Introduce Official Bandit Images #1088
Folks are using various Bandit images kindly built by others, but we should really start providing one of our own that builds directly from source (the others use `pip install`). Should a different container image be subjected to some sort of attack (maintainer takeover), this could lead to some serious problems for those using Bandit.

This PR includes an action to build, publish and sign the image using sigstore cosign. This way (should they wish) users can verify that the source of origin for these images was the official repo. You can see an example of this below, where I tested the action in my own test fork (bandit-test): https://search.sigstore.dev/?logIndex=61918446

Signed-off-by: Luke Hinds <[email protected]>
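The verification the description mentions, as an added example that is not code from the PR or from the Bandit project: it checks the keyless cosign signature against the GitHub Actions OIDC issuer and a signing identity anchored to the official repository, then rewrites the mutable tag into a digest reference that can be pinned. The image path `ghcr.io/pycqa/bandit/bandit`, the workflow location under `.github/workflows/` in PyCQA/bandit, and cosign v2 plus jq being on PATH are assumptions, not something the page states.

```shell
#!/usr/bin/env bash
# Added example, not code from the PR: verify that a Bandit image carries a sigstore
# keyless signature issued to a GitHub Actions workflow of the official repository,
# then turn the mutable tag into an immutable digest reference for pinning.
# Assumed (not stated on the page): image path ghcr.io/pycqa/bandit/bandit, workflow
# files under .github/workflows/ in PyCQA/bandit, cosign v2 and jq on PATH.
set -eu

OIDC_ISSUER="https://token.actions.githubusercontent.com"
# Fulcio puts the workflow URL and git ref into the certificate SAN; anchoring the
# regexp to the official repository is what rules out a look-alike fork that also
# signs its images with sigstore (e.g. the bandit-test fork from the description).
IDENTITY_RE='^https://github\.com/PyCQA/bandit/\.github/workflows/[^@]+@refs/(tags|heads)/.+$'

# True when REF is already pinned by digest ("repo@sha256:<64 hex>").
is_digest_ref() {
  printf '%s\n' "$1" | grep -Eqx '[^@[:space:]]+@sha256:[0-9a-f]{64}'
}

# Repository part of an image reference: drop "@digest" and a trailing ":tag" (only
# in the last path component, so a registry port such as localhost:5000 survives).
repo_of() {
  ref="${1%%@*}"; last="${ref##*/}"
  case "$last" in
    *:*) printf '%s\n' "${ref%:*}" ;;
    *)   printf '%s\n' "$ref" ;;
  esac
}

# cosign verify prints a JSON array of the verified signatures; the manifest digest
# inside the signed payload is the digest of what was actually signed, which is
# what we pin to (not whatever the tag happens to point at afterwards).
verify_and_pin() {
  ref="$1"
  digest=$(cosign verify \
      --certificate-oidc-issuer "$OIDC_ISSUER" \
      --certificate-identity-regexp "$IDENTITY_RE" \
      "$ref" 2>/dev/null | jq -r '.[0].critical.image."docker-manifest-digest"')
  pinned="$(repo_of "$ref")@$digest"
  # An empty or malformed digest means verification produced nothing usable.
  is_digest_ref "$pinned" || { echo "verification failed for $ref" >&2; return 1; }
  printf '%s\n' "$pinned"
}

if [ -n "${1:-}" ]; then
  verify_and_pin "$1"   # e.g. ./verify.sh ghcr.io/pycqa/bandit/bandit:latest
fi
```

The printed `repo@sha256:…` value is what belongs in a CI config; a tag such as `latest` can be re-pointed by anyone with push access, a digest cannot.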
README.rst
Outdated
* 3.8 (py38-amd64) | ||
* 3.9 (py39-amd64) | ||
* 3.10 (py310-amd64) | ||
* 3.11 (py311-amd64) | ||
* 3.12 (py312-amd64) |
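Review bot: the tag list under the arm64/amd64 note names only amd64 tags (py38-amd64 through py312-amd64), so a reader cannot tell which arm64 tags exist or whether a multi-arch tag is published; list each supported architecture's tag or, better, one multi-arch tag per Python version. None of these tags carries the Bandit version either, so every one of them is mutable; the README should tell users who need a reproducible CI run to pin by digest (`image@sha256:…`) rather than by tag.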
tl;dr:
- We should list supported versions without tag names or with both tag names
- I would prefer we provide one version of Python (until we have an overwhelming demand for more versions) and it only be latest 3.12
- I think we need a way to manually rebuild an image with the latest version of the base image to ensure security vulnerabilities are updated/patched in the image. So we'd need something like `<bandit-version>-<image-version-starting-at-0-or-1>-py<ver>-<arch>` for best effort of providing a secure image to users

Above we say `arm64` and `amd64` but here we're only listing the x86 versions.

Further, why do we want to do this for all the different versions of Python? That seems... unnecessary. I know the AST, standard library, etc. are all different across things but the AST isn't so radically backwards incompatible that only providing an image against 3.12 would be bad.

Finally, my last concern here is that by having this many images, imagine the scenario where someone discloses a CPython vulnerability that affects everything before 3.12.(latest). If we genuinely care about what we're providing, we should be able to republish against the latest versions of the alpine images with patched CPython, but I don't think we have a good way of doing that today with this setup.
I am good with just providing 3.12
How about I remove everything save 3.12 as amd64 / arm64 arch builds?
I agree, just py3.12 is a nice choice. As for architectures, we never had to be concerned with it before, but now would need to with the base image. I guess now we might be excluding other architectures (https://wiki.alpinelinux.org/wiki/Architecture). That's probably okay, but who knows, there might be users on PPC64.
There are very few people on ppc64 for the use case we're caring about here (CI/CD that relies primarily on container images). The ppc64 people are also usually very hostile (and have harassed people out of the python community) so I'm not inclined to support them anyway.
Thanks for the review points @sigmavirus24 / @ericwb, I will round everything up in a commit tomorrow.

FYI, I believe this PR also satisfies #697
Round up on: 9e97dd2

I also had a brain fart and pushed changes over two commits, so 475408c covers the above as well.
push: true | ||
tags: ghcr.io/${{ github.repository }}/bandit:py${{ matrix.python-version }}-${{ matrix.architecture }} | ||
platforms: linux/${{ matrix.architecture }} | ||
tags: ghcr.io/${{ github.repository }}/bandit:latest |
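Review bot: the build step is shown with two `tags:` values, a per-architecture `py${{ matrix.python-version }}-${{ matrix.architecture }}` and a bare `latest`; if both are meant to survive they must be one newline-separated list under a single `tags:` key, since YAML keeps only one of duplicate keys. If `latest` alone remains, note that with `platforms: linux/${{ matrix.architecture }}` every matrix job pushes a single-platform image to the same `latest` tag, so whichever job finishes last silently overwrites the other architecture. Either build once with `platforms: linux/amd64,linux/arm64` so buildx publishes one multi-arch manifest, or keep the per-arch jobs and add a step that assembles the manifest (`docker buildx imagetools create`). The newline-separated `tags:` list is also where a date tag or the Bandit version can sit alongside `latest`.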
We can specify a list here, do we want to try to do that?
For example, we could use the current date too so that we're tagging both latest and the current date, e.g., `2024-01-08`, to help with folks wanting stable-ish tags.
I also don't see us including the version of Bandit here but maybe that's because we are using the same action on a schedule and for releases?
Oh, also, if we're doing this on a schedule like this, does that mean we're publishing the head of `main` every week? Do we want to ensure we're only publishing the last released version with the new image?
That is actually a very good point, with a schedule we end up pushing main and not a release (I am not at my best this morning!). Let me dwell on whether there is a better method for this (I am not sure there is), unless we get into trying to predict what the last release was.
I also thought it best to not use bandit releases, latest should always be usable.
I wonder, also, if we want to add labels here to the image, e.g., `git_commit=...` and `version=...` and maybe `org.pycqa.bandit.version=...` equivalents?
If we're running a schedule, could we find the latest tag, check that out and rebuild? I assume the scheduled rebuild is to address vulnerabilities in the base image like I raised as a concern?
Getting back on to this, apologies for the hiatus.

> If we're running a schedule, could we find the latest tag, check that out and rebuild? I assume the scheduled rebuild is to address vulnerabilities in the base image like I raised as a concern?

Yes, this rebuilds the entire image every Sunday at midnight. This covers off any CVEs in the base image that have collected since our last release.

I am going to push another commit now with a `workflow_dispatch`. This will allow us to manually start the action if anything particularly nasty comes out between the scheduled runs.
@sigmavirus24 / @ericwb This now has the following logic.

This way users can always take the latest image; I recommend that anyone who wants to stick to a certain version pin to the container digest.
run: | | ||
TAG=$(curl -s https://api.github.com/repos/${{ github.repository }}/releases/latest | jq -r .tag_name) | ||
echo "Latest tag is $TAG" | ||
echo "RELEASE_TAG=$TAG" >> $GITHUB_ENV |
I've never seen this construct before, is it possible that `GITHUB_ENV` does not have a terminating `\n` in it? Is that potentially something someone could exploit to publish unreleased code?
It's a pretty standard approach for setting key values in actions:
https://github.com/lukehinds/testrepo/actions/runs/7612691776/job/20730842060
https://github.com/lukehinds/testrepo/blob/main/.github/workflows/test-termination.yml
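An added example, not the PR's workflow step, of the hardening the exchange above points at: the tag fetched from the releases API is validated before it is used, and the write to `GITHUB_ENV` refuses any value containing a line break and terminates the line itself, which is what makes a `NAME=value` file unable to carry a second assignment. It assumes Bandit release tags look like `1.7.7` and that curl and jq are on PATH when `fetch_latest_tag` is actually called; the function and variable names are the example's own.

```shell
#!/usr/bin/env bash
# Added example (not the PR's workflow): resolve the latest release tag and export it
# through GITHUB_ENV without letting an unexpected value smuggle in extra variables.
# Assumptions: tags look like 1.7.7 (Bandit's tag style); curl and jq exist when
# fetch_latest_tag is run. All names here are the example's own.
set -eu

# Literal newline and carriage return, built without the trailing-newline stripping
# that command substitution would otherwise apply.
NL="$(printf '\n.')"; NL="${NL%.}"
CR="$(printf '\r.')"; CR="${CR%.}"

# Accept only a plain X.Y.Z tag. The line-break check comes first: grep is
# line-oriented, so "1.7.7<newline>EVIL=1" would otherwise pass the regexp.
is_release_tag() {
  case "$1" in *"$NL"*|*"$CR"*|"") return 1 ;; esac
  printf '%s\n' "$1" | grep -Eqx '[0-9]+\.[0-9]+\.[0-9]+'
}

# GitHub Actions parses GITHUB_ENV line by line as NAME=value, so a value with an
# embedded newline would be read as a second assignment. Refuse such values and
# always write the terminating newline ourselves, which also answers the question
# of what happens if the file does not end in "\n".
write_github_env() {
  local name value envfile
  name="$1"; value="$2"; envfile="${GITHUB_ENV:?GITHUB_ENV is not set}"
  case "$value" in
    *"$NL"*|*"$CR"*) echo "refusing $name: value contains a line break" >&2; return 1 ;;
  esac
  printf '%s=%s\n' "$name" "$value" >> "$envfile"
}

# -f makes curl fail on HTTP errors (rate limit, 404) instead of handing jq an error
# body from which it would extract the string "null". Authenticate when a token is
# available so the run is not subject to the shared unauthenticated limit.
fetch_latest_tag() {
  local url
  url="https://api.github.com/repos/$1/releases/latest"
  if [ -n "${GITHUB_TOKEN:-}" ]; then
    curl -fsS -H "Authorization: Bearer $GITHUB_TOKEN" "$url"
  else
    curl -fsS "$url"
  fi | jq -r '.tag_name'
}

# Validate, then export. A bad tag fails the step rather than reaching checkout.
export_release_tag() {
  local tag
  tag="$1"
  is_release_tag "$tag" || { echo "unexpected release tag '$tag'" >&2; return 1; }
  write_github_env RELEASE_TAG "$tag"
}

if [ "${1:-}" = "--run" ]; then
  export_release_tag "$(fetch_latest_tag "${2:-PyCQA/bandit}")"
fi
```

Run it in the workflow step as `./resolve-tag.sh --run PyCQA/bandit`; the step then fails loudly on a rate-limited API call or an odd tag instead of checking out `null`.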
uses: docker/setup-buildx-action@v3 | ||
|
||
- name: Log in to GitHub Container Registry | ||
uses: docker/login-action@v3 |
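Review bot: `docker/setup-buildx-action@v3` and `docker/login-action@v3` are pinned to mutable major-version tags, so whoever controls those tags controls code running in a job that can push to the package registry; pin every `uses:` in this file to the full commit SHA with the version in a trailing comment (`uses: docker/login-action@<sha> # v3.x.y`), which Dependabot still updates.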
Can we use hashes here? I believe the OSSF Scorecard prefers those and Dependabot will still properly send updates for them.
Sure, I will pass https://github.com/stacklok/frizbee against this
I was planning on introducing https://github.com/stacklok/minder at some point too, but we can discuss that on discord. With minder, we replace tags with digests as a remediation step.
- name: Check out the repo | ||
uses: actions/checkout@v4 | ||
with: | ||
ref: ${{ github.event_name == 'release' && github.ref || env.RELEASE_TAG }} |
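Review bot: `ref: ${{ github.event_name == 'release' && github.ref || env.RELEASE_TAG }}` relies on the tag-lookup step having run earlier in the same job; on `schedule` or `workflow_dispatch` with `env.RELEASE_TAG` empty, actions/checkout falls back to the ref that triggered the workflow, which for a schedule is the default branch, so `main` would be published as if it were a release. Fail the job before this step if `RELEASE_TAG` is empty. A tag is also a mutable pointer; after checkout, record the resolved commit (`git rev-parse HEAD`) and emit it as an image label so a published image can be traced to an exact commit.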
I wonder if after this we should set something up for adding to the docker image as a label. But we can probably do that as a fast follow to this change
jobs: | ||
build-and-publish: | ||
runs-on: ubuntu-latest | ||
permissions: |
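Review bot: the `permissions:` block is cut off here, but for a publish-and-sign job it should be exactly `contents: read`, `packages: write` and `id-token: write` (the last is what lets cosign obtain the OIDC token for keyless signing), with `permissions: {}` at workflow level so no other job inherits more. Pair it with a protected `environment:` that requires approval from a small maintainer group, as the urllib3 link in the comment that follows suggests, so that one person able to trigger `workflow_dispatch` cannot publish alone.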
Do we also want to do this in a specific environment for the project to make it harder for untrusted folks to publish? https://github.com/urllib3/urllib3/blob/8beb3502cf6c945485174d96d90f2f5e5929bcbd/.github/workflows/publish.yml#L15-L16 I believe urllib3 has it such that only a handful of the core maintainers can actually publish a release. I need to see if I can find Seth's blog post on the benefits
Sounds good. Could we take this as a follow-up?

OK to merge @ericwb?
It also removes support for the status property from the response of the GetTransaction operation. You can use the confirmationStatus and executionStatus properties to determine the status of the transaction. - api-change:`mediaconvert`: \[`botocore`] This release includes support for broadcast-mixed audio description tracks. - api-change:`neptune-graph`: \[`botocore`] Adding new APIs in SDK for Amazon Neptune Analytics. These APIs include operations to execute, cancel, list queries and get the graph summary. ### [`v1.34.32`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13432) [Compare Source](https://togithub.com/boto/boto3/compare/1.34.31...1.34.32) \======= - api-change:`cloudformation`: \[`botocore`] CloudFormation IaC generator allows you to scan existing resources in your account and select resources to generate a template for a new or existing CloudFormation stack. - api-change:`elbv2`: \[`botocore`] Update elbv2 client to latest version - api-change:`glue`: \[`botocore`] Update page size limits for GetJobRuns and GetTriggers APIs. - api-change:`ssm`: \[`botocore`] This release adds an optional Duration parameter to StateManager Associations. This allows customers to specify how long an apply-only-on-cron association execution should run. Once the specified Duration is out all the ongoing cancellable commands or automations are cancelled. ### [`v1.34.31`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13431) [Compare Source](https://togithub.com/boto/boto3/compare/1.34.30...1.34.31) \======= - api-change:`datazone`: \[`botocore`] Add new skipDeletionCheck to DeleteDomain. Add new skipDeletionCheck to DeleteProject which also automatically deletes dependent objects - api-change:`route53`: \[`botocore`] Update the SDKs for text changes in the APIs. 
### [`v1.34.30`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13430) [Compare Source](https://togithub.com/boto/boto3/compare/1.34.29...1.34.30) \======= - api-change:`autoscaling`: \[`botocore`] EC2 Auto Scaling customers who use attribute based instance-type selection can now intuitively define their Spot instances price protection limit as a percentage of the lowest priced On-Demand instance type. - api-change:`comprehend`: \[`botocore`] Comprehend PII analysis now supports Spanish input documents. - api-change:`ec2`: \[`botocore`] EC2 Fleet customers who use attribute based instance-type selection can now intuitively define their Spot instances price protection limit as a percentage of the lowest priced On-Demand instance type. - api-change:`mwaa`: \[`botocore`] This release adds MAINTENANCE environment status for Amazon MWAA environments. - api-change:`rds`: \[`botocore`] Introduced support for the InsufficientDBInstanceCapacityFault error in the RDS RestoreDBClusterFromSnapshot and RestoreDBClusterToPointInTime API methods. This provides enhanced error handling, ensuring a more robust experience. - api-change:`snowball`: \[`botocore`] Modified description of createaddress to include direction to add path when providing a JSON file. ### [`v1.34.29`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13429) [Compare Source](https://togithub.com/boto/boto3/compare/1.34.28...1.34.29) \======= - api-change:`connect`: \[`botocore`] Update list and string length limits for predefined attributes. - api-change:`inspector2`: \[`botocore`] This release adds ECR container image scanning based on their lastRecordedPullTime. - api-change:`sagemaker`: \[`botocore`] Amazon SageMaker Automatic Model Tuning now provides an API to programmatically delete tuning jobs. 
### [`v1.34.28`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13428) [Compare Source](https://togithub.com/boto/boto3/compare/1.34.27...1.34.28) \======= - api-change:`acm-pca`: \[`botocore`] AWS Private CA now supports an option to omit the CDP extension from issued certificates, when CRL revocation is enabled. - api-change:`lightsail`: \[`botocore`] This release adds support for IPv6-only instance plans. ### [`v1.34.27`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13427) [Compare Source](https://togithub.com/boto/boto3/compare/1.34.26...1.34.27) \======= - api-change:`ec2`: \[`botocore`] Introduced a new clientToken request parameter on CreateNetworkAcl and CreateRouteTable APIs. The clientToken parameter allows idempotent operations on the APIs. - api-change:`ecs`: \[`botocore`] Documentation updates for Amazon ECS. - api-change:`outposts`: \[`botocore`] DeviceSerialNumber parameter is now optional in StartConnection API - api-change:`rds`: \[`botocore`] This release adds support for Aurora Limitless Database. - api-change:`storagegateway`: \[`botocore`] Add DeprecationDate and SoftwareVersion to response of ListGateways. ### [`v1.34.26`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13426) [Compare Source](https://togithub.com/boto/boto3/compare/1.34.25...1.34.26) \======= - api-change:`inspector2`: \[`botocore`] This release adds support for CIS scans on EC2 instances. ### [`v1.34.25`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13425) [Compare Source](https://togithub.com/boto/boto3/compare/1.34.24...1.34.25) \======= - enhancement:documentation: \[`botocore`] Updates the GitHub issue creation link in our README ### [`v1.34.24`](https://togithub.com/boto/boto3/blob/HEAD/CHANGELOG.rst#13424) [Compare Source](https://togithub.com/boto/boto3/compare/1.34.23...1.34.24) \======= - api-change:`appconfigdata`: \[`botocore`] Fix FIPS Endpoints in aws-us-gov. 
- api-change:`cloud9`: \[`botocore`] Doc-only update around removing AL1 from list of available AMIs for Cloud9 - api-change:`cloudfront-keyvaluestore`: \[`botocore`] This release improves upon the DescribeKeyValueStore API by returning two additional fields, Status of the KeyValueStore and the FailureReason in case of failures during creation of KeyValueStore. - api-change:`connectcases`: \[`botocore`] This release adds the ability to view audit history on a case and introduces a new parameter, performedBy, for CreateCase and UpdateCase API's. - api-change:`ec2`: \[`botocore`] Documentation updates for Amazon EC2. - api-change:`ecs`: \[`botocore`] This release adds support for Transport Layer Security (TLS) and Configurable Timeout to ECS Service Connect. TLS facilitates privacy and data security for inter-service communications, while Configurable Timeout allows customized per-request timeout and idle timeout for Service Connect services. - api-change:`finspace`: \[`botocore`] Allow customer to set zip default through command line arguments. - api-change:`organizations`: \[`botocore`] Doc only update for quota increase change - api-change:`rds`: \[`botocore`] Introduced support for the InsufficientDBInstanceCapacityFault error in the RDS CreateDBCluster API method. This provides enhanced error handling, ensuring a more robust experience when creating database clusters with insufficient instance capacity. - api-change:`endpoint-rules`: \[`botocore`] Update endpoint-rules client to latest version </details> <details> <summary>boto/botocore (botocore)</summary> ### [`v1.34.50`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13450) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.49...1.34.50) \======= - api-change:`apigateway`: Documentation updates for Amazon API Gateway. - api-change:`drs`: Added volume status to DescribeSourceServer replicated volumes. 
- api-change:`kafkaconnect`: Adds support for tagging, with new TagResource, UntagResource and ListTagsForResource APIs to manage tags and updates to existing APIs to allow tag on create. This release also adds support for the new DeleteWorkerConfiguration API.
- api-change:`rds`: This release adds support for gp3 data volumes for Multi-AZ DB Clusters.

### [`v1.34.49`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13449) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.48...1.34.49)

- api-change:`appsync`: Documentation only updates for AppSync
- api-change:`qldb`: Clarify possible values for KmsKeyArn and EncryptionDescription.
- api-change:`rds`: Add pattern and length based validations for DBShardGroupIdentifier
- api-change:`rum`: Doc-only update for new RUM metrics that were added

### [`v1.34.48`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13448) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.47...1.34.48)

- api-change:`internetmonitor`: This release adds IPv4 prefixes to health events
- api-change:`kinesisvideo`: Increasing NextToken parameter length restriction for List APIs from 512 to 1024.

### [`v1.34.47`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13447) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.46...1.34.47)

- api-change:`iotevents`: Increase the maximum length of descriptions for Inputs, Detector Models, and Alarm Models
- api-change:`lookoutequipment`: This release adds a field exposing model quality to read APIs for models. It also adds a model quality field to the API response when creating an inference scheduler.
- api-change:`medialive`: MediaLive now supports the ability to restart pipelines in a running channel.
- api-change:`ssm`: This release adds support for sharing Systems Manager parameters with other AWS accounts.

### [`v1.34.46`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13446) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.45...1.34.46)

- api-change:`dynamodb`: Publishing quick fix for doc only update.
- api-change:`firehose`: This release updates a few Firehose related APIs.
- api-change:`lambda`: Add .NET 8 (dotnet8) Runtime support to AWS Lambda.

### [`v1.34.45`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13445) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.44...1.34.45)

- api-change:`amplify`: This release contains API changes that enable users to configure their Amplify domains with their own custom SSL/TLS certificate.
- api-change:`chatbot`: This release adds support for AWS Chatbot. You can now monitor, operate, and troubleshoot your AWS resources with interactive ChatOps using the AWS SDK.
- api-change:`config`: Documentation updates for the AWS Config CLI
- api-change:`ivs`: Changed description for latencyMode in Create/UpdateChannel and Channel/ChannelSummary.
- api-change:`keyspaces`: Documentation updates for Amazon Keyspaces
- api-change:`mediatailor`: MediaTailor: marking #AdBreak.OffsetMillis as required.

### [`v1.34.44`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13444) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.43...1.34.44)

- api-change:`connectparticipant`: Doc only update to GetTranscript API reference guide to inform users about presence of events in the chat transcript.
- api-change:`emr`: adds fine grained control over Unhealthy Node Replacement to Amazon ElasticMapReduce
- api-change:`firehose`: This release adds support for Data Message Extraction for decompressed CloudWatch logs, and to use a custom file extension or time zone for S3 destinations.
- api-change:`lambda`: Documentation-only updates for Lambda to clarify a number of existing actions and properties.
- api-change:`rds`: Doc only update for a valid option in DB parameter group
- api-change:`sns`: This release marks phone numbers as sensitive inputs.

### [`v1.34.43`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13443) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.42...1.34.43)

- api-change:`artifact`: This is the initial SDK release for AWS Artifact. AWS Artifact provides on-demand access to compliance and third-party compliance reports. This release includes access to List and Get reports, along with their metadata. This release also includes access to AWS Artifact notifications settings.
- api-change:`codepipeline`: Add ability to override timeout on action level.
- api-change:`detective`: Doc only updates for content enhancement
- api-change:`guardduty`: Marked fields IpAddressV4, PrivateIpAddress, Email as Sensitive.
- api-change:`healthlake`: This release adds a new response parameter, JobProgressReport, to the DescribeFHIRImportJob and ListFHIRImportJobs API operation. JobProgressReport provides details on the progress of the import job on the server.
- api-change:`opensearch`: Adds additional supported instance types.
- api-change:`polly`: Amazon Polly adds 1 new voice - Burcu (tr-TR)
- api-change:`sagemaker`: This release adds a new API UpdateClusterSoftware for SageMaker HyperPod. This API allows users to patch HyperPod clusters with latest platform softwares.
- api-change:`secretsmanager`: Doc only update for Secrets Manager
- api-change:`endpoint-rules`: Update endpoint-rules client to latest version

### [`v1.34.42`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13442) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.41...1.34.42)

- api-change:`controltower`: Adds support for new Baseline and EnabledBaseline APIs for automating multi-account governance.
- api-change:`lookoutequipment`: This feature allows customers to see pointwise model diagnostics results for their models.
- api-change:`qbusiness`: This release adds the metadata-boosting feature, which allows customers to easily fine-tune the underlying ranking of retrieved RAG passages in order to optimize Q&A answer relevance. It also adds new feedback reasons for the PutFeedback API.

### [`v1.34.41`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13441) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.40...1.34.41)

- bugfix:ContainerProvider: Properly refreshes token from file from EKS in ContainerProvider
- api-change:`lightsail`: This release adds support to upgrade the major version of a database.
- api-change:`marketplace-catalog`: AWS Marketplace Catalog API now supports setting intent on requests
- api-change:`resource-explorer-2`: Resource Explorer now uses newly supported IPv4 'amazonaws.com' endpoints by default.
- api-change:`securitylake`: Documentation updates for Security Lake
- api-change:`endpoint-rules`: Update endpoint-rules client to latest version

### [`v1.34.40`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13440) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.39...1.34.40)

- api-change:`appsync`: Adds support for new options on GraphqlAPIs, Resolvers and Data Sources for emitting Amazon CloudWatch metrics for enhanced monitoring of AppSync APIs.
- api-change:`cloudwatch`: Update cloudwatch client to latest version
- api-change:`neptune-graph`: Adding a new option "parameters" for data plane api ExecuteQuery to support running parameterized query via SDK.
- api-change:`route53domains`: This release adds bill contact support for RegisterDomain, TransferDomain, UpdateDomainContact and GetDomainDetail API.

### [`v1.34.39`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13439) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.38...1.34.39)

- api-change:`amp`: Overall documentation updates.
- api-change:`batch`: This feature allows Batch to support configuration of repository credentials for jobs running on ECS
- api-change:`braket`: Creating a job will result in DeviceOfflineException when using an offline device, and DeviceRetiredException when using a retired device.
- api-change:`cost-optimization-hub`: Adding includeMemberAccounts field to the response of ListEnrollmentStatuses API.
- api-change:`ecs`: Documentation only update for Amazon ECS.
- api-change:`iot`: This release allows AWS IoT Core users to enable Online Certificate Status Protocol (OCSP) Stapling for TLS X.509 Server Certificates when creating and updating AWS IoT Domain Configurations with Custom Domain.
- api-change:`pricing`: Add Throttling Exception to all APIs.

### [`v1.34.38`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13438) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.37...1.34.38)

- api-change:`codepipeline`: Add ability to execute pipelines with new parallel & queued execution modes and add support for triggers with filtering on branches and file paths.
- api-change:`quicksight`: General Interactions for Visuals; Waterfall Chart Color Configuration; Documentation Update
- api-change:`workspaces`: This release introduces User-Decoupling feature. This feature allows Workspaces Core customers to provision workspaces without providing users. CreateWorkspaces and DescribeWorkspaces APIs will now take a new optional parameter "WorkspaceName".

### [`v1.34.37`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13437) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.36...1.34.37)

- api-change:`datasync`: AWS DataSync now supports manifests for specifying files or objects to transfer.
- api-change:`lexv2-models`: Update lexv2-models client to latest version
- api-change:`redshift`: LisRecommendations API to fetch Amazon Redshift Advisor recommendations.

### [`v1.34.36`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13436) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.35...1.34.36)

- api-change:`appsync`: Support for environment variables in AppSync GraphQL APIs
- api-change:`ecs`: This release is a documentation only update to address customer issues.
- api-change:`es`: This release adds clear visibility to the customers on the changes that they make on the domain.
- api-change:`logs`: This release adds a new field, logGroupArn, to the response of the logs:DescribeLogGroups action.
- api-change:`opensearch`: This release adds clear visibility to the customers on the changes that they make on the domain.
- api-change:`wafv2`: You can now delete an API key that you've created for use with your CAPTCHA JavaScript integration API.

### [`v1.34.35`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13435) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.34...1.34.35)

- api-change:`glue`: Introduce Catalog Encryption Role within Glue Data Catalog Settings. Introduce SASL/PLAIN as an authentication method for Glue Kafka connections
- api-change:`workspaces`: Added definitions of various WorkSpace states

### [`v1.34.34`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13434) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.33...1.34.34)

- api-change:`dynamodb`: Any number of users can execute up to 50 concurrent restores (any type of restore) in a given account.
- api-change:`sagemaker`: Amazon SageMaker Canvas adds GenerativeAiSettings support for CanvasAppSettings.
- api-change:`endpoint-rules`: Update endpoint-rules client to latest version

### [`v1.34.33`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13433) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.32...1.34.33)

- api-change:`cognito-idp`: Added CreateIdentityProvider and UpdateIdentityProvider details for new SAML IdP features
- api-change:`ivs`: This release introduces a new resource Playback Restriction Policy which can be used to geo-restrict or domain-restrict channel stream playback when associated with a channel. New APIs to support this resource were introduced in the form of Create/Delete/Get/Update/List.
- api-change:`managedblockchain-query`: This release adds support for transactions that have not reached finality. It also removes support for the status property from the response of the GetTransaction operation. You can use the confirmationStatus and executionStatus properties to determine the status of the transaction.
- api-change:`mediaconvert`: This release includes support for broadcast-mixed audio description tracks.
- api-change:`neptune-graph`: Adding new APIs in SDK for Amazon Neptune Analytics. These APIs include operations to execute, cancel, list queries and get the graph summary.

### [`v1.34.32`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13432) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.31...1.34.32)

- api-change:`cloudformation`: CloudFormation IaC generator allows you to scan existing resources in your account and select resources to generate a template for a new or existing CloudFormation stack.
- api-change:`elbv2`: Update elbv2 client to latest version
- api-change:`glue`: Update page size limits for GetJobRuns and GetTriggers APIs.
- api-change:`ssm`: This release adds an optional Duration parameter to StateManager Associations. This allows customers to specify how long an apply-only-on-cron association execution should run. Once the specified Duration is out all the ongoing cancellable commands or automations are cancelled.

### [`v1.34.31`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13431) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.30...1.34.31)

- api-change:`datazone`: Add new skipDeletionCheck to DeleteDomain. Add new skipDeletionCheck to DeleteProject which also automatically deletes dependent objects
- api-change:`route53`: Update the SDKs for text changes in the APIs.

### [`v1.34.30`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13430) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.29...1.34.30)

- api-change:`autoscaling`: EC2 Auto Scaling customers who use attribute based instance-type selection can now intuitively define their Spot instances price protection limit as a percentage of the lowest priced On-Demand instance type.
- api-change:`comprehend`: Comprehend PII analysis now supports Spanish input documents.
- api-change:`ec2`: EC2 Fleet customers who use attribute based instance-type selection can now intuitively define their Spot instances price protection limit as a percentage of the lowest priced On-Demand instance type.
- api-change:`mwaa`: This release adds MAINTENANCE environment status for Amazon MWAA environments.
- api-change:`rds`: Introduced support for the InsufficientDBInstanceCapacityFault error in the RDS RestoreDBClusterFromSnapshot and RestoreDBClusterToPointInTime API methods. This provides enhanced error handling, ensuring a more robust experience.
- api-change:`snowball`: Modified description of createaddress to include direction to add path when providing a JSON file.

### [`v1.34.29`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13429) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.28...1.34.29)

- api-change:`connect`: Update list and string length limits for predefined attributes.
- api-change:`inspector2`: This release adds ECR container image scanning based on their lastRecordedPullTime.
- api-change:`sagemaker`: Amazon SageMaker Automatic Model Tuning now provides an API to programmatically delete tuning jobs.

### [`v1.34.28`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13428) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.27...1.34.28)

- api-change:`acm-pca`: AWS Private CA now supports an option to omit the CDP extension from issued certificates, when CRL revocation is enabled.
- api-change:`lightsail`: This release adds support for IPv6-only instance plans.

### [`v1.34.27`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13427) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.26...1.34.27)

- api-change:`ec2`: Introduced a new clientToken request parameter on CreateNetworkAcl and CreateRouteTable APIs. The clientToken parameter allows idempotent operations on the APIs.
- api-change:`ecs`: Documentation updates for Amazon ECS.
- api-change:`outposts`: DeviceSerialNumber parameter is now optional in StartConnection API
- api-change:`rds`: This release adds support for Aurora Limitless Database.
- api-change:`storagegateway`: Add DeprecationDate and SoftwareVersion to response of ListGateways.

### [`v1.34.26`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13426) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.25...1.34.26)

- api-change:`inspector2`: This release adds support for CIS scans on EC2 instances.

### [`v1.34.25`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13425) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.24...1.34.25)

- enhancement:documentation: Updates the GitHub issue creation link in our README

### [`v1.34.24`](https://togithub.com/boto/botocore/blob/HEAD/CHANGELOG.rst#13424) [Compare Source](https://togithub.com/boto/botocore/compare/1.34.23...1.34.24)

- api-change:`appconfigdata`: Fix FIPS Endpoints in aws-us-gov.
- api-change:`cloud9`: Doc-only update around removing AL1 from list of available AMIs for Cloud9
- api-change:`cloudfront-keyvaluestore`: This release improves upon the DescribeKeyValueStore API by returning two additional fields, Status of the KeyValueStore and the FailureReason in case of failures during creation of KeyValueStore.
- api-change:`connectcases`: This release adds the ability to view audit history on a case and introduces a new parameter, performedBy, for CreateCase and UpdateCase API's.
- api-change:`ec2`: Documentation updates for Amazon EC2.
- api-change:`ecs`: This release adds support for Transport Layer Security (TLS) and Configurable Timeout to ECS Service Connect. TLS facilitates privacy and data security for inter-service communications, while Configurable Timeout allows customized per-request timeout and idle timeout for Service Connect services.
- api-change:`finspace`: Allow customer to set zip default through command line arguments.
- api-change:`organizations`: Doc only update for quota increase change
- api-change:`rds`: Introduced support for the InsufficientDBInstanceCapacityFault error in the RDS CreateDBCluster API method. This provides enhanced error handling, ensuring a more robust experience when creating database clusters with insufficient instance capacity.
- api-change:`endpoint-rules`: Update endpoint-rules client to latest version

</details>

<details>
<summary>nedbat/coveragepy (coverage)</summary>

### [`v7.4.3`](https://togithub.com/nedbat/coveragepy/blob/HEAD/CHANGES.rst#Version-743--2024-02-23) [Compare Source](https://togithub.com/nedbat/coveragepy/compare/7.4.2...7.4.3)

- Fix: in some cases, coverage could fail with a RuntimeError: "Set changed size during iteration." This is now fixed, closing [issue 1733](https://togithub.com/nedbat/coveragepy/issues/1733).

### [`v7.4.2`](https://togithub.com/nedbat/coveragepy/blob/HEAD/CHANGES.rst#Version-742--2024-02-20) [Compare Source](https://togithub.com/nedbat/coveragepy/compare/7.4.1...7.4.2)

- Fix: setting `COVERAGE_CORE=sysmon` no longer errors on 3.11 and lower, thanks Hugo van Kemenade ([pull 1747](https://togithub.com/nedbat/coveragepy/pull/1747)). It now issues a warning that sys.monitoring is not available and falls back to the default core instead.

### [`v7.4.1`](https://togithub.com/nedbat/coveragepy/blob/HEAD/CHANGES.rst#Version-741--2024-01-26) [Compare Source](https://togithub.com/nedbat/coveragepy/compare/7.4.0...7.4.1)

- Python 3.13.0a3 is supported.
- Fix: the JSON report now includes an explicit format version number, closing [issue 1732](https://togithub.com/nedbat/coveragepy/issues/1732).

</details>

<details>
<summary>marshmallow-code/marshmallow (marshmallow)</summary>

### [`v3.21.0`](https://togithub.com/marshmallow-code/marshmallow/compare/3.20.2...3.21.0) [Compare Source](https://togithub.com/marshmallow-code/marshmallow/compare/3.20.2...3.21.0)

</details>

<details>
<summary>getmoto/moto (moto)</summary>

### [`v4.2.14`](https://togithub.com/getmoto/moto/blob/HEAD/CHANGELOG.md#4214) [Compare Source](https://togithub.com/getmoto/moto/compare/4.2.13...4.2.14)

Docker Digest for 4.2.14: *sha256:2fa10aa48e32f85c63c62a7d437b8a4b320a56a8494bc25d45ced370bc159c23*

New Services:
* Backup:
  * create_backup_plan()
  * create_backup_vault()
  * get_backup_plan()
  * describe_backup_vault()
  * delete_backup_plan()
  * list_backup_plans()
  * list_backup_vaults()
  * list_tags()
  * tag_resource()
  * untag_resource()

New Methods:
* RDS:
  * describe_db_cluster_snapshot_attributes()
  * describe_db_snapshot_attributes()
  * modify_db_cluster_snapshot_attribute()
  * modify_db_snapshot_attribute()
  * restore_db_instance_to_point_in_time()
* SageMaker:
  * create_feature_group()
* SageMakerRuntime:
  * invoke_endpoint_async()

Miscellaneous:
* Cognito: The ID-token now contains custom attributes
* DynamoDB: query() now returns the correct ScannedCount
* EC2: Security Group Rules now have tag support
* LakeFormation: grant_permissions() now has better support for known principal-resource pairs
* SNS: set_subscription_attributes() can now unset the FilterPolicy

</details>

<details>
<summary>psycopg/psycopg (psycopg)</summary>

### [`v3.1.18`](https://togithub.com/psycopg/psycopg/compare/3.1.17...3.1.18) [Compare Source](https://togithub.com/psycopg/psycopg/compare/3.1.17...3.1.18)

</details>

<details>
<summary>pydantic/pydantic (pydantic)</summary>

### [`v2.6.2`](https://togithub.com/pydantic/pydantic/blob/HEAD/HISTORY.md#v262-2024-02-23) [Compare Source](https://togithub.com/pydantic/pydantic/compare/v2.6.1...v2.6.2)

[GitHub release](https://togithub.com/pydantic/pydantic/releases/tag/v2.6.2)

##### What's Changed

##### Packaging

- Upgrade to `pydantic-core` 2.16.3 by [@​sydney-runkle](https://togithub.com/sydney-runkle) in [#​8879](https://togithub.com/pydantic/pydantic/pull/8879)

##### Fixes

- 'YYYY-MM-DD' date string coerced to datetime shouldn't infer timezone by [@​sydney-runkle](https://togithub.com/sydney-runkle) in [pydantic/pydantic-core#1193](https://togithub.com/pydantic/pydantic-core/pull/1193)

### [`v2.6.1`](https://togithub.com/pydantic/pydantic/blob/HEAD/HISTORY.md#v261-2024-02-05) [Compare Source](https://togithub.com/pydantic/pydantic/compare/v2.6.0...v2.6.1)

[GitHub release](https://togithub.com/pydantic/pydantic/releases/tag/v2.6.1)

##### What's Changed

##### Packaging

- Upgrade to `pydantic-core` 2.16.2 by [@​sydney-runkle](https://togithub.com/sydney-runkle) in [#​8717](https://togithub.com/pydantic/pydantic/pull/8717)

##### Fixes

- Fix bug with `mypy` plugin and `no_strict_optional = True` by [@​dmontagu](https://togithub.com/dmontagu) in [#​8666](https://togithub.com/pydantic/pydantic/pull/8666)
- Fix `ByteSize` error `type` change by [@​sydney-runkle](https://togithub.com/sydney-runkle) in [#​8681](https://togithub.com/pydantic/pydantic/pull/8681)
- Fix inheriting `Field` annotations in dataclasses by [@​sydney-runkle](https://togithub.com/sydney-runkle) in [#​8679](https://togithub.com/pydantic/pydantic/pull/8679)
- Fix regression in core schema generation for indirect definition references by [@​dmontagu](https://togithub.com/dmontagu) in [#​8702](https://togithub.com/pydantic/pydantic/pull/8702)
- Fix unsupported types bug with `PlainValidator` by [@​sydney-runkle](https://togithub.com/sydney-runkle) in [#​8710](https://togithub.com/pydantic/pydantic/pull/8710)
- Reverting problematic fix from 2.6 release, fixing schema building bug by [@​sydney-runkle](https://togithub.com/sydney-runkle) in [#​8718](https://togithub.com/pydantic/pydantic/pull/8718)
- Fix warning for tuple of wrong size in `Union` by [@​davidhewitt](https://togithub.com/davidhewitt) in [pydantic/pydantic-core#1174](https://togithub.com/pydantic/pydantic-core/pull/1174)
- Fix `computed_field` JSON serializer `exclude_none` behavior by [@​sydney-runkle](https://togithub.com/sydney-runkle) in [pydantic/pydantic-core#1187](https://togithub.com/pydantic/pydantic-core/pull/1187)

### [`v2.6.0`](https://togithub.com/pydantic/pydantic/blob/HEAD/HISTORY.md#v260-2024-01-23) [Compare Source](https://togithub.com/pydantic/pydantic/compare/v2.5.3...v2.6.0)

[GitHub release](https://togithub.com/pydantic/pydantic/releases/tag/v2.6.0)

The code released in v2.6.0 is practically identical to that of v2.6.0b1.

##### What's Changed

##### Packaging

- Check for `email-validator` version >= 2.0 by [@​commonism](https://togithub.com/commonism) in [#​6033](https://togithub.com/pydantic/pydantic/pull/6033)
- Upgrade `ruff` target version to Python 3.8 by [@​Elkiwa](https://togithub.com/Elkiwa) in [#​8341](https://togithub.com/pydantic/pydantic/pull/8341)
- Update to `pydantic-extra-types==2.

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "on the 2nd and 4th day instance on sunday after 9pm" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://togithub.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/HHS/simpler-grants-gov).
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Folks are using various bandit images kindly built by others, but we should really start providing our own. Should a different container image hosted elsewhere be subjected to some sort of attack (maintainer takeover), this could lead to some serious problems for those using Bandit.
This PR includes an action to build, publish (to ghcr.io) and sign the image using sigstore cosign, upon a release of bandit (it will work alongside pip publish). Users can verify via sigstore that the source of origin for these images was the official repo.
You can see an example of this below, where I tested the action in my own test fork (bandit-test):
https://search.sigstore.dev/?logIndex=61918446
Closes: #1087
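As an added illustration of the release-triggered build, publish and keyless-sign flow the description refers to, here is an example GitHub Actions workflow. It is not the workflow from this PR or from the Bandit project; it assumes a `Dockerfile` at the repository root, an image named after the repository under `ghcr.io`, and the public Sigstore instance (Fulcio and Rekor) that cosign uses by default. The final step shows the same `cosign verify` invocation a consumer would run locally.

```yaml
# Added example (not the PR's own action): build from source on a published
# release, push to ghcr.io, sign keylessly with cosign, then verify.
# Assumptions: Dockerfile at repo root; image name ghcr.io/<owner>/<repo>.
name: Publish signed container image

on:
  release:
    types: [published]

permissions:
  contents: read      # checkout only
  packages: write     # push to ghcr.io
  id-token: write     # OIDC token that Fulcio exchanges for a signing cert

jobs:
  build-sign:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Tags: the release version (from the git tag) plus "latest".
      - id: meta
        uses: docker/metadata-action@v5
        with:
          images: ghcr.io/${{ github.repository }}
          tags: |
            type=semver,pattern={{version}}
            type=raw,value=latest

      - id: build
        uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          provenance: false   # push a plain image manifest, easier to sign by digest

      - uses: sigstore/cosign-installer@v3

      # Sign the digest, not the tag: tags are mutable, the digest is not.
      # With --yes cosign uses the job's OIDC token and records the signature
      # in the Rekor transparency log (the kind of entry the description links to).
      - name: Sign image (keyless)
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
          TAGS: ${{ steps.meta.outputs.tags }}
        run: |
          set -euo pipefail
          for tag in $TAGS; do
            cosign sign --yes "${tag}@${DIGEST}"
          done

      # Consumer-side check: the certificate identity must be a workflow in
      # this repository and the issuer must be GitHub Actions. A signature made
      # by any other repository's workflow fails this check.
      - name: Verify signature
        env:
          DIGEST: ${{ steps.build.outputs.digest }}
          TAGS: ${{ steps.meta.outputs.tags }}
        run: |
          set -euo pipefail
          for tag in $TAGS; do
            cosign verify \
              --certificate-oidc-issuer https://token.actions.githubusercontent.com \
              --certificate-identity-regexp "^https://github.com/${{ github.repository }}/" \
              "${tag}@${DIGEST}"
          done
```

Two design points: signing and verifying by digest rather than by tag means a later re-push of the same tag does not inherit the signature, and pinning both the OIDC issuer and the identity regexp on verify is what ties the image to this repository's workflow rather than to "some GitHub workflow somewhere". Users running the verify command locally need only the image reference and those two flags; cosign fetches the certificate and Rekor entry itself.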