Merge branch 'main' into empty-state-triggers

Author: lyubov-voloshko

.github/workflows/build-agent.yml

@@ -67,9 +67,6 @@ jobs:
           name: bake-meta
           path: /tmp
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
@@ -84,6 +81,7 @@ jobs:
         uses: docker/bake-action@v5
         with:
           sbom: true
+          provenance: true
           files: |
             ./docker-bake-agent.hcl
             /tmp/bake-meta.json
@@ -108,14 +106,18 @@ jobs:
           retention-days: 1
 
       - name: Attest Build Provenance
-        uses: actions/attest-build-provenance@v1
+        uses: actions/attest-build-provenance@v2
         with:
           subject-digest: "${{ fromJSON(steps.bake.outputs.metadata).image['containerimage.digest'] }}"
           push-to-registry: false
           subject-name: ${{ env.REGISTRY_IMAGE }}
 
   merge:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
     needs:
       - build
     steps:
@@ -147,6 +149,20 @@ jobs:
           docker buildx imagetools create $(jq -cr '.target."docker-metadata-action".tags | map(select(startswith("${{ env.REGISTRY_IMAGE }}")) | "-t " + .) | join(" ")' /tmp/bake-meta.json) \
             $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
 
+      - name: Get merged manifest digest
+        id: manifest
+        run: |
+          TAG=$(jq -r '.target."docker-metadata-action".args.DOCKER_META_VERSION' /tmp/bake-meta.json)
+          DIGEST="sha256:$(docker buildx imagetools inspect "${{ env.REGISTRY_IMAGE }}:${TAG}" --raw | sha256sum | cut -d ' ' -f1)"
+          echo "digest=${DIGEST}" >> $GITHUB_OUTPUT
+
+      - name: Attest Merged Manifest Provenance
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-digest: ${{ steps.manifest.outputs.digest }}
+          subject-name: ${{ env.REGISTRY_IMAGE }}
+          push-to-registry: false
+
       - name: Inspect image
         run: |
           docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:$(jq -r '.target."docker-metadata-action".args.DOCKER_META_VERSION' /tmp/bake-meta.json)

.github/workflows/build.yml

@@ -68,9 +68,6 @@ jobs:
           name: bake-meta
           path: /tmp
 
-      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v3
-
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
@@ -85,6 +82,7 @@ jobs:
         uses: docker/bake-action@v5
         with:
           sbom: true
+          provenance: true
           files: |
             ./docker-bake.hcl
             /tmp/bake-meta.json
@@ -109,14 +107,18 @@ jobs:
           retention-days: 1
 
       - name: Attest Build Provenance
-        uses: actions/attest-build-provenance@v1
+        uses: actions/attest-build-provenance@v2
         with:
           subject-digest: "${{ fromJSON(steps.bake.outputs.metadata).image['containerimage.digest'] }}"
           push-to-registry: false
-          subject-name: ${{ env.REGISTRY_IMAGE }}          
+          subject-name: ${{ env.REGISTRY_IMAGE }}
 
   merge:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
     needs:
       - build
     steps:
@@ -148,6 +150,20 @@ jobs:
           docker buildx imagetools create $(jq -cr '.target."docker-metadata-action".tags | map(select(startswith("${{ env.REGISTRY_IMAGE }}")) | "-t " + .) | join(" ")' /tmp/bake-meta.json) \
             $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
 
+      - name: Get merged manifest digest
+        id: manifest
+        run: |
+          TAG=$(jq -r '.target."docker-metadata-action".args.DOCKER_META_VERSION' /tmp/bake-meta.json)
+          DIGEST="sha256:$(docker buildx imagetools inspect "${{ env.REGISTRY_IMAGE }}:${TAG}" --raw | sha256sum | cut -d ' ' -f1)"
+          echo "digest=${DIGEST}" >> $GITHUB_OUTPUT
+
+      - name: Attest Merged Manifest Provenance
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-digest: ${{ steps.manifest.outputs.digest }}
+          subject-name: ${{ env.REGISTRY_IMAGE }}
+          push-to-registry: false
+
       - name: Inspect image
         run: |
           docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:$(jq -r '.target."docker-metadata-action".args.DOCKER_META_VERSION' /tmp/bake-meta.json)

.github/workflows/quay.yml

@@ -92,6 +92,7 @@ jobs:
         uses: docker/bake-action@v5
         with:
           sbom: true
+          provenance: true
           files: |
             ./docker-bake.hcl
             /tmp/bake-meta.json
@@ -116,14 +117,18 @@ jobs:
           retention-days: 1
 
       - name: Attest Build Provenance
-        uses: actions/attest-build-provenance@v1
+        uses: actions/attest-build-provenance@v2
         with:
           subject-digest: "${{ fromJSON(steps.bake.outputs.metadata).image['containerimage.digest'] }}"
           push-to-registry: false
           subject-name: ${{ env.REGISTRY_IMAGE }}
 
   merge:
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      contents: read
+      attestations: write
     needs:
       - build
     steps:
@@ -156,6 +161,20 @@ jobs:
           docker buildx imagetools create $(jq -cr '.target."docker-metadata-action".tags | map(select(startswith("${{ env.REGISTRY_IMAGE }}")) | "-t " + .) | join(" ")' /tmp/bake-meta.json) \
             $(printf '${{ env.REGISTRY_IMAGE }}@sha256:%s ' *)
 
+      - name: Get merged manifest digest
+        id: manifest
+        run: |
+          TAG=$(jq -r '.target."docker-metadata-action".args.DOCKER_META_VERSION' /tmp/bake-meta.json)
+          DIGEST="sha256:$(docker buildx imagetools inspect "${{ env.REGISTRY_IMAGE }}:${TAG}" --raw | sha256sum | cut -d ' ' -f1)"
+          echo "digest=${DIGEST}" >> $GITHUB_OUTPUT
+
+      - name: Attest Merged Manifest Provenance
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-digest: ${{ steps.manifest.outputs.digest }}
+          subject-name: ${{ env.REGISTRY_IMAGE }}
+          push-to-registry: false
+
       - name: Inspect image
         run: |
           docker buildx imagetools inspect ${{ env.REGISTRY_IMAGE }}:$(jq -r '.target."docker-metadata-action".args.DOCKER_META_VERSION' /tmp/bake-meta.json)

.github/workflows/saas.yml

@@ -27,6 +27,7 @@ jobs:
     permissions:
       contents: read
       packages: write
+      attestations: write
       # This is used to complete the identity challenge
       # with sigstore/fulcio when running outside of PRs.
       id-token: write
@@ -92,6 +93,16 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          sbom: true
+          provenance: true
+
+      - name: Attest Build Provenance
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ steps.build-and-push.outputs.digest }}
+          push-to-registry: true
 
       # Sign the resulting Docker image digest except on PRs.
       # This will only write to the public Rekor transparency log when the Docker

.github/workflows/ws-server.yml

@@ -27,6 +27,7 @@ jobs:
     permissions:
       contents: read
       packages: write
+      attestations: write
       # This is used to complete the identity challenge
       # with sigstore/fulcio when running outside of PRs.
       id-token: write
@@ -80,6 +81,16 @@ jobs:
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          sbom: true
+          provenance: true
+
+      - name: Attest Build Provenance
+        if: ${{ github.event_name != 'pull_request' }}
+        uses: actions/attest-build-provenance@v2
+        with:
+          subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          subject-digest: ${{ steps.build-and-push.outputs.digest }}
+          push-to-registry: true
 
       # Sign the resulting Docker image digest except on PRs.
       # This will only write to the public Rekor transparency log when the Docker

backend/package.json

@@ -25,38 +25,38 @@
 	},
 	"dependencies": {
 		"@amplitude/node": "1.10.2",
-		"@aws-sdk/client-bedrock-runtime": "^3.990.0",
-		"@aws-sdk/client-s3": "^3.990.0",
-		"@aws-sdk/lib-dynamodb": "^3.990.0",
-		"@aws-sdk/s3-request-presigner": "^3.990.0",
-		"@cedar-policy/cedar-wasm": "^4.9.0",
-		"@electric-sql/pglite": "^0.3.15",
+		"@aws-sdk/client-bedrock-runtime": "^3.1011.0",
+		"@aws-sdk/client-s3": "^3.1011.0",
+		"@aws-sdk/lib-dynamodb": "^3.1011.0",
+		"@aws-sdk/s3-request-presigner": "^3.1011.0",
+		"@cedar-policy/cedar-wasm": "^4.9.1",
+		"@electric-sql/pglite": "^0.4.0",
 		"@faker-js/faker": "^10.3.0",
-		"@langchain/aws": "^1.3.0",
-		"@langchain/core": "^1.1.29",
-		"@langchain/openai": "^1.2.11",
-		"@nestjs/common": "11.1.14",
+		"@langchain/aws": "^1.3.3",
+		"@langchain/core": "^1.1.33",
+		"@langchain/openai": "^1.3.0",
+		"@nestjs/common": "11.1.17",
 		"@nestjs/config": "4.0.3",
-		"@nestjs/core": "11.1.14",
-		"@nestjs/platform-express": "11.1.14",
+		"@nestjs/core": "11.1.17",
+		"@nestjs/platform-express": "11.1.17",
 		"@nestjs/schedule": "^6.1.1",
 		"@nestjs/swagger": "^11.2.6",
 		"@nestjs/throttler": "^6.5.0",
 		"@nestjs/typeorm": "^11.0.0",
 		"@nestjsx/crud": "4.6.2",
 		"@rocketadmin/shared-code": "workspace:*",
 		"@sentry/minimal": "^6.19.7",
-		"@sentry/node": "10.40.0",
+		"@sentry/node": "10.44.0",
 		"@toon-format/toon": "^2.1.0",
 		"@types/crypto-js": "^4.2.2",
 		"@types/jsonwebtoken": "^9.0.10",
-		"@types/multer": "^2.0.0",
+		"@types/multer": "^2.1.0",
 		"@types/nodemailer": "^7.0.11",
 		"@types/nunjucks": "^3.2.6",
 		"@types/qrcode": "^1.5.6",
 		"@zapier/secret-scrubber": "^1.1.6",
 		"argon2": "0.44.0",
-		"axios": "^1.13.5",
+		"axios": "^1.13.6",
 		"base32-encode": "^2.0.0",
 		"basic-auth": "2.0.1",
 		"bcrypt": "6.0.0",
@@ -66,7 +66,7 @@
 		"cookie-parser": "^1.4.7",
 		"crc": "^4.3.2",
 		"crypto-js": "4.2.0",
-		"csv": "^6.4.1",
+		"csv": "^6.5.0",
 		"dotenv": "17.3.1",
 		"express": "5.2.1",
 		"fetch-blob": "^4.0.0",
@@ -76,25 +76,25 @@
 		"json2csv": "^5.0.7",
 		"jsonwebtoken": "^9.0.3",
 		"knex": "3.1.0",
-		"langchain": "^1.2.28",
-		"lru-cache": "^11.2.6",
-		"nanoid": "5.1.6",
-		"nodemailer": "^8.0.1",
+		"langchain": "^1.2.34",
+		"lru-cache": "^11.2.7",
+		"nanoid": "5.1.7",
+		"nodemailer": "^8.0.2",
 		"nunjucks": "^3.2.4",
-		"openai": "^6.25.0",
+		"openai": "^6.32.0",
 		"otplib": "^12.0.1",
 		"p-queue": "9.1.0",
-		"pg": "^8.19.0",
-		"pg-connection-string": "^2.11.0",
+		"pg": "^8.20.0",
+		"pg-connection-string": "^2.12.0",
 		"qrcode": "^1.5.4",
 		"query-string": "^9.3.1",
 		"reflect-metadata": "0.2.2",
 		"rimraf": "6.1.3",
 		"rxjs": "7.8.2",
-		"safe-regex2": "^5.0.0",
+		"safe-regex2": "^5.1.0",
 		"secure-json-parse": "4.1.0",
 		"typeorm": "0.3.28",
-		"typeorm-pglite": "^0.3.2",
+		"typeorm-pglite": "^0.3.4",
 		"uuid": "^13.0.0",
 		"validator": "^13.15.26",
 		"winston": "3.19.0"
@@ -103,7 +103,7 @@
 		"@ava/typescript": "6.0.0",
 		"@nestjs/cli": "^11.0.16",
 		"@nestjs/schematics": "11.0.9",
-		"@nestjs/testing": "^11.1.14",
+		"@nestjs/testing": "^11.1.17",
 		"@types/bcrypt": "^6.0.0",
 		"@types/body-parser": "^1.19.6",
 		"@types/cookie-parser": "^1.4.10",
@@ -112,13 +112,13 @@
 		"@types/ibm_db": "^3.2.0",
 		"@types/json2csv": "^5.0.7",
 		"@types/node": "^24.10.1",
-		"@types/pg": "^8.16.0",
+		"@types/pg": "^8.18.0",
 		"@types/safe-regex": "^1.1.6",
 		"@types/supertest": "^7.2.0",
 		"@types/uuid": "^11.0.0",
 		"@types/validator": "^13.15.10",
 		"ava": "6.4.1",
-		"knip": "^5.85.0",
+		"knip": "^5.88.0",
 		"nock": "^14.0.11",
 		"supertest": "^7.2.2",
 		"ts-loader": "^9.5.4",

backend/src/common/data-injection.tokens.ts

@@ -114,6 +114,8 @@ export enum UseCaseType {
 	FREEZE_CONNECTIONS_IN_COMPANY = 'FREEZE_CONNECTIONS_IN_COMPANY',
 	UNFREEZE_CONNECTIONS_IN_COMPANY = 'UNFREEZE_CONNECTIONS_IN_COMPANY',
 	SAAS_REGISTER_USER_WITH_SAML = 'SAAS_REGISTER_USER_WITH_SAML',
+	SAAS_CREATE_CONNECTION_FOR_HOSTED_DB = 'SAAS_CREATE_CONNECTION_FOR_HOSTED_DB',
+	SAAS_DELETE_CONNECTION_FOR_HOSTED_DB = 'SAAS_DELETE_CONNECTION_FOR_HOSTED_DB',
 
 	INVITE_USER_IN_COMPANY_AND_CONNECTION_GROUP = 'INVITE_USER_IN_COMPANY_AND_CONNECTION_GROUP',
 	VERIFY_INVITE_USER_IN_COMPANY_AND_CONNECTION_GROUP = 'VERIFY_INVITE_USER_IN_COMPANY_AND_CONNECTION_GROUP',