Merge branch 'main' into 33034-add-versioned-access

.devcontainer/Dockerfile

@@ -4,8 +4,9 @@ USER root
 
 # Setup oh-my-zsh
 RUN apt-get update && export DEBIAN_FRONTEND=noninteractive \
-    && apt-get -y install --no-install-recommends zsh vim \
+    && apt-get -y install --no-install-recommends zsh vim git-lfs \
     && rm -rf /var/lib/apt/lists/* \
+    && git lfs install \
     && chsh -s $(which zsh) superchain
 
 # Required, otherwise shell is extermly slow due the size of the aws-cdk

.gitattributes

@@ -14,3 +14,5 @@
 **/*.snapshot/**/*.template.json -linguist-generated
 **/*.snapshot/**/*DeployAssert*.template.json linguist-generated
 packages/@aws-cdk-testing/framework-integ/test/aws-s3-deployment/test/integ.bucket-deployment-big-response.js.snapshot/asset.3322b7049fb0ed2b7cbb644a2ada8d1116ff80c32dca89e6ada846b5de26f961.zip filter=lfs diff=lfs merge=lfs -text
+packages/@aws-cdk-testing/framework-integ/test/**/*.snapshot/**/asset*.zip filter=lfs diff=lfs merge=lfs -text
+packages/@aws-cdk/*-alpha/test/**/*.snapshot/**/asset*.zip filter=lfs diff=lfs merge=lfs -text

.github/workflows/README.md

@@ -55,6 +55,11 @@ When approved this pushes the PR to the testing pipeline,
 thus starting the cli integ test build.
 Owner: Core CDK team
 
+### Initial Priority Assignment
+
+[project-prioritization-assignment.yml](project-prioritization-assignment.yml): GitHub action for automatically adding PR's with priorities to the project priority board based on their labels.
+Owner: CDK Support team
+
 ## Issue Triggered
 
 ### Closed Issue Message
@@ -68,6 +73,11 @@ Owner: CDK support team
 [issue-label-assign.yml](issue-label-assign.yml): Github action for automatically adding labels and/or setting assignees when an Issue or PR is opened or edited based on user-defined Area
 Owner: CDK support team
 
+### P1 Bug Priority Assignment
+
+[project-prioritization-bug.yml](project-prioritization-bug.yml): Github action for automatically adding P1 bugs to the prioritization project board
+Owner: CDK support team
+
 ## Scheduled Actions
 
 ### Issue Lifecycle Handling
@@ -103,3 +113,18 @@ Owner: Core CDK team
 
 [update-contributors.yml](update-contributors.yml): GitHub action that runs monthly to create a pull request for updating a CONTRIBUTORS file with the top contributors.
 Owner: Core CDK team
+
+### R2 Priority Assignment
+
+[project-prioritization-r2-assignment.yml](project-prioritization-r2-assignment.yml): GitHub action that runs every 6 hours to add PR's to the priority project board that satisfies R2 Priority.
+Owner: CDK Support team
+
+### R5 Priority Assignment
+
+[project-prioritization-r5-assignment.yml](project-prioritization-r5-assignment.yml): GitHub action that runs every day to add PR's to the priority project board that satisfies R5 Priority.
+Owner: CDK Support team
+
+### Needs Attention Status Update
+
+[project-prioritization-needs-attention.yml](project-prioritization-needs-attention.yml): GitHub action that runs every day to update Needs Attention field in the prioritization project board.
+Owner: CDK Support team

.github/workflows/analytics-metadata-updater.yml

@@ -0,0 +1,62 @@
+name: CDK Analytics Metadata Updater
+on:
+  workflow_dispatch:
+  pull_request:
+    branches:
+      - yuanhaoz/metadata_workflow # TODO, remove this
+      - v2-release
+
+jobs:
+  update-analytics-metadata:
+    if: github.repository == 'aws/aws-cdk'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+
+      - name: Set up Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: "*"
+        env:
+          NODE_OPTIONS: "--max-old-space-size=8196 --experimental-worker ${NODE_OPTIONS:-}"
+
+      - name: Install dependencies
+        run: yarn install --frozen-lockfile && cd tools/@aws-cdk/construct-metadata-updater && yarn build+test
+
+      - name: Invoke Analytics Metadata Updater
+        run: |
+          cd tools/@aws-cdk/construct-metadata-updater
+          ./bin/update-construct-metadata
+
+      - name: Check for changes
+        id: git-check
+        run: |
+          if [[ -n "$(git status --porcelain)" ]]; then
+            echo "changes=true" >> $GITHUB_OUTPUT
+          else
+            echo "changes=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Commit & Push changes
+        if: steps.git-check.outputs.changes == 'true'
+        run: |
+          git config --global user.name 'aws-cdk-automation'
+          git config --global user.email 'aws-cdk-automation@users.noreply.github.com'
+
+          git fetch origin ${{ github.event.pull_request.head.ref }}
+
+          if [ "$(git rev-parse HEAD)" != "$(git rev-parse origin/${{ github.event.pull_request.head.ref }})" ]; then
+            echo "Remote branch updated since approved commit; aborting."
+            exit 1
+          fi
+
+          git add .
+          git commit -m "chore: update analytics metadata blueprints"
+          git push origin ${{ github.event.pull_request.head.ref }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/close-stale-prs.yml

@@ -23,7 +23,16 @@ jobs:
 
           # Optional
           important-checks-regex: AutoBuildv2Project1C6BFA3F
-          warn-message: This PR has been in the STATE state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.
+          warn-message: |
+            This PR has been in the STATE state for 3 weeks, and looks abandoned. Note that PRs with failing linting check or builds are not reviewed, please ensure your build is passing 
+            
+            To prevent automatic closure:
+            - Resume work on the PR
+            - OR request an exemption by adding a comment containing 'Exemption Request' with justification e.x "Exemption Request: <justification>"
+            - OR request clarification by adding a comment containing 'Clarification Request' with a question e.x "Clarification Request: <question>"
+
+            This PR will automatically close in 7 days if no action is taken.
+
           close-message: This PR has been deemed to be abandoned, and will be automatically closed. Please create a new PR for these changes if you think this decision has been made in error.
           skip-labels: contribution/core,pr-linter/do-not-close,pr/needs-maintainer-review,pr-linter/exemption-requested
           close-label: closed-for-staleness

.github/workflows/codecov.yml

@@ -5,12 +5,14 @@ on:
     branches: [ "main" ]
   pull_request:
     branches: [ "main" ]
-    
+
 jobs:
   collect:
     name: collect
     if: github.repository == 'aws/aws-cdk'
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -24,19 +26,13 @@ jobs:
       - name: Build Library
         run: npx lerna run build --scope=aws-cdk-lib
 
-      - name: Build CLI
-        run: npx lerna run build --scope=aws-cdk
-
       - name: Run Core tests
         run: cd packages/aws-cdk-lib && yarn test core
 
-      - name: Run CLI tests
-        run: cd packages/aws-cdk && yarn test
-
       - name: Upload results to Codecov
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
         with:
-          files: packages/aws-cdk/coverage/cobertura-coverage.xml,packages/aws-cdk-lib/coverage/cobertura-coverage.xml
+          files: packages/aws-cdk-lib/coverage/cobertura-coverage.xml
           fail_ci_if_error: true
           flags: suite.unit
-          token: ${{ secrets.CODECOV_TOKEN }}
+          use_oidc: true

.github/workflows/lambda-runtime-tests.yml

@@ -13,7 +13,7 @@ jobs:
     steps:
       - uses: actions/checkout@v4
         with:
-          ref: ${{ github.event.pull_request.head.ref }}
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Set up Node
         uses: actions/setup-node@v4
@@ -44,8 +44,16 @@ jobs:
         run: |
           git config --global user.name 'aws-cdk-automation'
           git config --global user.email 'aws-cdk-automation@users.noreply.github.com'
+
+          git fetch origin ${{ github.event.pull_request.head.ref }}
+
+          if [ "$(git rev-parse HEAD)" != "$(git rev-parse origin/${{ github.event.pull_request.head.ref }})" ]; then
+            echo "Remote branch updated since approved commit; aborting."
+            exit 1
+          fi
+
           git add .
           git commit -m "chore: update lambda runtime integration tests"
           git push origin ${{ github.event.pull_request.head.ref }}
         env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/lock-issue-pr-with-message.yml

@@ -13,7 +13,7 @@ jobs:
       issues: write
     runs-on: ubuntu-latest
     steps:
-      - uses: aws-actions/closed-issue-message@v1
+      - uses: aws-actions/closed-issue-message@v2
         with:
           repo-token: "${{ secrets.GITHUB_TOKEN }}"
           message: |

.github/workflows/pr-linter.yml

@@ -11,11 +11,19 @@ on:
       - opened
       - synchronize
       - reopened
+
+  # Triggered from a separate job when a review is added
   workflow_run:
     workflows: [PR Linter Trigger]
     types:
       - completed
-  status:
+
+  # Trigger when a status is updated (CodeBuild leads to statuses)
+  status: {}
+
+  # Trigger when a check suite is completed (GitHub actions and CodeCov create checks)
+  check_suite:
+    types: [completed]
 
 jobs:
   download-if-workflow-run:
@@ -28,7 +36,7 @@ jobs:
     steps:
       - name: 'Download workflow_run artifact'
         if: github.event_name == 'workflow_run'
-        uses: dawidd6/action-download-artifact@v7
+        uses: dawidd6/action-download-artifact@v8
         with:
           run_id: ${{ github.event.workflow_run.id }}
           name: pr_info
@@ -57,6 +65,7 @@ jobs:
       pull-requests: write
       statuses: read
       issues: read
+      checks: read
     runs-on: ubuntu-latest
     needs: download-if-workflow-run
     steps:

.github/workflows/project-prioritization-assignment.yml

@@ -0,0 +1,23 @@
+name: PR Prioritization
+on:
+  pull_request_target:
+    types:
+      - labeled
+      - opened
+      - reopened
+      - synchronize
+      - ready_for_review
+
+jobs:
+  prioritize:
+    if: github.repository == 'aws/aws-cdk'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Add PR to Project & Set Priority
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.PROJEN_GITHUB_TOKEN }}
+          script: |
+            const script = require('./scripts/prioritization/assign-priority.js')
+            await script({github, context})

.github/workflows/project-prioritization-bug.yml

@@ -0,0 +1,19 @@
+name: P1 Bug Prioritization
+on:
+  issues:
+    types:
+      - labeled
+
+jobs:
+  prioritize:
+    if: github.repository == 'aws/aws-cdk' && contains(github.event.issue.labels.*.name, 'bug') && contains(github.event.issue.labels.*.name, 'p1')
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Add P1 Bug to project
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.PROJEN_GITHUB_TOKEN }}
+          script: |
+            const script = require('./scripts/prioritization/assign-bug-priority.js')
+            await script({github, context})

.github/workflows/project-prioritization-needs-attention.yml

@@ -0,0 +1,20 @@
+name: PR Prioritization Needs Attention Status
+on:
+  schedule:
+    - cron: '0 7 * * 1-5'  # Runs at 7AM every day during weekdays
+  workflow_dispatch:        # Manual trigger
+
+jobs:
+  update_project_status:
+    if: github.repository == 'aws/aws-cdk'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Update Needs Attention Status
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.PROJEN_GITHUB_TOKEN }}
+          script: |
+            const script = require('./scripts/prioritization/update-attention-status.js')
+            await script({github})

.github/workflows/project-prioritization-r2-assignment.yml

@@ -0,0 +1,20 @@
+name: PR Prioritization R2 Check
+on:
+  schedule:
+    - cron: '0 */6 * * 1-5'  # Runs every 6 hours during weekdays
+  workflow_dispatch:        # Manual trigger
+
+jobs:
+  update_project_status:
+    if: github.repository == 'aws/aws-cdk'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Check and assign R2 Priority to PRs
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.PROJEN_GITHUB_TOKEN }}
+          script: |
+            const script = require('./scripts/prioritization/assign-r2-priority.js')
+            await script({github})

.github/workflows/project-prioritization-r5-assignment.yml

@@ -0,0 +1,19 @@
+name: PR Prioritization R5 Check
+on:
+  schedule:
+    - cron: '0 6 * * 1-5'  # Runs at 6AM every day during weekdays
+  workflow_dispatch:        # Manual trigger
+
+jobs:
+  update_project_status:
+    if: github.repository == 'aws/aws-cdk'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Check and Assign R5 Priority to PRs
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.PROJEN_GITHUB_TOKEN }}
+          script: |
+            const script = require('./scripts/prioritization/assign-r5-priority.js')
+            await script({github})