chore(deps): Update testing-tools

[github-actions]

This PR contains the following updates:

Package	Change	Age	Confidence	Type	Update	Pending
awscli (source, changelog)	1.45.29 → 1.45.33			testing_tools	patch	1.45.34
helm/helm	v4.2.1 → v4.2.2			testing_tools	patch
helmfile/helmfile	v1.5.3 → v1.5.5			testing_tools	patch
ministackorg/ministack	1.3.63 → 1.3.65			testing_tools	patch	1.3.66
tilt-dev/tilt	0.37.3 → 0.37.4			testing_tools	patch
zarf-dev/zarf	v0.78.0 → v0.79.0			testing_tools	minor

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Release Notes

aws/aws-cli (awscli)

v1.45.33

Compare Source

=======

• api-change:application-autoscaling: Adds support for ECS high-resolution predefined scaling metrics (ECSServiceAverageCPUUtilizationHighResolution, ECSServiceAverageMemoryUtilizationHighResolution) enabling 20-second metric periods for faster scaling
• api-change:batch: Adds Support for ordered allocation strategies- BEST-FIT-PROGRESSIVE-ORDERED or SPOT-CAPACITY-OPTIMIZED-PRIORITIZED
• api-change:cognito-idp: In order to support the new TLS Self-Service feature, this change adds SecurityPolicyType to CustomDomainConfigType. During CreateUserPoolDomain and UpdateUserPoolDomain this is used to select a custom domain's TLS enforcement, and for DescribeUserPoolDomain it informs users about the current TLS.
• api-change:compute-optimizer: This release surfaces two new metrics Volume IOPS Exceeded and Volume Throughput Exceeded into EBS volume rightsizing recommendations.
• api-change:ec2: Documentation updates clarifying CancelCapacityReservation cancellable states
• api-change:ecs: Amazon ECS services now support high resolution (20 second) CloudWatch metrics for CPUUtilization and MemoryUtilization. Use these metrics for faster service auto scaling.
• api-change:eks: Adds support for configurable control plane egress routing in Amazon EKS, allowing you to route control plane egress traffic through your VPC and control how the control plane reaches resources in your network such as webhook servers and OIDC providers.
• api-change:gamelift: Amazon GameLift Servers has launched support for customizing Linux capabilities in container fleets. You can now specify additional Linux capabilities for containers in a container group definition, giving you finer control over the default Docker capabilities available to your containers.
• api-change:healthlake: Adding New Configurations to the FHIR Create Datastore. The new configurations include NLP Configuration, AnalyticsConfiguration, ProfileConfiguration
• api-change:lambda: Converging and fixing existing documentation gaps in Lambda SDK
• api-change:logs: Added optional startFromHead parameter to FilterLogEvents enabling descending timestamp order (newest first) when set to false. Default true preserves existing ascending order. Reverse sorting requires a startTime on or after Jan 1, 2024.
• api-change:sagemaker: Adds support for automatic AMI patching on HyperPod clusters. Customers can configure patching strategies to automatically apply security patch with zero job termination. Customers can also specify an AMI version at instance group level and update cluster software to a certain AMI version.
• api-change:synthetics: CloudWatch Synthetics adds support for multi-location canaries. Customers can now monitor their endpoints from multiple locations with centralized management from a primary location. The SDK includes new parameters for configuring multiple locations and tracking their state.

v1.45.32

Compare Source

=======

• api-change:bedrock-agent: Launching Bedrock Managed Knowledge Bases. Added support for resource-based policies on Knowledge Base resources, enabling cross-account access for Managed Knowledge Bases.
• api-change:bedrock-agentcore: AgentCore Harness service will be Generally Available at NYS 2026 with this Treb release. Harness will support invoking specific endpoints via the qualifier parameter, AWS Skills for pre-built agent capabilities, and improved validation for skill git source URLs.
• api-change:bedrock-agentcore-control: AgentCore Gateway now supports inference targets to LLM providers (direct config or built-in connectors), HTTP passthrough targets with session stickiness, runtime target API schemas, AWS WAF web ACL association with configurable fail-open or fail-close modes, and interceptor payload filtering.
• api-change:bedrock-agent-runtime: Adds new AgenticRetrieveStream API for managed knowledge bases to use conversation history and autonomously plan for multi-hop multi-KB reasoning with built-in evaluation and access-control. Updates Retrieve API for access-control-based filtering for managed knowledge bases.
• api-change:compute-optimizer-automation: This launch adds IfExists comparison operators to Compute Optimizer Automation rule criteria, so a rule can include recommended actions whose specified attribute isn't present.
• api-change:devops-agent: Adds support for Remote A2A (Agent-to-Agent) agent registration and management. Adds new Release Readiness Review and Release Testing capabilities. Adds support for Git managed skills in AWS DevOps Agent.
• api-change:ecs: Releasing the ability to bring-your-own task-definition for CreateExpressGatewayService and UpdateGatewayExpressService
• api-change:glue: This release adds support for Search and Discovery in AWS Glue, letting you and your applications search Data Catalog assets such as table and enrich them with business context and glossary terms.
• api-change:mq: This release adds private networking support for Amazon MQ for RabbitMQ. You can now associate AWS RAM resource shares with your broker and retrieve shared resource details using the new DescribeSharedResources API.
• api-change:opensearch: Adds support for configuring IAM Identity Center options on existing OpenSearch applications via the UpdateApplication API.
• api-change:partnercentral-selling: Cosell Resonate AND Prospecing API Launch with ARN correction
• api-change:securityagent: Updated AWS Security Agent SDK model with new APIs for threat modeling, code review, security requirements, and additional integration providers.

v1.45.31

Compare Source

=======

• api-change:directconnect: Added VIF rate limiting support for AWS Direct Connect, allowing customers to set bandwidth allocations on virtual interfaces to manage traffic on dedicated connections.
• api-change:outposts: Adds support for creating an order from quotes.
• api-change:partnercentral-selling: Added Prospecting APIs to convert engagements into AI-enriched leads with scoring insights. Extended Engagement APIs with ProspectingResult and Lead contexts. Added CoSell Scoring to GetAwsOpportunitySummary- quality score, trend, agent-driven recommendations, and engagement classification.
• api-change:route53resolver: Adds supports for PartnerManagedRules
• api-change:s3: Added support for annotations. You can now attach up to 1000 annotations (up to 1 MB each) directly to objects and create, retrieve, list, and delete them using new annotation APIs. Also added support for configuring an annotation table in S3 Metadata.
• api-change:s3vectors: Amazon S3 Vectors now supports paginated QueryVectors requests, returning up to 10,000 results per query.
• api-change:sagemaker: Add EnableDetailedObservability to Endpoint MetricsConfig. Publishes GPU, host, and framework-native inference metrics to CloudWatch with per-inference-component, availability-zone, and instance dimensions. Adds Inference Component provisioning lifecycle and multi-AZ placement metrics.

v1.45.30

Compare Source

=======

• api-change:bedrock-runtime: InvokeGuardrailChecks API evaluates prompts and responses against safety checks (content filters, prompt attacks, sensitive info) without creating guardrail resources. It's a detect-only API, returning numeric scores so you can build adaptive logic as per your application.
• api-change:datazone: Adds support for deleting lineage events in Amazon DataZone.
• api-change:logs: Added endTimeOffset parameter to Scheduled Queries APIs (Create, Update, Get) enabling bounded time window configuration. Introduced scheduleType filter (CUSTOMER MANAGED, AWS MANAGED) for ListScheduledQueries and exposed it in Get and Update responses.
• api-change:mgn: AWS Transform for VMware now supports Amazon FSx for NetApp ONTAP as a target storage. Customers can migrate source server disks directly to FSx for NetApp ONTAP iSCSI LUNs. Target storage is configurable per source server, and compute, network, and storage migrate together in coordinated waves.
• api-change:rds: Adding support for RDS SQL Server BYOM and DB2 Community Edition
• api-change:wafv2: AWS WAF now supports AI traffic monetization for CloudFront. Configure payment networks and pricing on your web ACL, use the new Monetize rule action to charge AI agents via x402, and monitor revenue with new GetRevenueStatisticsSummary, GetRevenueStatistics, and ListSettlementRecords APIs.
• api-change:workspaces: Added a validation for null check for ImageIds in DescribeWorkspaceImages API request parameters.

helm/helm (helm/helm)

v4.2.2: Helm v4.2.2

Compare Source

Helm v4.2.2 is a patch release. Users are encouraged to upgrade for the best experience.

The community keeps growing, and we'd love to see you there!

• Join the discussion in Kubernetes Slack:
  • for questions and just to hang out
  • for discussing PRs, code, and bugs
• Hang out at the Public Developer Call: Thursday, 9:30 Pacific via Zoom
• Test, debug, and contribute charts: ArtifactHub/packages

Notable Changes

• Revert: Fixed a race condition in WaitForDelete where the status observer canceled the watch too early, causing intermittent failures when running a full test suite #​32214

Installation and Upgrading

Download Helm v4.2.2. The common platform binaries are here:

• MacOS amd64 (checksum / 10c1e36ee8c5f2e2ee25a16599cb03ab74c0953cd889cacb980a49ba4b6574ba)
• MacOS arm64 (checksum / 5410a0dae3d5d91f45653b161260d9301aabc4ae80ae50a6605d66884b6df8ea)
• Linux amd64 (checksum / 9adafecab4d406853bba163a70e9f104f47dbbf65ce24b7653bae7e36150bcb6)
• Linux arm (checksum / 7e9490169874695e04ab1af47c5620621fc13c84219a258fcc1afdcd40ca7438)
• Linux arm64 (checksum / 78803142087a0069fa4b50d3f32a84d3ef25c14d1ee8a40fbccf86a6216d2f36)
• Linux i386 (checksum / 8e1fdcda4a476ffc5d1179c7f16d33a3d54267efa08fd720f7678277d68bc2d5)
• Linux loong64 (checksum / b8bfe96b8b0b0e2af51af4a00ef521cc5a7e03793aea3568cf8500a63ae05041)
• Linux ppc64le (checksum / 814a80fd98eb9e4c5a9d610f3b9c15ffe120c2f5e39df16a2f491723ebc90126)
• Linux s390x (checksum / d84cdf1123f20cfbef19a2af1cd6afe8b00626bd9846bccb9dae978c810c8274)
• Linux riscv64 (checksum / f07c105180dff2619ab45134b9b47b7845387e8f3299e12ebe0efb87c7548717)
• Windows amd64 (checksum / 5fad8562e98c34fa5af3ef904086a5874a6701050f9bf36e30238c975df94dcd)
• Windows arm64 (checksum / 2e993d6a1dd8197a33e65d8e90b26df9d248ff3501701dea401856aa265a2dab)

This release was signed by @​gjenkins8 with key BF88 8333 D96A 1C18 E268 2AAE D79D 67C9 EC01 6739, which can be found at https://keys.openpgp.org/vks/v1/by-fingerprint/BF888333D96A1C18E2682AAED79D67C9EC016739. Please use the attached signatures for verifying this release using gpg.

The Quickstart Guide will get you going from there. For upgrade instructions or detailed installation notes, check the install guide. You can also use a script to install on any system with bash.

What's Next

• 4.2.3 and 3.21.2 are the next patch releases scheduled for July 8, 2026
• 4.3.0 and 3.22.0 are the next minor releases scheduled for September 9, 2026

Changelog

• Revert "fix(kube): prevent spurious early exit in WaitForDelete during informer sync" b05881c (George Jenkins)

Full Changelog: helm/helm@v4.2.1...v4.2.2

helmfile/helmfile (helmfile/helmfile)

v1.5.5

Compare Source

What's Changed

• fix: restore s3:: vhost-style remote source support (#​2643) by @​yxxhero in #​2644
• feat: add helm 4 --server-side flag support for diff and bump helm-diff to v3.15.10 by @​yxxhero in #​2645

Full Changelog: helmfile/helmfile@v1.5.4...v1.5.5

v1.5.4

Compare Source

What's Changed

• build(deps): bump golang.org/x/term from 0.43.0 to 0.44.0 by @​dependabot[bot] in #​2629
• build(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.32.23 to 1.32.24 by @​dependabot[bot] in #​2627
• build(deps): bump github.com/aws/aws-sdk-go-v2/service/s3 from 1.103.2 to 1.103.3 by @​dependabot[bot] in #​2628
• fix: Fix broken trackLogs functionality in Kubedog tracker by @​ggillies in #​2630
• build(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.32.24 to 1.32.25 by @​dependabot[bot] in #​2632
• Bump Helm support to 4.2.1 and 3.21.1 by @​Copilot in #​2635
• build(deps): bump github.com/helmfile/vals from 0.44.0 to 0.44.1 by @​dependabot[bot] in #​2637
• build(deps): bump github.com/helmfile/chartify from 0.26.4 to 0.26.5 by @​dependabot[bot] in #​2636
• Add App.WithFileSystem by @​toyamagu-2021 in #​2638
• fix: include release values in .Values for patch template rendering by @​yxxhero in #​2556
• build(deps): bump helm-diff to v3.15.9 by @​yxxhero in #​2642
• feat: add support for helm 4 --server-side upgrade flag by @​yxxhero in #​2641

New Contributors

• @​ggillies made their first contribution in #​2630

Full Changelog: helmfile/helmfile@v1.5.3...v1.5.4

ministackorg/ministack (ministackorg/ministack)

v1.3.65

Compare Source

Fixed

• EC2 — source security groups (UserIdGroupPairs) now returned by DescribeSecurityGroupRules / DescribeSecurityGroups — AuthorizeSecurityGroupIngress/Egress rules that reference another security group were dropped at ingestion and never surfaced: DescribeSecurityGroupRules omitted ReferencedGroupInfo and DescribeSecurityGroups returned an empty <groups>. Source-group pairs are now parsed and emitted by both. Reported by @​kamegoro. Contributed by @​kurok.
• Auto Scaling — instance refresh actions implemented — StartInstanceRefresh, DescribeInstanceRefreshes, and CancelInstanceRefresh previously failed with InvalidAction: Unknown AutoScaling action. They are now handled and recorded on the Auto Scaling group, so a refresh can be started, polled, and cancelled. Contributed by @​c-julin.
• S3 — GetBucketOwnershipControls now 404s after delete — it always returned a default ownership block (HTTP 200), so DeleteBucketOwnershipControls was not observable and Terraform's delete waiter looped (found resource), blocking terraform destroy. It now returns OwnershipControlsNotFoundError (404) once controls have been deleted, while still reporting the default Object Ownership for a never-configured bucket. Contributed by @​c-julin.
• Glue — GetUserDefinedFunctions accepts java.util.regex \Q…\E patterns — real AWS compiles Pattern with java.util.regex, so clients like Trino's Glue connector send literal-quoted patterns (e.g. trino__\Qname\E__.*); Python's re rejected \Q…\E with InvalidInputException: Invalid pattern syntax. The literal-quote sequences are now translated before matching. Contributed by @​yonatoasis.
• API Gateway v2 — CloudFormation provisioner honours the ms-custom-id tag — AWS::ApiGatewayV2::Api resources always got a random API id, ignoring an ms-custom-id tag in the template even though the direct CreateApi path and the v1 REST provisioner already honoured it. The v2 provisioner now resolves the custom id before falling back to a generated one. Contributed by @​hiddengearz.
• Lambda — function code stored as content-addressed blob files — get_state base64-encoded every code_zip inline into lambda.json, so a deployment with many large zips (e.g. 26 functions × ~30 MB) produced a ~1 GB state file that OOM'd on warm boot while decoding. Code bytes are now written as content-addressed blobs alongside the state and loaded lazily. Contributed by @​mattwang44.
• Lambda — CloudFormation/CDK-provisioned layers now carry their content — layers created via CloudFormation stored no _zip_data, so _resolve_layer_zip returned None at worker spawn and functions could not import their layer packages even though ListLayers showed them. The provisioner now stores the layer bytes.
• Lambda — CloudFormation-created DynamoDB-stream ESMs anchor LATEST at create time — matching the CreateEventSourceMapping API path, so a LATEST mapping skips records that already existed when the stack was deployed instead of replaying them; no-op for SQS/Kinesis sources.
• ECS — RunTask secrets now resolve SSM Parameter Store references — containerDefinitions[].secrets valueFrom entries pointing at SSM parameters were previously left unresolved; they are now fetched in-process and injected into the container environment alongside Secrets Manager references.

---

v1.3.64

Compare Source

Fixed

• Step Functions — mocked Throw responses now route to Catch — a SFN_MOCK_CONFIG Throw was raised above the state's Retry/Catch handling, so the execution always failed instead of routing to a matching Catch handler. The mocked error now flows through the same Retry/Catch machinery as a real task failure. Reported by @​amissemer.
• Glue — GetUserDefinedFunctions treats Pattern as a regular expression — the pattern was matched as a glob, so regex patterns (such as the Trino Glue connector's trino__<name>__.*) never matched; an invalid pattern now returns InvalidInputException. Contributed by @​yonatoasis.
• S3 — WebsiteRedirectLocation is now preserved — x-amz-website-redirect-location set on PutObject is now stored and returned by GetObject / HeadObject. Contributed by @​murlock.
• IAM — instance-profile tagging actions implemented — TagInstanceProfile, UntagInstanceProfile, and ListInstanceProfileTags previously failed with InvalidAction: Unknown IAM action. They are now handled, tags are stored on the instance-profile object (including tags supplied at CreateInstanceProfile time), and they read back from GetInstanceProfile / ListInstanceProfiles (via the Tags member) and ListInstanceProfileTags. This read-back lets Terraform's aws_iam_instance_profile settle to "No changes" on re-apply instead of detecting tag drift. Contributed by @​c-julin.
• EventBridge — input transformer reserved variables — substitute <aws.events.event.json>, <aws.events.event>, <aws.events.rule-name>, <aws.events.rule-arn>, and <aws.events.event.ingestion-time> so CDK-style templates that embed the source event deliver valid JSON. Contributed by @​AbdoNile.
• CloudFormation — GetTemplateSummary now returns Capabilities and CapabilitiesReason — the handler already accepted TemplateBody and returned Parameters / ResourceTypes correctly, but omitted the Capabilities and CapabilitiesReason fields. These are now computed from the template: CAPABILITY_NAMED_IAM for IAM resources with explicit name properties (RoleName, UserName, etc.), CAPABILITY_IAM for unnamed IAM resources, and CAPABILITY_AUTO_EXPAND for templates with a Transform. CapabilitiesReason uses the format confirmed against the AWS API: "The following resource(s) require capabilities: [<type>]". Contributed by @​maximoosemine.
• Lambda - CreateEventSourceMapping persists FilterCriteria — CreateEventSourceMapping was silently dropping the FilterCriteria parameter, so any filter specified at creation time was never applied. Contributed by @​maximoosemine.
• ECS — RunTask now applies containerOverrides.command to the launched Docker container — Overridden commands (including an explicit empty command) were ignored at runtime because the Docker containers.run(...) call still used the task-definition command. The effective container definition now carries the matched override command into Docker, while non-overridden containers keep their defaults. Contributed by @​noynoy83.
• ECS — RunTask now injects containerDefinitions[].secrets from Secrets Manager — secret valueFrom references (including the :json-key: form that selects one field from a JSON secret) were silently dropped, so containers started without those environment variables. They are now resolved in-process and merged into the container environment before container overrides are applied; SSM Parameter Store references are not yet resolved. Reported by @​kamegoro. Contributed by @​kurok.
• S3 — DeletePublicAccessBlock now actually clears the configuration — after delete, GetPublicAccessBlock returned a default all-blocked configuration with HTTP 200 instead of NoSuchPublicAccessBlockConfiguration (404), so the delete was not observable and Terraform's aws_s3_bucket_public_access_block delete waiter timed out (found resource), blocking terraform destroy. GetPublicAccessBlock now returns 404 when no configuration is set (never configured, or deleted). Reported by @​kamegoro. Contributed by @​kurok.
• Lambda - CloudFormation-created ESMs now poll DynamoDB Streams — Before, these streams were not getting polled. Contributed by @​maximoosemine.
• CloudWatch Logs — subscription filters now deliver matching log events to the destination Lambda — a SubscriptionFilter (created via CloudFormation or PutSubscriptionFilter) was provisioned but never forwarded log events, so the processor Lambda was never invoked. Matching events from PutLogEvents and from Lambda's own log emission are now delivered to Lambda destinations in AWS's awslogs gzip+base64 DATA_MESSAGE envelope, with a self-loop guard so a filter on a function's own log group can't recurse. Reported by @​ankitaabad.

---

tilt-dev/tilt (tilt-dev/tilt)

v0.37.4

Compare Source

Install Tilt ⬇️ | Upgrade Tilt ⬆️ | Tilt Extensions 🧰

Changelog

• d3bc306: Update version numbers: 0.37.3 (@​dev-errant)
• 98108ca: add a one-shot retry for object not found errors (#​6759) (@​glightfoot)
• 99a0f39: adding jsonpath dict filtering (#​6751) (@​benjamin-wright)
• 6bde8ad: build(deps): bump @​babel/plugin-transform-modules-systemjs in /web (#​6761) (@​dependabot[bot])
• ef74a99: build(deps): bump @​tootallnate/once from 1.1.2 to 2.0.1 in /web (#​6769) (@​dependabot[bot])
• 85d7d27: build(deps): bump form-data from 3.0.4 to 3.0.5 in /web (#​6777) (@​dependabot[bot])
• 4fd0633: build(deps): bump js-cookie from 2.2.1 to 3.0.7 in /web (#​6770) (@​dependabot[bot])
• b43995c: build(deps): bump launch-editor from 2.6.1 to 2.14.1 in /web (#​6772) (@​dependabot[bot])
• 51c2088: build(deps): bump shell-quote from 1.8.1 to 1.8.4 in /web (#​6773) (@​dependabot[bot])
• 47393fb: fix: secure mutating and sensitive requests to HUD server (#​6776) (@​nicksieger)
• ba6b2ad: scripts: remove homebrew formula bump from release script (#​6774) (@​nicks)
• 65ddaec: vendor: update to go 1.26 (#​6764) (@​nicks)

zarf-dev/zarf (zarf-dev/zarf)

v0.79.0

Compare Source

⚠ BREAKING CHANGES

• values: expose pkg built in (#​4981)

Features

• injector: dynamically determine host based on IP family (#​4985) (8ef592c)
• values: expose pkg built in (#​4981) (1e7e767)

Bug Fixes

• docs: render markdown tables (#​4982) (c96636e)
• pull: always pull values.yaml and values.schema.json (#​4987) (78ac28e)

What's Changed

🚀 Updates

• chore(main): release 0.79.0 by @​zarf-release-please[bot] in #​4984

Full Changelog: zarf-dev/zarf@v0.79.0-rc1...v0.79.0

Verifying Init Packages

The init packages in this release are signed with keyless Sigstore signing. Verify with:

amd64:

zarf package verify zarf-init-amd64-v0.79.0.tar.zst \
  --certificate-identity "https://github.com/zarf-dev/zarf/.github/workflows/release.yml@refs/tags/v0.79.0" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"

arm64:

zarf package verify zarf-init-arm64-v0.79.0.tar.zst \
  --certificate-identity "https://github.com/zarf-dev/zarf/.github/workflows/release.yml@refs/tags/v0.79.0" \
  --certificate-oidc-issuer "https://token.actions.githubusercontent.com"

See RELEASES.md for details.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

[copy-pr-bot]

This pull request requires additional validation before any workflows can run on NVIDIA's runners.

Pull request vetters can view their responsibilities here.

Contributors can view more details about this message here.

[github-actions]

Coverage Report ✅

Metric	Value
Coverage	77.2%
Threshold	75%
Status	Pass

Coverage Badge

![Coverage](https://img.shields.io/badge/coverage-77.2%25-green)

No Go source files changed in this PR.