Skip to content

Bump aws-actions/configure-aws-credentials from 6.1.1 to 6.1.3#369

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/aws-actions/configure-aws-credentials-6.1.3
Open

Bump aws-actions/configure-aws-credentials from 6.1.1 to 6.1.3#369
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/github_actions/aws-actions/configure-aws-credentials-6.1.3

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Jun 4, 2026
edited by cursor Bot
Loading

Bumps aws-actions/configure-aws-credentials from 6.1.1 to 6.1.3.

Release notes

Sourced from aws-actions/configure-aws-credentials's releases.

v6.1.3

6.1.3 (2026-05-27)

Bug Fixes

v6.1.2

6.1.2 (2026-05-26)

Bug Fixes

Changelog

Sourced from aws-actions/configure-aws-credentials's changelog.

6.1.3 (2026-05-28)

Bug Fixes

  • fix: allow kubelet token symlink in #1805

6.1.2 (2026-05-26)

Bug Fixes

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Single Dependabot pin bump on a GitHub Action; no changes to IAM role, secrets, or upload logic in this repo.

Overview
Updates the release upload job in build-riscv64.yml so the Configure AWS credentials step uses aws-actions/configure-aws-credentials@v6.1.3 instead of v6.1.1. The assumed IAM role and region are unchanged; only the action version moves forward (upstream patch fixes for credential/filesystem handling).

Reviewed by Cursor Bugbot for commit a64fdb2. Bugbot is set up for automated code reviews on this repo. Configure here.

@dependabot
Bump aws-actions/configure-aws-credentials from 6.1.1 to 6.1.3
a64fdb2 
Bumps [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) from 6.1.1 to 6.1.3.
- [Release notes](https://github.com/aws-actions/configure-aws-credentials/releases)
- [Changelog](https://github.com/aws-actions/configure-aws-credentials/blob/main/CHANGELOG.md)
- [Commits](aws-actions/configure-aws-credentials@v6.1.1...v6.1.3)

---
updated-dependencies:
- dependency-name: aws-actions/configure-aws-credentials
  dependency-version: 6.1.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added Changed Required label for PR that categorizes merge commit message as "Changed" for changelog dependencies Pull requests that update a dependency file github_actions Pull requests that update Github_actions code labels Jun 4, 2026
@github-actions
Copy link
Copy Markdown

github-actions Bot commented Jun 4, 2026

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Reviewing how the action is used in this repo and inspecting upstream changes between 6.1.1 and 6.1.3.
Verdict: benign

This is a routine patch bump of the official AWS-maintained action. The PR only changes the version pin in .github/workflows/build-riscv64.yml (6.1.16.1.3).

Upstream changes (v6.1.1 → v6.1.3) are security hardening, not compromise indicators

  • 6.1.2: Adds symlink-aware file I/O (readFileUtf8, writeFileUtf8, mkdir) with O_NOFOLLOW to block symlink-based credential/profile reads.
  • 6.1.3: Adds a narrow allowlist for Kubernetes kubelet projected service-account token paths (/var/run/secrets/*/serviceaccount/token), where symlinks are expected.
  • Changes are covered by unit tests in test/helpers.test.ts (symlink refusal, kubelet allowlist, path normalization).
  • No new preinstall/postinstall/install scripts in package.json; runtime scripts remain build/lint/test only.

Checklist — no malicious signals

Category Result
Obfuscation (eval, exec, base64 payloads, shell spawn) None in src/
Unexpected network/exfil hosts None added; action still talks to AWS STS as designed
Unicode/GlassWorm Scanner: 0 unicode, 0 confusable, 0 IOC
Typosquatting Legitimate aws-actions/configure-aws-credentials repo with matching tags v6.1.1v6.1.3
Suspicious lifecycle scripts None
Unexpected workflow changes in consumer PR Only the version pin in build-riscv64.yml

Malware scanner (warn) — false positives

The scanner’s 945 heuristic hits disagree with a malicious interpretation:

  • codepoint_decoder on charCodeAt() in bundled dist/*.js — normal HTTP/URL parsing in esbuild output, not hidden payload assembly.
  • credential_exfil_indicator on CHANGELOG lines like “kubelet token symlink” — keyword + GitHub URL false match.
  • maintainer_drift on 6.1.1→6.1.3 — expected for any version bump of an official action.

Dependency integrity

  • Patch semver within v6; tags resolve correctly (d979d5b = v6.1.1, 99214aa = v6.1.3).
  • Lockfile changes are routine @aws-sdk/* and dev-tool bumps; large dist/index.js churn is expected for this bundled action.
  • Publisher remains AWS (Amazon.com, Inc. or its affiliates).

Recommendation: Approve from a supply-chain perspective. The update hardens filesystem handling and is appropriate for your release workflow that assumes an AWS role via OIDC. CI passing on build-riscv64.yml is sufficient validation for this consumer repo.

Compatibility Analysis

I'll locate every use of configure-aws-credentials in this repo and compare it to what changed upstream between 6.1.1 and 6.1.3.

Compatibility & adoption analysis

1) Where it’s used

Single usage site in this repo (excluding vendored .upstream-dependency):

File Version Context
.github/workflows/build-riscv64.yml 6.1.16.1.3 upload job, release-only AWS auth before S3 wheel upload 
      - name: Configure AWS credentials
        if: env.RELEASE == 'true'
        uses: aws-actions/configure-aws-credentials@v6.1.3
        with:
          role-to-assume: arn:aws:iam::${{ secrets.CHIA_AWS_ACCOUNT_ID }}:role/installer-upload
          aws-region: us-west-2

No other .github/workflows/* files reference this action. Not used in application/library code.

Usage pattern: GitHub OIDC (permissions: id-token: write) + role-to-assume. No web-identity-token-file, aws-profile, static keys, or role chaining.

2) Intersection with upstream changes (6.1.1 → 6.1.3)

Release Change Touches your usage?
6.1.2 Symlink-aware file I/O (O_NOFOLLOW) in readFileUtf8 / writeFileUtf8 / mkdir for credential/profile/token file reads No — OIDC token comes from GitHub Actions, not filesystem
6.1.3 Allowlist for kubelet projected SA token symlinks at /var/run/secrets/*/serviceaccount/token No — not EKS/kubelet; standard GHA runner

Upstream diff shows no changes to action.yml inputs or the main OIDC entry path between these tags. Changed files: src/helpers.ts, src/assumeRole.ts (web-identity-token-file path only), src/profileManager.ts.

3) Risks / unknowns

  • Low functional risk: Patch bump; your inputs are unchanged; changed code paths are not exercised by this workflow.
  • Validation gap: The AWS step runs only when env.RELEASE == 'true'. PR CI will not hit it unless a release is published — merge confidence rests on upstream tests + unchanged OIDC contract.
  • Security upside: 6.1.2 hardens against symlink-based credential reads; neutral for your OIDC flow.
  • No build impact: CI-only dependency; no effect on chiavdf wheels/binaries.

4) Recommendation: merge

Routine patch bump of the official AWS-maintained action. Single-line pin change, no API/input changes, and your OIDC + role-to-assume usage does not intersect the filesystem/kubelet fixes. Safe to merge; optional post-merge check on the next release publish that the upload job completes S3 upload successfully.

Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 14
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 1
  • Resolved upstream range: d979d5b3a71173a29b74b5b88418bfda9437d885..99214aa6889fcddfa57764031d71add364327e59
  • Resolved refs: from=d979d5b3a71173a29b74b5b88418bfda9437d885 to=99214aa6889fcddfa57764031d71add364327e59
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 945

Top findings

  • dist/cleanup/index.js:844 codepoint_decoder :: const code = this.code = key.charCodeAt(index);
  • dist/cleanup/index.js:866 codepoint_decoder :: const code = key.charCodeAt(index);
  • dist/cleanup/index.js:1350 codepoint_decoder :: if (!isTokenCharCode(characters.charCodeAt(i))) {
  • dist/cleanup/index.js:2814 codepoint_decoder :: for (let i = "A".charCodeAt(0); i <= "Z".charCodeAt(0); i++) {
  • dist/cleanup/index.js:3420 codepoint_decoder :: if (data.charCodeAt(dataLength - 1) === 61) {
  • dist/cleanup/index.js:3422 codepoint_decoder :: if (data.charCodeAt(dataLength - 1) === 61) {
  • dist/cleanup/index.js:3502 codepoint_decoder :: while (lead < str.length && predicate(str.charCodeAt(lead))) lead++;
  • dist/cleanup/index.js:3505 codepoint_decoder :: while (trail > 0 && predicate(str.charCodeAt(trail))) trail--;
  • dist/cleanup/index.js:3869 codepoint_decoder :: if (x.charCodeAt(index) > 255) {
  • dist/cleanup/index.js:3871 codepoint_decoder :: Cannot convert argument to a ByteString because the character at index ${index} has a value of ${x.charCodeAt(index)} which is greater than 255.
  • dist/cleanup/index.js:4043 codepoint_decoder :: const code = url.charCodeAt(i);
  • dist/cleanup/index.js:4069 codepoint_decoder :: const c = statusText.charCodeAt(i);
  • dist/cleanup/index.js:4623 codepoint_decoder :: if (data.charCodeAt(position.position) !== 61) {
  • dist/cleanup/index.js:4636 codepoint_decoder :: const code = char.charCodeAt(0);
  • dist/cleanup/index.js:4650 codepoint_decoder :: if (data.charCodeAt(position.position) !== 45) {
  • dist/cleanup/index.js:4663 codepoint_decoder :: const code = char.charCodeAt(0);
  • dist/cleanup/index.js:4762 codepoint_decoder :: if (input.charCodeAt(position.position) === 34) {
  • dist/cleanup/index.js:4771 codepoint_decoder :: assert(input.charCodeAt(position.position) === 44);
  • dist/cleanup/index.js:5110 codepoint_decoder :: if ((chars.charCodeAt(i) & ~127) !== 0) {
  • dist/cleanup/index.js:5122 codepoint_decoder :: const cp = boundary.charCodeAt(i);

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Changed Required label for PR that categorizes merge commit message as "Changed" for changelog dependencies Pull requests that update a dependency file github_actions Pull requests that update Github_actions code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants