From 60d4726a009558fd9edd75b169b1b246ceff9a4f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 7 Feb 2024 06:33:48 +0000
Subject: [PATCH 01/31] Bump django from 5.0.1 to 5.0.2 in /PyOdbDesignServer

Bumps [django](https://github.com/django/django) from 5.0.1 to 5.0.2.
- [Commits](https://github.com/django/django/compare/5.0.1...5.0.2)

---
updated-dependencies:
- dependency-name: django
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 PyOdbDesignServer/requirements.txt | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/PyOdbDesignServer/requirements.txt b/PyOdbDesignServer/requirements.txt
index ca9bc938..a1fd0426 100644
--- a/PyOdbDesignServer/requirements.txt
+++ b/PyOdbDesignServer/requirements.txt
@@ -8,9 +8,9 @@ asgiref==3.7.2 \
     --hash=sha256:89b2ef2247e3b562a16eef663bc0e2e703ec6468e2fa8a5cd61cd449786d4f6e \
     --hash=sha256:9e0ce3aa93a819ba5b45120216b23878cf6e8525eb3848653452b4192b92afed
     # via django
-django==5.0.1 \
-    --hash=sha256:8c8659665bc6e3a44fefe1ab0a291e5a3fb3979f9a8230be29de975e57e8f854 \
-    --hash=sha256:f47a37a90b9bbe2c8ec360235192c7fddfdc832206fcf618bb849b39256affc1
+django==5.0.2 \
+    --hash=sha256:56ab63a105e8bb06ee67381d7b65fe6774f057e41a8bab06c8020c8882d8ecd4 \
+    --hash=sha256:b5bb1d11b2518a5f91372a282f24662f58f66749666b0a286ab057029f728080
     # via
     #   -r requirements.in
     #   djangorestframework

From 36a9a191b8f6f626bccf26f2b765866a6a60d64a Mon Sep 17 00:00:00 2001
From: Nathan Miller <nmiller217@gmail.com>
Date: Sun, 11 Feb 2024 20:25:11 -0800
Subject: [PATCH 02/31] don't install aws cli since its apparently already
 installed

---
 .github/workflows/deploy-eks.yml | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/.github/workflows/deploy-eks.yml b/.github/workflows/deploy-eks.yml
index 9147498b..534d5119 100644
--- a/.github/workflows/deploy-eks.yml
+++ b/.github/workflows/deploy-eks.yml
@@ -36,10 +36,11 @@ jobs:
     
     - name: Install AWS CLI
       run: |
-        curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
-        unzip awscliv2.zip
-        sudo ./aws/install
         aws --version
+        # curl "https://awscli.amazonaws.com/awscli-exe-linux-x86_64.zip" -o "awscliv2.zip"
+        # unzip awscliv2.zip
+        # sudo ./aws/install
+        # aws --version
 
     - name: Configure AWS credentials
       uses: aws-actions/configure-aws-credentials@v4.0.1
@@ -48,8 +49,9 @@ jobs:
         aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
         aws-region: ${{ env.AWS_REGION }}  
 
-    - name: Configure kubectl via Secret Env
-      run: | 
+    - name: Configure kubectl
+      run: |
+        aws --version
         echo ${{ secrets.KUBECONFIG }} > ${{ github.workspace }}/kubeconfig
         export KUBECONFIG=${{ github.workspace }}/kubeconfig
         echo $KUBECONFIG

From 703f01288a26f3e8fe054ec8cdc5a58eb58ec43b Mon Sep 17 00:00:00 2001
From: Nathan Miller <nmiller217@gmail.com>
Date: Sun, 11 Feb 2024 20:57:29 -0800
Subject: [PATCH 03/31] add environment url and use payload.ref_name for
 environment name

---
 .github/workflows/deploy-eks.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/deploy-eks.yml b/.github/workflows/deploy-eks.yml
index 534d5119..3bd94c1a 100644
--- a/.github/workflows/deploy-eks.yml
+++ b/.github/workflows/deploy-eks.yml
@@ -18,7 +18,9 @@ jobs:
   deploy:
     name: Deploy
     runs-on: ubuntu-22.04
-    environment: production
+    environment: 
+      name: ${{ github.event.client_payload.ref_name }}
+      url: http://default-ingress-1165108808.us-west-2.elb.amazonaws.com/swagger
 
     steps:
 

From c70ef07935c71ee4b9b1fa17dd64a0b28ac44d20 Mon Sep 17 00:00:00 2001
From: Nathan Miller <nmiller217@gmail.com>
Date: Sun, 11 Feb 2024 20:58:35 -0800
Subject: [PATCH 04/31] ass SBOM generation and submission workflow

---
 .github/workflows/sbom-generate-submit.yml | 30 ++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100644 .github/workflows/sbom-generate-submit.yml

diff --git a/.github/workflows/sbom-generate-submit.yml b/.github/workflows/sbom-generate-submit.yml
new file mode 100644
index 00000000..759183b0
--- /dev/null
+++ b/.github/workflows/sbom-generate-submit.yml
@@ -0,0 +1,30 @@
+name: SBOM Generate and Submit
+
+on:
+  push:
+    branches: [ "release" ]
+  workflow_dispatch:
+
+permissions:
+    contents: read
+
+jobs:
+  build:
+    runs-on: ubuntu-22.04
+    permissions: read-all
+
+    steps:
+      - name: Checkout Code
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: SBOM Generate
+        uses: advanced-security/sbom-generator-action@v0.0.1
+        id: sbom-generate
+        env: 
+          GITHUB_TOKEN: ${{ github.token }}
+
+      - name: SBOM Upload 
+        uses: advanced-security/spdx-dependency-submission-action@v0.0.1
+        with:
+            filePath: ${{steps.sbom-generate.outputs.fileName }}
+     
\ No newline at end of file

From 6c098151f727e9605a4bf5ca2b920912bb219ab3 Mon Sep 17 00:00:00 2001
From: Nathan Miller <nmiller217@gmail.com>
Date: Sun, 11 Feb 2024 20:59:00 -0800
Subject: [PATCH 05/31] change payload.ref to ref_name

---
 .github/workflows/docker-publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index b1be7868..81406da4 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -110,4 +110,4 @@ jobs:
         with:
           repository: ${{ github.repository }}
           event-type: trigger_deploy_release_event
-          client-payload: '{"ref": "${{ github.ref_name }}", "dispatch_id": "${{ secrets.DISPATCH_ID }}"}'
+          client-payload: '{"ref_name": "${{ github.ref_name }}", "dispatch_id": "${{ secrets.DISPATCH_ID }}"}'

From 6d961b917cdb00864747f39e3c80e1b0279d8758 Mon Sep 17 00:00:00 2001
From: Nathan Miller <nmiller217@gmail.com>
Date: Sun, 11 Feb 2024 20:59:53 -0800
Subject: [PATCH 06/31] add dependency submission job to dependency review
 workflow

---
 .github/workflows/dependency-review.yml | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 50f55be6..63ae082c 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -15,8 +15,20 @@ permissions:
   contents: read  
 
 jobs:
+
+  dependency-submission:
+    runs-on: ubuntu-22.04
+    permissions: 
+      id-token: write
+      contents: write
+          
+    steps:
+      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+      - name: Component detection 
+        uses: advanced-security/component-detection-dependency-submission-action@v0.0.2       
+
   dependency-review:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-22.04
     permissions: 
       contents: write
       pull-requests: write
@@ -24,6 +36,7 @@ jobs:
     steps:
       - name: 'Checkout Repository'
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@4901385134134e04cec5fbe5ddfe3b2c5bd5d976 # v4.0.0
         with:

From e9c331b09da05bf2e2ca0ccdb3ea80e7633d4695 Mon Sep 17 00:00:00 2001
From: Nathan Miller <nmiller217@gmail.com>
Date: Sun, 11 Feb 2024 21:00:38 -0800
Subject: [PATCH 07/31] run sbom workflow on development branch pushes

---
 .github/workflows/sbom-generate-submit.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/sbom-generate-submit.yml b/.github/workflows/sbom-generate-submit.yml
index 759183b0..240f752e 100644
--- a/.github/workflows/sbom-generate-submit.yml
+++ b/.github/workflows/sbom-generate-submit.yml
@@ -2,7 +2,7 @@ name: SBOM Generate and Submit
 
 on:
   push:
-    branches: [ "release" ]
+    branches: [ "development", "release" ]
   workflow_dispatch:
 
 permissions:

From dd7a421cfc4249a21e11d32660297ecf88ebeb37 Mon Sep 17 00:00:00 2001
From: Nathan Miller <nmiller217@gmail.com>
Date: Sun, 11 Feb 2024 21:04:55 -0800
Subject: [PATCH 08/31] simplify dependency review workflow

---
 .github/workflows/dependency-review.yml | 14 +++-----------
 1 file changed, 3 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 63ae082c..3c58ad21 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -16,17 +16,6 @@ permissions:
 
 jobs:
 
-  dependency-submission:
-    runs-on: ubuntu-22.04
-    permissions: 
-      id-token: write
-      contents: write
-          
-    steps:
-      - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - name: Component detection 
-        uses: advanced-security/component-detection-dependency-submission-action@v0.0.2       
-
   dependency-review:
     runs-on: ubuntu-22.04
     permissions: 
@@ -37,6 +26,9 @@ jobs:
       - name: 'Checkout Repository'
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
+      - name: Component detection 
+        uses: advanced-security/component-detection-dependency-submission-action@v0.0.2       
+
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@4901385134134e04cec5fbe5ddfe3b2c5bd5d976 # v4.0.0
         with:

From c0f988ccc943590e4888a6359b2cf68000567f47 Mon Sep 17 00:00:00 2001
From: Nathan Miller <nmiller217@gmail.com>
Date: Sun, 11 Feb 2024 21:26:28 -0800
Subject: [PATCH 09/31] Create jekyll-gh-pages.yml

---
 .github/workflows/jekyll-gh-pages.yml | 54 +++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)
 create mode 100644 .github/workflows/jekyll-gh-pages.yml

diff --git a/.github/workflows/jekyll-gh-pages.yml b/.github/workflows/jekyll-gh-pages.yml
new file mode 100644
index 00000000..dfcc4878
--- /dev/null
+++ b/.github/workflows/jekyll-gh-pages.yml
@@ -0,0 +1,54 @@
+# Sample workflow for building and deploying a Jekyll site to GitHub Pages
+name: Deploy Jekyll with GitHub Pages dependencies preinstalled
+
+on:
+  # Runs on pushes targeting the default branch
+  push:
+    branches: ["release"]
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
+concurrency:
+  group: "pages"
+  cancel-in-progress: false
+
+jobs:
+  # Build job
+  build:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        
+      - name: Setup Pages
+        uses: actions/configure-pages@v4
+        
+      - name: Build with Jekyll
+        uses: actions/jekyll-build-pages@v1
+        with:
+          source: ./docs
+          destination: ./_site
+          
+      - name: Upload artifact
+        uses: actions/upload-pages-artifact@v3
+
+  # Deployment job
+  deploy:
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4

From edcbb6bc2effbf6afcfee8632c267bd31e448234 Mon Sep 17 00:00:00 2001
From: Nathan Miller <nmiller217@gmail.com>
Date: Sun, 11 Feb 2024 21:43:42 -0800
Subject: [PATCH 10/31] add write permissions for SBOM upload workflow

---
 .github/workflows/sbom-generate-submit.yml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/sbom-generate-submit.yml b/.github/workflows/sbom-generate-submit.yml
index 240f752e..a89ece22 100644
--- a/.github/workflows/sbom-generate-submit.yml
+++ b/.github/workflows/sbom-generate-submit.yml
@@ -2,7 +2,7 @@ name: SBOM Generate and Submit
 
 on:
   push:
-    branches: [ "development", "release" ]
+    branches: [ "main", "release", "development", "nam20485" ]
   workflow_dispatch:
 
 permissions:
@@ -11,7 +11,9 @@ permissions:
 jobs:
   build:
     runs-on: ubuntu-22.04
-    permissions: read-all
+    permissions: 
+        id-token: write
+        contents: write
 
     steps:
       - name: Checkout Code
@@ -26,5 +28,5 @@ jobs:
       - name: SBOM Upload 
         uses: advanced-security/spdx-dependency-submission-action@v0.0.1
         with:
-            filePath: ${{steps.sbom-generate.outputs.fileName }}
+            filePath: ${{ steps.sbom-generate.outputs.fileName }}
      
\ No newline at end of file

From ccdca91eb2655763de5a97575a794ef69f09488d Mon Sep 17 00:00:00 2001
From: Nathan Miller <nmiller217@gmail.com>
Date: Sun, 11 Feb 2024 21:48:52 -0800
Subject: [PATCH 11/31] make OdbDesignTestData repo public and use default
 token to access

---
 .github/workflows/cmake-multi-platform.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/cmake-multi-platform.yml b/.github/workflows/cmake-multi-platform.yml
index ea553934..24c34d67 100644
--- a/.github/workflows/cmake-multi-platform.yml
+++ b/.github/workflows/cmake-multi-platform.yml
@@ -148,7 +148,7 @@ jobs:
         repository: 'nam20485/OdbDesignTestData'
         path: 'OdbDesignTestData'
         ref: 'main'
-        token: ${{ secrets.ODBDESIGN_TESTDATA_ACCESS_TOKEN }}
+        #token: ${{ secrets.ODBDESIGN_TESTDATA_ACCESS_TOKEN }}
         
     - name : Export ODB_TEST_DATA_DIR    
       uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1

From 685f32e8f94f68ef38cd5173d322e57748fc67b8 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 12 Feb 2024 06:23:09 +0000
Subject: [PATCH 12/31] Bump actions/upload-artifact from 4.2.0 to 4.3.1

Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.2.0 to 4.3.1.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/694cdabd8bdb0f10b2cea11669e1bf5453eed0a6...5d5d22a31266ced268874388b861e4b58bb5c2f3)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/cmake-multi-platform.yml | 2 +-
 .github/workflows/scorecard.yml            | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/cmake-multi-platform.yml b/.github/workflows/cmake-multi-platform.yml
index 24c34d67..f40ee25d 100644
--- a/.github/workflows/cmake-multi-platform.yml
+++ b/.github/workflows/cmake-multi-platform.yml
@@ -207,7 +207,7 @@ jobs:
         Compress-Archive -Path "${{env.ARTIFACTS_DIR_WIN}}\*.dll","${{env.ARTIFACTS_DIR_WIN}}\*.exe"  -DestinationPath "${{env.ARTIFACTS_DIR_WIN}}\artifacts-${{matrix.os}}.zip" -Verbose -Force
 
     - name: Upload Artifacts
-      uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0
+      uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
       with:
         name: ${{ matrix.os }}-artifacts
         path: ${{ env.ARTIFACTS_DIR }}/artifacts-${{matrix.os}}.zip
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index a3811e0c..2857989c 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -61,7 +61,7 @@ jobs:
       # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
       # format to the repository Actions tab.
       - name: "Upload artifact"
-        uses: actions/upload-artifact@694cdabd8bdb0f10b2cea11669e1bf5453eed0a6 # v4.2.0
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
         with:
           name: SARIF file
           path: results.sarif

From 7afd90d764862e3a5b8b95166a2adc405cbf1534 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 13 Feb 2024 06:32:10 +0000
Subject: [PATCH 13/31] Bump debian from bookworm-20240110-slim to
 bookworm-20240211-slim

Bumps debian from bookworm-20240110-slim to bookworm-20240211-slim.

---
updated-dependencies:
- dependency-name: debian
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 Dockerfile                   | 4 ++--
 Dockerfile (exe)             | 4 ++--
 Dockerfile_PyOdbDesignServer | 4 ++--
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 3515d544..c74844b8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM debian:bookworm-20240110@sha256:b16cef8cbcb20935c0f052e37fc3d38dc92bfec0bcfb894c328547f81e932d67 AS build
+FROM debian:bookworm-20240211@sha256:4482958b4461ff7d9fabc24b3a9ab1e9a2c85ece07b2db1840c7cbc01d053e90 AS build
 
 ARG OWNER=nam20485
 ARG GITHUB_TOKEN="PASSWORD"
@@ -66,7 +66,7 @@ RUN cmake --build --preset linux-release
 # RUN cmake --build --preset linux-debug
 
 # much smaller runtime image
-FROM debian:bookworm-20240110-slim@sha256:f4a83aa865a2b4a064ff142aa91c713180df9fcb86ce676b5de2981029379c37 AS run
+FROM debian:bookworm-20240211-slim@sha256:d02c76d82364cedca16ba3ed6f9102406fa9fa8833076a609cabf14270f43dfc AS run
 LABEL org.opencontainers.image.source=https://github.com/nam20485/OdbDesign
 LABEL org.opencontainers.image.authors=https://github.com/nam20485
 LABEL org.opencontainers.image.description="The OdbDesign Docker image runs the OdbDesignServer REST API server executable, listening on port 8888."
diff --git a/Dockerfile (exe) b/Dockerfile (exe)
index 2f1a1960..e78026c7 100644
--- a/Dockerfile (exe)	
+++ b/Dockerfile (exe)	
@@ -1,4 +1,4 @@
-FROM debian:bookworm-20240110-slim@sha256:f4a83aa865a2b4a064ff142aa91c713180df9fcb86ce676b5de2981029379c37 AS build
+FROM debian:bookworm-20240211-slim@sha256:d02c76d82364cedca16ba3ed6f9102406fa9fa8833076a609cabf14270f43dfc AS build
 
 # install dependencies
 RUN apt-get update && \
@@ -52,7 +52,7 @@ RUN cp /src/OdbDesign/out/build/linux-release/OdbDesignLib/libOdbDesign.so ./_Py
 #RUN python3 -m build
 
 # much smaller runtime image
-FROM debian:bookworm-20240110-slim@sha256:f4a83aa865a2b4a064ff142aa91c713180df9fcb86ce676b5de2981029379c37 AS run
+FROM debian:bookworm-20240211-slim@sha256:d02c76d82364cedca16ba3ed6f9102406fa9fa8833076a609cabf14270f43dfc AS run
 
 RUN mkdir /OdbDesign
 WORKDIR /OdbDesign
diff --git a/Dockerfile_PyOdbDesignServer b/Dockerfile_PyOdbDesignServer
index f6ba739c..55c6dff8 100644
--- a/Dockerfile_PyOdbDesignServer
+++ b/Dockerfile_PyOdbDesignServer
@@ -1,4 +1,4 @@
-FROM debian:bookworm-20240110-slim@sha256:f4a83aa865a2b4a064ff142aa91c713180df9fcb86ce676b5de2981029379c37 AS build
+FROM debian:bookworm-20240211-slim@sha256:d02c76d82364cedca16ba3ed6f9102406fa9fa8833076a609cabf14270f43dfc AS build
 
 # install dependencies
 RUN apt-get update && \
@@ -44,7 +44,7 @@ RUN cmake --build --preset python-linux-release
 
 # much smaller runtime image
 #FROM python:3.11.4-bullseye AS run
-FROM debian:bookworm-20240110-slim@sha256:f4a83aa865a2b4a064ff142aa91c713180df9fcb86ce676b5de2981029379c37 as run
+FROM debian:bookworm-20240211-slim@sha256:d02c76d82364cedca16ba3ed6f9102406fa9fa8833076a609cabf14270f43dfc as run
 
 # copy PyOdbDesignServer files
 COPY --from=build /src/OdbDesign/PyOdbDesignServer PyOdbDesignServer

From 9efc5116515729dc9904f119fc14e369db3a4419 Mon Sep 17 00:00:00 2001
From: Nathan Miller <nmiller217@gmail.com>
Date: Tue, 13 Feb 2024 11:22:09 -0800
Subject: [PATCH 14/31] allow manual start for scorecard workflow

---
 .github/workflows/scorecard.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index a3811e0c..d25ad0c7 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -15,6 +15,7 @@ on:
   #  branches: [ "development" ]
   pull_request:
     branches: [ "development" ]
+  workflow_dispatch:
 
 # Declare default permissions as read only.
 permissions: read-all

From 4129d7c103b133c7b33a699f538f036278fcccd9 Mon Sep 17 00:00:00 2001
From: Nathan Miller <nmiller217@gmail.com>
Date: Tue, 13 Feb 2024 11:22:35 -0800
Subject: [PATCH 15/31] add name for SBOM workflow

---
 .github/workflows/sbom-generate-submit.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/sbom-generate-submit.yml b/.github/workflows/sbom-generate-submit.yml
index a89ece22..1d841f48 100644
--- a/.github/workflows/sbom-generate-submit.yml
+++ b/.github/workflows/sbom-generate-submit.yml
@@ -10,6 +10,7 @@ permissions:
 
 jobs:
   build:
+    name: Generate-Submit-SBOM
     runs-on: ubuntu-22.04
     permissions: 
         id-token: write

From 8c976fa06882c19c450d2836c9b5861bc08bb352 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 14 Feb 2024 01:00:09 +0000
Subject: [PATCH 16/31] Bump github/codeql-action from 3.23.1 to 3.24.1

Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.23.1 to 3.24.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/0b21cf2492b6b02c465a3e5d7c473717ad7721ba...e675ced7a7522a761fc9c8eb26682c8b27c42b2b)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/codeql.yml            | 4 ++--
 .github/workflows/docker-scout-scan.yml | 2 +-
 .github/workflows/scorecard.yml         | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index fe603425..e168c41b 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -47,7 +47,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1
+      uses: github/codeql-action/init@e675ced7a7522a761fc9c8eb26682c8b27c42b2b # v3.24.1
       with:        
         languages: ${{ matrix.language }}
         config-file: ${{ github.workspace }}/.github/codeql-config.yml        
@@ -78,6 +78,6 @@ jobs:
       run: cmake --build --preset linux-release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1
+      uses: github/codeql-action/analyze@e675ced7a7522a761fc9c8eb26682c8b27c42b2b # v3.24.1
       with:
         category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/docker-scout-scan.yml b/.github/workflows/docker-scout-scan.yml
index 06c9fa79..f00d5bbf 100644
--- a/.github/workflows/docker-scout-scan.yml
+++ b/.github/workflows/docker-scout-scan.yml
@@ -138,7 +138,7 @@ jobs:
         
       - name: Upload SARIF result
         id: upload-sarif
-        uses: github/codeql-action/upload-sarif@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1
+        uses: github/codeql-action/upload-sarif@e675ced7a7522a761fc9c8eb26682c8b27c42b2b # v3.24.1
         with:
           sarif_file: sarif.output.json
       
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 2857989c..61a3ddd3 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -69,6 +69,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@0b21cf2492b6b02c465a3e5d7c473717ad7721ba # v3.23.1
+        uses: github/codeql-action/upload-sarif@e675ced7a7522a761fc9c8eb26682c8b27c42b2b # v3.24.1
         with:
           sarif_file: results.sarif

From 3fa9219d14398f107b7a00529ea36a71f8a1c633 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 14 Feb 2024 02:01:52 +0000
Subject: [PATCH 17/31] Bump ammaraskar/gcc-problem-matcher from 0.2.0 to 0.3.0

Bumps [ammaraskar/gcc-problem-matcher](https://github.com/ammaraskar/gcc-problem-matcher) from 0.2.0 to 0.3.0.
- [Release notes](https://github.com/ammaraskar/gcc-problem-matcher/releases)
- [Commits](https://github.com/ammaraskar/gcc-problem-matcher/compare/d1fed1fac9e94d30e23b5a82dba4e2963e71d2e7...0f9c86f9e693db67dacf53986e1674de5f2e5f28)

---
updated-dependencies:
- dependency-name: ammaraskar/gcc-problem-matcher
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/cmake-multi-platform.yml | 2 +-
 .github/workflows/docker-publish.yml       | 2 +-
 .github/workflows/docker-scout-scan.yml    | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/cmake-multi-platform.yml b/.github/workflows/cmake-multi-platform.yml
index f40ee25d..07921cfc 100644
--- a/.github/workflows/cmake-multi-platform.yml
+++ b/.github/workflows/cmake-multi-platform.yml
@@ -59,7 +59,7 @@ jobs:
       uses: ammaraskar/msvc-problem-matcher@13149ebc00eaa00eadcd81b204d7159cca5de4fd # master
       if: matrix.os == 'windows-2022'
     - name: Add Problem Matchers
-      uses: ammaraskar/gcc-problem-matcher@d1fed1fac9e94d30e23b5a82dba4e2963e71d2e7 # master
+      uses: ammaraskar/gcc-problem-matcher@0f9c86f9e693db67dacf53986e1674de5f2e5f28 # master
       if: matrix.os != 'windows-2022'
     
     - name: Install vcpkg Dependencies
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 81406da4..313612b4 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -41,7 +41,7 @@ jobs:
 
       # add problem matchers
       - name: Add Problem Matchers
-        uses: ammaraskar/gcc-problem-matcher@d1fed1fac9e94d30e23b5a82dba4e2963e71d2e7 # master
+        uses: ammaraskar/gcc-problem-matcher@0f9c86f9e693db67dacf53986e1674de5f2e5f28 # master
 
         # Install the cosign tool except on PR
         # https://github.com/sigstore/cosign-installer
diff --git a/.github/workflows/docker-scout-scan.yml b/.github/workflows/docker-scout-scan.yml
index f00d5bbf..c9608cc5 100644
--- a/.github/workflows/docker-scout-scan.yml
+++ b/.github/workflows/docker-scout-scan.yml
@@ -47,7 +47,7 @@ jobs:
 
       # add problem matchers
       - name: Add Problem Matchers
-        uses: ammaraskar/gcc-problem-matcher@d1fed1fac9e94d30e23b5a82dba4e2963e71d2e7 # master
+        uses: ammaraskar/gcc-problem-matcher@0f9c86f9e693db67dacf53986e1674de5f2e5f28 # master
 
     #   # Install the cosign tool except on PR
     #   # https://github.com/sigstore/cosign-installer

From fdbcb1334beac0f72ea88a0bc8e61fa0786c11ee Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 14 Feb 2024 02:17:44 +0000
Subject: [PATCH 18/31] Bump ammaraskar/msvc-problem-matcher from 0.2.0 to
 0.3.0

Bumps [ammaraskar/msvc-problem-matcher](https://github.com/ammaraskar/msvc-problem-matcher) from 0.2.0 to 0.3.0.
- [Release notes](https://github.com/ammaraskar/msvc-problem-matcher/releases)
- [Commits](https://github.com/ammaraskar/msvc-problem-matcher/compare/13149ebc00eaa00eadcd81b204d7159cca5de4fd...1ebcb382869bfdc2cc645e8a2a43b6d319ea1cc0)

---
updated-dependencies:
- dependency-name: ammaraskar/msvc-problem-matcher
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/cmake-multi-platform.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/cmake-multi-platform.yml b/.github/workflows/cmake-multi-platform.yml
index 07921cfc..addb806a 100644
--- a/.github/workflows/cmake-multi-platform.yml
+++ b/.github/workflows/cmake-multi-platform.yml
@@ -56,7 +56,7 @@ jobs:
     
     # add problem matchers by compiler
     - name: Add Problem Matchers
-      uses: ammaraskar/msvc-problem-matcher@13149ebc00eaa00eadcd81b204d7159cca5de4fd # master
+      uses: ammaraskar/msvc-problem-matcher@1ebcb382869bfdc2cc645e8a2a43b6d319ea1cc0 # master
       if: matrix.os == 'windows-2022'
     - name: Add Problem Matchers
       uses: ammaraskar/gcc-problem-matcher@0f9c86f9e693db67dacf53986e1674de5f2e5f28 # master

From ffedc4bd06ac910bc630cc862f914b0e0e3d675d Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 14 Feb 2024 02:33:45 +0000
Subject: [PATCH 19/31] Bump dorny/test-reporter from 1.7.0 to 1.8.0

Bumps [dorny/test-reporter](https://github.com/dorny/test-reporter) from 1.7.0 to 1.8.0.
- [Release notes](https://github.com/dorny/test-reporter/releases)
- [Changelog](https://github.com/dorny/test-reporter/blob/main/CHANGELOG.md)
- [Commits](https://github.com/dorny/test-reporter/compare/v1.7.0...v1.8.0)

---
updated-dependencies:
- dependency-name: dorny/test-reporter
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/cmake-multi-platform.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/cmake-multi-platform.yml b/.github/workflows/cmake-multi-platform.yml
index addb806a..5703006e 100644
--- a/.github/workflows/cmake-multi-platform.yml
+++ b/.github/workflows/cmake-multi-platform.yml
@@ -165,7 +165,7 @@ jobs:
            
     # report test results
     - name: Report Test Results
-      uses: dorny/test-reporter@v1.7.0
+      uses: dorny/test-reporter@v1.8.0
       if: steps.cmake-test.outcome == 'success' || steps.cmake-test.outcome == 'failure'
       with:
         name: ${{ matrix.os }}_test-results

From fbb432497a734c54fd4f1f691df71a5a37577d91 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 14 Feb 2024 06:17:59 +0000
Subject: [PATCH 20/31] Bump aws-actions/configure-aws-credentials from 4.0.1
 to 4.0.2

Bumps [aws-actions/configure-aws-credentials](https://github.com/aws-actions/configure-aws-credentials) from 4.0.1 to 4.0.2.
- [Release notes](https://github.com/aws-actions/configure-aws-credentials/releases)
- [Changelog](https://github.com/aws-actions/configure-aws-credentials/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws-actions/configure-aws-credentials/compare/v4.0.1...v4.0.2)

---
updated-dependencies:
- dependency-name: aws-actions/configure-aws-credentials
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/deploy-eks.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/deploy-eks.yml b/.github/workflows/deploy-eks.yml
index 3bd94c1a..254b80d2 100644
--- a/.github/workflows/deploy-eks.yml
+++ b/.github/workflows/deploy-eks.yml
@@ -45,7 +45,7 @@ jobs:
         # aws --version
 
     - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@v4.0.1
+      uses: aws-actions/configure-aws-credentials@v4.0.2
       with:
         aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
         aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}

From b7917963dbeaa17e114fe16e915ef6b0c3eb4149 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 14 Feb 2024 18:21:36 +0000
Subject: [PATCH 21/31] Bump sigstore/cosign-installer from 3.3.0 to 3.4.0

Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 3.3.0 to 3.4.0.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](https://github.com/sigstore/cosign-installer/compare/9614fae9e5c5eddabb09f90a270fcb487c9f7149...e1523de7571e31dbe865fd2e80c5c7c23ae71eb4)

---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/docker-publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 313612b4..e8f92627 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -47,7 +47,7 @@ jobs:
         # https://github.com/sigstore/cosign-installer
       - name: cosign-installer
         if: github.event_name != 'pull_request'
-        uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0
+        uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0
 
       # Workaround: https://github.com/docker/build-push-action/issues/461
       - name: Setup Docker buildx

From dc7ffbdce878561bfba739e26137373db0b47f0f Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 14 Feb 2024 18:38:32 +0000
Subject: [PATCH 22/31] Bump docker/metadata-action from 5.5.0 to 5.5.1

Bumps [docker/metadata-action](https://github.com/docker/metadata-action) from 5.5.0 to 5.5.1.
- [Release notes](https://github.com/docker/metadata-action/releases)
- [Commits](https://github.com/docker/metadata-action/compare/dbef88086f6cef02e264edb7dbf63250c17cef6c...8e5442c4ef9f78752691e2d8f8d19755c6f78e81)

---
updated-dependencies:
- dependency-name: docker/metadata-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/docker-publish.yml    | 2 +-
 .github/workflows/docker-scout-scan.yml | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index e8f92627..046d7e9d 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -67,7 +67,7 @@ jobs:
       # https://github.com/docker/metadata-action
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@dbef88086f6cef02e264edb7dbf63250c17cef6c
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
diff --git a/.github/workflows/docker-scout-scan.yml b/.github/workflows/docker-scout-scan.yml
index c9608cc5..83733674 100644
--- a/.github/workflows/docker-scout-scan.yml
+++ b/.github/workflows/docker-scout-scan.yml
@@ -83,7 +83,7 @@ jobs:
       # https://github.com/docker/metadata-action
       - name: Extract Docker metadata
         id: meta
-        uses: docker/metadata-action@dbef88086f6cef02e264edb7dbf63250c17cef6c
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
         with:
           images: ${{ env.IMAGE_NAME }}
           tags: |

From acfeee43dedd1b6fd1cf0ade00403dcadfb5d3d5 Mon Sep 17 00:00:00 2001
From: Nathan Miller <nmiller217@gmail.com>
Date: Wed, 14 Feb 2024 10:51:41 -0800
Subject: [PATCH 23/31] add concurrency group to deploy-eks workflow so that
 only one in-progress run is allowed at a time

---
 .github/workflows/deploy-eks.yml | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/deploy-eks.yml b/.github/workflows/deploy-eks.yml
index 3bd94c1a..5ce60f42 100644
--- a/.github/workflows/deploy-eks.yml
+++ b/.github/workflows/deploy-eks.yml
@@ -8,8 +8,14 @@ on:
   repository_dispatch:
     types: [ "trigger_deploy_release_event" ]
 
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref_name }}
+  cancel-in-progress: false
+
 env:
-  AWS_REGION: us-west-2                   # set this to your preferred AWS region, e.g. us-west-1
+  AWS_REGION: us-west-2
 
 permissions:
   contents: read

From 3f9034a91bdd956d22baf4c55cdae7afe3cbb023 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 14 Feb 2024 19:01:32 +0000
Subject: [PATCH 24/31] Bump actions/checkout from 3 to 4

Bumps [actions/checkout](https://github.com/actions/checkout) from 3 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Commits](https://github.com/actions/checkout/compare/v3...v4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/deploy-eks.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/deploy-eks.yml b/.github/workflows/deploy-eks.yml
index 254b80d2..550b8342 100644
--- a/.github/workflows/deploy-eks.yml
+++ b/.github/workflows/deploy-eks.yml
@@ -34,7 +34,7 @@ jobs:
         fi
 
     - name: Checkout
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4
     
     - name: Install AWS CLI
       run: |

From 5ddc5932a6118219243963a8897ff4e5af192685 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Wed, 14 Feb 2024 19:17:48 +0000
Subject: [PATCH 25/31] Bump docker/scout-action from 1.3.0 to 1.4.1

Bumps [docker/scout-action](https://github.com/docker/scout-action) from 1.3.0 to 1.4.1.
- [Release notes](https://github.com/docker/scout-action/releases)
- [Commits](https://github.com/docker/scout-action/compare/42a6acc319ac229f86e12bfca3b83de09fb058be...4a5494eb7c2b3d712b805ee65ad57a0371d50874)

---
updated-dependencies:
- dependency-name: docker/scout-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/docker-scout-scan.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/docker-scout-scan.yml b/.github/workflows/docker-scout-scan.yml
index 83733674..45fab314 100644
--- a/.github/workflows/docker-scout-scan.yml
+++ b/.github/workflows/docker-scout-scan.yml
@@ -128,7 +128,7 @@ jobs:
       - name: Analyze for critical and high CVEs
         id: docker-scout-cves       
         # if: ${{ github.event_name != 'pull_request_target' }} 
-        uses: docker/scout-action@42a6acc319ac229f86e12bfca3b83de09fb058be # v1.3.0
+        uses: docker/scout-action@4a5494eb7c2b3d712b805ee65ad57a0371d50874 # v1.4.1
         with:
           command: cves,recommendations
           image: ${{ steps.meta.outputs.tags }}
@@ -145,7 +145,7 @@ jobs:
       - name: Docker Scout Compare to Latest
         id: docker-scout
         if: ${{ github.event_name == 'pull_request' }}
-        uses: docker/scout-action@42a6acc319ac229f86e12bfca3b83de09fb058be # v1.3.0
+        uses: docker/scout-action@4a5494eb7c2b3d712b805ee65ad57a0371d50874 # v1.4.1
         with:
           command: compare
           image: ${{ steps.meta.outputs.tags }}

From 29be2331ac365df6f3da9995c4c2d6ab07b0a0eb Mon Sep 17 00:00:00 2001
From: StepSecurity Bot <bot@stepsecurity.io>
Date: Wed, 14 Feb 2024 20:27:17 +0000
Subject: [PATCH 26/31] [StepSecurity] ci: Harden GitHub Actions

Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
---
 .github/workflows/cmake-multi-platform.yml |  7 ++++++-
 .github/workflows/codeql.yml               |  5 +++++
 .github/workflows/create-release.yml       |  7 ++++++-
 .github/workflows/dependency-review.yml    |  7 ++++++-
 .github/workflows/deploy-eks.yml           |  9 +++++++--
 .github/workflows/docker-publish.yml       |  7 ++++++-
 .github/workflows/docker-scout-scan.yml    |  5 +++++
 .github/workflows/jekyll-gh-pages.yml      | 20 +++++++++++++++-----
 .github/workflows/sbom-generate-submit.yml |  9 +++++++--
 .github/workflows/scorecard.yml            |  5 +++++
 10 files changed, 68 insertions(+), 13 deletions(-)

diff --git a/.github/workflows/cmake-multi-platform.yml b/.github/workflows/cmake-multi-platform.yml
index 5703006e..287ba34b 100644
--- a/.github/workflows/cmake-multi-platform.yml
+++ b/.github/workflows/cmake-multi-platform.yml
@@ -51,6 +51,11 @@ jobs:
 
     steps:   
     
+    - name: Harden Runner
+      uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+      with:
+        egress-policy: audit
+
     - name: Checkout Repository
       uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     
@@ -165,7 +170,7 @@ jobs:
            
     # report test results
     - name: Report Test Results
-      uses: dorny/test-reporter@v1.8.0
+      uses: dorny/test-reporter@eaa763f6ffc21c7a37837f56cd5f9737f27fc6c8 # v1.8.0
       if: steps.cmake-test.outcome == 'success' || steps.cmake-test.outcome == 'failure'
       with:
         name: ${{ matrix.os }}_test-results
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
index e168c41b..61185f57 100644
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -42,6 +42,11 @@ jobs:
         # Learn more about CodeQL language support at https://aka.ms/codeql-docs/language-support
 
     steps:
+    - name: Harden Runner
+      uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+      with:
+        egress-policy: audit
+
     - name: Checkout repository
       uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
diff --git a/.github/workflows/create-release.yml b/.github/workflows/create-release.yml
index 5e051ad6..37ba240a 100644
--- a/.github/workflows/create-release.yml
+++ b/.github/workflows/create-release.yml
@@ -29,6 +29,11 @@ jobs:
     
     steps:
 
+          - name: Harden Runner
+            uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+            with:
+              egress-policy: audit
+
           - name: Check Dispatch ID
             run: |
               if [[ "${{ github.event.client_payload.dispatch_id }}" == "${{ secrets.DISPATCH_ID }}" ]]; then
@@ -42,7 +47,7 @@ jobs:
             uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        
           - name: Download Artifacts
-            uses: dawidd6/action-download-artifact@v3.0.0
+            uses: dawidd6/action-download-artifact@e7466d1a7587ed14867642c2ca74b5bcc1e19a2d # v3.0.0
             with:
               workflow: cmake-multi-platform.yml
               workflow_conclusion: success
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 3c58ad21..64391d01 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -23,11 +23,16 @@ jobs:
       pull-requests: write
     
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: 'Checkout Repository'
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: Component detection 
-        uses: advanced-security/component-detection-dependency-submission-action@v0.0.2       
+        uses: advanced-security/component-detection-dependency-submission-action@5a8ce4ad8c6fbb9b88f66f672014e44b427d7d54 # v0.0.2       
 
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@4901385134134e04cec5fbe5ddfe3b2c5bd5d976 # v4.0.0
diff --git a/.github/workflows/deploy-eks.yml b/.github/workflows/deploy-eks.yml
index 932da2ba..86ffba11 100644
--- a/.github/workflows/deploy-eks.yml
+++ b/.github/workflows/deploy-eks.yml
@@ -30,6 +30,11 @@ jobs:
 
     steps:
 
+    - name: Harden Runner
+      uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+      with:
+        egress-policy: audit
+
     - name: Check Dispatch ID
       run: |
         if [[ "${{ github.event.client_payload.dispatch_id }}" == "${{ secrets.DISPATCH_ID }}" ]]; then
@@ -40,7 +45,7 @@ jobs:
         fi
 
     - name: Checkout
-      uses: actions/checkout@v4
+      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
     
     - name: Install AWS CLI
       run: |
@@ -51,7 +56,7 @@ jobs:
         # aws --version
 
     - name: Configure AWS credentials
-      uses: aws-actions/configure-aws-credentials@v4.0.2
+      uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
       with:
         aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
         aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 046d7e9d..4067538d 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -36,6 +36,11 @@ jobs:
       id-token: write
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
@@ -106,7 +111,7 @@ jobs:
 
       - name: Trigger Deploy and Release Workflows
         if: github.ref_name == 'release' && github.event_name == 'push' 
-        uses: peter-evans/repository-dispatch@v3.0.0
+        uses: peter-evans/repository-dispatch@ff45666b9427631e3450c54a1bcbee4d9ff4d7c0 # v3.0.0
         with:
           repository: ${{ github.repository }}
           event-type: trigger_deploy_release_event
diff --git a/.github/workflows/docker-scout-scan.yml b/.github/workflows/docker-scout-scan.yml
index 45fab314..a4c0c122 100644
--- a/.github/workflows/docker-scout-scan.yml
+++ b/.github/workflows/docker-scout-scan.yml
@@ -42,6 +42,11 @@ jobs:
     if: github.event_name != 'pull_request' || github.base_ref != 'development' || github.head_ref == 'nam20485'
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Checkout repository
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
diff --git a/.github/workflows/jekyll-gh-pages.yml b/.github/workflows/jekyll-gh-pages.yml
index dfcc4878..e9c34da5 100644
--- a/.github/workflows/jekyll-gh-pages.yml
+++ b/.github/workflows/jekyll-gh-pages.yml
@@ -26,20 +26,25 @@ jobs:
   build:
     runs-on: ubuntu-22.04
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         
       - name: Setup Pages
-        uses: actions/configure-pages@v4
+        uses: actions/configure-pages@1f0c5cde4bc74cd7e1254d0cb4de8d49e9068c7d # v4.0.0
         
       - name: Build with Jekyll
-        uses: actions/jekyll-build-pages@v1
+        uses: actions/jekyll-build-pages@3ef60073fe85b3ccba7e900c2ebf9d7542dc7a8f # v1.0.11
         with:
           source: ./docs
           destination: ./_site
           
       - name: Upload artifact
-        uses: actions/upload-pages-artifact@v3
+        uses: actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa # v3.0.1
 
   # Deployment job
   deploy:
@@ -49,6 +54,11 @@ jobs:
     runs-on: ubuntu-latest
     needs: build
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Deploy to GitHub Pages
         id: deployment
-        uses: actions/deploy-pages@v4
+        uses: actions/deploy-pages@decdde0ac072f6dcbe43649d82d9c635fff5b4e4 # v4.0.4
diff --git a/.github/workflows/sbom-generate-submit.yml b/.github/workflows/sbom-generate-submit.yml
index 1d841f48..54d416e0 100644
--- a/.github/workflows/sbom-generate-submit.yml
+++ b/.github/workflows/sbom-generate-submit.yml
@@ -17,17 +17,22 @@ jobs:
         contents: write
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: Checkout Code
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 
       - name: SBOM Generate
-        uses: advanced-security/sbom-generator-action@v0.0.1
+        uses: advanced-security/sbom-generator-action@375dee8e6144d9fd0ec1f5667b4f6fb4faacefed # v0.0.1
         id: sbom-generate
         env: 
           GITHUB_TOKEN: ${{ github.token }}
 
       - name: SBOM Upload 
-        uses: advanced-security/spdx-dependency-submission-action@v0.0.1
+        uses: advanced-security/spdx-dependency-submission-action@dc069b56ba31ce546dc419b549aceb808c632d9a # v0.0.1
         with:
             filePath: ${{ steps.sbom-generate.outputs.fileName }}
      
\ No newline at end of file
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 13ae49d5..f2ced069 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -34,6 +34,11 @@ jobs:
       # actions: read
 
     steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
+        with:
+          egress-policy: audit
+
       - name: "Checkout code"
         uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
         with:

From e50bee67e3ddf3d5ac2e3abc4785eb970f7e70fc Mon Sep 17 00:00:00 2001
From: Nathan Miller <nmiller217@gmail.com>
Date: Wed, 14 Feb 2024 12:40:29 -0800
Subject: [PATCH 27/31] add id-token: write permission to dependency-review
 workflow for component-detection step

---
 .github/workflows/dependency-review.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 3c58ad21..2a6ce5c3 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -18,7 +18,8 @@ jobs:
 
   dependency-review:
     runs-on: ubuntu-22.04
-    permissions: 
+    permissions:
+      id-token: write 
       contents: write
       pull-requests: write
     

From ce6925bcac738a9e190e44738daae5f673dcdece Mon Sep 17 00:00:00 2001
From: Nathan Miller <nmiller217@gmail.com>
Date: Wed, 14 Feb 2024 17:02:47 -0800
Subject: [PATCH 28/31] provide require hashes argument to pip install

---
 Dockerfile_PyOdbDesignServer | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile_PyOdbDesignServer b/Dockerfile_PyOdbDesignServer
index 55c6dff8..8a91bf18 100644
--- a/Dockerfile_PyOdbDesignServer
+++ b/Dockerfile_PyOdbDesignServer
@@ -60,7 +60,7 @@ RUN apt-get update && \
         python3-pip
 
 WORKDIR /PyOdbDesignServer
-RUN python3 -m pip install -r requirements.txt --break-system-packages
+RUN python3 -m pip install -r requirements.txt --break-system-packages --require-hashes
 
 # run
 WORKDIR /PyOdbDesignServer

From 8a94814b3652091328cf21fc38bb0a244835db63 Mon Sep 17 00:00:00 2001
From: Nathan Miller <nmiller217@gmail.com>
Date: Wed, 14 Feb 2024 17:08:22 -0800
Subject: [PATCH 29/31] add upload SBOM workflow status badge to README

---
 docs/README.md | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/docs/README.md b/docs/README.md
index edaf2d72..b3dd382e 100644
--- a/docs/README.md
+++ b/docs/README.md
@@ -68,6 +68,7 @@ The diagram describes the current state of parser implementation and data availa
 | Security Code Scan          | [![CodeQL Security Scan](https://github.com/nam20485/OdbDesign/actions/workflows/codeql.yml/badge.svg?branch=development)](https://github.com/nam20485/OdbDesign/actions/workflows/codeql.yml) |
 | Docker Security Scan        | [![Docker Scout Scan](https://github.com/nam20485/OdbDesign/actions/workflows/docker-scout-scan.yml/badge.svg?branch=development)](https://github.com/nam20485/OdbDesign/actions/workflows/docker-scout-scan.yml) |
 | Dependency Review Scan      | [![Dependency Review](https://github.com/nam20485/OdbDesign/actions/workflows/dependency-review.yml/badge.svg?branch=development)](https://github.com/nam20485/OdbDesign/actions/workflows/dependency-review.yml) |
+| Upload SBOM                 | [![SBOM Generate and Submit](https://github.com/nam20485/OdbDesign/actions/workflows/sbom-generate-submit.yml/badge.svg?branch=development)](https://github.com/nam20485/OdbDesign/actions/workflows/sbom-generate-submit.yml) |
 
 #### `main`
 
@@ -78,6 +79,7 @@ The diagram describes the current state of parser implementation and data availa
 | Security Code Scan          | [![CodeQL Security Scan](https://github.com/nam20485/OdbDesign/actions/workflows/codeql.yml/badge.svg?branch=development)](https://github.com/nam20485/OdbDesign/actions/workflows/codeql.yml) |
 | Docker Security Scan        | [![Docker Scout Scan](https://github.com/nam20485/OdbDesign/actions/workflows/docker-scout-scan.yml/badge.svg?branch=main)](https://github.com/nam20485/OdbDesign/actions/workflows/docker-scout-scan.yml) |
 | Dependency Review Scan      | [![Dependency Review](https://github.com/nam20485/OdbDesign/actions/workflows/dependency-review.yml/badge.svg?branch=main)](https://github.com/nam20485/OdbDesign/actions/workflows/dependency-review.yml) |
+| Upload SBOM                 | [![SBOM Generate and Submit](https://github.com/nam20485/OdbDesign/actions/workflows/sbom-generate-submit.yml/badge.svg?branch=main)](https://github.com/nam20485/OdbDesign/actions/workflows/sbom-generate-submit.yml) |
 
 #### `release`
 
@@ -88,6 +90,7 @@ The diagram describes the current state of parser implementation and data availa
 | Security Code Scan          | [![CodeQL Security Scan](https://github.com/nam20485/OdbDesign/actions/workflows/codeql.yml/badge.svg?branch=development)](https://github.com/nam20485/OdbDesign/actions/workflows/codeql.yml) |
 | Docker Security Scan        | [![Docker Scout Scan](https://github.com/nam20485/OdbDesign/actions/workflows/docker-scout-scan.yml/badge.svg?branch=release)](https://github.com/nam20485/OdbDesign/actions/workflows/docker-scout-scan.yml) |
 | Dependency Review Scan      | [![Dependency Review](https://github.com/nam20485/OdbDesign/actions/workflows/dependency-review.yml/badge.svg?branch=release)](https://github.com/nam20485/OdbDesign/actions/workflows/dependency-review.yml) |
+| Upload SBOM                 | [![SBOM Generate and Submit](https://github.com/nam20485/OdbDesign/actions/workflows/sbom-generate-submit.yml/badge.svg?branch=release)](https://github.com/nam20485/OdbDesign/actions/workflows/sbom-generate-submit.yml) |
 
 ### Architecture
 

From 57f229488b10477d987f8deebb455c01b6a2c310 Mon Sep 17 00:00:00 2001
From: Nathan Miller <nmiller217@gmail.com>
Date: Wed, 14 Feb 2024 17:32:53 -0800
Subject: [PATCH 30/31] change dependabot update scan to weekly

---
 .github/dependabot.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index fe0c15a2..9215c651 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -3,14 +3,14 @@ updates:
   - package-ecosystem: github-actions
     directory: /
     schedule:
-      interval: daily
+      interval: weekly
 
   - package-ecosystem: pip
     directory: /PyOdbDesignServer
     schedule:
-      interval: daily
+      interval: weekly
 
   - package-ecosystem: docker
     directory: /
     schedule:
-      interval: daily
+      interval: weekly

From 82cf7f03556f8f7a4850bf2462968de75de5ad8e Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Thu, 15 Feb 2024 01:57:49 +0000
Subject: [PATCH 31/31] Bump actions/dependency-review-action from 4.0.0 to
 4.1.0

Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 4.0.0 to 4.1.0.
- [Release notes](https://github.com/actions/dependency-review-action/releases)
- [Commits](https://github.com/actions/dependency-review-action/compare/4901385134134e04cec5fbe5ddfe3b2c5bd5d976...80f10bf419f34980065523f5efca7ebed17576aa)

---
updated-dependencies:
- dependency-name: actions/dependency-review-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 .github/workflows/dependency-review.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 86f10a1e..5aa06663 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -36,6 +36,6 @@ jobs:
         uses: advanced-security/component-detection-dependency-submission-action@5a8ce4ad8c6fbb9b88f66f672014e44b427d7d54 # v0.0.2       
 
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@4901385134134e04cec5fbe5ddfe3b2c5bd5d976 # v4.0.0
+        uses: actions/dependency-review-action@80f10bf419f34980065523f5efca7ebed17576aa # v4.1.0
         with:
           comment-summary-in-pr: true