jkemmererupgrade · jkemmererupgrade · Mar 10, 2026 · Mar 10, 2026 · Mar 11, 2026 · Mar 11, 2026
diff --git a/.github/ISSUE_TEMPLATE/bug_report.md → .github/ISSUE_TEMPLATE/01-bug-report.md b/.github/ISSUE_TEMPLATE/bug_report.md → .github/ISSUE_TEMPLATE/01-bug-report.md
@@ -1,10 +1,8 @@
 ---
 name: Bug report
-about: Create a bug report to help us improve
-title: "[Bug] "
-labels: bug
-projects: "aws/112"
-assignees: ""
+about: Something isn't working as expected
+labels: bug, triage
+type: Bug
 ---
 
 ## Description
@@ -37,13 +35,8 @@ assignees: ""
 
 ---
 
-<!-- prettier-ignore -->
 > [!IMPORTANT]
-> If you are interested in working on this issue or have submitted
-> a pull request, please leave a comment.
+> If you are interested in working on this issue, please leave a comment.
 
-<!-- prettier-ignore -->
 > [!TIP]
-> Please use a 👍 reaction to provide a +1/vote.
->
-> This helps the community and maintainers prioritize this request.
+> Please use a 👍 reaction to provide a +1/vote. This helps the community and maintainers prioritize this request.
diff --git a/.github/ISSUE_TEMPLATE/02-feature-request.md b/.github/ISSUE_TEMPLATE/02-feature-request.md
@@ -0,0 +1,35 @@
+---
+name: Feature request
+about: Suggest a new feature or improvement
+labels: enhancement, triage
+type: Feature
+---
+
+## Description
+
+<!--
+  A clear and concise description of what the problem is.
+  e.g. I'm frustrated when [...]
+-->
+
+## Preferred Solution
+
+<!-- A clear and concise description of what you want to happen. -->
+
+## Related Issues
+
+<!--
+  Use a bulleted list since GitHub auto-expands issue/PR titles.
+  e.g.
+  - Originated from #1234
+  - Depends on #1234
+  - Related to #1234
+-->
+
+---
+
+> [!IMPORTANT]
+> If you are interested in working on this issue, please leave a comment.
+
+> [!TIP]
+> Please use a 👍 reaction to provide a +1/vote. This helps the community and maintainers prioritize this request.
diff --git a/.github/ISSUE_TEMPLATE/03-epic.md b/.github/ISSUE_TEMPLATE/03-epic.md
@@ -0,0 +1,35 @@
+---
+name: Epic
+about: A large feature broken into smaller tasks
+labels: enhancement, triage
+type: Epic
+---
+
+## Description
+
+<!--
+  A clear and concise description of what the problem is.
+  e.g. I'm frustrated when [...]
+-->
+
+## High-Level Plan
+
+<!-- A clear and concise description of the approach and major steps. -->
+
+## Related Issues
+
+<!--
+  Use a bulleted list since GitHub auto-expands issue/PR titles.
+  e.g.
+  - Originated from #1234
+  - Depends on #1234
+  - Related to #1234
+-->
+
+---
+
+> [!IMPORTANT]
+> If you are interested in working on this issue, please leave a comment.
+
+> [!TIP]
+> Please use a 👍 reaction to provide a +1/vote. This helps the community and maintainers prioritize this request.
diff --git a/.github/ISSUE_TEMPLATE/04-task.md b/.github/ISSUE_TEMPLATE/04-task.md
@@ -0,0 +1,15 @@
+---
+name: Task
+about: A small, focused unit of work
+type: Task
+---
+
+<!-- Describe the task briefly. -->
+
+---
+
+> [!IMPORTANT]
+> If you are interested in working on this issue, please leave a comment.
+
+> [!TIP]
+> Please use a 👍 reaction to provide a +1/vote. This helps the community and maintainers prioritize this request.
diff --git a/.github/ISSUE_TEMPLATE/05-spike.md b/.github/ISSUE_TEMPLATE/05-spike.md
@@ -0,0 +1,31 @@
+---
+name: Spike
+about: Exploratory work to produce estimates or inform planning
+type: Spike
+---
+
+## Goal
+
+<!-- What question or uncertainty does this spike aim to resolve? -->
+
+## Expected Outcome
+
+<!-- What deliverables are expected? e.g. estimates, a tasked-out epic, a proof of concept, a recommendation -->
+
+## Related Issues
+
+<!--
+  Use a bulleted list since GitHub auto-expands issue/PR titles.
+  e.g.
+  - Originated from #1234
+  - Depends on #1234
+  - Related to #1234
+-->
+
+---
+
+> [!IMPORTANT]
+> If you are interested in working on this issue, please leave a comment.
+
+> [!TIP]
+> Please use a 👍 reaction to provide a +1/vote. This helps the community and maintainers prioritize this request.
diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1 @@
+blank_issues_enabled: false
diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md
diff --git a/.github/pull_request_template.md b/.github/pull_request_template.md
@@ -26,7 +26,7 @@ Please read the [Code of Conduct](https://github.com/aws/graph-explorer/blob/mai
 -->
 
 - [ ] I confirm that my contribution is made under the terms of the Apache 2.0 license.
-- [ ] I have run `pnpm checks` to ensure code compiles and meets standards.
-- [ ] I have run `pnpm test` to check if all tests are passing.
+- [ ] I have verified `pnpm checks` passes with no errors.
+- [ ] I have verified `pnpm test` passes with no failures.
 - [ ] I have covered new added functionality with unit tests if necessary.
-- [ ] I have added an entry in the `Changelog.md`.
+- [ ] I have updated documentation if necessary.
diff --git a/.github/workflows/build_docker.yml b/.github/workflows/build_docker.yml
@@ -15,37 +15,39 @@ on:
     branches:
       - main
 
+permissions:
+  contents: read
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
 jobs:
   build-and-push-image:
     runs-on: ubuntu-latest
-    permissions:
-      contents: read
 
     steps:
       - name: Checkout
-        uses: actions/checkout@v4
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
 
       - name: Get package version
-        uses: tyankatsu0105/read-package-version-actions@v1
-        with:
-          path: "./"
         id: package-version
+        run: echo "version=$(node -p 'require("./package.json").version')" >> $GITHUB_OUTPUT
 
       - name: Get image tag
         id: get-image-tag
+        env:
+          IS_RELEASE: ${{ github.event_name == 'workflow_dispatch' && inputs.image_tag == 'release' }}
+          VERSION: ${{ steps.package-version.outputs.version }}
         run: |
-          if ${{ github.event_name == 'workflow_dispatch' }} ; then
-            if ${{ inputs.image_tag == 'release'}}; then
-              echo "image_tag=${{ steps.package-version.outputs.version }}" >> $GITHUB_OUTPUT
-            else
-              echo "image_tag=latest-SNAPSHOT" >> $GITHUB_OUTPUT
-            fi
+          if [ "$IS_RELEASE" = "true" ]; then
+            echo "image_tag=$VERSION" >> $GITHUB_OUTPUT
           else
             echo "image_tag=latest-SNAPSHOT" >> $GITHUB_OUTPUT
           fi
 
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@v4
+        uses: aws-actions/configure-aws-credentials@61815dcd50bd041e203e49132bacad1fd04d2708 # v5.1.1
         with:
           aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID_ECR }}
           aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY_ECR }}
@@ -56,7 +58,7 @@ jobs:
 
       - name: Login to Amazon ECR
         id: login-ecr-public
-        uses: aws-actions/amazon-ecr-login@v2
+        uses: aws-actions/amazon-ecr-login@376925c9d111252e87ae59691e5a442dd100ef6a # v2.1.3
         with:
           registry-type: public
 

diff --git a/.github/workflows/security-audit.yml b/.github/workflows/security-audit.yml
@@ -0,0 +1,61 @@
+name: Security Audit
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - main
+  schedule:
+    # Every day at 9:00 UTC
+    - cron: "0 9 * * *"
+
+permissions:
+  contents: read
+
+jobs:
+  dependency-audit:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+
+      - name: Run Trivy filesystem scan
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
+        with:
+          scan-type: fs
+          scan-ref: .
+          vuln-type: library
+          format: sarif
+          output: trivy-fs-results.sarif
+
+      - name: Upload Trivy filesystem results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        with:
+          sarif_file: trivy-fs-results.sarif
+          category: dependency-scan
+
+  docker-image-audit:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5.0.1
+
+      - name: Scan Docker image for vulnerabilities
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
+        with:
+          image-ref: public.ecr.aws/neptune/graph-explorer:latest-SNAPSHOT
+          vuln-type: os
+          format: sarif
+          output: trivy-image-results.sarif
+
+      - name: Upload Trivy image results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        with:
+          sarif_file: trivy-image-results.sarif
+          category: docker-image-scan