Merge branch 'main' into gpu_slicing

.github/workflows/issue-metrics.yml

@@ -32,7 +32,7 @@ jobs:
 
       - name: Run GitHub Issue Metrics action
         id: run_github_issue_metrics
-        uses: github/issue-metrics@fbe4e7c4aa13284d6960ba64db0cff8ef51bee0a # v3.6.0
+        uses: github/issue-metrics@0926cffe61d20f924b1d9e3f04224da393f35a95 # v3.7.0
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           SEARCH_QUERY: 'repo:ministryofjustice/data-platform is:issue created:${{ env.last_month }} -reason:"not planned"'

.github/workflows/repository-dependabot-configuration-generator.yml

@@ -38,7 +38,7 @@ jobs:
 
       - name: Commit Changes
         id: commit_changes
-        uses: planetscale/ghcommit-action@b662a9d7235a07e80d976152ed5afe41651c4973 # v0.1.39
+        uses: planetscale/ghcommit-action@c8ba2501e51d7257efb393109e6e10bc36a3f769 # v0.1.40
         with:
           commit_message: "🤖 Update .github/dependabot.yml"
           file_pattern: ".github/dependabot.yml"

.github/workflows/reusable-workflow-charts.yml

@@ -142,7 +142,7 @@ jobs:
 
       - name: Login to GitHub Container Registry
         id: login_ghcr
-        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
+        uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
         with:
           registry: ghcr.io
           username: ${{ github.actor }}

terraform/auth0/ministryofjustice-data-platform-development/terraform.tf

@@ -10,7 +10,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "5.50.0"
+      version = "5.51.1"
     }
     auth0 = {
       source  = "auth0/auth0"

terraform/auth0/ministryofjustice-data-platform/terraform.tf

@@ -10,7 +10,7 @@ terraform {
   required_providers {
     aws = {
       source  = "hashicorp/aws"
-      version = "5.50.0"
+      version = "5.51.1"
     }
     auth0 = {
       source  = "auth0/auth0"

terraform/aws/analytical-platform-data-production/tooling-iam/datahub-iam.tf

@@ -86,6 +86,40 @@ resource "aws_iam_policy" "datahub_read_cadet_bucket" {
   policy = data.aws_iam_policy_document.datahub_read_cadet_bucket.json
 }
 
+# Allow Github actions to assume a role via OIDC.
+# So that scheduled jobs in the data-catalogue repo can access the CaDeT bucket.
+data "aws_iam_policy_document" "datahub_ingestion_github_actions" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+
+    principals {
+      type        = "Federated"
+      identifiers = ["arn:aws:iam::${var.account_ids["analytical-platform-data-production"]}:oidc-provider/token.actions.githubusercontent.com"]
+    }
+    condition {
+      test     = "StringEquals"
+      values   = ["sts.amazonaws.com"]
+      variable = "token.actions.githubusercontent.com:aud"
+    }
+    condition {
+      test     = "StringLike"
+      values   = ["repo:ministryofjustice/data-catalogue:*"]
+      variable = "token.actions.githubusercontent.com:sub"
+    }
+  }
+}
+
+resource "aws_iam_role" "datahub_ingestion_github_actions" {
+  name               = "datahub-ingestion-github-actions"
+  assume_role_policy = data.aws_iam_policy_document.datahub_ingestion_github_actions.json
+}
+
+resource "aws_iam_role_policy_attachment" "datahub_ingestion_github_actions" {
+  policy_arn = aws_iam_policy.datahub_read_cadet_bucket.arn
+  role       = aws_iam_role.datahub_ingestion_github_actions.name
+}
+
 #trivy:ignore:avd-aws-0057:sensitive action 'glue:GetDatabases' on wildcarded resource
 data "aws_iam_policy_document" "datahub_ingest_glue_datasets" {
   statement {