chore(deps): lock file maintenance

[renovate]

This PR contains the following updates:

Update	Change
lockFileMaintenance	All locks refreshed

Review

• Updates have been tested and work
• If updates are AWS related, versions match the infrastructure (e.g. Lambda runtime, database, etc.)

🔧 This Pull Request updates lock files to use the latest dependency versions.

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) in timezone America/Montreal, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Production: hosted_zone

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
❌   Terraform Plan: failed
❌   Conftest: failed

Show plan

Error: Error acquiring the state lock

Error message: 2 errors occurred:
	* ConditionalCheckFailedException: The conditional request failed
	* unexpected end of JSON input



Terraform acquires a state lock to protect the state from being written
by multiple users at the same time. Please resolve the issue above and try
again. For most commands, you can disable locking with the "-lock=false"
flag, but this is not recommended.
time=2026-06-24T23:00:42Z level=error msg=Terraform invocation failed in /home/runner/work/github-secret-scanning/github-secret-scanning/terragrunt/env/production/hosted_zone/.terragrunt-cache/cxZj7uoOZ39Tdx5KZDHETcPj4mE/lVFJLQKYtqHgkyEGSnm7gn4u0uA/hosted_zone prefix=[/home/runner/work/github-secret-scanning/github-secret-scanning/terragrunt/env/production/hosted_zone] 
time=2026-06-24T23:00:42Z level=error msg=1 error occurred:
	* exit status 1

[github-actions]

Production: cloudfront

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
❌   Terraform Plan: failed
❌   Conftest: failed

Show plan

Error: Error acquiring the state lock

Error message: ConditionalCheckFailedException: The conditional request
failed
Lock Info:
  ID:        e2785996-d182-ab12-059d-e2efbad6f334
  Path:      github-secret-scanning-production-tf/production/cloudfront/terraform.tfstate
  Operation: OperationTypePlan
  Who:       runner@runnervmmklqx
  Version:   1.3.8
  Created:   2026-06-24 23:01:08.207926161 +0000 UTC
  Info:      


Terraform acquires a state lock to protect the state from being written
by multiple users at the same time. Please resolve the issue above and try
again. For most commands, you can disable locking with the "-lock=false"
flag, but this is not recommended.
time=2026-06-24T23:01:22Z level=error msg=Terraform invocation failed in /home/runner/work/github-secret-scanning/github-secret-scanning/terragrunt/env/production/cloudfront/.terragrunt-cache/WNUxIlB0eWnWsL8k9PQBSgr3hpk/lVFJLQKYtqHgkyEGSnm7gn4u0uA/cloudfront prefix=[/home/runner/work/github-secret-scanning/github-secret-scanning/terragrunt/env/production/cloudfront] 
time=2026-06-24T23:01:22Z level=error msg=1 error occurred:
	* exit status 1

[github-actions]

Production: alarms

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success
✅   Conftest: success

Plan: 0 to add, 4 to change, 0 to destroy

Show summary

CHANGE	NAME
update	aws_cloudwatch_metric_alarm.api_error
	aws_cloudwatch_metric_alarm.api_secret_detected
	aws_kms_key.sns_cloudwatch
	aws_sns_topic.cloudwatch_alarm

Show plan

Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_cloudwatch_metric_alarm.api_error will be updated in-place
  ~ resource "aws_cloudwatch_metric_alarm" "api_error" {
        id                        = "GitHub secret scanning: error"
      ~ tags                      = {
          + "CostCentre" = "github-secret-scanning-production"
          + "Terraform"  = "true"
          + "ssc_cbrid"  = "22DH"
        }
      ~ tags_all                  = {
          + "CostCentre" = "github-secret-scanning-production"
          + "Terraform"  = "true"
          + "ssc_cbrid"  = "22DH"
        }
        # (19 unchanged attributes hidden)
    }

  # aws_cloudwatch_metric_alarm.api_secret_detected will be updated in-place
  ~ resource "aws_cloudwatch_metric_alarm" "api_secret_detected" {
        id                        = "GitHub secret scanning: secret detected"
      ~ tags                      = {
          + "CostCentre" = "github-secret-scanning-production"
          + "Terraform"  = "true"
          + "ssc_cbrid"  = "22DH"
        }
      ~ tags_all                  = {
          + "CostCentre" = "github-secret-scanning-production"
          + "Terraform"  = "true"
          + "ssc_cbrid"  = "22DH"
        }
        # (19 unchanged attributes hidden)
    }

  # aws_kms_key.sns_cloudwatch will be updated in-place
  ~ resource "aws_kms_key" "sns_cloudwatch" {
        id                                 = "17a3cee1-81fc-462c-99b7-e23b21612aa3"
      ~ tags                               = {
          + "ssc_cbrid"  = "22DH"
            # (2 unchanged elements hidden)
        }
      ~ tags_all                           = {
          + "ssc_cbrid"  = "22DH"
            # (2 unchanged elements hidden)
        }
        # (12 unchanged attributes hidden)
    }

  # aws_sns_topic.cloudwatch_alarm will be updated in-place
  ~ resource "aws_sns_topic" "cloudwatch_alarm" {
        id                                       = "arn:aws:sns:ca-central-1:283582579564:github-secret-scanning-cloudwatch-alarm"
        name                                     = "github-secret-scanning-cloudwatch-alarm"
      ~ tags                                     = {
          + "ssc_cbrid"  = "22DH"
            # (2 unchanged elements hidden)
        }
      ~ tags_all                                 = {
          + "ssc_cbrid"  = "22DH"
            # (2 unchanged elements hidden)
        }
        # (13 unchanged attributes hidden)
    }

Plan: 0 to add, 4 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"

Show Conftest results

WARN - plan.json - main - Cloudwatch log metric pattern is invalid: ["aws_cloudwatch_log_metric_filter.api_error"]

21 tests, 20 passed, 1 warning, 0 failures, 0 exceptions

[github-actions]

Production: alert_compromise

✅   Terraform Init: success
✅   Terraform Validate: success
✅   Terraform Format: success
✅   Terraform Plan: success
✅   Conftest: success

Plan: 0 to add, 3 to change, 0 to destroy

Show summary

CHANGE	NAME
update	aws_iam_role.group_broadcast_alert_role
	aws_lambda_function.broadcast_alert
	aws_ssm_parameter.notify_doc_api_key

Show plan

Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # aws_iam_role.group_broadcast_alert_role will be updated in-place
  ~ resource "aws_iam_role" "group_broadcast_alert_role" {
        id                    = "group_broadcast_alert_role"
        name                  = "group_broadcast_alert_role"
      ~ tags                  = {
          + "CostCentre" = "github-secret-scanning-production"
          + "Terraform"  = "true"
          + "ssc_cbrid"  = "22DH"
        }
      ~ tags_all              = {
          + "CostCentre" = "github-secret-scanning-production"
          + "Terraform"  = "true"
          + "ssc_cbrid"  = "22DH"
        }
        # (8 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

  # aws_lambda_function.broadcast_alert will be updated in-place
  ~ resource "aws_lambda_function" "broadcast_alert" {
        id                             = "broadcast_alert"
        tags                           = {}
      ~ tags_all                       = {
          + "ssc_cbrid" = "22DI"
        }
        # (31 unchanged attributes hidden)

        # (4 unchanged blocks hidden)
    }

  # aws_ssm_parameter.notify_doc_api_key will be updated in-place
  ~ resource "aws_ssm_parameter" "notify_doc_api_key" {
        id              = "notify_doc_api_key"
        name            = "notify_doc_api_key"
      ~ tags            = {
          + "ssc_cbrid"  = "22DH"
            # (2 unchanged elements hidden)
        }
      ~ tags_all        = {
          + "ssc_cbrid"  = "22DH"
            # (2 unchanged elements hidden)
        }
        # (10 unchanged attributes hidden)
    }

Plan: 0 to add, 3 to change, 0 to destroy.

Warning: Argument is deprecated

  with aws_iam_role.group_broadcast_alert_role,
  on iam.tf line 4, in resource "aws_iam_role" "group_broadcast_alert_role":
   4:   managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"]

managed_policy_arns is deprecated. Use the aws_iam_role_policy_attachment
resource instead. If Terraform should exclusively manage all managed policy
attachments (the current behavior of this argument), use the
aws_iam_role_policy_attachments_exclusive resource as well.

(and one more similar warning elsewhere)

─────────────────────────────────────────────────────────────────────────────

Saved the plan to: plan.tfplan

To perform exactly these actions, run the following command to apply:
    terraform apply "plan.tfplan"
Releasing state lock. This may take a few moments...

Show Conftest results

WARN - plan.json - main - Missing Common Tags: ["aws_lambda_function.broadcast_alert"]

21 tests, 20 passed, 1 warning, 0 failures, 0 exceptions