diff --git a/.github/workflows/docker-build-and-push.yml b/.github/workflows/docker-build-and-push.yml
index 716307d..79cb538 100644
--- a/.github/workflows/docker-build-and-push.yml
+++ b/.github/workflows/docker-build-and-push.yml
@@ -110,10 +110,12 @@ jobs:
 *.sigstore.dev:443
 *.trivy.dev:443
 api.github.com:443
+ codeload.github.com:443
 docker-images-prod.*.r2.cloudflarestorage.com:443
 ghcr.io:443
 github.com:443
 mirror.gcr.io:443
+ release-assets.githubusercontent.com:443
 ${{ inputs.egress-policy-allowlist }}
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
@@ -180,7 +182,7 @@ jobs:
 echo "local_image_ref=${LOCAL_IMAGE_REF}"
 } >> "${GITHUB_OUTPUT}"
 - name: Run Trivy Scan
- uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # v0.34.1
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
 if: inputs.scan-image
 with:
 format: sarif
@@ -191,7 +193,7 @@ jobs:
 output: ${{ inputs.working-directory }}/trivy_results.sarif
 github-pat: ${{ secrets.GITHUB_TOKEN }}
 - name: Generate SBOM
- uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # v0.34.1
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
 if: inputs.push
 with:
 format: spdx-json
diff --git a/.github/workflows/infra-security-scan.yml b/.github/workflows/infra-security-scan.yml
index 9661b62..5b2eeb7 100644
--- a/.github/workflows/infra-security-scan.yml
+++ b/.github/workflows/infra-security-scan.yml
@@ -100,7 +100,7 @@ jobs:
 filter_mode: nofilter
 tool_name: actionlint
 - name: Install uv
- uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0
+ uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
 with:
 enable-cache: true
 - name: Run zizmor
diff --git a/.github/workflows/pulumi-preview.yml b/.github/workflows/pulumi-preview.yml
index f84b759..3e82153 100644
--- a/.github/workflows/pulumi-preview.yml
+++ b/.github/workflows/pulumi-preview.yml
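Review bot: The two hosts added to `allowed-endpoints` in the docker-build-and-push hunk at @@ -110 (and the same pair in the terraform-ci hunk at @@ -52) are general-purpose GitHub download front-ends, and nothing in the workflow records which step needs them, so whoever next trims the allowlist cannot tell whether they are still required. Presumably they serve the Trivy binary or action archives fetched after the trivy-action bump in the same commit, but that is an inference from this diff, not something it shows. Because `allowed-endpoints` is a folded `>` scalar, a `#` placed inside the list would become part of the value rather than a comment, so the rationale has to sit on the key: e.g. above `allowed-endpoints: >` add `# codeload.github.com / release-assets.githubusercontent.com: GitHub archive and release-asset downloads (TODO: name the consuming step)`. The `allowed-endpoints` key and the enclosing harden-runner step start above this hunk.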
@@ -88,7 +88,7 @@ jobs:
 installer-parallel: true
 # ----- UV -----
- - uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0
+ - uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
 if: ${{ hashFiles(format('{0}/uv.lock', inputs.working-directory)) != '' }}
 with:
 enable-cache: true
diff --git a/.github/workflows/pulumi-up.yml b/.github/workflows/pulumi-up.yml
index f07e6c6..047ed75 100644
--- a/.github/workflows/pulumi-up.yml
+++ b/.github/workflows/pulumi-up.yml
@@ -87,7 +87,7 @@ jobs:
 installer-parallel: true
 # ----- UV -----
- - uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0
+ - uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
 if: ${{ hashFiles(format('{0}/uv.lock', inputs.working-directory)) != '' }}
 with:
 enable-cache: true
diff --git a/.github/workflows/python-ci.yml b/.github/workflows/python-ci.yml
index 7da2701..3ea6b5d 100644
--- a/.github/workflows/python-ci.yml
+++ b/.github/workflows/python-ci.yml
@@ -66,7 +66,7 @@ jobs:
 installer-parallel: true
 # ----- UV -----
- - uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0
+ - uses: astral-sh/setup-uv@5a095e7a2014a4212f075830d4f7277575a9d098 # v7.3.1
 if: ${{ hashFiles(format('{0}/uv.lock', inputs.working-directory)) != '' }}
 with:
 enable-cache: true
diff --git a/.github/workflows/rust-ci.yml b/.github/workflows/rust-ci.yml
index d8e8cbc..657a8d7 100644
--- a/.github/workflows/rust-ci.yml
+++ b/.github/workflows/rust-ci.yml
@@ -66,7 +66,7 @@ jobs:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
- - uses: actions-rust-lang/setup-rust-toolchain@1780873c7b576612439a134613cc4cc74ce5538c # v1.15.2
+ - uses: actions-rust-lang/setup-rust-toolchain@a0b538fa0b742a6aa35d6e2c169b4bd06d225a98 # v1.15.3
 with:
 components: rustfmt
 toolchain: ${{ inputs.rust-version }}
@@ -99,7 +99,7 @@ jobs:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
- - uses: actions-rust-lang/setup-rust-toolchain@1780873c7b576612439a134613cc4cc74ce5538c # v1.15.2
+ - uses: actions-rust-lang/setup-rust-toolchain@a0b538fa0b742a6aa35d6e2c169b4bd06d225a98 # v1.15.3
 with:
 toolchain: ${{ inputs.rust-version }}
 cache-workspaces: |-
@@ -132,7 +132,7 @@ jobs:
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 persist-credentials: false
- - uses: actions-rust-lang/setup-rust-toolchain@1780873c7b576612439a134613cc4cc74ce5538c # v1.15.2
+ - uses: actions-rust-lang/setup-rust-toolchain@a0b538fa0b742a6aa35d6e2c169b4bd06d225a98 # v1.15.3
 with:
 components: clippy
 toolchain: ${{ inputs.rust-version }}
@@ -204,7 +204,7 @@ jobs:
 uses: mlugg/setup-zig@d1434d08867e3ee9daa34448df10607b98908d29 # v2.2.1
 with:
 version: latest
- - uses: actions-rust-lang/setup-rust-toolchain@1780873c7b576612439a134613cc4cc74ce5538c # v1.15.2
+ - uses: actions-rust-lang/setup-rust-toolchain@a0b538fa0b742a6aa35d6e2c169b4bd06d225a98 # v1.15.3
 with:
 toolchain: ${{ inputs.rust-version }}
 cache-workspaces: |-
diff --git a/.github/workflows/terraform-ci.yml b/.github/workflows/terraform-ci.yml
index 087b349..7156eb5 100644
--- a/.github/workflows/terraform-ci.yml
+++ b/.github/workflows/terraform-ci.yml
@@ -52,7 +52,9 @@ jobs:
 disable-sudo: ${{ inputs.disable-sudo }}
 egress-policy: audit
 allowed-endpoints: >
+ codeload.github.com:443
 raw.githubusercontent.com:443
+ release-assets.githubusercontent.com:443
 ${{ inputs.egress-policy-allowlist }}
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
@@ -101,7 +103,7 @@ jobs:
 filter_mode: nofilter
 - name: Run Trivy Scan
- uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # v0.34.1
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
 with:
 hide-progress: true
 format: sarif
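Review bot: The allowlist extended in the terraform-ci hunk at @@ -52 sits directly under `egress-policy: audit`, so the two new endpoints, like the existing ones, are only reported by harden-runner and never enforced; the edit changes what is logged, not what the job can reach. If the goal is to enforce the list, the follow-up is `egress-policy: block` once the list is known to be complete, and the new hosts should then be re-verified against the job's actual egress. If audit mode is deliberate, record that on the line so the allowlist is not mistaken for a control, e.g. `egress-policy: audit  # audit only: allowed-endpoints is reported, not enforced`. The harden-runner step that owns these keys begins above the hunk.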
diff --git a/auto-tagger/.gitignore b/.gitignore
similarity index 92%
rename from auto-tagger/.gitignore
rename to .gitignore
index 09697aa..fe9cf21 100644
--- a/auto-tagger/.gitignore
+++ b/.gitignore
@@ -1,4 +1,5 @@
 __pycache__/
+.cache
 .mypy_cache
 .pytest_cache
 .ruff_cache