chore(deps): update all dependencies

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change	Age	Confidence
actions/checkout (changelog)	action	digest	de0fac2 → df4cb1c
actions/checkout	action	patch	v6.0.2 → v6.0.3
actions/stale (changelog)	action	digest	b5d41d4 → eb5cf3a
aws (source)	required_provider	minor	6.44.0 → 6.49.0
boto3		patch	==1.43.6 → ==1.43.25
botocore		patch	==1.43.6 → ==1.43.25
github/codeql-action	action	minor	v4.35.4 → v4.36.2
local (source)	required_provider	minor	2.8.0 → 2.9.0
oxsecurity/megalinter	action	minor	v9.4.0 → v9.5.0
random (source)	required_provider	minor	3.8.0 → 3.9.0
tls (source)	required_provider	minor	4.2.1 → 4.3.0

---

Release Notes

actions/checkout (actions/checkout)

v6.0.3

Compare Source

• Fix checkout init for SHA-256 repositories by @​yaananth in #​2439
• fix: expand merge commit SHA regex and add SHA-256 test cases by @​yaananth in #​2414

hashicorp/terraform-provider-aws (aws)

v6.49.0

Compare Source

ENHANCEMENTS:

• data-source/aws_opensearch_domain: Add advanced_security_options.jwt_options.jwks_url attribute (#​48146)
• data-source/aws_opensearchserverless_collection_group: Add generation attribute (#​48125)
• resource/aws_bedrockagentcore_gateway: Add protocol_configuration.mcp.session_configuration block (#​48179)
• resource/aws_bedrockagentcore_gateway: Add protocol_configuration.mcp.streaming_configuration block (#​48179)
• resource/aws_cloudfront_function: Add tags and tags_all arguments (#​47916)
• resource/aws_opensearch_domain: Add advanced_security_options.jwt_options.jwks_url argument (#​48146)
• resource/aws_opensearchserverless_collection_group: Add generation argument (#​48125)

BUG FIXES:

• resource/aws_bedrockagentcore_gateway_target: Fix runtime error: slice bounds out of range [1:0] panics when refreshing state. This fixes a regression introduced in v6.48.0 (#​48215)

v6.48.0

Compare Source

NOTES:

• resource/aws_bedrockagentcore_gateway_target: Because we cannot easily test the ``credential_provider_configuration.gateway_iam_role` SigV4 functionality, it is best effort and we ask for community help in testing (#​47626)

FEATURES:

• New Data Source: aws_ec2_hosts (#​47986)
• New List Resource: aws_cleanrooms_membership (#​48166)
• New List Resource: aws_pinpointsmsvoicev2_event_destination (#​48034)
• New Resource: aws_ec2_local_gateway_route_table (#​48013)
• New Resource: aws_ec2_local_gateway_route_table_virtual_interface_group_association (#​48014)
• New Resource: aws_pinpointsmsvoicev2_event_destination (#​48034)

ENHANCEMENTS:

• data-source/aws_ec2_host: Add state, allocation_time, release_time, host_maintenance, host_reservation_id, availability_zone_id, allows_multiple_instance_types, member_of_service_linked_resource_group, instances, and available_capacity attributes (#​47991)
• data-source/aws_kinesis_stream: Add warm_throughput attribute (#​48152)
• data-source/aws_lb: Add enable_prefix_for_ipv6_source_nat attribute (#​40431)
• data-source/aws_odb_network: Add computed ec2_placement_group_ids attribute. (#​47317)
• resource/aws_bedrockagentcore_gateway: Mark protocol_type as Optional. Omit it to create a gateway that routes traffic directly to HTTP targets (e.g. AgentCore Runtime) (#​47897)
• resource/aws_bedrockagentcore_gateway_target: Add credential_provider_configuration.caller_iam_credentials and credential_provider_configuration.jwt_passthrough arguments (#​47780)
• resource/aws_bedrockagentcore_gateway_target: Add credential_provider_configuration.gateway_iam_role.service and credential_provider_configuration.gateway_iam_role.region arguments to enable SigV4 signing of upstream requests for mcp_server targets pointing at AWS-hosted endpoints (#​47626)
• resource/aws_bedrockagentcore_gateway_target: Add target_configuration.http argument (#​47897)
• resource/aws_cleanrooms_membership: Add resource identity support (#​48166)
• resource/aws_datazone_asset_type: Add resource identity support (#​48136)
• resource/aws_datazone_domain: Add resource identity support (#​48136)
• resource/aws_datazone_environment: Add resource identity support (#​48136)
• resource/aws_datazone_environment_blueprint_configuration: Add global_parameters argument (#​44857)
• resource/aws_datazone_environment_blueprint_configuration: Add resource identity support (#​48136)
• resource/aws_datazone_environment_profile: Add resource identity support (#​48136)
• resource/aws_datazone_form_type: Add resource identity support (#​48136)
• resource/aws_datazone_glossary: Add resource identity support (#​48136)
• resource/aws_datazone_glossary_term: Add resource identity support (#​48136)
• resource/aws_datazone_project: Add resource identity support (#​48136)
• resource/aws_datazone_user_profile: Add resource identity support (#​48136)
• resource/aws_kinesis_firehose_delivery_stream: Add Resource Identity support (#​48186)
• resource/aws_kinesis_stream: Add Resource Identity support (#​48152)
• resource/aws_kinesis_stream: Add warm_throughput_mib_ps argument. This functionality requires the kinesis:UpdateStreamWarmThroughput IAM permission (#​48152)
• resource/aws_kinesis_stream: Add plan-time validation of shard_level_metrics (#​48152)
• resource/aws_kinesis_stream_consumer: Add Resource Identity support (#​48152)
• resource/aws_lb: Add enable_prefix_for_ipv6_source_nat argument (#​40431)
• resource/aws_observabilityadmin_telemetry_rule: Expand rule schema to cover the full SDK shape, including all_regions, allow_field_updates, regions, scope, selection_criteria, telemetry_source_types, and the full destination_configuration tree (cloudtrail_parameters, elb_load_balancer_logging_parameters, log_delivery_parameters, msk_monitoring_parameters, vpc_flow_log_parameters, waf_logging_parameters) (#​48072)
• resource/aws_observabilityadmin_telemetry_rule_for_organization: Expand rule schema to cover the full SDK shape, including all_regions, allow_field_updates, regions, scope, selection_criteria, telemetry_source_types, and the full destination_configuration tree (cloudtrail_parameters, elb_load_balancer_logging_parameters, log_delivery_parameters, msk_monitoring_parameters, vpc_flow_log_parameters, waf_logging_parameters) (#​48072)
• resource/aws_odb_network: Add computed ec2_placement_group_ids attribute. (#​47317)
• resource/aws_osis_pipeline: Adds resource identity (#​48155)
• resource/aws_vpc_ipam_pool_cidr_allocation: Add tagging support (#​48084)

BUG FIXES:

• resource/aws_api_gateway_rest_api: Fix OpenAPI body-managed x-amazon-apigateway-policy updates being overwritten by prior policy state (#​48118)
• resource/aws_bedrockagentcore_gateway: Fix ValidationException: Gateway with ID: ... has targets associated with it. Delete all targets before deleting the gateway errors on delete (#​47626)
• resource/aws_bedrockagentcore_gateway_target: Include FAILED and SYNCHRONIZING as pending states while a target is deleting (#​47626)
• resource/aws_db_instance_automated_backups_replication: Fix InvalidDBInstanceState: Cannot create a snapshot because the database instance ... is not currently in the available state errors on delete (#​46687)
• resource/aws_elasticache_replication_group: Fix CacheClusterNotFound when enabling snapshots after the primary cache cluster has been changed away from -001, and InvalidParameterCombination when enabling snapshots on cluster mode enabled groups (#​46326)
• resource/aws_kinesis_firehose_delivery_stream: Fix ValidationException: Unknown parameter: ExtendedS3DestinationConfiguration.CustomTimeZone errors in AWS partitions which do not yet support selecting a time zone for bucket prefixes (#​48186)
• resource/aws_lambda_alias: Fix plan drift caused by transient routing weights appearing in state after updating function_version (#​48116)
• resource/aws_lambda_provisioned_concurrency_config: Fix InvalidParameterValueException: Alias with weights can not be used with Provisioned Concurrency error when updating provisioned concurrency simultaneously with alias version change (#​48116)
• resource/aws_s3_bucket_versioning: Fix perpetual drift on versioning_configuration.mfa_delete when status is Disabled (#​48161)

v6.47.0

Compare Source

FEATURES:

• New List Resource: aws_bedrockagentcore_online_evaluation_config (#​47209)
• New List Resource: aws_bedrockagentcore_policy_engine (#​47108)
• New List Resource: aws_bedrockagentcore_resource_policy (#​46844)
• New List Resource: aws_s3control_multi_region_access_point (#​48081)
• New List Resource: aws_s3control_multi_region_access_point_routes (#​48081)
• New Resource: aws_bedrockagentcore_online_evaluation_config (#​47209)
• New Resource: aws_bedrockagentcore_policy_engine (#​47108)
• New Resource: aws_bedrockagentcore_resource_policy (#​46844)
• New Resource: aws_s3control_multi_region_access_point_routes (#​47994)

ENHANCEMENTS:

• data-source/aws_arn: Deprecates id in favor of arn (#​48036)
• data-source/aws_default_tags: Deprecates id (#​48036)
• data-source/aws_ip_ranges: Deprecates id (#​48036)
• data-source/aws_partition: Deprecates id in favor of partition (#​48036)
• data-source/aws_region: Deprecates id in favor of region (#​48036)
• data-source/aws_regions: Deprecates id (#​48036)
• data-source/aws_route: Add odb_network_arn attribute (#​48027)
• data-source/aws_route_table: Add routes.odb_network_arn attribute (#​48027)
• data-source/aws_secretsmanager_secret_version: Deprecates arn in favor of secret_arn. (#​48011)
• data-source/aws_secretsmanager_secret_versions: Deprecates arn in favor of secret_arn. (#​48033)
• data-source/aws_secretsmanager_secret_versions: Deprecates name in favor of secret_name. (#​48033)
• data-source/aws_service: Deprecates id in favor of reverse_dns_name (#​48036)
• data-source/aws_transfer_server: Add ip_address_type attribute (#​48039)
• resource/aws_acm_certificate: Add private_key_wo write-only argument and private_key_wo_version argument (#​44414)
• resource/aws_arcregionswitch_plan: Add step.rds_promote_read_replica_config, step.rds_create_cross_region_read_replica_config, and report_configuration arguments (#​46965)
• resource/aws_eks_cluster: Add CGNAT IP address ranges as valid private range (#​47988)
• resource/aws_eks_cluster: Make remote_node_networks field in remote_network_config optional (#​47988)
• resource/aws_eks_cluster: Remove conflict between outpost_config and remote_network_config (#​47988)
• resource/aws_msk_replicator: Add support for log_delivery configuration block (#​48054)
• resource/aws_quicksight_data_source: Add parameters.athena.role_arn argument to allow override an account-wide role for a specific Athena data source (#​44666)
• resource/aws_route: Add odb_network_arn argument (#​48027)
• resource/aws_route: Add plan-time validation of core_network_arn (#​48027)
• resource/aws_route_table: Add route.odb_network_arn argument (#​48027)
• resource/aws_route_table: Add plan-time validation of route.core_network_arn (#​48027)
• resource/aws_s3control_multi_region_access_point: Add resource identity support (#​48081)
• resource/aws_secretsmanager_secret_version: Deprecates arn in favor of secret_arn. (#​48011)
• resource/aws_ssm_resource_data_sync: Add s3_destination.destination_data_sharing argument (#​21996)
• resource/aws_transfer_server: Add ip_address_type argument (#​48039)

BUG FIXES:

• data-source/aws_secretsmanager_secret_versions: Polulates versions.*.last_accessed_date. (#​48033)
• provider: Fix lifecycle.ignore_changes for individual tags elements being bypassed when another tag in the same map is updated to an empty string, to avoid overwriting any out-of-band changes the lifecycle block was meant to preserve. (#​48008)
• resource/aws_dynamodb_table: Ensure diffs are shown for GSI hash key type changes (#​47867)
• resource/aws_eks_cluster: Change securityGroupIds logic in flattenVPCConfigResponse() for Outpost clusters (#​47988)
• resource/aws_instance: Fix lifecycle.ignore_changes for individual tags elements being bypassed when another tag in the same map is updated to an empty string, to avoid overwriting any out-of-band changes the lifecycle block was meant to preserve. (#​48008)
• resource/aws_lb: Fix Provider produced inconsistent final plan errors and force resource recreation for Network Load Balancers when no security groups were initially configured and updated security groups are unknown at plan-time (#​46695)
• resource/aws_msk_replicator: Mark replication_info_list.consumer_group_replication.consumer_groups_to_exclude as Computed (#​48054)
• resource/aws_msk_replicator: Mark replication_info_list.topic_replication.topics_to_exclude as Computed (#​48054)

v6.46.0

Compare Source

NOTES:

• resource/aws_xray_resource_policy: Changes to policy_name now force resource recreation. Technically this is a breaking change but the resource did not function correctly previously; updating policy_name would leave an orphaned policy with the old name in AWS (#​47948)

FEATURES:

• New List Resource: aws_bedrockagentcore_harness (#​47725)
• New List Resource: aws_iam_access_key (#​47966)
• New List Resource: aws_observabilityadmin_telemetry_rule_for_organization (#​47920)
• New List Resource: aws_route53_vpc_association_authorization (#​47905)
• New List Resource: aws_route53_zone_association (#​47950)
• New List Resource: aws_securityhub_automation_rule_v2 (#​47677)
• New Resource: aws_bedrockagentcore_harness (#​47725)
• New Resource: aws_observabilityadmin_telemetry_rule_for_organization (#​47920)
• New Resource: aws_securityhub_automation_rule_v2 (#​47677)
• New Resource: aws_xray_indexing_rule (#​47975)
• New Resource: aws_xray_trace_segment_destination (#​47961)

ENHANCEMENTS:

• data-source/aws_ec2_local_gateway_virtual_interface: Add outpost_lag_id and local_gateway_virtual_interface_group_id attributes (#​47974)
• data-source/aws_opensearch_domain: Add jwt_options block to fix "Invalid address to set" error (#​47874)
• resource/aws_bedrockagent_agent: Increase maximum value of idle_session_ttl_in_seconds from 3600 to 5400 to match the AWS API limit (#​47890)
• resource/aws_bedrockagentcore_agent_runtime: Add filesystem_configuration argument for mounting session storage, Amazon S3 Files access points, or Amazon EFS access points into the agent runtime (#​47810)
• resource/aws_cloudfront_distribution: Add cache_tag_config configuration block (#​47872)
• resource/aws_iam_access_key: Add resource identity support (#​47966)
• resource/aws_route53_vpc_association_authorization: Add resource identity support (#​47905)
• resource/aws_route53_zone_association: Add resource identity support (#​47950)
• resource/aws_vpclattice_resource_gateway: Add resource_config_dns_resolution argument (#​47879)
• resource/aws_xray_resource_policy: Add Resource Identity support (#​47948)
• resource/aws_xray_sampling_rule: Add Resource Identity support (#​47948)

BUG FIXES:

• resource/aws_s3_bucket: Defer to the corresponding dedicated standalone resource for each deprecated nested attribute (acceleration_status, acl, cors_rule, grant, lifecycle_rule, logging, object_lock_configuration, policy, replication_configuration, request_payer, server_side_encryption_configuration, versioning, website) when the attribute is not set in configuration, preventing similar fights between the bucket resource and its standalone counterparts (#​47962)
• resource/aws_s3_bucket: Fix InvalidRequest: SourceSelectionCriteria cannot be empty errors on unrelated updates (e.g. tags) when replication is managed by the dedicated aws_s3_bucket_replication_configuration resource using replica_modifications (#​47962)
• resource/aws_xray_resource_policy: Fix Provider returned invalid result object after apply errors on Update (#​47948)
• resource/aws_xray_resource_policy: Mark policy_name as as ForceNew (#​47948)

v6.45.0

Compare Source

FEATURES:

• New List Resource: aws_observabilityadmin_telemetry_rule (#​47857)
• New List Resource: aws_securityhub_connector_v2 (#​47678)
• New Resource: aws_observabilityadmin_telemetry_evaluation (#​47799)
• New Resource: aws_observabilityadmin_telemetry_evaluation_for_organization (#​47808)
• New Resource: aws_observabilityadmin_telemetry_rule (#​47857)
• New Resource: aws_securityhub_aggregator_v2 (#​47651)
• New Resource: aws_securityhub_connector_v2 (#​47678)

ENHANCEMENTS:

• resource/aws_lambda_function: Add support for ruby4.0 as a runtime value (#​47841)
• resource/aws_lambda_function: Support mounting Amazon S3 buckets as file systems with S3 Files (#​47838)
• resource/aws_lambda_layer_version: Add support for ruby4.0 as a compatible_runtimes value (#​47841)
• resource/aws_secretsmanager_secret_version: Allow switching from secret_string to secret_string_wo without re-creating the resource. (#​47815)
• resource/aws_timestreaminfluxdb_db_instance: Add maintenance_schedule configuration block (#​47853)

BUG FIXES:

• resource/aws_elasticache_cluster: Fixed by removing valkey as an engine option to keep an alignment with aws sdk CreateCacheCluster (#​45017)
• resource/aws_elasticache_replication_group: Fix engine_version returning full patch version instead of minor version for Valkey engine (#​46109)
• resource/aws_elasticache_replication_group: Fix engine, engine_version, and parameter_group_name changes being ignored after disassociating from a global replication group (#​46109)
• resource/aws_grafana_workspace: Fix network_access_control regression causing ValidationException when only one of vpce_ids or prefix_list_ids is set (#​47646)

boto/boto3 (boto3)

v1.43.25

Compare Source

=======

• api-change:compute-optimizer: [botocore] Adds new Idle Recommendation Resource types in the AWS Compute Optimizer API
• api-change:cost-optimization-hub: [botocore] Adds new Idle Recommendation types in the Cost Optimization Hub API
• api-change:deadline: [botocore] Added optional identityCenterRegion parameter to AssociateMember APIs to allow managing memberships for users and groups in other regions.
• api-change:devops-agent: [botocore] Add Asset APIs for managing versioned assets and asset files in AWS DevOps Agent agent spaces.
• api-change:mediapackagev2: [botocore] Adds support for DASH Audio Timeline Patternization. This enables your DASH manifests to templatize the repeating patterns that emerge in audio segment timelines. This compacts the total timeline length, utilizing the repeat notation, such that manifests don't grow indefinitely long.
• api-change:mgn: [botocore] AWS Transform discovery tool now supported as network migration input source. You can now use the AWS Transform Discovery tool as a source for network migration alongside modelizeIT, enabling hybrid network migrations for environments running both VMware and non-VMware workloads.
• api-change:observabilityadmin: [botocore] CloudWatch Observability Admin extends CentralizationRuleForOrganization APIs to support metrics, enabling centralization of metrics across accounts and Regions alongside logs.
• api-change:omics: [botocore] StartRunBatch API - Add EngineSettings
• api-change:taxsettings: [botocore] Adds support for additional tax information fields for Philippines, Belgium, Chile, France, Poland, and Italy in the Tax Settings API.

v1.43.24

Compare Source

=======

• api-change:emr-serverless: [botocore] Adds support for updating max capacity and custom fields while application is started
• api-change:mediaconvert: [botocore] Adds support for configurable number of Clear Lead segments at the beginning of encrypted output. Adds support for multiple trickplay variants.
• api-change:payment-cryptography: [botocore] Adds CloudFormation support for resource-based policies on AWS Payment Cryptography keys.
• api-change:quicksight: [botocore] Adds support for Knowledge Base APIs and Index Capacity API
• api-change:sagemaker: [botocore] This release adds support for MLflow experiment tracking in SageMaker inference optimization. CreateAIRecommendationJob and CreateAIBenchmarkJob now accept an optional OutputConfig.MlflowConfig (MLflow App ARN, experiment, run name) to stream benchmark metrics and artifacts to your own MLflow App.

v1.43.23

Compare Source

=======

• api-change:appflow: [botocore] Adding new BDD representation of endpoint ruleset
• api-change:appintegrations: [botocore] Adding new BDD representation of endpoint ruleset
• api-change:auditmanager: [botocore] Adding new BDD representation of endpoint ruleset
• api-change:chime-sdk-voice: [botocore] Adding new BDD representation of endpoint ruleset
• api-change:cloudformation: [botocore] Adding new BDD representation of endpoint ruleset
• api-change:config: [botocore] AWS Config now supports internal service-linked rules, allowing AWS service partners to deploy Config rules for customers and use the evaluation results to build enhanced features.
• api-change:connectparticipant: [botocore] Adding new BDD representation of endpoint ruleset
• api-change:efs: [botocore] Adding new BDD representation of endpoint ruleset
• api-change:emr: [botocore] Added support for Spark Connect interactive sessions on Amazon EMR on EC2 with new APIs - StartSession, GetSession, GetSessionEndpoint, ListSessions, and TerminateSession. Added sessionEnabled field in RunJobFlow and DescribeCluster to enable Spark Connect endpoints on EMR clusters.
• api-change:endpoint-rules: [botocore] Update endpoint-rules client to latest version
• api-change:glue: [botocore] AWS Glue Interactive Sessions now supports Apache Spark Connect, enabling remote Spark execution over gRPC with minimal client-side dependencies. Adds GetSessionEndpoint and GetDashboardUrl APIs. Modifies CreateSession now accepts SPARK CONNECT session type.
• api-change:guardduty: [botocore] Remove unsupported RDS field for filter
• api-change:ivs: [botocore] adds UpdateAdConfiguration operation to AWS IVS low-latency APIs
• api-change:kendra: [botocore] Adding new BDD representation of endpoint ruleset
• api-change:sagemaker: [botocore] Adds the IncludedData parameter to DescribeModelCard and DescribeModelPackage. Set it to MetadataOnly to retrieve a model card without decrypt permission on the customer managed AWS KMS key (default AllData returns full content). Adds support for the MTRL Job resource in SageMaker Search.
• api-change:sns: [botocore] Adding new BDD representation of endpoint ruleset
• api-change:wickr: [botocore] AWS Wickr now allows network administrators to configure a maximum session duration for non-SSO users in security groups, and display customizable consent popups to users at login for terms of use or compliance acknowledgements.
• api-change:workdocs: [botocore] Adding new BDD representation of endpoint ruleset
• api-change:workspaces: [botocore] Adding new BDD representation of endpoint ruleset

v1.43.22

Compare Source

=======

• api-change:arc-region-switch: [botocore] ARC Region Switch now supports three new execution blocks for multi-Region database workloads-Amazon Aurora Serverless scaling, Amazon Aurora Provisioned scaling, and Amazon Neptune Global Database failover.
• api-change:ce: [botocore] Added support for target-coverage-based Savings Plans purchase analysis. The StartCommitmentPurchaseAnalysis API now accepts a new TARGET AVERAGE COVERAGE value for AnalysisType, as well as an optional SavingsPlansTargetCoverage field in SavingsPlansPurchaseAnalysisConfiguration
• api-change:compute-optimizer: [botocore] This release lets customers extend the lookback period for Amazon EBS volume and Amazon ECS rightsizing recommendations to 32 days.
• api-change:connect: [botocore] SearchContacts Connect API now supports filtering contacts by the AI Agents involved in handling them
• api-change:inspector2: [botocore] Inspector support for enhanced scanning
• api-change:socialmessaging: [botocore] Adding support for WhatsApp flow APIs and adding AccessDeniedByMetaException for Template APIs

v1.43.21

Compare Source

=======

• api-change:endpoint-rules: [botocore] Update endpoint-rules client to latest version
• api-change:geo-routes: [botocore] Add "standardRegionalEndpoints" back to fix 'Could not connect to the endpoint URL'

v1.43.20

Compare Source

=======

• api-change:ec2: [botocore] Amazon EC2 now supports self-service cancellation of future-dated Capacity Reservations. A cancellation charge applies based on remaining commitment. Customers can generate a cancellation quote to review charges before confirming.
• api-change:elasticache: [botocore] Amazon ElastiCache for Valkey now supports durability. This new capability is enabled through a Multi-AZ transactional log, enabling fast recovery and restart during failures.
• api-change:endpoint-rules: [botocore] Update endpoint-rules client to latest version
• api-change:geo-routes: [botocore] Added Transit and Intermodal travel modes to CalculateRoutes. Plan routes using public transit (bus, subway, train, ferry) or combine transit with driving, taxi, and rental car segments in a single multi-modal route.
• api-change:guardduty: [botocore] Amazon GuardDuty Runtime Monitoring now supports 3 new SensitiveFileModified finding types (Persistence, PrivilegeEscalation, DefenseEvasion) that detect when security-sensitive system files are modified on EC2 instances or containers, indicating potential compromise through file tampering.
• api-change:iot: [botocore] Fleet indexing documentation update
• api-change:keyspacesstreams: [botocore] Added iterator description to the GetRecords API response for Amazon Keyspaces Change Data Capture (CDC) streams, enabling consumers to track their current position within the stream.
• api-change:lambda: [botocore] Adds configuration for tag propagation to Lambda-managed resources.
• api-change:sagemaker: [botocore] Amazon SageMaker Job is a new service to help you manage various workloads related to model fine tuning, evaluation etc. Two job categories are supported today, AgentRFT for multi-turn agentic reinforcement fine tuning, and AgentRFTEvaluation for evaluating base model or trained model from AgentRFT.
• api-change:sagemakerjobruntime: [botocore] Amazon SageMaker Job Runtime is a new service for managing trajectory data during multi-turn customization jobs. It provides APIs to send inference requests to models during job execution, mark rollouts as complete, and submit reward values for training trajectories.
• api-change:transcribe: [botocore] Release new Language locales including am-ET, es-MX, fa-AF, ht-HT, jv-ID, km-KH, my-MM, sq-AL, ne-NP. The commit shows past locales that have already been release which include cy-gb, ga-ie, gd-gb.

v1.43.19

Compare Source

=======

• api-change:cognito-idp: [botocore] Add support for multi-region replication, enabling synchronization of user data and configurations to a secondary user pool in a standby Region. Add support for customer managed keys (CMK) in AWS KMS for encrypting user pool data at rest.
• api-change:marketplace-agreement: [botocore] Adding Entitlements in SearchAgreements Response
• api-change:quicksight: [botocore] This release adds public APIs for Amazon QuickSight Spaces, Agents, and Flows. Spaces APIs enable management of curated resource collections. Agents APIs provide lifecycle control over AI-powered agents that leverage Spaces. Flows APIs add CRUDL APIs for automated workflows.

v1.43.18

Compare Source

=======

• api-change:bedrock: [botocore] Automated Reasoning checks - Added two build workflows for policies. Iterative Refine Policy uses AI to update policy definitions based on test results and feedback. Resolve Policy Ambiguities consolidates ambiguous variables in Automated Reasoning policies, a common source of ambiguous validation.
• api-change:bedrock-agentcore-control: [botocore] Reference your own AWS Secrets Manager secrets when configuring credential providers, giving you control over encryption, rotation, and access policies instead of using service-managed secrets.
• api-change:groundstation: [botocore] Adds support for Alpha-5 satellite number encoding in the Two-Line Element ephemeris format.
• api-change:omics: [botocore] Add engineSettings to StartRun and GetRun. Add profiles and profileParameterTemplates to GetWorkflow and GetWorkflowVersion.
• api-change:quicksight: [botocore] Adds support for creating, updating, describing, listing, and deleting an OAuthClientApplication resource, a new quicksight resource that allows customers to store OAuth configurations to connect to their databases via 3 Legged OAuth.
• api-change:rds-data: [botocore] RDS Data API arrays (longValues, doubleValues, stringValues, booleanValues) in ExecuteStatement responses now correctly support null elements. Runtime change for JS v3 and .NET. Compile-time change for C plus plus, .NET, Kotlin, Rust. No impact for Java, Python, Ruby, PHP, Go.
• api-change:route53resolver: [botocore] Added BatchCreateFirewallRule, BatchUpdateFirewallRule, BatchDeleteFirewallRule, and ListFirewallRuleTypes APIs. Added FirewallRuleType support to Firewall Rule APIs.
• api-change:sesv2: [botocore] This release introduces support for Tenant Suppression Lists

v1.43.17

Compare Source

=======

• api-change:appstream: [botocore] Amazon WorkSpaces Applications now supports BYOL (Bring Your Own License). This enables customers to import their own WorkSpaces images and use them in WorkSpaces Applications.
• api-change:bedrock: [botocore] Add support for ModelPackageArn in Bedrock's CreateCustomModel API
• api-change:bedrock-agentcore: [botocore] Added Harness support for LiteLLM model configuration for third-party model providers. Added S3 and Git skill source types. Added Responses API format for OpenAI and Bedrock models. Added runtimeUserId and runtimeClientError to InvokeHarness.
• api-change:bedrock-agentcore-control: [botocore] Added Harness support for LiteLLM model configuration for third-party model providers. Added S3 and Git skill source types. Added Responses API format for OpenAI and Bedrock models. Added runtimeUserId parameter to InvokeHarness for end-user identification.
• api-change:bedrock-runtime: [botocore] Support system role in message
• api-change:controlcatalog: [botocore] AWS Control Catalog - Added GovernedProviders response field and inclusion filter to GetControl and ListControls APIs to identify and filter by cloud provider. Added ParameterRequirementSummary response field indicating parameter requirements.
• api-change:customer-profiles: [botocore] BatchPutProfileObject API adds multiple profile objects to a domain of a given ObjectType in a single API call.
• api-change:deadline: [botocore] Added support for persistent storage on Service-Managed Fleets, allowing customers to configure persistent storage that preserves data across worker sessions which reduces job startup times for workloads with large software installations or asset caches.
• api-change:endpoint-rules: [botocore] Update endpoint-rules client to latest version
• api-change:iot: [botocore] Adds new connectivity-related fields to Fleet Indexing API requests and responses.
• api-change:iot-data: [botocore] Adding GetConnection, ListSubscriptions, and SendDirectMessage APIs to IoT Data Plane
• api-change:opensearchserverless: [botocore] Adds support for deletion protection on collections, ability to create NEXTGEN collection groups and autoscaling visibility for NEXTGEN collection groups
• api-change:pcs: [botocore] This release adds support for configuring scaleDownIdleTimeInSeconds at the compute node group level, allowing customers to set different idle timeouts per node group. Previously this setting was only available at the cluster level.
• api-change:resiliencehubv2: [botocore] This is the initial SDK release for the next generation of Resilience Hub.
• api-change:s3control: [botocore] Update the minimum value of MinStorageBytesPercentage in StorageLensPrefixLevel.SelectionCriteria from 0.1 to 1, aligning the model with the documented contract.

v1.43.16

Compare Source

=======

• api-change:bedrock-data-automation: [botocore] Matcher Fallback extends the CustomOutputConfiguration for the Document modality in DataAutomationProjects, enabling a fallback blueprint when no match is found. A FALLBACK match status is returned, improving the matching experience and guaranteeing customers always receive CustomOutputResults.
• api-change:ecs: [botocore] Add support for Neuron device resource requirements for Amazon ECS
• api-change:elementalinference: [botocore] Added support for smart subtitles in Elemental Inference, enabling automatic generation of subtitles for media content. Available in English, Spanish, French, German, Italian, and Portuguese.
• api-change:medialive: [botocore] AWS Elemental MediaLive now supports Smart Subtitles, a new caption source that uses AWS Elemental Inference to automatically generate WebVTT and TTML captions from source audio. Available in English, Spanish, French, German, Italian, and Portuguese.
• api-change:opensearch: [botocore] OpenSearch will now support multi-segment paths in JWKS URLs.
• api-change:organizations: [botocore] AWS Organizations now emits CloudTrail events (AccountJoinedOrganization, AccountDepartedOrganization) to the management account for membership changes, including join and departure method and timestamp.
• api-change:sagemaker: [botocore] Adds shared environment support for Restricted Instance Groups (RIGs) on SageMaker HyperPod, enabling cross-RIG workload scheduling and FSx sharing. This unlocks shared CPU-GPU environments needed for cost-efficient RL training (e.g., Nova Forge). Adds p6 instance support for recommendation jobs

v1.43.15

Compare Source

=======

• api-change:backup: [botocore] Launching S3 PITR malware scanning support for AWS Backup
• api-change:batch: [botocore] Increase the maximum value of jobExecutionTimeoutMinutes to support longer job timeouts during compute environment infrastructure updates.
• api-change:budgets: [botocore] AWS Budget Name Validation Documentation Updates.
• api-change:datazone: [botocore] Added resourceConfigurations and allowUserProvidedConfigurations fields to environment blueprint configuration APIs, enabling customers who migrated from V1 to V2 domains to update resource configurations (such as lineage schedules) programmatically via the SDK.
• api-change:guardduty: [botocore] Add malware scan support for Continuous Backups, also known as Point-In-Time Recovery Points (PITR).
• api-change:resourcegroupstaggingapi: [botocore] The GetResources API now returns MissingTagKeys in ComplianceDetails, listing tag keys defined as required in the ReportRequiredTagBlock block of the effective tag policy that are absent from the resource.

v1.43.14

Compare Source

=======

• api-change:datazone: [botocore] Add support for VPC connection
• api-change:ec2: [botocore] The ModifyInstanceAttribute API now supports modification of EnclaveOptions for the instance as a typed parameter.
• api-change:gameliftstreams: [botocore] Added new Gen6 stream classes based on the EC2 G6e instance family. These classes are designed for streaming high-fidelity, graphically demanding games and applications that benefit from additional GPU memory and performance.
• api-change:invoicing: [botocore] Adds support for idempotency with a new ClientToken field for the CreateInvoiceUnit, DeleteInvoiceUnit, UpdateInvoiceUnit, DeleteProcurementPortalPreference, PutProcurementPortalPreference, and UpdateProcurementPortalPreferenceStatus APIs.
• api-change:pi: [botocore] Added ListPerformanceAnalysisReportRecommendations API to retrieve recommendations for a performance analysis report. Added analysis configuration support to CreatePerformanceAnalysisReport for enhanced analysis types such as vacuum analysis.
• api-change:qconnect: [botocore] Added guardrail assessment results to inference spans in the ListSpans API. You can now see which AI Guardrail policies were evaluated, whether content was blocked or masked, and per-policy details for each Bedrock Converse call
• api-change:securityagent: [botocore] Adds support for verification scripts on penetration test findings. Customers can now download executable scripts to independently reproduce confirmed vulnerabilities, with instructions and required environment variables provided for each finding.
• enhancement:s3: [botocore] Improve caching of S3 endpoints, which should improve performance when working with multiple keys in the same bucket

v1.43.13

Compare Source

=======

• api-change:batch: [botocore] Clarified CreateComputeEnvironment parameter requirements - serviceRole is required for UNMANAGED compute environments, allocationStrategy is required for EKS compute environments, and compute environments must be created in the ENABLED state.
• api-change:bedrock-agentcore-control: [botocore] Adds dataset management APIs for creating, versioning, and managing evaluation datasets.
• api-change:cleanrooms: [botocore] Collaboration creators can update pay

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, only on Monday (* 0-3 * * 1)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Hey @renovate[bot]! 👋

Thank you for your contribution to the project. Please refer to the contribution rules for a quick overview of the process.

Make sure that this PR clearly explains:

• the problem being solved
• the best way a reviewer and you can test your changes

With submitting this PR you confirm that you hold the rights of the code added and agree that it will published under this LICENSE.

The following ChatOps commands are supported:

• /help: notifies a maintainer to help you out

Simply add a comment with the command in the first line. If you need to pass more information, separate it with a blank line from the command.

This message was generated automatically. You are welcome to improve it.

[github-actions]

❌MegaLinter analysis: Error

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	5		0	0	0.17s
❌ ACTION	zizmor	5	0	1	0	0.28s
❌ COPYPASTE	jscpd	yes		13	no	1.88s
✅ REPOSITORY	checkov	yes		no	no	37.65s
✅ REPOSITORY	dustilock	yes		no	no	0.24s
✅ REPOSITORY	gitleaks	yes		no	no	2.34s
✅ REPOSITORY	git_diff	yes		no	no	0.01s
✅ REPOSITORY	grype	yes		no	no	56.35s
✅ REPOSITORY	kingfisher	yes		no	no	11.39s
✅ REPOSITORY	osv-scanner	yes		no	no	1.08s
✅ REPOSITORY	secretlint	yes		no	no	1.18s
✅ REPOSITORY	syft	yes		no	no	2.63s
✅ REPOSITORY	trivy-sbom	yes		no	no	0.25s
✅ REPOSITORY	trufflehog	yes		no	no	5.27s
✅ SPELL	cspell	6		0	0	2.81s
✅ YAML	prettier	5	2	0	0	0.63s
✅ YAML	v8r	5		0	0	3.69s
✅ YAML	yamllint	5		0	0	0.61s

Detailed Issues

❌ COPYPASTE / jscpd - 13 errors

Clone found (hcl):
 - examples/runner-public/versions.tf [2:1 - 27:2] (25 lines, 140 tokens)
   examples/runner-windows/versions.tf [2:1 - 27:2]

Clone found (hcl):
 - examples/runner-fleeting-plugin/versions.tf [2:1 - 27:2] (25 lines, 140 tokens)
   examples/runner-windows/versions.tf [2:1 - 27:2]

Clone found (hcl):
 - examples/runner-fleeting-plugin/variables.tf [1:1 - 34:2] (33 lines, 158 tokens)
   examples/runner-windows/variables.tf [1:1 - 34:2]

Clone found (hcl):
 - examples/runner-fleeting-plugin/main.tf [1:1 - 59:9] (58 lines, 295 tokens)
   examples/runner-windows/main.tf [1:1 - 59:32]

Clone found (hcl):
 - examples/runner-fleeting-plugin/main.tf [93:46 - 114:24] (21 lines, 119 tokens)
   examples/runner-windows/main.tf [118:46 - 139:29]

Clone found (hcl):
 - examples/runner-docker/versions.tf [2:1 - 27:2] (25 lines, 140 tokens)
   examples/runner-windows/versions.tf [2:1 - 27:2]

Clone found (hcl):
 - examples/runner-docker/main.tf [18:3 - 44:9] (26 lines, 122 tokens)
   examples/runner-windows/main.tf [27:3 - 53:14]

Clone found (hcl):
 - examples/runner-default/versions.tf [2:1 - 27:2] (25 lines, 140 tokens)
   examples/runner-windows/versions.tf [2:1 - 27:2]

Clone found (hcl):
 - examples/runner-default/variables.tf [1:1 - 34:2] (33 lines, 158 tokens)
   examples/runner-windows/variables.tf [1:1 - 34:2]

Clone found (hcl):
 - examples/runner-default/main.tf [1:1 - 62:4] (61 lines, 321 tokens)
   examples/runner-windows/main.tf [1:1 - 62:25]

Clone found (hcl):
 - examples/runner-certificates/versions.tf [2:1 - 27:2] (25 lines, 140 tokens)
   examples/runner-windows/versions.tf [2:1 - 27:2]

Clone found (hcl):
 - examples/runner-certificates/variables.tf [1:1 - 28:2] (27 lines, 130 tokens)
   examples/runner-docker/variables.tf [1:1 - 28:2]

Clone found (hcl):
 - examples/runner-certificates/main.tf [3:1 - 49:50] (46 lines, 225 tokens)
   examples/runner-windows/main.tf [8:1 - 53:14]

┌──────────┬────────────────┬─────────────┬──────────────┬──────────────┬──────────────────┬───────────────────┐
│ Format   │ Files analyzed │ Total lines │ Total tokens │ Clones found │ Duplicated lines │ Duplicated tokens │
├──────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ python   │ 1              │ 298         │ 1851         │ 0            │ 0 (0%)           │ 0 (0%)            │
├──────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ smarty   │ 1              │ 7           │ 73           │ 0            │ 0 (0%)           │ 0 (0%)            │
├──────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ hcl      │ 50             │ 3425        │ 20321        │ 13           │ 430 (12.55%)     │ 2228 (10.96%)     │
├──────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ bash     │ 2              │ 677         │ 4567         │ 0            │ 0 (0%)           │ 0 (0%)            │
├──────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ markdown │ 1              │ 4           │ 38           │ 0            │ 0 (0%)           │ 0 (0%)            │
├──────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ toml     │ 1              │ 9           │ 40           │ 0            │ 0 (0%)           │ 0 (0%)            │
├──────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ Total:   │ 56             │ 4420        │ 26890        │ 13           │ 430 (9.73%)      │ 2228 (8.29%)      │
└──────────┴────────────────┴─────────────┴──────────────┴──────────────┴──────────────────┴───────────────────┘
Found 13 clones.
HTML report saved to megalinter-reports/copy-paste/html/
ERROR: jscpd found too many duplicates (9.73%) over threshold (0%)
Error: ERROR: jscpd found too many duplicates (9.73%) over threshold (0%)
    at ThresholdReporter.report (/node-deps/node_modules/@jscpd/finder/dist/index.js:615:13)
    at /node-deps/node_modules/@jscpd/finder/dist/index.js:109:18
    at Array.forEach (<anonymous>)
    at /node-deps/node_modules/@jscpd/finder/dist/index.js:108:22
    at async /node-deps/node_modules/jscpd/dist/bin/jscpd.js:9:5

❌ ACTION / zizmor - 1 error

INFO zizmor: 🌈 zizmor v1.25.0
fatal: no audit was performed
'artipacked' audit failed on file://.github/workflows/ci.yml

Caused by:
    0: error in 'artipacked' audit
    1: couldn't list tags for actions/checkout
    2: request error while accessing GitHub API
    3: HTTP status client error (401 Unauthorized) for url (https://github.com/actions/checkout.git/git-upload-pack)


[ZizmorLinter] Zizmor failed to reach the GitHub API.
To allow zizmor to use GITHUB_TOKEN, add the following to your .mega-linter.yml:
ACTION_ZIZMOR_UNSECURED_ENV_VARIABLES:
  - GITHUB_TOKEN

Notices

📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining SECURITY_SUGGESTIONS: false)

See detailed reports in MegaLinter artifacts
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

Show us your support by starring ⭐ the repository