diff --git a/.github/actions/spell-check/README.md b/.github/actions/spell-check/README.md
new file mode 100644
index 0000000..d82bed7
--- /dev/null
+++ b/.github/actions/spell-check/README.md
@@ -0,0 +1,16 @@
+# check-spelling/check-spelling configuration
+
+File | Purpose | Format | Info
+-|-|-|-
+[dictionary.txt](dictionary.txt) | Replacement dictionary (creating this file will override the default dictionary) | one word per line | [dictionary](https://github.com/check-spelling/check-spelling/wiki/Configuration#dictionary)
+[allow.txt](allow.txt) | Add words to the dictionary | one word per line (only letters and `'`s allowed) | [allow](https://github.com/check-spelling/check-spelling/wiki/Configuration#allow)
+[reject.txt](reject.txt) | Remove words from the dictionary (after allow) | grep pattern matching whole dictionary words | [reject](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-reject)
+[excludes.txt](excludes.txt) | Files to ignore entirely | perl regular expression | [excludes](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-excludes)
+[only.txt](only.txt) | Only check matching files (applied after excludes) | perl regular expression | [only](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-only)
+[patterns.txt](patterns.txt) | Patterns to ignore from checked lines | perl regular expression (order matters, first match wins) | [patterns](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-patterns)
+[line_forbidden.patterns](line_forbidden.patterns) | Patterns to flag in checked lines | perl regular expression (order matters, first match wins) | [patterns](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-patterns)
+[expect.txt](expect.txt) | Expected words that aren't in the dictionary | one word per line (sorted, alphabetically) | [expect](https://github.com/check-spelling/check-spelling/wiki/Configuration#expect)
+[advice.md](advice.md) | Supplement for GitHub comment when unrecognized words are found | GitHub Markdown | [advice](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-advice)
+
+Note: you can replace any of these files with a directory by the same name (minus the suffix)
+and then include multiple files inside that directory (with that suffix) to merge multiple files together.
diff --git a/.github/actions/spell-check/advice.md b/.github/actions/spell-check/advice.md
new file mode 100644
index 0000000..54f0c9b
--- /dev/null
+++ b/.github/actions/spell-check/advice.md
@@ -0,0 +1,25 @@
+<!-- See https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples%3A-advice --> <!-- markdownlint-disable MD033 MD041 -->
+<details><summary>If the flagged items are false positives</summary>
+
+If items relate to a ...
+* binary file (or some other file you wouldn't want to check at all).
+
+  Please add a file path to the `excludes.txt` file matching the containing file.
+
+  File paths are Perl 5 Regular Expressions - you can [test](
+https://www.regexplanet.com/advanced/perl/) yours before committing to verify it will match your files.
+
+  `^` refers to the file's path from the root of the repository, so `^README\.md$` would exclude [README.md](
+../tree/HEAD/README.md) (on whichever branch you're using).
+
+* well-formed pattern.
+
+  If you can write a [pattern](https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples:-patterns) that would match it,
+  try adding it to the `patterns.txt` file.
+
+  Patterns are Perl 5 Regular Expressions - you can [test](
+https://www.regexplanet.com/advanced/perl/) yours before committing to verify it will match your lines.
+
+  Note that patterns can't match multiline strings.
+
+</details>
diff --git a/.github/actions/spell-check/allow.txt b/.github/actions/spell-check/allow.txt
new file mode 100644
index 0000000..494d4de
--- /dev/null
+++ b/.github/actions/spell-check/allow.txt
@@ -0,0 +1,4 @@
+github
+https
+ssh
+ubuntu
diff --git a/.github/actions/spell-check/excludes.txt b/.github/actions/spell-check/excludes.txt
index 573a76d..ade36ec 100644
--- a/.github/actions/spell-check/excludes.txt
+++ b/.github/actions/spell-check/excludes.txt
@@ -1,6 +1,58 @@
-^\.github/workflows/
-^\.github/actions/spell-check/
-^go\.(?:mod|sum)$
+# See https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples:-excludes
+(?:^|/)(?i)COPYRIGHT
+(?:^|/)(?i)LICEN[CS]E
+(?:^|/)go\.sum$
+(?:^|/)package(?:-lock|)\.json$
+(?:^|/)vendor/
 ignore$
+\.a$
+\.ai$
+\.avi$
+\.bmp$
+\.bz2$
+\.crt$
+\.dll$
+\.docx?$
+\.drawio$
+\.DS_Store$
+\.eot$
+\.exe$
+\.gif$
+\.gitattributes$
+\.graffle$
+\.gz$
+\.icns$
+\.ico$
+\.jar$
+\.jpe?g$
+\.key$
+\.lib$
 \.env
 \.lock$
+\.map$
+\.min\..
+\.mod$
+\.mp[34]$
+\.o$
+\.ocf$
+\.otf$
+\.pdf$
+\.pem$
+\.png$
+\.psd$
+\.s$
+\.svg$
+\.tar$
+\.tiff?$
+\.ttf$
+\.wav$
+\.webm$
+\.webp$
+\.woff2?$
+\.zip$
+^\.github/actions/spelling/
+^\.github/actions/spell-check/
+^go\.sum$
+^\Q.github/workflows/spelling.yml\E$
+^\Qdeploy/kubernetes/secrets.development.env\E$
+^\QGemfile\E$
diff --git a/.github/actions/spell-check/expect.txt b/.github/actions/spell-check/expect.txt
index e606cc5..cb109c5 100644
--- a/.github/actions/spell-check/expect.txt
+++ b/.github/actions/spell-check/expect.txt
@@ -1,128 +1,50 @@
-acl
-acm
-addons
 adduser
-afbb
 AKS
-amazonaws
-api
 apparmor
-args
 asn
-attrs
 automount
 autorun
-aws
 awslogs
 awsvpc
-backend
-blog
 brrrr
-buf
 bugsnag
-CGO
-charset
-chown
-chr
-ci
-cidr
 cidrsubnet
 Cleanuper
-cloudfront
-cloudwatch
 coc
-codebase
 concat
-config
 contacttracing
-CORS
 covidshield
-CSRF
-ctx
 datenumber
-datetime
 dbconn
-dddcd
-deadbeefcafe
-dependabot
 deregistration
 developerguide
-dns
 Dockerhub
-dsa
-dst
-eaa
-eb
-ecdsa
-ece
-ecr
-ecs
 eip
-Ej
-ek
-elasticloadbalancing
-endian
-enexposureconfiguration
-ENTRYPOINT
-enum
 enummodule
 esac
-exposurenotification
 extendee
 fargate
-fbeb
-fcac
-ffee
-ffeec
-foreach
-Fprintf
-fqdn
-frontend
-func
-gc
+fqdns
 gcflags
-GCP
 gecos
-Gemfile
 genmain
-Getenv
 getopts
-gh
-github
 GKE
-GNJo
 gnumake
 gochecknoglobals
 goerr
 GOFILES
-golang
 golangci
 GOLDFLAGS
 google
-gopkg
 gopsutil
 gosec
-grpc
-GZIP
 hadolint
 hashicorp
 hdr
 hexdigest
-hmac
-homepage
-hostname
-html
-http
-httptrace
-iam
 Idxs
-ioutil
-ip
-ipv
-Itoa
-javascript
-jq
-json
+ints
 kcq
 kcr
 kcre
@@ -132,60 +54,35 @@ kubectl
 kubernetes
 kwargs
 ldflags
-len
 libprotoc
 libsodium
-lifecycle
-linux
 lll
-localhost
-lockfile
 logrus
 mcc
-metadata
 metricstdout
-mgo
-microsoft
-Middleware
 minikube
-minitest
-mkdir
 mnc
 mozilla
-mprotoc
-mrm
 msgclass
 myshopify
-mysql
 mysqladmin
-nacl
-namespace
 namespacing
 natgw
-nginx
 nixpkgs
 nkeys
 nolint
 nologin
 nosniff
-omitempty
 opc
 openshift
-openssl
 opentelemetry
 OPTARG
 OPTIND
 otel
-passwd
 patsubst
-pb
-php
-pid
 PKey
-plugin
+plugins
 podsecuritypolicies
-Printf
-Println
 Procfile
 protobuf
 protoc
@@ -193,29 +90,15 @@ protoimpl
 protoreflect
 psps
 ptypes
-pv
 qqqqwwww
 railgun
-rb
-rbac
 rbnacl
-rds
-README
-Referer
-regexp
 repudiability
 roundtrip
 rsin
-rsn
-rubygems
-rubyzip
-sbin
-sdk
 sdktrace
 seccomp
-secretsmanager
 securerandom
-Serverless
 serviceaccounts
 servlet
 seu
@@ -226,71 +109,35 @@ sirupsen
 SMALLINT
 sni
 sourced
-Sprintf
-sql
-src
 srvutil
-ssl
-stderr
-stdout
-strconv
-strftime
 stringio
-sts
-svg
 Syncer
 tcp
 tek
 tempfile
 terraform
-tf
 tfplan
 tfstate
 tfvars
 thisisatoken
 timemath
-TLS
-TLSv
-tmp
-TODO
 tracerstdout
 triaging
 trimpath
-ttl
-ubuntu
-uid
-uint
 ulimits
-uniq
-Unmarshal
 unmarshall
 unmarshalling
-uri
-url
 usedpercent
-username
 usr
 utc
 utf
-UUID
-validator
 VARCHAR
 varint
 vendored
-vm
-vpc
 wafregional
 waitpid
-wiki
 WORKDIR
-workflow
 wsl
-www
-XPOST
 XSalsa
-yaml
 yarnpkg
-yml
-youtube
-yp
 zipw
diff --git a/.github/actions/spell-check/line_forbidden.patterns b/.github/actions/spell-check/line_forbidden.patterns
new file mode 100644
index 0000000..58e9252
--- /dev/null
+++ b/.github/actions/spell-check/line_forbidden.patterns
@@ -0,0 +1,56 @@
+# reject `m_data` as there's a certain OS which has evil defines that break things if it's used elsewhere
+# \bm_data\b
+
+# If you have a framework that uses `it()` for testing and `fit()` for debugging a specific test,
+# you might not want to check in code where you were debugging w/ `fit()`, in which case, you might want
+# to use this:
+#\bfit\(
+
+# s.b. GitHub
+\bGithub\b
+
+# s.b. GitLab
+\bGitlab\b
+
+# s.b. JavaScript
+\bJavascript\b
+
+# s.b. Microsoft
+\bMicroSoft\b
+
+# s.b. another
+\ban[- ]other\b
+
+# s.b. greater than
+\bgreater then\b
+
+# s.b. into
+\bin to\b
+
+# s.b. less than
+\bless then\b
+
+# s.b. otherwise
+\bother[- ]wise\b
+
+# s.b. nonexistent
+\bnon existing\b
+\b[Nn]o[nt][- ]existent\b
+
+# s.b. preexisting
+[Pp]re-existing
+
+# s.b. preempt
+[Pp]re-empt\b
+
+# s.b. preemptively
+[Pp]re-emptively
+
+# s.b. reentrancy
+[Rr]e-entrancy
+
+# s.b. reentrant
+[Rr]e-entrant
+
+# Reject duplicate words
+\s([A-Z]{3,}|[A-Z][a-z]{2,}|[a-z]{3,})\s\g{-1}\s
diff --git a/.github/actions/spell-check/patterns.txt b/.github/actions/spell-check/patterns.txt
index 8f1dde6..b409522 100644
--- a/.github/actions/spell-check/patterns.txt
+++ b/.github/actions/spell-check/patterns.txt
@@ -1,2 +1,59 @@
+# See https://github.com/check-spelling/check-spelling/wiki/Configuration-Examples:-patterns
+
 (?:0[Xx]|U\+|#)[a-f0-9A-FGgRr]{2,}[Uu]?[Ll]{0,2}\b
-\b([A-Za-z])\1{3,}\b
+
+# Automatically suggested patterns
+# hit-count: 25 file-count: 1
+# ANSI color codes
+(?:\\(?:u00|x)1b|\x1b)\[\d+(?:;\d+|)m
+
+# hit-count: 14 file-count: 7
+# hex runs
+\b[0-9a-fA-F]{16,}\b
+
+# hit-count: 11 file-count: 3
+# Amazon
+\bamazon\.com/[-\w]+/(?:dp/[0-9A-Z]+|)
+
+# hit-count: 3 file-count: 3
+# curl arguments
+\b(?:\\n|)curl(?:\s+-[a-zA-Z]{1,2}\b)*(?:\s+-[a-zA-Z]{3,})(?:\s+-[a-zA-Z]+)*
+
+# hit-count: 3 file-count: 1
+# version suffix <word>v#
+(?:(?<=[A-Z]{2})V|(?<=[a-z]{2}|[A-Z]{2})v)\d+(?:\b|(?=[a-zA-Z_]))
+
+# hit-count: 2 file-count: 2
+# apple
+\bdeveloper\.apple\.com/[-\w?=/]+
+
+# hit-count: 2 file-count: 2
+# GitHub SHAs (markdown)
+(?:\[`?[0-9a-f]+`?\]\(https:/|)/(?:www\.|)github\.com(?:/[^/\s"]+){2,}(?:/[^/\s")]+)(?:[0-9a-f]+(?:[-0-9a-zA-Z/#.]*|)\b|)
+
+# hit-count: 1 file-count: 1
+# While you could try to match `http://` and `https://` by using `s?` in `https?://`, sometimes there
+# YouTube url
+\b(?:(?:www\.|)youtube\.com|youtu.be)/(?:channel/|embed/|user/|playlist\?list=|watch\?v=|v/|)[-a-zA-Z0-9?&=_]*
+
+# hit-count: 1 file-count: 1
+# While you could try to match `http://` and `https://` by using `s?` in `https?://`, sometimes there
+# YouTube url
+\b(?:(?:www\.|)youtube\.com|youtu.be)/(?:channel/|embed/|user/|playlist\?list=|watch\?v=|v/|)[-a-zA-Z0-9?&=_]*
+
+# acceptable duplicates
+# ls directory listings
+[-bcdlpsw](?:[-r][-w][-sx]){3}\s+\d+\s+(\S+)\s+\g{-1}\s+\d+\s+
+# C types
+\s(long|LONG) \g{-1}\s
+# javadoc / .net
+(?:[\\@](?:groupname|param)|(?:public|private)(?:\s+static|\s+readonly)*)\s+(\w+)\s+\g{-1}\s
+
+# Commit message -- Signed-off-by and friends
+^\s*(?:(?:Based-on-patch|Co-authored|Helped|Mentored|Reported|Reviewed|Signed-off)-by|Thanks-to): (?:[^<]*<[^>]*>|[^<]*)\s*$
+
+# Autogenerated revert commit message
+^This reverts commit [0-9a-f]{40}\.$
+
+# ignore long runs of a single character:
+\b([A-Za-z])\g{-1}{3,}\b
diff --git a/.github/actions/spell-check/reject.txt b/.github/actions/spell-check/reject.txt
new file mode 100644
index 0000000..b5a6d36
--- /dev/null
+++ b/.github/actions/spell-check/reject.txt
@@ -0,0 +1,10 @@
+^attache$
+benefitting
+occurences?
+^dependan.*
+^oer$
+Sorce
+^[Ss]pae.*
+^untill$
+^untilling$
+^wether.*
diff --git a/.github/workflows/spelling.yml b/.github/workflows/spelling.yml
index 892e411..0091f55 100644
--- a/.github/workflows/spelling.yml
+++ b/.github/workflows/spelling.yml
@@ -1,26 +1,83 @@
 name: Spell checking
+
+# Updating pull request branches is managed via comment handling.
+# For details, see: https://github.com/check-spelling/check-spelling/wiki/Feature:-Update-expect-list
+#
+# These elements work together to make it happen:
+#
+# `on.issue_comment`
+#   This event listens to comments by users asking to update the metadata.
+#
+# `jobs.update`
+#   This job runs in response to an issue_comment and will push a new commit
+#   to update the spelling metadata.
+#
+# `with.experimental_apply_changes_via_bot`
+#   Tells the action to support and generate messages that enable it
+#   to make a commit to update the spelling metadata.
+#
+# `with.ssh_key`
+#   In order to trigger workflows when the commit is made, you can provide a
+#   secret (typically, a write-enabled github deploy key).
+#
+#   For background, see: https://github.com/check-spelling/check-spelling/wiki/Feature:-Update-with-deploy-key
+
 on:
-  pull_request:
-    branches:
-      - "**"
-    tags-ignore:
-      - "**"
   push:
-    branches:
-      - "**"
-    tags-ignore:
-      - "**"
+    branches: ["**"]
+    tags-ignore: ["**"]
+  pull_request_target:
 
 jobs:
-  build:
-    name: Spell checking
+  spelling:
+    name: Check Spelling
+    permissions:
+      contents: read
+      pull-requests: read
+      actions: read
+    outputs:
+      followup: ${{ steps.spelling.outputs.followup }}
+    runs-on: ubuntu-latest
+    if: "contains(github.event_name, 'pull_request') || github.event_name == 'push'"
+    concurrency:
+      group: spelling-${{ github.event.pull_request.number || github.ref }}
+      # note: If you use only_check_changed_files, you do not want cancel-in-progress
+      cancel-in-progress: true
+    steps:
+    - name: check-spelling
+      id: spelling
+      uses: check-spelling/check-spelling@v0.0.20
+      with:
+        config: .github/actions/spell-check
+        suppress_push_for_open_pull_request: 1
+        checkout: true
+        post_comment: 0
+        experimental_apply_changes_via_bot: 1
+        dictionary_source_prefixes: '{"cspell": "https://raw.githubusercontent.com/check-spelling/cspell-dicts/v20220427/dictionaries/", "cspell1": "https://raw.githubusercontent.com/check-spelling/cspell-dicts/v20220814/dictionaries/"}'
+        extra_dictionaries:
+          cspell1:software-terms/src/software-terms.txt
+          cspell:aws/aws.txt
+          cspell:node/node.txt
+          cspell:php/php.txt
+          cspell:golang/go.txt
+          cspell:npm/npm.txt
+          cspell:ruby/ruby.txt
+          cspell:html/html.txt
+          cspell:filetypes/filetypes.txt
+        check_extra_dictionaries: ''
+
+  comment:
+    name: Report
     runs-on: ubuntu-latest
+    needs: spelling
+    permissions:
+      contents: write
+      pull-requests: write
+    if: (success() || failure()) && needs.spelling.outputs.followup
     steps:
-    - uses: actions/checkout@v2.0.0
+    - name: comment
+      uses: check-spelling/check-spelling@v0.0.20
       with:
-        fetch-depth: 5
-    - uses: check-spelling/check-spelling@0.0.16-alpha
-      env:
-        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-        bucket: .github/actions
-        project: spell-check
+        config: .github/actions/spell-check
+        checkout: true
+        task: ${{ needs.spelling.outputs.followup }}
diff --git a/config/infrastructure/aws/README.md b/config/infrastructure/aws/README.md
index a48bb0b..ec3dbef 100644
--- a/config/infrastructure/aws/README.md
+++ b/config/infrastructure/aws/README.md
@@ -58,7 +58,7 @@ All Terraform variables are defined in `config/terraform/aws/variables.tf` & the
 - `TF_VAR_ecs_task_key_submission_env_key_claim_token`
 - `TF_VAR_rds_backend_db_password`
 
-If you are using Terraform in Github actions the above can be set as Github secrets, and set as environment variables in your YAML file (see `.github/workflows/terraform.yml`).
+If you are using Terraform in GitHub actions the above can be set as GitHub secrets, and set as environment variables in your YAML file (see `.github/workflows/terraform.yml`).
 
 There is an optional Terraform variable that can be set to control which container to deploy. It should match a container tag that both Key Retrieval & Key Submission share. By default Terraform will deploy the latest commit on the master branch.
 
diff --git a/config/terraform/aws/variables.auto.tfvars b/config/terraform/aws/variables.auto.tfvars
index 7673ba2..8543fed 100644
--- a/config/terraform/aws/variables.auto.tfvars
+++ b/config/terraform/aws/variables.auto.tfvars
@@ -21,14 +21,14 @@ ecs_name = "CovidShield"
 
 # Key Retrieval
 ecs_key_retrieval_name = "KeyRetrieval"
-# Value should come from a TF_VAR environment variable (e.g. set in a Github Secret)
+# Value should come from a TF_VAR environment variable (e.g. set in a GitHub Secret)
 # ecs_task_key_retrieval_env_hmac_key = ""
-# Value should come from a TF_VAR environment variable (e.g. set in a Github Secret)
+# Value should come from a TF_VAR environment variable (e.g. set in a GitHub Secret)
 # ecs_task_key_retrieval_env_ecdsa_key = ""
 
 # Key Submission
 ecs_key_submission_name = "KeySubmission"
-# Value should come from a TF_VAR environment variable (e.g. set in a Github Secret)
+# Value should come from a TF_VAR environment variable (e.g. set in a GitHub Secret)
 # Must be a string of the form <secret1>=<MMC_code>:<secret2>=<MMC_code> - https://www.mcc-mnc.com
 # ecs_task_key_submission_env_key_claim_token = ""
 
@@ -48,7 +48,7 @@ rds_db_subnet_group_name = "server"
 # Key Retrieval/Submission
 rds_server_db_name = "server"
 rds_server_db_user = "root"
-# Value should come from a TF_VAR environment variable (e.g. set in a Github Secret)
+# Value should come from a TF_VAR environment variable (e.g. set in a GitHub Secret)
 # rds_server_db_password       = ""
 rds_server_allocated_storage = "5"
 rds_server_instance_class    = "db.t3.small"