CopilotKit · jpr5 · May 15, 2026 · May 15, 2026 · May 15, 2026 · May 15, 2026
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -27,14 +27,35 @@ updates:
       prefix: 'chore'
       include: 'scope'
     open-pull-requests-limit: 10
+    cooldown:
+      default-days: 1
 
   - package-ecosystem: 'github-actions'
     directory: '/'
     schedule:
-      interval: 'weekly'
+      interval: 'daily'
     groups:
-      github-actions:
+      minor-and-patch:
+        patterns:
+          - '*'
+        update-types:
+          - 'minor'
+          - 'patch'
+      # Workaround for dependabot/dependabot-core#14202: without an explicit
+      # major group, major updates matching the minor-and-patch pattern are
+      # silently suppressed. Remove this group when #14202 is fixed to get
+      # individual (ungrouped) PRs per major bump instead.
+      major:
         patterns:
           - '*'
+        update-types:
+          - 'major'
+    labels:
+      - 'dependencies'
+      - 'github-actions'
     commit-message:
       prefix: 'ci'
+      include: 'scope'
+    open-pull-requests-limit: 10
+    cooldown:
+      default-days: 1
diff --git a/.github/workflows/agent-restricted.yml b/.github/workflows/agent-restricted.yml
@@ -56,15 +56,17 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Check authorization
+        env:
+          AUTHORIZED_USERS: ${{ secrets.AUTHORIZED_USERS }}
+          ACTOR: ${{ github.actor }}
         run: |
-          AUTHORIZED_USERS="${{ secrets.AUTHORIZED_USERS }}"
-          if [[ ",$AUTHORIZED_USERS," != *",${{ github.actor }},"* ]]; then
-            echo "❌ User ${{ github.actor }} is NOT authorized"
+          if [[ ",$AUTHORIZED_USERS," != *",$ACTOR,"* ]]; then
+            echo "❌ User $ACTOR is NOT authorized"
             exit 1
           fi
-          echo "✅ User ${{ github.actor }} is authorized"
+          echo "✅ User $ACTOR is authorized"
 
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Run Strands Agent
         uses: ./.github/actions/strands-action

diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
@@ -25,9 +25,11 @@ jobs:
         node-version: [20.x, 22.x, 24.x]
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Use Node.js ${{ matrix.node-version }}
-        uses: actions/setup-node@v6
+        uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: ${{ matrix.node-version }}
           cache: 'npm'
@@ -36,14 +38,14 @@ jobs:
           git config --global user.email "bedrock-agentcore-npm+ci@amazon.com"
           git config --global user.name "CI"
       - name: Install uv
-        uses: astral-sh/setup-uv@v7
+        uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
       - run: npm ci
       - run: npm run build --if-present
       - run: npm run test:unit
       - run: npm run test:integ
       - name: Upload coverage artifact
         if: matrix.node-version == '20.x'
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: coverage-report
           path: coverage/
@@ -61,7 +63,7 @@ jobs:
           test -f sanitytest/agentcore/agentcore.json
       - name: Upload tarball artifact
         if: matrix.node-version == '20.x'
-        uses: actions/upload-artifact@v7
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
         with:
           name: tarball
           path: '*.tgz'
@@ -75,14 +77,16 @@ jobs:
       pull-requests: write
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Download coverage artifact
-        uses: actions/download-artifact@v8
+        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
         with:
           name: coverage-report
           path: coverage/
       - name: Coverage Report
-        uses: davelosert/vitest-coverage-report-action@v2
+        uses: davelosert/vitest-coverage-report-action@02f3c2e641286b7fa308cd3e430783103ce6103b # v2
         with:
           json-summary-path: coverage/coverage-summary.json
           json-final-path: coverage/coverage-final.json

diff --git a/.github/workflows/cleanup-pr-tarballs.yml b/.github/workflows/cleanup-pr-tarballs.yml
@@ -14,7 +14,9 @@ jobs:
     runs-on: ubuntu-latest
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
       - name: Delete PR tarball releases older than 7 days
         env:
           GH_TOKEN: ${{ github.token }}

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -8,6 +8,9 @@ on:
   pull_request_target:
     branches: ['main']
 
+permissions:
+  contents: read
+
 # Cancel in-progress runs for PRs; never cancel runs on main (merges should not abort each other)
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
@@ -23,12 +26,14 @@ jobs:
       contents: read
 
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v4
+        uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
         with:
           languages: javascript-typescript
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v4
+        uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
diff --git a/.github/workflows/dependabot-auto-merge.yml b/.github/workflows/dependabot-auto-merge.yml
@@ -0,0 +1,32 @@
+name: Dependabot Auto-Merge (Minor/Patch)
+
+on:
+  pull_request_target:
+    types: [opened, synchronize]
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  auto-merge:
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
+    steps:
+      - name: Fetch Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Auto-approve and merge minor/patch github-actions updates
+        if: >-
+          steps.metadata.outputs.package-ecosystem == 'github_actions' && (steps.metadata.outputs.update-type ==
+          'version-update:semver-minor' ||
+           steps.metadata.outputs.update-type == 'version-update:semver-patch')
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          PR_URL: ${{ github.event.pull_request.html_url }}
+        run: |
+          gh pr review "$PR_URL" --approve
+          gh pr merge "$PR_URL" --auto --merge
diff --git a/.github/workflows/dependabot-major-analysis.yml b/.github/workflows/dependabot-major-analysis.yml
@@ -0,0 +1,144 @@
+name: Dependabot Major Version Analysis
+
+on:
+  pull_request_target:
+    types: [opened]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  analyze-major:
+    runs-on: ubuntu-latest
+    if: github.event.pull_request.user.login == 'dependabot[bot]'
+    steps:
+      - name: Fetch Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Analyze major version bump
+        if: >-
+          steps.metadata.outputs.package-ecosystem == 'github_actions' && steps.metadata.outputs.update-type ==
+          'version-update:semver-major'
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
+        env:
+          DEP_NAME: ${{ steps.metadata.outputs.dependency-names }}
+          PREV_VERSION: ${{ steps.metadata.outputs.previous-version }}
+          NEW_VERSION: ${{ steps.metadata.outputs.new-version }}
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const depName = process.env.DEP_NAME;
+            const prevVersion = process.env.PREV_VERSION;
+            const newVersion = process.env.NEW_VERSION;
+            const parts = depName.split('/');
+            const owner = parts[0];
+            const repo = parts[1];
+            const repoSlug = `${owner}/${repo}`;
+
+            let releases = [];
+            try {
+              const { data } = await github.rest.repos.listReleases({ owner, repo, per_page: 50 });
+              releases = data;
+            } catch (err) {
+              core.warning(`Could not fetch releases for ${repoSlug}: ${err.message}`);
+            }
+
+            const prevMajor = parseInt(prevVersion.replace(/^v/, ''), 10);
+            const newMajor = parseInt(newVersion.replace(/^v/, ''), 10);
+
+            const relevantReleases = releases.filter(r => {
+              const major = parseInt(r.tag_name.replace(/^v/, ''), 10);
+              return major > prevMajor && major <= newMajor;
+            });
+
+            let releaseNotesSummary = '';
+            let breakingChanges = '';
+
+            if (relevantReleases.length === 0) {
+              releaseNotesSummary = '_No releases found between these versions._';
+              breakingChanges = `_Unable to determine breaking changes automatically. Please review the [full changelog](https://github.com/${repoSlug}/releases)._`;
+            } else {
+              for (const release of relevantReleases.slice(0, 10)) {
+                const body = release.body || '_No release notes._';
+                releaseNotesSummary += `### ${release.tag_name}${release.name && release.name !== release.tag_name ? ' — ' + release.name : ''}\n\n`;
+                releaseNotesSummary += body.substring(0, 2000);
+                if (body.length > 2000) releaseNotesSummary += '\n\n_...truncated_';
+                releaseNotesSummary += '\n\n---\n\n';
+                const lines = body.split('\n');
+                for (const line of lines) {
+                  if (/breaking|BREAKING|removed|deprecated|incompatible|migration/i.test(line)) {
+                    breakingChanges += `- ${line.trim()}\n`;
+                  }
+                }
+              }
+            }
+
+            if (!breakingChanges) {
+              breakingChanges = '_No explicit breaking changes detected in release notes. Manual review recommended._';
+            }
+
+            let commentBody = `## :warning: Major Version Update — Manual Review Required
+
+            | Field | Value |
+            |-------|-------|
+            | **Action** | [\`${depName}\`](https://github.com/${repoSlug}) |
+            | **Previous** | \`v${prevVersion}\` |
+            | **New** | \`v${newVersion}\` |
+            | **Type** | Major (\`v${prevMajor}\` → \`v${newMajor}\`) |
+
+            ### Breaking Changes
+
+            ${breakingChanges}
+
+            ### Release Notes (v${prevMajor + 1} → v${newMajor})
+
+            ${releaseNotesSummary}
+
+            ### Next Steps
+
+            1. Review breaking changes above
+            2. Check if workflow inputs/outputs changed
+            3. Verify compatibility with your CI/CD configuration
+
+            > Full changelog: https://github.com/${repoSlug}/releases
+
+            ---
+            _Generated automatically for Dependabot major version PRs._`.replace(/^            /gm, '');
+
+            if (commentBody.length > 64000) {
+              commentBody = commentBody.substring(0, 63900) + '\n\n_...comment truncated due to size limit._';
+            }
+
+            await github.rest.issues.createComment({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.payload.pull_request.number,
+              body: commentBody,
+            });
+
+            try {
+              const labelsToAdd = ['major-update', 'needs-review'];
+              for (const label of labelsToAdd) {
+                try {
+                  await github.rest.issues.getLabel({ owner: context.repo.owner, repo: context.repo.repo, name: label });
+                } catch {
+                  const colors = { 'major-update': 'B60205', 'needs-review': 'FBCA04' };
+                  await github.rest.issues.createLabel({
+                    owner: context.repo.owner, repo: context.repo.repo,
+                    name: label, color: colors[label] || 'EDEDED',
+                  });
+                }
+              }
+              await github.rest.issues.addLabels({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                issue_number: context.payload.pull_request.number,
+                labels: labelsToAdd,
+              });
+            } catch (err) {
+              core.warning(`Could not add labels: ${err.message}`);
+            }
diff --git a/.github/workflows/e2e-tests-full.yml b/.github/workflows/e2e-tests-full.yml
@@ -28,28 +28,29 @@ jobs:
       matrix:
         cdk-source: [npm, main]
     steps:
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           ref: ${{ github.event_name == 'workflow_dispatch' && github.ref || 'main' }}
-      - uses: actions/setup-node@v6
+          persist-credentials: false
+      - uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
         with:
           node-version: '20.x'
           cache: 'npm'
       - name: Configure git
         run: |
           git config --global user.email "ci@amazon.com"
           git config --global user.name "CI"
-      - uses: astral-sh/setup-uv@v7
+      - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@v6
+        uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6
         with:
           role-to-assume: ${{ secrets.E2E_AWS_ROLE_ARN }}
           aws-region: ${{ inputs.aws_region || 'us-east-1' }}
       - name: Get AWS Account ID
         id: aws
         run: echo "account_id=$(aws sts get-caller-identity --query Account --output text)" >> "$GITHUB_OUTPUT"
       - name: Get API keys from Secrets Manager
-        uses: aws-actions/aws-secretsmanager-get-secrets@v3
+        uses: aws-actions/aws-secretsmanager-get-secrets@2cb1a461cbd4865ac4299648312e4704c646cd53 # v3
         with:
           secret-ids: |
             E2E,${{ secrets.E2E_SECRET_ARN }}