chore: try fix mise/node sec issue

.github/actions/terragrunt/README.md

@@ -5,7 +5,7 @@ This GitHub Action sets up **Terraform** and **Terragrunt** and runs a specified
 ## Features
 
 - Installs pinned versions of Terraform and Terragrunt
-- Installs Terragrunt through `gruntwork-io/terragrunt-action@v3`
+- Installs Terragrunt through `jdx/mise-action@v3`
 - Uses AWS credentials already configured earlier in the same job when needed
 - Optionally passes Terragrunt variables via JSON tfvars
 - Supports `plan` mode for producing local saved plan files

.github/actions/terragrunt/action.yml

@@ -40,10 +40,15 @@ runs:
         terraform_wrapper: false
 
     - name: Install Terragrunt
-      uses: gruntwork-io/terragrunt-action@v3
+      uses: jdx/mise-action@v3
       with:
-        tg_version: ${{ inputs.tg_version }}
-        tf_path: terraform
+        tool_versions: |
+          terragrunt ${{ inputs.tg_version }}
+        github_token: ${{ github.token }}
+
+    - name: Verify Terragrunt installation
+      shell: bash
+      run: terragrunt --version
 
     - name: Normalize and write override_tg_vars
       if: inputs.tg_action == 'apply' || inputs.tg_action == 'plan' || inputs.tg_action == 'destroy'

.github/docs/README.md

@@ -51,7 +51,7 @@ If you are unsure, the live `aws/oidc` stack in the target environment is the so
 - `release.yml`
   Creates release tags, prepares shared CI artifacts, builds release outputs, and publishes the GitHub release. Version bumps come from a repo-local action that scans commit subjects since the latest semver tag and matches configurable major/minor/patch prefixes.
 - `pull_request.yml`
-  Provides fast validation for workflow syntax, Terraform formatting/linting, changed runtime builds, and a direct execution check of the repo-local `get-next-version` Docker action. The version preview job classifies the PR title, so it reflects the version that would be implied if that PR title lands on `main`. Its `check` job runs the repo-local `get-changes` Docker action directly, using the PR base SHA for a PR-style `base...HEAD` diff. When `.github/actions/**` changed, the workflow reuses `shared_directories_get.yml` to discover action directories with `Dockerfile`s and runs a Docker unit-test matrix for them after the GitHub formatting job. The Lambda naming check only runs when Lambda sources changed, and the ECS task/service pair check runs when container sources or Terragrunt live-stack directories changed; each is an explicit prerequisite for the corresponding build job. Terragrunt installation in that workflow now uses `gruntwork-io/terragrunt-action@v3`.
+  Provides fast validation for workflow syntax, Terraform formatting/linting, changed runtime builds, and a direct execution check of the repo-local `get-next-version` Docker action. The version preview job classifies the PR title, so it reflects the version that would be implied if that PR title lands on `main`. Its `check` job normally runs the repo-local `get-changes` Docker action directly, using the PR base SHA for a PR-style `base...HEAD` diff, but manual `workflow_dispatch` runs now force every change flag on and rerun the full validation surface without a PR diff. When `.github/actions/**` changed, the workflow reuses `shared_directories_get.yml` to discover action directories with `Dockerfile`s and runs a Docker unit-test matrix for them after the GitHub formatting job. The Lambda naming check only runs when Lambda sources changed, and the ECS task/service pair check runs when container sources or Terragrunt live-stack directories changed; each is an explicit prerequisite for the corresponding build job. Terragrunt installation in that workflow now uses `jdx/mise-action@v3`.
 
 The local version action can also be tested outside GitHub Actions, either by running the Python entrypoint directly or through its dedicated Docker image.
 
@@ -145,7 +145,7 @@ Run these checks on every CI, workflow, or deploy-contract change.
 - `./.github/actions/terragrunt` always uploads per-stack plan artifacts on `plan` and always downloads them on `apply_plan`, using the caller-provided `PLAN_ARTIFACT_S3_PREFIX` environment variable, so graph executors like `shared_infra.yml` do not need separate `./.github/actions/just` steps for those transfers
 - both repo-local composite actions, `./.github/actions/just` and `./.github/actions/terragrunt`, now assume AWS credentials are already configured in the current job when they need AWS access. The repo pattern is to run `aws-actions/configure-aws-credentials` at the top of each AWS-using job and then call the local actions without extra auth inputs
 - `./.github/actions/just` installs the requested `just` version through `extractions/setup-crate@v2` in the same minimal composite-action shape as `extractions/setup-just`, rather than depending on `extractions/setup-just` itself
-- `./.github/actions/terragrunt` installs the requested Terragrunt version through `gruntwork-io/terragrunt-action@v3`, passing `tf_path: terraform` so the repo keeps using the separately pinned Terraform binary from `hashicorp/setup-terraform`
+- `./.github/actions/terragrunt` installs the requested Terragrunt version through `jdx/mise-action@v3`, while Terraform stays pinned separately through `hashicorp/setup-terraform`
 - saved infra-plan storage is intentionally split into two levels:
   - one run-level metadata file at `<plan_artifact_s3_prefix>/infra-plan-metadata/plan-metadata.json`
   - one per-stack plan bundle under `<plan_artifact_s3_prefix>/terragrunt-plan-<sanitized-tg-directory>/`

.github/workflows/pull_request.yml

@@ -1,4 +1,4 @@
-name: PR
+name: Pull Request
 
 on:
   pull_request:
@@ -11,13 +11,20 @@ on:
         ready_for_review,
         edited,
       ]
+  workflow_dispatch:
+    inputs:
+      pr_title:
+        description: "PR title to validate and use for version preview when running manually"
+        required: false
+        type: string
+        default: "chore: manual workflow dispatch"
 
 jobs:
   check-pr-title:
     name: PR Title
     runs-on: ubuntu-latest
     env:
-      PR_TITLE: ${{ github.event.pull_request.title }}
+      PR_TITLE: ${{ github.event.pull_request.title || inputs.pr_title }}
       ALLOWED_PREFIXES: "breaking: feat: patch: fix: minor: chore: docs:"
     steps:
       - name: Fail if PR title does not start with an allowed prefix
@@ -40,26 +47,40 @@ jobs:
       pull-requests: read
       contents: read
     outputs:
-      actions: ${{ steps.filter.outputs.actions }}
-      terraform: ${{ steps.filter.outputs.terraform }}
-      terragrunt: ${{ steps.filter.outputs.terragrunt }}
-      github: ${{ steps.filter.outputs.github }}
-      frontend: ${{ steps.filter.outputs.frontend }}
-      lambdas: ${{ steps.filter.outputs.lambdas }}
-      containers: ${{ steps.filter.outputs.containers }}
+      actions: ${{ steps.force_all.outputs.actions || steps.filter.outputs.actions }}
+      terraform: ${{ steps.force_all.outputs.terraform || steps.filter.outputs.terraform }}
+      terragrunt: ${{ steps.force_all.outputs.terragrunt || steps.filter.outputs.terragrunt }}
+      github: ${{ steps.force_all.outputs.github || steps.filter.outputs.github }}
+      frontend: ${{ steps.force_all.outputs.frontend || steps.filter.outputs.frontend }}
+      lambdas: ${{ steps.force_all.outputs.lambdas || steps.filter.outputs.lambdas }}
+      containers: ${{ steps.force_all.outputs.containers || steps.filter.outputs.containers }}
     steps:
       - name: Checkout repository
         uses: actions/checkout@v6
         with:
           ref: ${{ github.sha }}
           fetch-depth: 0
 
+      - name: Force all change flags for manual dispatch
+        id: force_all
+        if: ${{ github.event_name == 'workflow_dispatch' }}
+        shell: bash
+        run: |
+          echo "actions=true" >> "$GITHUB_OUTPUT"
+          echo "terraform=true" >> "$GITHUB_OUTPUT"
+          echo "terragrunt=true" >> "$GITHUB_OUTPUT"
+          echo "github=true" >> "$GITHUB_OUTPUT"
+          echo "frontend=true" >> "$GITHUB_OUTPUT"
+          echo "lambdas=true" >> "$GITHUB_OUTPUT"
+          echo "containers=true" >> "$GITHUB_OUTPUT"
+
       - name: Detect changed files
+        if: ${{ github.event_name != 'workflow_dispatch' }}
         id: filter
         uses: ./.github/actions/get-changes
         with:
           ref: ${{ github.sha }}
-          base_ref: ${{ github.event.pull_request.base.sha }}
+          base_ref: ${{ github.event.pull_request.base.sha || github.sha }}
 
       - shell: bash
         run: echo "actions changes - ${{ steps.filter.outputs.actions }}"
@@ -92,7 +113,7 @@ jobs:
         id: get_next_version
         uses: ./.github/actions/get-next-version
         with:
-          subjects: ${{ github.event.pull_request.title }}
+          subjects: ${{ github.event.pull_request.title || inputs.pr_title }}
 
       - name: Show action outputs
         run: |
@@ -152,10 +173,14 @@ jobs:
     steps:
       - uses: actions/checkout@v6
       - uses: hashicorp/setup-terraform@v4
-      - uses: gruntwork-io/terragrunt-action@v3
+      - uses: jdx/mise-action@v3
         with:
-          tg_version: 0.45.10
-          tf_path: terraform
+          tool_versions: |
+            terragrunt 0.45.10
+          github_token: ${{ github.token }}
+
+      - name: Verify Terragrunt installation
+        run: terragrunt --version
 
       - name: Terraform fmt check
         run: terraform fmt -check -recursive