Feat/runtime upgrades (#1218)

### Description List
- Upgraded Python lambdas and pipelines to 3.14, excepting purchases
lambda, which is held back at 3.12
- Upgraded NodeJS lambdas and pipelines to 24
- Upgraded libraries
- Addressed/tested aws-cdk bugfix that introduced a DynamoDB resource
policy statement that was previously missing, due to the bug

### Testing List
- Ran investigation smoke test to verify Python API / Node email
function
- Tested SSN UI features and SSN table backups, to verify continued
function after introduction of missing policy statement
- Deployed and loaded UI to verify CSP lambda function
- Code review
- Deploy via pipeline to test, to verify pipeline compatibility

Closes #1216


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **New Features**
* Added signature-auth examples and notes documenting the Purchases
service running in its own Python 3.12 environment

* **Bug Fixes**
  * Corrected ISO8601 timestamp formatting in test utilities

* **Documentation**
* Updated Node.js/Python prerequisite versions and added convenience
scripts and usage notes

* **Chores**
* Upgraded CI/tooling targets (Python → 3.14, Node → 24.x) and bumped
many dependency pins
* Added private key gitignore patterns; removed an unused lambda
dependency

* **Tests**
  * Refactored tests and assertions for improved maintainability

<sub>✏️ Tip: You can customize this high-level summary in your review
settings.</sub>
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: John Sandoval <jsandoval81@users.noreply.github.com>

Author: jusdino

.github/workflows/check-common-cdk.yml

@@ -17,12 +17,12 @@ jobs:
   LintPython:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
         with:
-          python-version: '3.12'
+          python-version: '3.14'
 
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v5
 
       - name: Install dev dependencies
         run: "pip install -r backend/common-cdk/requirements-dev.in"
@@ -38,12 +38,12 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # Checks-out the repository under $GITHUB_WORKSPACE
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v5
 
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
-          python-version: '3.12'
+          python-version: '3.14'
 
       - name: Install dev dependencies
         run: "pip install -r backend/common-cdk/requirements-dev.in"

.github/workflows/check-compact-connect-ui-app.yml

@@ -17,12 +17,12 @@ jobs:
   LintPython:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
         with:
-          python-version: '3.12'
+          python-version: '3.14'
 
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v5
 
       - name: Install dev dependencies
         run: "pip install -r backend/compact-connect-ui-app/requirements-dev.txt"
@@ -39,16 +39,16 @@ jobs:
 
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v5
 
       - run: echo "💡 The ${{ github.repository }} repository has been cloned to the runner."
       - run: echo "🖥️ The workflow is now ready to test your code on the runner."
 
       # Setup Node
       - name: Setup Node
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@v6
         with:
-          node-version: '22.1.0'
+          node-version: '24.11.1'
 
       # Use any cached yarn dependencies (saves build time)
       - uses: actions/cache@v4
@@ -75,18 +75,18 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # Checks-out the repository under $GITHUB_WORKSPACE
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v5
 
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
-          python-version: '3.12'
+          python-version: '3.14'
 
       # Setup Node
       - name: Setup Node
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@v6
         with:
-          node-version: '22.1.0'
+          node-version: '24.11.1'
 
       # Use any cached yarn dependencies (saves build time)
       - uses: actions/cache@v4

.github/workflows/check-compact-connect.yml

@@ -17,12 +17,12 @@ jobs:
   LintPython:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
         with:
-          python-version: '3.12'
+          python-version: '3.14'
 
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v5
 
       - name: Install dev dependencies
         run: "pip install -r backend/compact-connect/requirements-dev.txt"
@@ -39,16 +39,16 @@ jobs:
 
     steps:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v5
 
       - run: echo "💡 The ${{ github.repository }} repository has been cloned to the runner."
       - run: echo "🖥️ The workflow is now ready to test your code on the runner."
 
       # Setup Node
       - name: Setup Node
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@v6
         with:
-          node-version: '22.1.0'
+          node-version: '24.11.1'
 
       # Use any cached yarn dependencies (saves build time)
       - uses: actions/cache@v4
@@ -75,18 +75,18 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       # Checks-out the repository under $GITHUB_WORKSPACE
-      - uses: actions/checkout@v2
+      - uses: actions/checkout@v5
 
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
-          python-version: '3.12'
+          python-version: '3.14'
 
       # Setup Node
       - name: Setup Node
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@v6
         with:
-          node-version: '22.1.0'
+          node-version: '24.11.1'
 
       # Use any cached yarn dependencies (saves build time)
       - uses: actions/cache@v4
@@ -109,3 +109,31 @@ jobs:
 
       - name: Test backend
         run: "cd backend/compact-connect; bin/run_tests.sh -l all -no"
+
+  # The purchases lambda Python version has to be held back because of its Authorize.net dependency
+  # so we will check it separately
+  TestAndLintPurchases:
+    runs-on: ubuntu-latest
+    steps:
+      # Checks-out the repository under $GITHUB_WORKSPACE
+      - uses: actions/checkout@v5
+
+      - uses: actions/setup-python@v6
+        with:
+          python-version: '3.12'
+
+      - name: Install dependencies
+        run: "cd backend/compact-connect/lambdas/python/purchases; pip install -r requirements.txt"
+
+      - name: Install dev dependencies
+        run: "cd backend/compact-connect/lambdas/python/purchases; pip install -r requirements-dev.txt"
+
+      - name: Lint Code
+        run: "cd backend/compact-connect/lambdas/python/purchases; ruff check $(git ls-files '*.py')"
+
+      - name: Check Dependencies
+        # Ignore pip vulnerability that does not affect Python 3.12+
+        run: "pip-audit --ignore-vuln GHSA-4xh5-x5gv-qwph"
+
+      - name: Test backend
+        run: "cd backend/compact-connect/lambdas/python/purchases; PYTHONPATH=../common pytest tests --cov --cov-fail-under=90"

.github/workflows/check-for-external-state-api-spec-update.yml

@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: '3.12'
 

.github/workflows/check-for-internal-api-spec-update.yml

@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: '3.12'
 

.github/workflows/check-multi-account.yml

@@ -17,7 +17,7 @@ jobs:
   LintPython:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/setup-python@v5
+      - uses: actions/setup-python@v6
         with:
           python-version: '3.12'
 
@@ -41,7 +41,7 @@ jobs:
       - uses: actions/checkout@v2
 
       - name: Setup Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@v6
         with:
           python-version: '3.12'
 

.github/workflows/zap-scan-test.yml

@@ -34,7 +34,7 @@ jobs:
       - run: echo "🖥️ The workflow is now ready to test your code on the runner."
 
       - name: Setup Node
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@v6
         with:
           node-version: '22.1.0'
 

backend/compact-connect-ui-app/lambdas/nodejs/README.md

@@ -4,7 +4,7 @@ This folder contains all lambda runtimes that are written with NodeJS/JavaScript
 
 
 ## Prerequisites
-* **[Node](https://github.com/creationix/nvm#installation) `22.X`**
+* **[Node](https://github.com/creationix/nvm#installation) `24.X`**
 * **[Yarn](https://yarnpkg.com/en/) `1.22.22`**
     * `npm install --global yarn@1.22.22`
 

backend/compact-connect-ui-app/lambdas/nodejs/cloudfront-csp/README.md

@@ -8,7 +8,7 @@
 
 ---
 ## Prerequisites
-* **[Node](https://github.com/creationix/nvm#installation) `22.X`**
+* **[Node](https://github.com/creationix/nvm#installation) `24.X`**
 * **[Yarn](https://yarnpkg.com/en/) `1.22.22`**
     * `npm install --global yarn@1.22.22`
 * **[Mocha](https://mochajs.org/) `10.x.x`+**

backend/compact-connect-ui-app/lambdas/nodejs/package.json

@@ -29,7 +29,6 @@
     "@aws-sdk/client-dynamodb": "^3.682.0",
     "@aws-sdk/client-s3": "^3.682.0",
     "@aws-sdk/util-dynamodb": "^3.682.0",
-    "aws-lambda": "1.0.7",
     "zod": "^3.23.8"
   }
 }