awslabs · estohlmann · Sep 29, 2025 · Sep 3, 2025 · Sep 4, 2025 · Sep 4, 2025
diff --git a/.devcontainer/post_create_command.sh b/.devcontainer/post_create_command.sh
@@ -13,8 +13,8 @@ echo "source .venv/bin/activate" >> ~/.zshrc
 echo "alias deploylisa='make clean && npm ci && make deploy HEADLESS=true'" >> ~/.bashrc
 echo "alias deploylisa='make clean && npm ci && make deploy HEADLESS=true'" >> ~/.zshrc
 
-pip install --upgrade pip
-pip3 install yq huggingface_hub s5cmd
+python -m pip install --upgrade pip
+pip3 install yq==3.4.3 huggingface_hub==0.26.3 s5cmd==2.2.2
 make installPythonRequirements
 
 make createTypeScriptEnvironment

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,240 @@
+version: 2
+updates:
+  # Enable version updates for npm
+  - package-ecosystem: "npm"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "monday"
+      time: "09:00"
+    reviewers:
+      - "awslabs/lisa-maintainers"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    open-pull-requests-limit: 5
+    rebase-strategy: "auto"
+
+  # Enable version updates for pip - root directory
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "tuesday"
+      time: "09:00"
+    reviewers:
+      - "awslabs/lisa-maintainers"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    open-pull-requests-limit: 5
+
+  # Enable version updates for pip - lisa-sdk
+  - package-ecosystem: "pip"
+    directory: "/lisa-sdk"
+    schedule:
+      interval: "weekly"
+      day: "tuesday"
+      time: "09:00"
+    reviewers:
+      - "awslabs/lisa-maintainers"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    open-pull-requests-limit: 5
+
+  # Enable version updates for pip - authorizer layer
+  - package-ecosystem: "pip"
+    directory: "/lib/core/layers/authorizer"
+    schedule:
+      interval: "weekly"
+      day: "tuesday"
+      time: "09:00"
+    reviewers:
+      - "awslabs/lisa-maintainers"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    open-pull-requests-limit: 5
+
+  # Enable version updates for pip - common layer
+  - package-ecosystem: "pip"
+    directory: "/lib/core/layers/common"
+    schedule:
+      interval: "weekly"
+      day: "tuesday"
+      time: "09:00"
+    reviewers:
+      - "awslabs/lisa-maintainers"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    open-pull-requests-limit: 5
+
+  # Enable version updates for pip - fastapi layer
+  - package-ecosystem: "pip"
+    directory: "/lib/core/layers/fastapi"
+    schedule:
+      interval: "weekly"
+      day: "tuesday"
+      time: "09:00"
+    reviewers:
+      - "awslabs/lisa-maintainers"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    open-pull-requests-limit: 5
+
+  # Enable version updates for pip - rest-api src
+  - package-ecosystem: "pip"
+    directory: "/lib/serve/rest-api/src"
+    schedule:
+      interval: "weekly"
+      day: "tuesday"
+      time: "09:00"
+    reviewers:
+      - "awslabs/lisa-maintainers"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    open-pull-requests-limit: 5
+
+  # Enable version updates for pip - rag layer
+  - package-ecosystem: "pip"
+    directory: "/lib/rag/layer"
+    schedule:
+      interval: "weekly"
+      day: "tuesday"
+      time: "09:00"
+    reviewers:
+      - "awslabs/lisa-maintainers"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    open-pull-requests-limit: 5
+
+  # Enable security updates for GitHub Actions
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+      day: "wednesday"
+      time: "09:00"
+    reviewers:
+      - "awslabs/lisa-maintainers"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    open-pull-requests-limit: 5
+
+  # Enable updates for Docker - RAG ingestion
+  - package-ecosystem: "docker"
+    directory: "/lib/rag/ingestion/ingestion-image"
+    schedule:
+      interval: "weekly"
+      day: "thursday"
+      time: "09:00"
+    reviewers:
+      - "awslabs/lisa-maintainers"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    open-pull-requests-limit: 3
+
+  # Enable updates for Docker - vector store
+  - package-ecosystem: "docker"
+    directory: "/lib/rag/vector-store/state_machine"
+    schedule:
+      interval: "weekly"
+      day: "thursday"
+      time: "09:00"
+    reviewers:
+      - "awslabs/lisa-maintainers"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    open-pull-requests-limit: 3
+
+  # Enable updates for Docker - REST API
+  - package-ecosystem: "docker"
+    directory: "/lib/serve/rest-api"
+    schedule:
+      interval: "weekly"
+      day: "thursday"
+      time: "09:00"
+    reviewers:
+      - "awslabs/lisa-maintainers"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    open-pull-requests-limit: 3
+
+  # Enable updates for Docker - MCP workbench
+  - package-ecosystem: "docker"
+    directory: "/lib/serve/mcp-workbench"
+    schedule:
+      interval: "weekly"
+      day: "thursday"
+      time: "09:00"
+    reviewers:
+      - "awslabs/lisa-maintainers"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    open-pull-requests-limit: 3
+
+  # Enable updates for Docker - VLLM
+  - package-ecosystem: "docker"
+    directory: "/lib/serve/ecs-model/vllm"
+    schedule:
+      interval: "weekly"
+      day: "thursday"
+      time: "09:00"
+    reviewers:
+      - "awslabs/lisa-maintainers"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    open-pull-requests-limit: 3
+
+  # Enable updates for Docker - TEI
+  - package-ecosystem: "docker"
+    directory: "/lib/serve/ecs-model/embedding/tei"
+    schedule:
+      interval: "weekly"
+      day: "thursday"
+      time: "09:00"
+    reviewers:
+      - "awslabs/lisa-maintainers"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    open-pull-requests-limit: 3
+
+  # Enable updates for Docker - instructor
+  - package-ecosystem: "docker"
+    directory: "/lib/serve/ecs-model/embedding/instructor"
+    schedule:
+      interval: "weekly"
+      day: "thursday"
+      time: "09:00"
+    reviewers:
+      - "awslabs/lisa-maintainers"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    open-pull-requests-limit: 3
+
+  # Enable updates for Docker - TGI
+  - package-ecosystem: "docker"
+    directory: "/lib/serve/ecs-model/textgen/tgi"
+    schedule:
+      interval: "weekly"
+      day: "thursday"
+      time: "09:00"
+    reviewers:
+      - "awslabs/lisa-maintainers"
+    commit-message:
+      prefix: "chore"
+      include: "scope"
+    open-pull-requests-limit: 3
diff --git a/.github/workflows/code.deploy.demo.yml b/.github/workflows/code.deploy.demo.yml
@@ -11,7 +11,7 @@ jobs:
   CheckPendingWorkflow:
     runs-on: ubuntu-latest
     steps:
-      - uses: ahmadnassri/action-workflow-queue@v1
+      - uses: ahmadnassri/action-workflow-queue@542658b3a8270cac81ae15d401b0d974732808ac # v1
         with:
           delay: 300000
           timeout: 7200000
@@ -20,9 +20,9 @@ jobs:
     environment: demo
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@3d21ddcb5087c3d29b7e19fe293e3455fabe32af # v4
         with:
           aws-region: ${{ vars.AWS_REGION }}
           role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT }}:role/${{ vars.ROLE_NAME_TO_ASSUME }}
@@ -33,11 +33,11 @@ jobs:
         run: |
           echo "${{vars.CONFIG_YAML}}" > config-custom.yaml
       - name: Set up Python 3.11
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: "3.11"
       - name: Use Node.js 20.x
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: 20.x
       - name: Install CDK dependencies
@@ -53,7 +53,7 @@ jobs:
     if: always()
     steps:
       - name: Send Notification that Demo Deploy Finished
-        uses: rtCamp/action-slack-notify@v2
+        uses: rtCamp/action-slack-notify@cdf0a2130cbcdfd82ba5fcac8e076370bf381b36 # v2
         env:
           SLACK_WEBHOOK: ${{ secrets.INTERNAL_DEV_SLACK_WEBHOOK_URL }}
           SLACK_COLOR: ${{ contains(join(needs.*.result, ' '), 'failure') && 'failure' || 'success' }}

diff --git a/.github/workflows/code.deploy.dev.yml b/.github/workflows/code.deploy.dev.yml
@@ -11,7 +11,7 @@ jobs:
   CheckPendingWorkflow:
     runs-on: ubuntu-latest
     steps:
-      - uses: ahmadnassri/action-workflow-queue@v1
+      - uses: ahmadnassri/action-workflow-queue@542658b3a8270cac81ae15d401b0d974732808ac # v1
         with:
           delay: 300000
           timeout: 7200000
@@ -20,9 +20,9 @@ jobs:
     environment: dev
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@3d21ddcb5087c3d29b7e19fe293e3455fabe32af # v4
         with:
           aws-region: ${{ vars.AWS_REGION }}
           role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT }}:role/${{ vars.ROLE_NAME_TO_ASSUME }}
@@ -33,11 +33,11 @@ jobs:
         run: |
           echo "${{vars.CONFIG_YAML}}" > config-custom.yaml
       - name: Set up Python 3.11
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
         with:
           python-version: "3.11"
       - name: Use Node.js 20.x
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
         with:
           node-version: 20.x
       - name: Install CDK dependencies
@@ -53,7 +53,7 @@ jobs:
     if: always()
     steps:
       - name: Send Notification that Dev Deploy Finished
-        uses: rtCamp/action-slack-notify@v2
+        uses: rtCamp/action-slack-notify@cdf0a2130cbcdfd82ba5fcac8e076370bf381b36 # v2
         env:
           SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
           SLACK_COLOR: ${{ contains(join(needs.*.result, ' '), 'failure') && 'failure' || 'success' }}

diff --git a/.github/workflows/code.draft-release-and-tag.yml b/.github/workflows/code.draft-release-and-tag.yml
@@ -5,24 +5,28 @@ on:
     types: [closed]
 
 permissions:
-  id-token: write
-  contents: write
+  contents: read  # Default read-only
 
 jobs:
   draft_release:
     runs-on: ubuntu-latest
+    permissions:
+      contents: write  # Required for creating releases
+      id-token: write  # Required for AWS authentication
     if: (startsWith(github.event.pull_request.head.ref, 'release/' ) || startsWith(github.event.pull_request.head.ref, 'hotfix/')) && github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main'
     steps:
       - name: Checkout Source Tag
-        uses: actions/checkout@v4
+        uses: actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955 # v4
         with:
           ref: main
       - name: Get Version
         id: get-version
         run: |
-          version=$(echo ${{github.event.pull_request.head.ref}} | cut -d/ -f2)
+          version=$(echo "$GITHUB_HEAD_REF" | cut -d/ -f2)
           echo "version=$version" >> $GITHUB_OUTPUT
           echo "VERSION = $version"
+        env:
+          GITHUB_HEAD_REF: ${{ github.event.pull_request.head.ref }}
       - name: Create Release
         run: |
           gh release create ${{ steps.get-version.outputs.version }} --generate-notes -d -t "${{ steps.get-version.outputs.version }}" --target main
@@ -33,15 +37,19 @@ jobs:
     needs: [draft_release]
     runs-on: ubuntu-latest
     if: always()
+    permissions:
+      contents: read
     steps:
       - name: Get Version
         id: get-version
         run: |
-          version=$(echo ${{github.event.pull_request.head.ref}} | cut -d/ -f2)
+          version=$(echo "$GITHUB_HEAD_REF" | cut -d/ -f2)
           echo "version=$version" >> $GITHUB_OUTPUT
           echo "VERSION = $version"
+        env:
+          GITHUB_HEAD_REF: ${{ github.event.pull_request.head.ref }}
       - name: Send Notification that Draft Release is Ready
-        uses: rtCamp/action-slack-notify@v2
+        uses: rtCamp/action-slack-notify@cdf0a2130cbcdfd82ba5fcac8e076370bf381b36 # v2
         if: (startsWith(github.event.pull_request.head.ref, 'release/' ) || startsWith(github.event.pull_request.head.ref, 'hotfix/')) && github.event.pull_request.merged == true && github.event.pull_request.base.ref == 'main'
         with:
           status: success()