Merge branch 'master' into bernard/condition-schedules

Author: bernardjkim

.github/ISSUE_TEMPLATE/testplan.md

@@ -2206,6 +2206,16 @@ Docs: [IP Pinning](https://goteleport.com/docs/admin-guides/access-controls/guid
     - [ ] Verify that manually deleting a nested Access List used as a member or owner does not break UserLoginState generation or listing Access Lists.
     - [ ] Verify that an Access List can be added as a member or owner of another Access List using `tctl`.
     - [ ] Verify that Access Lists added as members or owners of other Access Lists using `tctl` are validated (no circular references, no nesting > 10 levels).
+  - [ ] For Access Lists of "static" type:
+    - [ ] Verify that static Access List and its members (including nested list members) can be [created/modified/deleted with Terraform](../../docs/pages/identity-governance/access-lists/terraform.mdx) ([teleport_access_list_member ref](../../docs/pages/reference/terraform-provider/resources/access_list_member.mdx))
+    - [ ] Verify non-static Access List members cannot be imported to Terraform (Create an Access List in the web UI and add a member and try to import the member to Terraform)
+    - [ ] In Terraform: check if member's MEMBERSHIP_KIND_USER (1) is changed to MEMBERSHIP_KIND_LIST (2) forces re-creation
+    - [ ] Verify setting audit to past date/zero date doesn't create a review badge on the list in the UI
+    - [ ] Verify changing spec.type is forbidden
+    - [ ] Verify other lists cannot be converted to "static"
+    - [ ] Verify expiration and eligibility of members
+    - [ ] In the web UI: check if modifications/deletion of static lists are blocked
+    - [ ] In the web UI: check if the review is blocked (add `#review` at the end of the Access List URL)
 
 - [ ] Verify Okta Sync Service
   - [ ] Verify Okta Plugin configuration.

.github/workflows/aws-e2e-tests-non-root.yaml

@@ -88,7 +88,7 @@ jobs:
         continue-on-error: true
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
         with:
           aws-region: ${{ env.AWS_REGION }}
           role-to-assume: ${{ env.GHA_ASSUME_ROLE }}

.github/workflows/backport.yaml

@@ -22,7 +22,7 @@ jobs:
     steps:
       - name: Generate GitHub Token
         id: generate_token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@v2
         with:
           app-id: ${{ secrets.BACKPORT_APP_ID }}
           private-key: ${{ secrets.BACKPORT_PRIVATE_KEY }}

.github/workflows/bloat.yaml

@@ -29,15 +29,15 @@ jobs:
 
     steps:
       - name: Checkout base
-        uses: actions/checkout@v3 # Cannot upgrade to v4 while this runs in centos:7 due to nodejs GLIBC incompatibility
+        uses: actions/checkout@v5
         with:
           ref: ${{ github.event.before }}
 
       - name: Prepare workspace
         uses: ./.github/actions/prepare-workspace
 
       - name: Checkout shared-workflow
-        uses: actions/checkout@v3 # Cannot upgrade to v4 while this runs in centos:7 due to nodejs GLIBC incompatibility
+        uses: actions/checkout@v5
         with:
           repository: gravitational/shared-workflows
           path: .github/shared-workflows
@@ -53,10 +53,10 @@ jobs:
 
       - name: Generate GitHub Token
         id: generate_token
-        uses: actions/create-github-app-token@v1.0.5 # Cannot upgrade past v1.1 while this runs in centos:7 due to nodejs GLIBC incompatibility
+        uses: actions/create-github-app-token@v2
         with:
-          app_id: ${{ secrets.REVIEWERS_APP_ID }}
-          private_key: ${{ secrets.REVIEWERS_PRIVATE_KEY }}
+          app-id: ${{ secrets.REVIEWERS_APP_ID }}
+          private-key: ${{ secrets.REVIEWERS_PRIVATE_KEY }}
 
       - if: ${{ steps.cache-build-restore.outputs.cache-hit != 'true' }}
         name: Build base
@@ -83,13 +83,13 @@ jobs:
           echo "base_stats=$(cat ~/teleport_base_build_stats)" >> $GITHUB_ENV
 
       - name: Checkout branch
-        uses: actions/checkout@v3 # Cannot upgrade to v4 while this runs in centos:7 due to nodejs GLIBC incompatibility
+        uses: actions/checkout@v5
         with:
           clean: false
           ref: ${{ github.event.after }}
 
       - name: Checkout shared-workflow
-        uses: actions/checkout@v3 # Cannot upgrade to v4 while this runs in centos:7 due to nodejs GLIBC incompatibility
+        uses: actions/checkout@v5
         with:
           repository: gravitational/shared-workflows
           path: .github/shared-workflows

.github/workflows/build-ci-service-images.yaml

@@ -44,7 +44,7 @@ jobs:
 
       - name: Build etcd image
         id: docker_build
-        uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: ${{ github.workspace }}
           file: .github/services/Dockerfile.etcd

.github/workflows/build-macos.yaml

@@ -48,9 +48,10 @@ jobs:
           echo "rust: ${RUST_VERSION}"
 
       - name: Install Node Toolchain
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: ${{ env.NODE_VERSION }}
+          package-manager-cache: false
 
       - name: Setup pnpm
         run: |

.github/workflows/build-usage-image.yaml

@@ -16,15 +16,15 @@ jobs:
           echo "version=${GITHUB_REF_NAME#v}" >> $GITHUB_OUTPUT
       - uses: actions/checkout@v4
       - uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
-      - uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 # v4.1.0
+      - uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
         with:
           role-to-assume: ${{ secrets.TELEPORT_USAGE_IAM_ROLE_ARN }}
           aws-region: us-east-1
       - uses: aws-actions/amazon-ecr-login@062b18b96a7aff071d4dc91bc00c4c1a7945b076 # v2.0.1
         with:
           registry-type: public
       # Build and publish container image on ECR.
-      - uses: docker/build-push-action@471d1dc4e07e5cdedd4c2171150001c434f0b7a4 # v6.15.0
+      - uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
         with:
           context: "examples/teleport-usage"
           tags: public.ecr.aws/gravitational/teleport-usage:${{ steps.version.outputs.version }}

.github/workflows/check.yaml

@@ -37,7 +37,7 @@ jobs:
     steps:
       - name: Generate GitHub Token
         id: generate_token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@v2
         with:
           app-id: ${{ secrets.REVIEWERS_APP_ID }}
           private-key: ${{ secrets.REVIEWERS_PRIVATE_KEY }}

.github/workflows/cla-assistant.yaml

@@ -26,7 +26,7 @@ jobs:
     steps:
       - name: Fetch installation token
         id: fetch-token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@v2
         with:
           app-id: ${{ secrets.CLA_ASSISTANT_APP_ID }}
           private-key: ${{ secrets.CLA_ASSISTANT_APP_PRIVATE_KEY }}

.github/workflows/doc-tests.yaml

@@ -59,7 +59,7 @@ jobs:
 
       - name: Generate GitHub Token
         id: generate_token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@v2
         with:
           app-id: ${{ secrets.REVIEWERS_APP_ID }}
           private-key: ${{ secrets.REVIEWERS_PRIVATE_KEY }}