From 152b49bd00bd8323d1cd573e04254eee02498809 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 26 Dec 2025 23:19:41 +0000
Subject: [PATCH 1/2] [#patch](deps): Bump the actions-deps group with 2 updates

Bumps the actions-deps group with 2 updates: [actions/attest-build-provenance](https://github.com/actions/attest-build-provenance) and [Checkmarx/kics-github-action](https://github.com/checkmarx/kics-github-action).

Updates `actions/attest-build-provenance` from 3.0.0 to 3.1.0
- [Release notes](https://github.com/actions/attest-build-provenance/releases)
- [Changelog](https://github.com/actions/attest-build-provenance/blob/main/RELEASE.md)
- [Commits](https://github.com/actions/attest-build-provenance/compare/977bb373ede98d70efdf65b84cb5f73e068dcc2a...00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8)

Updates `Checkmarx/kics-github-action` from 2.1.16 to 2.1.18
- [Release notes](https://github.com/checkmarx/kics-github-action/releases)
- [Commits](https://github.com/checkmarx/kics-github-action/compare/6b6fc1162a0f06704e4cca6e5f8e008ab20fabe5...63fca4ca72e56edbb5a599ee756e6af1fdb1e785)

---
updated-dependencies:
- dependency-name: actions/attest-build-provenance
  dependency-version: 3.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: actions-deps
- dependency-name: Checkmarx/kics-github-action
  dependency-version: 2.1.18
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: actions-deps
...

Signed-off-by: dependabot[bot]
---
 .github/workflows/docker-build-and-push.yml | 2 +-
 .github/workflows/infra-security-scan.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/docker-build-and-push.yml b/.github/workflows/docker-build-and-push.yml
index c0f9e78..567ef3a 100644
--- a/.github/workflows/docker-build-and-push.yml
+++ b/.github/workflows/docker-build-and-push.yml
@@ -151,7 +151,7 @@ jobs:
           tags: localimage:${{ github.sha }}
       - name: Generate artifact attestation
         if: inputs.push
-        uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
+        uses: actions/attest-build-provenance@00014ed6ed5efc5b1ab7f7f34a39eb55d41aa4f8 # v3.1.0
         with:
           subject-name: ${{ inputs.registry }}/${{ inputs.image }}
           subject-digest: ${{ steps.build.outputs.digest }}
diff --git a/.github/workflows/infra-security-scan.yml b/.github/workflows/infra-security-scan.yml
index 7c23429..8ce98e4 100644
--- a/.github/workflows/infra-security-scan.yml
+++ b/.github/workflows/infra-security-scan.yml
@@ -52,7 +52,7 @@ jobs:
         with:
           persist-credentials: false
       - name: Kics Scan
-        uses: Checkmarx/kics-github-action@6b6fc1162a0f06704e4cca6e5f8e008ab20fabe5 # v2.1.16
+        uses: Checkmarx/kics-github-action@63fca4ca72e56edbb5a599ee756e6af1fdb1e785 # v2.1.18
         with:
           path: ${{ inputs.working-directory }}
           output_path: ${{ inputs.working-directory }}/kics_results.sarif

From 88ef48c00d755f14f272e229ee5a939d6d485f29 Mon Sep 17 00:00:00 2001
From: Edoardo Rosa <6991986+notdodo@users.noreply.github.com>
Date: Sat, 27 Dec 2025 00:27:28 +0100
Subject: [PATCH 2/2] fix

---
 .github/workflows/pulumi-preview.yml | 2 +-
 .github/workflows/pulumi-up.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/pulumi-preview.yml b/.github/workflows/pulumi-preview.yml
index 2c79e3f..c424c61 100644
--- a/.github/workflows/pulumi-preview.yml
+++ b/.github/workflows/pulumi-preview.yml
@@ -56,6 +56,7 @@ jobs:
           disable-sudo-and-containers: ${{ inputs.disable-sudo }}
           egress-policy: block
           allowed-endpoints: >
+            *.amazonaws.com:443
             api.github.com:443
             api.pulumi.com:443
             files.pythonhosted.org:443
@@ -64,7 +65,6 @@ jobs:
             objects.githubusercontent.com:443
             pypi.org:443
             release-assets.githubusercontent.com:443
-            *.amazonaws.com:443
             ${{ inputs.egress-policy-allowlist }}
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with:
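Review bot: The `*.amazonaws.com:443` entry that the first pulumi-preview.yml hunk moves to the head of `allowed-endpoints` allowlists every host under amazonaws.com, which is far wider than the handful of AWS API endpoints a Pulumi preview needs and also covers customer-controlled hosts such as arbitrary S3 buckets, so the `egress-policy: block` of this (presumably step-security/harden-runner) step is only as strong as that wildcard. Since the hunk only relocates the entry, the effective policy before and after is identical; consider replacing the wildcard with the specific service hostnames this workflow is observed to contact, or, if it genuinely cannot be narrowed, add a comment above it such as `# broad on purpose: Pulumi calls region-specific AWS service endpoints` so the next reader knows it was a deliberate trade-off. The same move is made in the second hunk of this file and in both hunks of pulumi-up.yml. The enclosing harden-runner step and its `with:` block start and end outside the hunk.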
diff --git a/.github/workflows/pulumi-up.yml b/.github/workflows/pulumi-up.yml
index eba5205..0544567 100644
--- a/.github/workflows/pulumi-up.yml
+++ b/.github/workflows/pulumi-up.yml
@@ -55,6 +55,7 @@ jobs:
           disable-sudo-and-containers: ${{ inputs.disable-sudo }}
           egress-policy: block
           allowed-endpoints: >
+            *.amazonaws.com:443
             api.github.com:443
             api.pulumi.com:443
             files.pythonhosted.org:443
@@ -63,7 +64,6 @@ jobs:
             objects.githubusercontent.com:443
             pypi.org:443
             release-assets.githubusercontent.com:443
-            *.amazonaws.com:443
             ${{ inputs.egress-policy-allowlist }}
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
         with: