Merge branch 'fix/security-and-pipeline-fix' into 'develop'

fix: security findings and pipeline BDA cleanup

See merge request genaiic-reusable-assets/engagement-artifacts/genaiic-idp-accelerator!594

Author: rstrahan

.github/workflows/developer-tests.yml

@@ -28,7 +28,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
         with:
           fetch-depth: 0 # Fetch all history for git diff in typecheck-pr
 
@@ -89,7 +89,7 @@ jobs:
         continue-on-error: false
 
       - name: Upload coverage reports
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2
         if: always() && steps.run-tests.outcome != 'skipped'
         with:
           name: test-reports
@@ -99,15 +99,15 @@ jobs:
           retention-days: 7
 
       - name: Publish test results
-        uses: EnricoMi/publish-unit-test-result-action@v2
+        uses: EnricoMi/publish-unit-test-result-action@c950f6fb443cb5af20a377fd0dfaa78838901040  # v2.23.0
         if: always() && hashFiles('lib/idp_common_pkg/test-reports/test-results.xml') != ''
         with:
           files: lib/idp_common_pkg/test-reports/test-results.xml
           check_name: Test Results
           comment_mode: off  # Disable PR comments to avoid permission issues on fork PRs
 
       - name: Code Coverage Report
-        uses: irongut/CodeCoverageSummary@v1.3.0
+        uses: irongut/CodeCoverageSummary@51cc3a756ddcd398d447c044c02cb6aa83fdae95  # v1.3.0
         if: always() && hashFiles('lib/idp_common_pkg/test-reports/coverage.xml') != ''
         with:
           filename: lib/idp_common_pkg/test-reports/coverage.xml

Makefile

@@ -371,10 +371,7 @@ docs-deploy: docs-build ## Deploy docs to GitHub Pages (from local build)
 
 ##@ Security (DSR)
 dsr: ## Run full DSR workflow (setup → scan → optional fix)
-	@if [ ! -f .dsr/dsr ]; then \
-		echo "DSR not found, running setup..."; \
-		$(MAKE) dsr-setup; \
-	fi
+	@$(MAKE) dsr-setup
 	@$(MAKE) dsr-scan
 	@echo ""
 	@echo "Do you want to run DSR fix? (y/N):"

lib/idp_sdk/idp_sdk/_core/stack.py

@@ -1982,14 +1982,34 @@ def is_resource_orphaned(check_stack_name: str) -> bool:
             except Exception as e:
                 logger.warning(f"Failed to cleanup IAM custom policies: {e}")
 
-            # Clean up BDA blueprints associated with this stack
+            # Clean up BDA projects and blueprints associated with this stack
             try:
                 bda_client = boto3.client(
                     "bedrock-data-automation", region_name=self.region
                 )
+
+                # Delete BDA projects first (blueprints are referenced by projects)
+                try:
+                    for p in bda_client.list_data_automation_projects().get(
+                        "projects", []
+                    ):
+                        if p.get("projectName", "").startswith(f"{stack_name}-"):
+                            try:
+                                bda_client.delete_data_automation_project(
+                                    projectArn=p["projectArn"]
+                                )
+                                logger.info(f"Deleted BDA project: {p['projectName']}")
+                            except Exception as proj_error:
+                                logger.warning(
+                                    f"Failed to delete BDA project {p['projectName']}: {proj_error}"
+                                )
+                except Exception as e:
+                    logger.warning(f"Failed to cleanup BDA projects: {e}")
+
+                # Delete blueprints (versions first, then base)
                 paginator = bda_client.get_paginator("list_blueprints")
                 deleted_count = 0
-                for page in paginator.paginate(blueprintStage="LIVE"):
+                for page in paginator.paginate(blueprintStageFilter="LIVE"):
                     for blueprint in page.get("blueprints", []):
                         bp_name = blueprint.get("blueprintName", "")
                         bp_arn = blueprint.get("blueprintArn", "")
@@ -1998,6 +2018,12 @@ def is_resource_orphaned(check_stack_name: str) -> bool:
                             continue
                         if bp_name.startswith(f"{stack_name}-"):
                             try:
+                                try:
+                                    bda_client.delete_blueprint(
+                                        blueprintArn=bp_arn, blueprintVersion="1"
+                                    )
+                                except Exception:
+                                    pass
                                 bda_client.delete_blueprint(blueprintArn=bp_arn)
                                 deleted_count += 1
                                 logger.info(f"Deleted BDA blueprint: {bp_name}")