +env: + AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions + REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. us-west-1 + TEMPLATE_PATH: FILE_PATH_TO_CFN_TEMPLATE # set to the file path to the CloudFormation template. + ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. + REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's file path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. + REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. 
+jobs: + policy-validator: + runs-on: ubuntu-latest # Virtual machine to run the workflow (configurable) + # https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#updating-your-github-actions-workflow + # https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/ + permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + name: Policy Validator checks for AWS IAM policies + steps: + # checkout the repo for workflow to access the contents + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + # Configure AWS Credentials. More configuration details here - https://github.com/aws-actions/configure-aws-credentials + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 + with: + role-to-assume: ${{ env.AWS_ROLE }} + aws-region: ${{ env.REGION }} + # Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator + - name: Run AWS AccessAnalyzer ValidatePolicy check + id: run-aws-validate-policy + uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0 + with: + policy-check-type: "VALIDATE_POLICY" + template-path: ${{ env.TEMPLATE_PATH}} + region: ${{ env.REGION }} + # Print result from VALIDATE_POLICY check + - name: Print the result for ValidatePolicy check + if: success() || failure() + run: echo "${{ steps.run-aws-validate-policy.outputs.result }}" + # Run the CHECK_ACCESS_NOT_GRANTED check. 
More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator + - name: Run AWS AccessAnalyzer CheckAccessNotGranted check + id: run-aws-check-access-not-granted + uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0 + with: + policy-check-type: "CHECK_ACCESS_NOT_GRANTED" + template-path: ${{ env.TEMPLATE_PATH}} + actions: ${{ env.ACTIONS }} + region: ${{ env.REGION }} + # Print result from CHECK_ACCESS_NOT_GRANTED check + - name: Print the result for CheckAccessNotGranted check + if: success() || failure() + run: echo "${{ steps.run-aws-check-access-not-granted.outputs.result }}" + # Run the CHECK_NO_NEW_ACCESS check. More configuration details here - https://github.com/aws-actions/cloudformation-aws-iam-policy-validator + # reference-policy is stored in GitHub secrets + - name: Run AWS AccessAnalyzer CheckNoNewAccess check + id: run-aws-check-no-new-access + uses: aws-actions/cloudformation-aws-iam-policy-validator@10479bdc0c8322ffb6f5eaa75d096195f97b798a #v1.0.0 + with: + policy-check-type: "CHECK_NO_NEW_ACCESS" + template-path: ${{ env.TEMPLATE_PATH}} + reference-policy: ${{ env.REFERENCE }} + reference-policy-type: ${{ env.REFERENCE_POLICY_TYPE }} + region: ${{env.REGION }} + # Print result from CHECK_NO_NEW_ACCESS check + - name: Print the result for CheckNoNewAccess check + if: success() || failure() + run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}" diff --git a/code-scanning/policy-validator-tf.yaml b/code-scanning/policy-validator-tf.yaml new file mode 100644 index 0000000000..1ca77b5f95 --- /dev/null +++ b/code-scanning/policy-validator-tf.yaml 
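Review bot: The CheckNoNewAccess step passes `reference-policy: ${{ env.REFERENCE }}`, but the workflow's `env` block only defines `REFERENCE_POLICY`, so the input expands to an empty string and the check either fails or, depending on how the action treats a missing reference, compares against nothing; change it to `reference-policy: ${{ env.REFERENCE_POLICY }}`, which is what the Terraform workflow in the next hunk does. The header comment (step 1) says the role ARN lives in a `POLICY_VALIDATOR_ROLE` secret and the step comment says `# reference-policy is stored in GitHub secrets`, while the `env` block actually uses literal placeholders `AWS_ROLE: MY_ROLE` and `REFERENCE_POLICY: REFERENCE_POLICY` — the commit message says the secret references were removed, so the comments should say so too, e.g. `# reference-policy may be a path in the repo or a value passed from a GitHub secret`; the same stale comment appears in the Terraform hunk. Expression spacing is inconsistent (`${{ env.TEMPLATE_PATH}}`, `${{env.REGION }}`); normalise to `${{ env.TEMPLATE_PATH }}` and `${{ env.REGION }}` as the other steps write them.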
@@ -0,0 +1,87 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow will validate the IAM policies in the terraform (TF) templates with using the standard and custom checks in AWS IAM Access Analyzer +# To use this workflow, you will need to complete the following set up steps before start using it: +# 1. Configure an AWS IAM role to use the Access Analyzer's ValidatePolicy, CheckNoNewAccess and CheckAccessNotGranted. This IAM role must be configured to call from the GitHub Actions, use the following [doc](https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/) for steps. +# 2. If you're using CHECK_NO_NEW_ACCESS policy-check-type, you need to create a reference policy. Use the guide [here](https://github.com/aws-samples/iam-access-analyzer-custom-policy-check-samples?tab=readme-ov-file#how-do-i-write-my-own-reference-policies) and store it your GitHub repo. +# 3. If you're using the CHECK_ACCESS_NOT_GRANTED policy-check-type, identify the list of critical actions that shouldn't be granted access by the policies in the TF templates. +# 4. Start using the GitHub actions by generating the GitHub events matching the defined criteria in your workflow. + +name: Validate AWS IAM policies in Terraform templates using Policy Validator +on: + push: + branches: [$default-branch, $protected-branches] + pull_request: + # The branches below must be a subset of the branches above + branches: [$default-branch] +env: + AWS_ROLE: MY_ROLE # set this with the role ARN which has permissions to invoke access-analyzer:ValidatePolicy,access-analyzer:CheckNoNewAccess, access-analyzer:CheckAccessNotGranted and can be used in GitHub actions + REGION: MY_AWS_REGION # set this to your preferred AWS region where you plan to deploy your policies, e.g. 
us-west-1 + TEMPLATE_PATH: FILE_PATH_TO_THE_TF_PLAN # set this to the file path to the terraform plan in JSON + ACTIONS: MY_LIST_OF_ACTIONS # set to pass list of actions in the format action1, action2,.. This is required if you are using `CHECK_ACCESS_NOT_GRANTED` policy-check-type. + REFERENCE_POLICY: REFERENCE_POLICY # set to pass a JSON formatted file that specifies the path to the reference policy that is used for a permissions comparison. For example, if you stored such path in a GitHub secret with name REFERENCE_IDENTITY_POLICY , you can pass ${{ secrets.REFERENCE_IDENTITY_POLICY }}. If not you have the reference policy in the repository, you can directly pass it's path. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. + REFERENCE_POLICY_TYPE: TYPE_OF_REFERENCE_POLICY # set to pass the policy type associated with the IAM policy under analysis and the reference policy. This is required if you are using `CHECK_NO_NEW_ACCESS_CHECK` policy-check-type. + +jobs: + policy-validator: + runs-on: ubuntu-latest # Virtual machine to run the workflow (configurable) + #https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-amazon-web-services#updating-your-github-actions-workflow + #https://aws.amazon.com/blogs/security/use-iam-roles-to-connect-github-actions-to-actions-in-aws/ + permissions: + id-token: write # This is required for requesting the JWT + contents: read # This is required for actions/checkout + # https://docs.github.com/en/actions/using-github-hosted-runners/about-github-hosted-runners/about-github-hosted-runners + name: Policy Validator checks for AWS IAM policies + steps: + # checkout the repo for workflow to access the contents + - name: Checkout + uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 + # Configure AWS Credentials. 
More configuration details here- https://github.com/aws-actions/configure-aws-credentials + - name: Configure AWS Credentials + uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 + with: + role-to-assume: ${{ env.AWS_ROLE }} + aws-region: ${{ env.REGION }} + # Run the VALIDATE_POLICY check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator + - name: Run AWS AccessAnalyzer ValidatePolicy check + id: run-aws-validate-policy + uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0 + with: + policy-check-type: "VALIDATE_POLICY" + template-path: ${{ env.TEMPLATE_PATH }} + region: ${{ env.REGION }} + # Print result from VALIDATE_POLICY check + - name: Print the result for ValidatePolicy check + if: success() || failure() + run: echo "${{ steps.run-aws-validate-policy.outputs.result }}" + # Run the CHECK_ACCESS_NOT_GRANTED check. More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator + - name: Run AWS AccessAnalyzer CheckAccessNotGranted check + id: run-aws-check-access-not-granted + uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0 + with: + policy-check-type: "CHECK_ACCESS_NOT_GRANTED" + template-path: ${{ env.TEMPLATE_PATH }} + actions: ${{ env.ACTIONS }} + region: ${{ env.REGION }} + # Print result from CHECK_ACCESS_NOT_GRANTED check + - name: Print the result for CheckAccessNotGranted check + if: success() || failure() + run: echo "${{ steps.run-aws-check-access-not-granted.outputs.result }}" + # Run the CHECK_NO_NEW_ACCESS check. 
More configuration details here - https://github.com/aws-actions/terraform-aws-iam-policy-validator + # reference-policy is stored in GitHub secrets + - name: Run AWS AccessAnalyzer CheckNoNewAccess check + id: run-aws-check-no-new-access + uses: aws-actions/terraform-aws-iam-policy-validator@3e527234ccf8ca494450942c4a91d54b291b013e #v1.0.0 + with: + policy-check-type: "CHECK_NO_NEW_ACCESS" + template-path: ${{ env.TEMPLATE_PATH }} + reference-policy: ${{ env.REFERENCE_POLICY }} + reference-policy-type: ${{ env.REFERENCE_POLICY_TYPE }} + region: ${{ env.REGION }} + # Print result from CHECK_NO_NEW_ACCESS check + - name: Print the result CheckNoNewAccess check + if: success() || failure() + run: echo "${{ steps.run-aws-check-no-new-access.outputs.result }}" diff --git a/code-scanning/properties/policy-validator-cfn.properties.json b/code-scanning/properties/policy-validator-cfn.properties.json new file mode 100644 index 0000000000..496b36856c --- /dev/null +++ b/code-scanning/properties/policy-validator-cfn.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Policy Validator for CloudFormation", + "creator": "Amazon Web Services", + "description": "Validate AWS IAM Policies in CloudFormation Templates powered IAM Access Analyzer", + "iconName": "aws", + "categories": ["Code Scanning", "AWS", "Python"] +} diff --git a/code-scanning/properties/policy-validator-tf.properties.json b/code-scanning/properties/policy-validator-tf.properties.json new file mode 100644 index 0000000000..f683f49c1e --- /dev/null +++ b/code-scanning/properties/policy-validator-tf.properties.json @@ -0,0 +1,7 @@ +{ + "name": "Policy Validator for Terraform", + "creator": "Amazon Web Services", + "description": "Validate AWS IAM Policies in Terraform Templates powered IAM Access Analyzer", + "iconName": "aws", + "categories": ["Code Scanning", "AWS", "Python"] +}
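Review bot: The two documentation-link comments in the `policy-validator` job are written as `#https://docs.github.com/...` and `#https://aws.amazon.com/...` with no space after the hash, unlike every other comment in the file (and the CloudFormation workflow in the previous hunk writes them as `# https://...`); add the space so yamllint's `comments` rule and the file's own style agree. The `# https://docs.github.com/.../about-github-hosted-runners` comment sits between `permissions` and `name` although it documents `runs-on`; move it directly above `runs-on: ubuntu-latest`. The final step is named `Print the result CheckNoNewAccess check` while its siblings read `Print the result for ... check`; `- name: Print the result for CheckNoNewAccess check` keeps the names parallel.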