Merge branch 'main' of github.com:blimmer/aws-cdk into enable-rds-enc…

…ryption-by-default
aws · Feb 2, 2025 · bddf5b9 · bddf5b9
2 parents becf0a7 + 6b9e47a
commit bddf5b9
Show file tree

Hide file tree

Showing 4,053 changed files with 1,139,299 additions and 544,935 deletions.
diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md
@@ -16,7 +16,7 @@ What AWS use cases does this change enable? To enable the use cases, which AWS s
 
 ### Describe any new or updated permissions being added
 
-<!— What new or updated IAM permissions are needed to support the changes being introduced ? -->
+<!-- What new or updated IAM permissions are needed to support the changes being introduced ? -->
 
 
 ### Description of how you validated changes

diff --git a/.github/workflows/README.md b/.github/workflows/README.md
@@ -55,6 +55,11 @@ When approved this pushes the PR to the testing pipeline,
 thus starting the cli integ test build.
 Owner: Core CDK team
 
+### Initial Priority Assignment
+
+[project-prioritization-assignment.yml](project-prioritization-assignment.yml): GitHub action for automatically adding PR's with priorities to the project priority board based on their labels.
+Owner: CDK Support team
+
 ## Issue Triggered
 
 ### Closed Issue Message
@@ -103,3 +108,13 @@ Owner: Core CDK team
 
 [update-contributors.yml](update-contributors.yml): GitHub action that runs monthly to create a pull request for updating a CONTRIBUTORS file with the top contributors.
 Owner: Core CDK team
+
+### R2 Priority Assignment
+
+[project-prioritization-r2-assignment.yml](project-prioritization-r2-assignment.yml): GitHub action that runs every 6 hours to add PR's to the priority project board that satisfies R2 Priority.
+Owner: CDK Support team
+
+### R5 Priority Assignment
+
+[project-prioritization-r5-assignment.yml](project-prioritization-r5-assignment.yml): GitHub action that runs every day to add PR's to the priority project board that satisfies R5 Priority.
+Owner: CDK Support team
diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml
@@ -11,6 +11,8 @@ jobs:
     name: collect
     if: github.repository == 'aws/aws-cdk'
     runs-on: ubuntu-latest
+    permissions:
+      id-token: write
     steps:
       - name: Checkout
         uses: actions/checkout@v4
@@ -34,9 +36,9 @@ jobs:
         run: cd packages/aws-cdk && yarn test
 
       - name: Upload results to Codecov
-        uses: codecov/codecov-action@v4
+        uses: codecov/codecov-action@v5
         with:
           files: packages/aws-cdk/coverage/cobertura-coverage.xml,packages/aws-cdk-lib/coverage/cobertura-coverage.xml
           fail_ci_if_error: true
           flags: suite.unit
-          token: ${{ secrets.CODECOV_TOKEN }}
+          use_oidc: true
diff --git a/.github/workflows/github-merit-badger.yml b/.github/workflows/github-merit-badger.yml
@@ -17,4 +17,4 @@ jobs:
           badges: '[beginning-contributor,repeat-contributor,valued-contributor,admired-contributor,star-contributor,distinguished-contributor]'
           thresholds: '[0,3,6,13,25,50]'
           badge-type: 'achievement'
-          ignore-usernames: '[rix0rrr,iliapolo,otaviomacedo,kaizencc,comcalvi,TheRealAmazonKendra,mrgrain,pahud,kellertk,ashishdhingra,HBobertz,sumupitchayan,colifran,khushail,moelasmar,paulhcsun,GavinZZ,aaythapa,xazhao,gracelu0,jfuss,shikha372,kirtishrinkhala,godwingrs22,bergjaak,IanKonlog,Leo10Gama,samson-keung,scorbiere,michelle-wangg,jiayiwang7,1kaileychen,saiyush,5d,aws-cdk-automation,dependabot[bot],mergify[bot]]'
+          ignore-usernames: '[rix0rrr,iliapolo,otaviomacedo,kaizencc,comcalvi,TheRealAmazonKendra,mrgrain,pahud,kellertk,ashishdhingra,HBobertz,colifran,khushail,moelasmar,paulhcsun,GavinZZ,aaythapa,xazhao,gracelu0,jfuss,shikha372,kirtishrinkhala,godwingrs22,bergjaak,IanKonlog,Leo10Gama,samson-keung,scorbiere,michelle-wangg,jiayiwang7,1kaileychen,saiyush,5d,iankhou,aws-cdk-automation,dependabot[bot],mergify[bot]]'
diff --git a/.github/workflows/issue-label-assign.yml b/.github/workflows/issue-label-assign.yml
@@ -173,7 +173,6 @@ env:
             {"area":"@aws-cdk/aws-inspector","keywords":["aws-inspector","inspector"],"labels":["@aws-cdk/aws-inspector"]},
             {"area":"@aws-cdk/aws-iot","keywords":["internet-of-things","aws-iot","iot"],"labels":["@aws-cdk/aws-iot"],"affixes":{"suffixes":["-alpha"]}},
             {"area":"@aws-cdk/aws-iot-actions","keywords":["aws-iot-actions","iot-actions"],"labels":["@aws-cdk/aws-iot-actions"],"affixes":{"suffixes":["-alpha"]}},
-            {"area":"@aws-cdk/aws-iot1click","keywords":["aws-iot1click","iot1click"],"labels":["@aws-cdk/aws-iot1click"]},
             {"area":"@aws-cdk/aws-iotanalytics","keywords":["aws-iotanalytics","iotanalytics"],"labels":["@aws-cdk/aws-iotanalytics"]},
             {"area":"@aws-cdk/aws-iotevents","keywords":["aws-iotevents","iotevents"],"labels":["@aws-cdk/aws-iotevents"],"affixes":{"suffixes":["-alpha"]}},
             {"area":"@aws-cdk/aws-iotevents-actions","keywords":["aws-iotevents","iotevents-actions"],"labels":["@aws-cdk/aws-iotevents-actions"],"affixes":{"suffixes":["-alpha"]}},

diff --git a/.github/workflows/lambda-runtime-tests.yml b/.github/workflows/lambda-runtime-tests.yml
@@ -8,6 +8,8 @@ jobs:
   update-lambda-tests:
     if: github.repository == 'aws/aws-cdk'
     runs-on: ubuntu-latest
+    permissions:
+      contents: write
     steps:
       - uses: actions/checkout@v4
         with:
@@ -44,4 +46,6 @@ jobs:
           git config --global user.email '[email protected]'
           git add .
           git commit -m "chore: update lambda runtime integration tests"
-          git push origin ${{ github.event.pull_request.head.ref }}
+          git push origin ${{ github.event.pull_request.head.ref }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/pr-linter-review-trigger.yml b/.github/workflows/pr-linter-review-trigger.yml
@@ -0,0 +1,32 @@
+# Re-evaluate the PR linter after reviews. This is used to upgrade the label
+# of a PR to `needs-maintainer-review` after a trusted community members leaves
+# an approving review.
+#
+# Unprivileged workflow that runs in the context of the PR, when a review is changed.
+#
+# Save the PR number, and download it again in the PR Linter workflow which
+# needs to run in privileged `workflow_run` context (but then must restore the
+# PR context).
+name: PR Linter Trigger
+
+on:
+  pull_request_review:
+    types: [submitted, edited, dismissed]
+
+jobs:
+  upload:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Save PR number
+        env:
+          PR_NUMBER: ${{ github.event.pull_request.number }}
+          PR_SHA: ${{ github.event.pull_request.head.sha }}
+        run: |
+          mkdir -p ./pr
+          echo $PR_NUMBER > ./pr/pr_number
+          echo $PR_SHA > ./pr/pr_sha
+      - uses: actions/upload-artifact@v4
+        with:
+          name: pr_info
+          path: pr/
diff --git a/.github/workflows/pr-linter-trigger.yml b/.github/workflows/pr-linter-trigger.yml
diff --git a/.github/workflows/pr-linter.yml b/.github/workflows/pr-linter.yml
@@ -11,11 +11,19 @@ on:
       - opened
       - synchronize
       - reopened
+
+  # Triggered from a separate job when a review is added
   workflow_run:
     workflows: [PR Linter Trigger]
     types:
       - completed
-  status:
+
+  # Trigger when a status is updated (CodeBuild leads to statuses)
+  status: {}
+
+  # Trigger when a check suite is completed (GitHub actions and CodeCov create checks)
+  check_suite:
+    types: [completed]
 
 jobs:
   download-if-workflow-run:
@@ -26,39 +34,29 @@ jobs:
     # if conditions on all individual steps because subsequent jobs depend on this job
     # and we cannot skip it entirely
     steps:
-      - name: 'Download artifact'
+      - name: 'Download workflow_run artifact'
         if: github.event_name == 'workflow_run'
-        uses: actions/github-script@v7
+        uses: dawidd6/action-download-artifact@v8
         with:
-          script: |
-            let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
-               owner: context.repo.owner,
-               repo: context.repo.repo,
-               run_id: context.payload.workflow_run.id,
-            });
-            let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
-              return artifact.name == "pr_info"
-            })[0];
-            let download = await github.rest.actions.downloadArtifact({
-               owner: context.repo.owner,
-               repo: context.repo.repo,
-               artifact_id: matchArtifact.id,
-               archive_format: 'zip',
-            });
-            let fs = require('fs');
-            fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/pr_info.zip`, Buffer.from(download.data));
-      - name: 'Unzip artifact'
-        if: github.event_name == 'workflow_run'
-        run: unzip pr_info.zip
+          run_id: ${{ github.event.workflow_run.id }}
+          name: pr_info
+          path: pr/
+          search_artifacts: true
 
-      - name: 'Make GitHub output'
+      - name: 'Determine PR info'
+        # PR info comes from the artifact if downloaded, or GitHub context if not.
         if: github.event_name == 'workflow_run'
         id: 'pr_output'
         run: |
-          echo "cat pr_number"
-          echo "pr_number=$(cat pr_number)" >> "$GITHUB_OUTPUT"
-          echo "cat pr_sha"
-          echo "pr_sha=$(cat pr_sha)" >> "$GITHUB_OUTPUT"
+          if [[ ! -f pr/pr_number ]]; then
+            echo "${{ github.event.pull_request.number }}" > pr/pr_number
+          fi
+          if [[ ! -f pr/pr_sha ]]; then
+            echo "${{ github.event.pull_request.head.sha }}" > pr/pr_sha
+          fi
+          cat pr/*
+          echo "pr_number=$(cat pr/pr_number)" >> "$GITHUB_OUTPUT"
+          echo "pr_sha=$(cat pr/pr_sha)" >> "$GITHUB_OUTPUT"
 
   validate-pr:
     # Necessary to have sufficient permissions to write to the PR
@@ -67,6 +65,7 @@ jobs:
       pull-requests: write
       statuses: read
       issues: read
+      checks: read
     runs-on: ubuntu-latest
     needs: download-if-workflow-run
     steps:
@@ -80,7 +79,7 @@ jobs:
         uses: ./tools/@aws-cdk/prlint
         env:
           GITHUB_TOKEN: ${{ secrets.PROJEN_GITHUB_TOKEN }}
-          # PR_NUMBER and PR_SHA is empty if triggered by pull_request_target, since we already have that info
           PR_NUMBER: ${{ needs.download-if-workflow-run.outputs.pr_number }}
           PR_SHA: ${{ needs.download-if-workflow-run.outputs.pr_sha }}
+          LINTER_LOGIN: ${{ vars.LINTER_LOGIN }}
           REPO_ROOT: ${{ github.workspace }}
diff --git a/.github/workflows/project-prioritization-assignment.yml b/.github/workflows/project-prioritization-assignment.yml
@@ -0,0 +1,23 @@
+name: PR Prioritization
+on:
+  pull_request_target:
+    types:
+      - labeled
+      - opened
+      - reopened
+      - synchronize
+      - ready_for_review
+
+jobs:
+  prioritize:
+    if: github.repository == 'aws/aws-cdk'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Add PR to Project & Set Priority
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.PROJEN_GITHUB_TOKEN }}
+          script: |
+            const script = require('./scripts/prioritization/assign-priority.js')
+            await script({github, context})
diff --git a/.github/workflows/project-prioritization-bug.yml b/.github/workflows/project-prioritization-bug.yml
@@ -0,0 +1,19 @@
+name: P1 Bug Prioritization
+on:
+  issues:
+    types:
+      - labeled
+
+jobs:
+  prioritize:
+    if: github.repository == 'aws/aws-cdk' && contains(github.event.issue.labels.*.name, 'bug') && contains(github.event.issue.labels.*.name, 'p1')
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Add P1 Bug to project
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.PROJEN_GITHUB_TOKEN }}
+          script: |
+            const script = require('./scripts/prioritization/assign-bug-priority.js')
+            await script({github, context})
diff --git a/.github/workflows/project-prioritization-r2-assignment.yml b/.github/workflows/project-prioritization-r2-assignment.yml
@@ -0,0 +1,20 @@
+name: PR Prioritization R2 Check
+on:
+  schedule:
+    - cron: '0 */6 * * 1-5'  # Runs every 6 hours during weekdays
+  workflow_dispatch:        # Manual trigger
+
+jobs:
+  update_project_status:
+    if: github.repository == 'aws/aws-cdk'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Check and assign R2 Priority to PRs
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.PROJEN_GITHUB_TOKEN }}
+          script: |
+            const script = require('./scripts/prioritization/assign-r2-priority.js')
+            await script({github})
diff --git a/.github/workflows/project-prioritization-r5-assignment.yml b/.github/workflows/project-prioritization-r5-assignment.yml
@@ -0,0 +1,19 @@
+name: PR Prioritization R5 Check
+on:
+  schedule:
+    - cron: '0 6 * * 1-5'  # Runs at 6AM every day during weekdays
+  workflow_dispatch:        # Manual trigger
+
+jobs:
+  update_project_status:
+    if: github.repository == 'aws/aws-cdk'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Check and Assign R5 Priority to PRs
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.PROJEN_GITHUB_TOKEN }}
+          script: |
+            const script = require('./scripts/prioritization/assign-r5-priority.js')
+            await script({github})
diff --git a/.github/workflows/request-cli-integ-test.yml b/.github/workflows/request-cli-integ-test.yml
@@ -19,7 +19,7 @@ jobs:
           persist-credentials: false
       - name: Find changed cli files
         id: changed-cli-files
-        uses: tj-actions/changed-files@bab30c2299617f6615ec02a68b9a40d10bd21366
+        uses: tj-actions/changed-files@d6e91a2266cdb9d62096cebf1e8546899c6aa18f
         with:
           base_sha: ${{ github.event.pull_request.base.sha }}
           files_yaml: |

diff --git a/.mergify.yml b/.mergify.yml
@@ -12,6 +12,7 @@ queue_rules:
       - -closed
       - "#approved-reviews-by>=1"
       - -approved-reviews-by~=author
+      # This is important! It makes the PR Linter work.
       - "#changes-requested-reviews-by=0"
       - status-success~=AWS CodeBuild us-east-1
       - status-success=validate-pr
@@ -30,6 +31,7 @@ queue_rules:
       - -closed
       - "#approved-reviews-by>=1"
       - -approved-reviews-by~=author
+      # This is important! It makes the PR Linter work.
       - "#changes-requested-reviews-by=0"
       - status-success~=AWS CodeBuild us-east-1
       - status-success=validate-pr
@@ -43,7 +45,7 @@ pull_request_rules:
       label:
         add: [ contribution/core ]
     conditions:
-      - author~=^(rix0rrr|iliapolo|otaviomacedo|kaizencc|comcalvi|TheRealAmazonKendra|mrgrain|pahud|ashishdhingra|kellertk|HBobertz|sumupitchayan|colifran|moelasmar|paulhcsun|GavinZZ|aaythapa|xazhao|gracelu0|jfuss|shikha372|kirtishrinkhala|godwingrs22|bergjaak|samson-keung|IanKonlog|Leo10Gama|scorbiere|michelle-wangg|jiayiwang7|1kaileychen|saiyush|5d)$
+      - author~=^(rix0rrr|iliapolo|otaviomacedo|kaizencc|comcalvi|TheRealAmazonKendra|mrgrain|pahud|ashishdhingra|kellertk|HBobertz|colifran|moelasmar|paulhcsun|GavinZZ|aaythapa|xazhao|gracelu0|jfuss|shikha372|kirtishrinkhala|godwingrs22|bergjaak|samson-keung|IanKonlog|Leo10Gama|scorbiere|michelle-wangg|jiayiwang7|1kaileychen|saiyush|5d|iankhou)$
       - -label~="contribution/core"
   - name: automatic merge
     actions:
@@ -61,6 +63,7 @@ pull_request_rules:
       - author!=dependabot-preview[bot]
       - "#approved-reviews-by>=1"
       - -approved-reviews-by~=author
+      # This is important! It makes the PR Linter work.
       - "#changes-requested-reviews-by=0"
       - status-success~=AWS CodeBuild us-east-1
       - status-success=validate-pr
@@ -81,6 +84,7 @@ pull_request_rules:
       - author!=dependabot-preview[bot]
       - "#approved-reviews-by>=2"
       - -approved-reviews-by~=author
+      # This is important! It makes the PR Linter work.
       - "#changes-requested-reviews-by=0"
       - status-success~=AWS CodeBuild us-east-1
       - status-success=validate-pr
@@ -101,6 +105,7 @@ pull_request_rules:
       - author!=dependabot-preview[bot]
       - "#approved-reviews-by>=1"
       - -approved-reviews-by~=author
+      # This is important! It makes the PR Linter work.
       - "#changes-requested-reviews-by=0"
       - status-success~=AWS CodeBuild us-east-1
       - status-success=validate-pr
@@ -140,6 +145,7 @@ pull_request_rules:
       - -closed
       - author~=dependabot
       - "#approved-reviews-by>=1"
+      # This is important! It makes the PR Linter work.
       - "#changes-requested-reviews-by=0"
       - status-success~=AWS CodeBuild us-east-1
       - status-success=validate-pr