luk-kop · luk-kop · Jan 19, 2026 · Jan 19, 2026 · Jan 19, 2026 · Jan 19, 2026
diff --git a/.github/labeler.yml b/.github/labeler.yml
@@ -1,23 +1,32 @@
 Workflows:
-- changed-files:
-  - any-glob-to-any-file: .github/workflows/**
+  - changed-files:
+      - any-glob-to-any-file:
+          - .github/workflows/**
 
 Documentation:
-- changed-files:
-  - any-glob-to-any-file: ['images/**', '**/*.md']
+  - changed-files:
+      - any-glob-to-any-file:
+          - images/**
+          - "**/*.md"
+          - docs/**
 
 Terraform:
-- changed-files:
-  - any-glob-to-any-file: terraform/**
+  - changed-files:
+      - any-glob-to-any-file:
+          - terraform/**
 
 Lambda:
-- changed-files:
-  - any-glob-to-any-file: lambda/**
+  - changed-files:
+      - any-glob-to-any-file:
+          - lambda/**
 
 Pytest:
-- changed-files:
-  - any-glob-to-any-file: tests/**
+  - changed-files:
+      - any-glob-to-any-file:
+          - tests/**
 
 Python:
-- changed-files:
-  - any-glob-to-any-file: '**/*.py'
+  - changed-files:
+      - any-glob-to-any-file:
+          - "**/*.py"
+          - "!tests/**"
diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
@@ -15,10 +15,10 @@ on:
   workflow_dispatch:
 
 env:
-  PYTHON_VERSION: '3.11'
-  CERTBOT_LAMBDA_DIR: 'lambdas/certbot'
-  UV_VERSION: '0.5'
+  LAMBDAS_DIR: 'lambdas'
+  UV_VERSION: '0.9.26'
   RUFF_VERSION: '0.14.13'
+  BANDIT_VERSION: '1.9.3'
   TF_VERSION: '1.12.1'
   TF_LINT_VERSION: 'latest'
   TF_DOCS_VERSION: 'latest'
@@ -33,19 +33,6 @@ jobs:
       - name: Check-out code
         uses: actions/checkout@v6
 
-      - name: Set up uv
-        uses: astral-sh/setup-uv@v4
-        with:
-          version: ${{ env.UV_VERSION }}
-
-      - name: Set up Python
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ env.PYTHON_VERSION }}
-
-      - name: Install dependencies (workspace)
-        run: uv sync --all-packages
-
       - name: Ruff check (linter)
         uses: astral-sh/ruff-action@v3
         with:
@@ -77,16 +64,10 @@ jobs:
 
       - name: Set up uv
         if: steps.check-tests.outputs.exists == 'true'
-        uses: astral-sh/setup-uv@v4
+        uses: astral-sh/setup-uv@v7
         with:
           version: ${{ env.UV_VERSION }}
 
-      - name: Set up Python
-        if: steps.check-tests.outputs.exists == 'true'
-        uses: actions/setup-python@v6
-        with:
-          python-version: ${{ env.PYTHON_VERSION }}
-
       # Test dependencies are declared in pyproject.toml
       - name: Install dependencies (workspace)
         if: steps.check-tests.outputs.exists == 'true'
@@ -98,7 +79,7 @@ jobs:
           AWS_DEFAULT_REGION: 'us-east-1'
         run: |
           uv run pytest tests/ \
-            --cov=${{ env.CERTBOT_LAMBDA_DIR }} \
+            --cov=${{ env.LAMBDAS_DIR }} \
             --cov-report=xml \
             --cov-report=html \
             --cov-report=term-missing \
@@ -116,7 +97,7 @@ jobs:
         if: always() && steps.check-tests.outputs.exists == 'true'
         uses: actions/upload-artifact@v5
         with:
-          name: pytest-results-${{ env.PYTHON_VERSION }}
+          name: pytest-results
           path: |
             junit/test-results.xml
             htmlcov/
@@ -192,13 +173,13 @@ jobs:
           sarif_file: 'trivy-results.sarif'
 
       - name: Set up uv
-        uses: astral-sh/setup-uv@v4
+        uses: astral-sh/setup-uv@v7
         with:
           version: ${{ env.UV_VERSION }}
 
       - name: Python Security Check (Bandit)
         run: |
-          uvx bandit -r . -f json -o bandit-report.json || true
+          uvx bandit@${{ env.BANDIT_VERSION }} -r ${{ env.LAMBDAS_DIR }} -f screen
 
       - name: Check for secrets (Gitleaks)
         uses: gitleaks/gitleaks-action@v2

diff --git a/.github/workflows/pr-validation.yml b/.github/workflows/pr-validation.yml
@@ -8,6 +8,10 @@ on:
       - reopened
       - synchronize
 
+env:
+  WARN_SIZE: 1M
+  FAIL_SIZE: 10M
+
 jobs:
   validate-pr:
     name: Validate Pull Request
@@ -28,15 +32,27 @@ jobs:
 
       - name: Check file sizes
         run: |
-          # Check for large files (excluding .git)
-          find . -path ./.git -prune -o -type f -size +1M -exec ls -lh {} \; | awk '{print $9 ": " $5}'
+          echo "Checking for files larger than ${WARN_SIZE} (warning only)"
+
+          # List files > WARN_SIZE (excluding .git)
+          find . -path ./.git -prune -o -type f -size +${WARN_SIZE} -print0 \
+            | xargs -0 -r ls -lh \
+            | awk '{print "WARN:", $9, "(", $5, ")"}' || true
+
+          echo ""
+          echo "Failing PR if files larger than ${FAIL_SIZE} are found"
 
-          # Fail if files larger than 10MB (excluding .git)
-          if find . -path ./.git -prune -o -type f -size +10M -print | grep -q .; then
-            echo "Error: Files larger than 10MB found"
+          # Find files > FAIL_SIZE (excluding .git)
+          LARGE_FILES=$(find . -path ./.git -prune -o -type f -size +${FAIL_SIZE} -print)
+
+          if [ -n "$LARGE_FILES" ]; then
+            echo "ERROR: Files larger than ${FAIL_SIZE} detected:"
+            echo "$LARGE_FILES"
             exit 1
           fi
 
+          echo "File size check passed ✔"
+
   labeler:
     name: Label PR
     runs-on: ubuntu-latest

diff --git a/README.md b/README.md
@@ -195,7 +195,7 @@ You can control whether the ACME account key is persisted using the `acme_persis
 
 ## Lambda Layer Building
 
-The Lambda function requires Python dependencies (`acme`, `cryptography`, `josepy`, `boto3`) packaged as a Lambda layer. Terraform builds this layer locally during `terraform apply` using `uv pip install` with the `--python-platform x86_64-manylinux2014` flag to ensure compatibility with the Lambda runtime.
+The Lambda function requires Python dependencies (`acme`, `cryptography`, `josepy`) packaged as a Lambda layer. Terraform builds this layer locally during `terraform apply` using `uv pip install` with the `--python-platform x86_64-manylinux2014` flag to ensure compatibility with the Lambda runtime.
 
 **Why local building?**
 - Simple setup - no Docker or CI/CD pipeline required
@@ -211,7 +211,7 @@ The Lambda function requires Python dependencies (`acme`, `cryptography`, `josep
 **Manual build** (when needed):
 ```bash
 # From project root:
-uv lock  # if uv.lock doesn't exist
+test -f uv.lock || uv lock
 uv export --package certbot-lambda --no-hashes --no-dev --frozen --no-emit-project -o lambdas/certbot/requirements.txt
 cd lambdas/certbot
 rm -rf python layer.zip
@@ -223,6 +223,8 @@ zip -r layer.zip python
 
 For production environments with stricter reproducibility needs, consider building the layer in CI/CD and storing it in S3.
 
+> **See also:** [Using uv with AWS Lambda](https://docs.astral.sh/uv/guides/integration/aws-lambda/)
+
 ## Deployment
 
 See [terraform/README.md](terraform/README.md) for detailed configuration, variables, and outputs.
@@ -460,6 +462,3 @@ uv sync --all-packages
 ```
 
 Then create corresponding Terraform resources in `terraform/` for the new Lambda function.
-
-## TODO
-- Add support for multiple Hosted Zones