Merge branch 'main' into delegation-grant-names

aws · Jan 16, 2024 · 9f6df3b · 9f6df3b
2 parents d6136dd + 66c1109
commit 9f6df3b
Show file tree

Hide file tree

Showing 3,206 changed files with 973,749 additions and 205,704 deletions.
diff --git a/.github/workflows/close-stale-prs.yml b/.github/workflows/close-stale-prs.yml
@@ -25,5 +25,5 @@ jobs:
           important-checks-regex: AutoBuildv2Project1C6BFA3F
           warn-message: This PR has been in the STATE state for 3 weeks, and looks abandoned. To keep this PR from being closed, please continue work on it. If not, it will automatically be closed in a week.
           close-message: This PR has been deemed to be abandoned, and will be automatically closed. Please create a new PR for these changes if you think this decision has been made in error.
-          skip-labels: contribution/core,pr-linter/do-not-close
+          skip-labels: contribution/core,pr-linter/do-not-close,pr/needs-maintainer-review
           close-label: closed-for-staleness
diff --git a/.github/workflows/github-merit-badger.yml b/.github/workflows/github-merit-badger.yml
@@ -17,4 +17,4 @@ jobs:
           badges: '[beginning-contributor,repeat-contributor,valued-contributor,admired-contributor,star-contributor,distinguished-contributor]'
           thresholds: '[0,3,6,13,25,50]'
           badge-type: 'achievement'
-          ignore-usernames: '[rix0rrr,MrArnoldPalmer,iliapolo,otaviomacedo,madeline-k,kaizencc,comcalvi,corymhall,peterwoodworth,TheRealAmazonKendra,vinayak-kukreja,mrgrain,pahud,cgarvis,kellertk,HBobertz,sumupitchayan,SankyRed,udaypant,colifran,khushail,scanlonp,mikewrighton,moelasmar,aws-cdk-automation,dependabot[bot],mergify[bot]]'
+          ignore-usernames: '[rix0rrr,MrArnoldPalmer,iliapolo,otaviomacedo,madeline-k,kaizencc,comcalvi,TheRealAmazonKendra,vinayak-kukreja,mrgrain,pahud,cgarvis,kellertk,HBobertz,sumupitchayan,SankyRed,udaypant,colifran,khushail,scanlonp,mikewrighton,moelasmar,paulhcsun,awsmjs,evgenyka,GavinZZ,aaythapa,xazhao,ConnorRobertson,ssenchenko,gracelu0,jfuss,SimonCMoore,aws-cdk-automation,dependabot[bot],mergify[bot]]'
diff --git a/.github/workflows/pr-linter-trigger.yml b/.github/workflows/pr-linter-trigger.yml
@@ -17,7 +17,7 @@ jobs:
           mkdir -p ./pr
           echo $PR_NUMBER > ./pr/pr_number
           echo $PR_SHA > ./pr/pr_sha
-      - uses: actions/upload-artifact@v3
+      - uses: actions/upload-artifact@v4
         with:
           name: pr_info
           path: pr/
diff --git a/.github/workflows/request-cli-integ-test.yml b/.github/workflows/request-cli-integ-test.yml
@@ -19,7 +19,7 @@ jobs:
           persist-credentials: false
       - name: Find changed cli files
         id: changed-cli-files
-        uses: tj-actions/changed-files@25ef3926d147cd02fc7e931c1ef50772bbb0d25d
+        uses: tj-actions/changed-files@62f4729b5df35e6e0e01265fa70a82ccaf196b4b
         with:
           base_sha: ${{ github.event.pull_request.base.sha }}
           files_yaml: |

diff --git a/.github/workflows/spec-update.yml b/.github/workflows/spec-update.yml
@@ -25,8 +25,19 @@ jobs:
         env:
           NODE_OPTIONS: "--max-old-space-size=8196 --experimental-worker ${NODE_OPTIONS:-}"
 
+      # Install all current dependencies
       - name: Yarn Install
         run: yarn install --frozen-lockfile
+
+      # Upload the current db to be used later
+      - name: Upload base database
+        uses: actions/upload-artifact@v4
+        with:
+          name: db.base.json.gz
+          path: node_modules/@aws-cdk/aws-service-spec/db.json.gz
+          if-no-files-found: error
+
+      # Perform the actual upgrade of the relevant packages
       - name: Install ncu tool
         run: npm -g install lerna npm-check-updates
       - name: Run "ncu" for service spec packages
@@ -36,6 +47,14 @@ jobs:
       - name: Install latest version & update lockfile
         run: yarn upgrade @aws-cdk/aws-service-spec @aws-cdk/service-spec-importers @aws-cdk/service-spec-types
 
+      # Now that we have updated the database, upload the new candidate db
+      - name: Upload head database
+        uses: actions/upload-artifact@v4
+        with:
+          name: db.head.json.gz
+          path: node_modules/@aws-cdk/aws-service-spec/db.json.gz
+          if-no-files-found: error
+
       # Build @aws-cdk/spec2cdk and run L1 gen script to generate base files for new modules
       - name: Build @aws-cdk/spec2cdk
         run: lerna run build --stream --no-progress --skip-nx-cache --scope @aws-cdk/spec2cdk
@@ -50,14 +69,56 @@ jobs:
           git add .
           git diff --patch --staged > ${{ runner.temp }}/update-spec.patch
       - name: Upload Patch
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: update-spec.patch
           path: ${{ runner.temp }}/update-spec.patch
 
+  diff-db:
+    needs: update-spec
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      id-token: none
+      pull-requests: write
+    env:
+      CI: "true"
+    steps:
+      - name: Download base database
+        uses: actions/download-artifact@v4
+        with:
+          name: db.base.json.gz
+          path: base
+      - name: Download head database
+        uses: actions/download-artifact@v4
+        with:
+          name: db.head.json.gz
+          path: head
+      - name: Diff databases
+        id: diff-db
+        run: npx --yes --package=@aws-cdk/service-spec-importers@latest -c 'diff-db base/db.json.gz head/db.json.gz' > DIFF || echo "diff-result=true" >> $GITHUB_OUTPUT
+        continue-on-error: true
+      - name: Create PR body file
+        run: |-
+          echo 'Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`' >> PR.md
+      - name: Add model changelog to PR body file
+        if: steps.diff-db.outputs.diff-result
+        run: |-
+          echo '' >> PR.md
+          echo '**L1 CloudFormation resource definition changes:**' >> PR.md
+          echo '```' >> PR.md
+          cat DIFF >> PR.md
+          echo '```' >> PR.md
+      - name: Upload PR body file
+        uses: actions/upload-artifact@v4
+        with:
+          name: PR.md
+          path: PR.md
   pr:
     name: Create Pull Request
-    needs: update-spec
+    needs:
+      - update-spec
+      - diff-db
     permissions:
       contents: write
       pull-requests: write
@@ -67,27 +128,32 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Download patch
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: update-spec.patch
           path: ${{ runner.temp }}
 
       - name: Apply patch
         run: '[ -s ${{ runner.temp }}/update-spec.patch ] && git apply ${{ runner.temp }}/update-spec.patch || echo "Empty patch. Skipping."'
 
+      - name: Download PR body file
+        uses: actions/download-artifact@v4
+        with:
+          name: PR.md
+          path: ${{ runner.temp }}
+
       - name: Make Pull Request
         uses: peter-evans/create-pull-request@v5
         with:
           # Git commit details
           branch: automation/spec-update
           author: aws-cdk-automation <[email protected]>
           commit-message: |-
-            feat: update AWS Service Spec
-            AWS Service Spec packages to latest versions.
+            feat: update L1 CloudFormation resource definitions
+            Updates the L1 CloudFormation resource definitions with the latest changes from `@aws-cdk/aws-service-spec`
           # Pull Request details
-          title: "feat: update AWS Service Spec"
-          body: |-
-            AWS Service Spec packages to latest versions.
+          title: "feat: update L1 CloudFormation resource definitions"
+          body-path: ${{ runner.temp }}/PR.md
           labels: contribution/core,dependencies,auto-approve,pr-linter/exempt-integ-test,pr-linter/exempt-readme,pr-linter/exempt-test
           team-reviewers: aws-cdk-team
           # Github prevents further Github actions to be run if the default Github token is used.

diff --git a/.github/workflows/sync-from-upstream.yml b/.github/workflows/sync-from-upstream.yml
@@ -0,0 +1,63 @@
+name: Sync repository from upstream
+on:
+  workflow_dispatch: {}
+  schedule:
+    - cron: 5 2 * * *
+
+env:
+  BRANCHES: main v2-release
+
+jobs:
+
+  # Check for the presence of a PROJEN_GITHUB_TOKEN secret.
+  #
+  # This is expected to contain a personal access token of someone who has
+  # permissions to bypass branch protection rules.
+  #
+  # If not present, we can only use GitHub Actions Token permissions,
+  # but this has the following downsides:
+  #
+  # - Those are bound by branch protection rules (so automated pushing won't work).
+  # - As soon as a workflow file needs to be changed, GitHub will reject the push.
+  #   Only Apps and Users can be allowed to modify workflows.
+  check-secret:
+    # Don't run on the target repo itself, only forks
+    if: github.repository != 'aws/aws-cdk'
+
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check for presence of PROJEN_GITHUB_TOKEN
+        id: check-secrets
+        run: |
+          if [ ! -z "${{ secrets.PROJEN_GITHUB_TOKEN }}" ]; then
+            echo "ok=true" >> $GITHUB_OUTPUT
+          else
+            echo "ok=false" >> $GITHUB_OUTPUT
+          fi
+    outputs:
+      ok: ${{ steps.check-secrets.outputs.ok }}
+
+  sync-branch:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+    needs: [check-secret]
+    steps:
+      - name: Checkout using User Token
+        if: needs.check-secret.outputs.ok == 'true'
+        uses: actions/checkout@v4
+        with:
+          token: ${{ secrets.PROJEN_GITHUB_TOKEN }}
+
+      - name: Checkout using GitHub Actions permissions
+        if: needs.check-secret.outputs.ok == 'false'
+        uses: actions/checkout@v4
+
+      - name: Sync from aws/aws-cdk
+        run: |-
+          git remote add upstream https://github.com/aws/aws-cdk.git
+          git fetch upstream $BRANCHES
+
+          for branch in $BRANCHES; do
+            git push origin --force refs/remotes/upstream/$branch:refs/heads/$branch
+          done
diff --git a/.github/workflows/update-metadata-regions.yml b/.github/workflows/update-metadata-regions.yml
@@ -33,7 +33,7 @@ jobs:
           git add .
           git diff --patch --staged > ${{ runner.temp }}/update-spec.patch
       - name: Upload Patch
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: update-spec.patch
           path: ${{ runner.temp }}/update-spec.patch
@@ -50,7 +50,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Download patch
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: update-spec.patch
           path: ${{ runner.temp }}

diff --git a/.github/workflows/yarn-upgrade.yml b/.github/workflows/yarn-upgrade.yml
@@ -62,13 +62,13 @@ jobs:
           ncu --upgrade --reject=@types/node,@types/prettier,constructs,typescript --target=minor
           # Upgrade all the packages
           lerna exec --parallel ncu -- --upgrade --filter=typescript --target=patch
-          lerna exec --parallel ncu -- --upgrade --reject='@types/conventional-commits-parser,@types/node,@types/prettier,constructs,typescript,aws-sdk-mock,@aws-cdk/aws-service-spec,@aws-cdk/service-spec-types,${{ steps.list-packages.outputs.list }}' --target=minor
+          lerna exec --parallel ncu -- --upgrade --reject='@types/conventional-commits-parser,@types/node,@types/prettier,constructs,typescript,aws-sdk-mock,@aws-sdk/*,@aws-cdk/aws-service-spec,@aws-cdk/service-spec-types,${{ steps.list-packages.outputs.list }}' --target=minor
           # Upgrade package.json files in init templates
           for pj in $(find packages/aws-cdk/lib/init-templates -name package.json); do
             (cd $(dirname $pj) && ncu --upgrade --reject='constructs,${{ steps.list-packages.outputs.list }}')
           done
           # Upgrade dependencies at an aws-eks integ test docker image
-          cd packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/sdk-call-integ-test-docker-app/app/ && ncu --upgrade --reject=',${{ steps.list-packages.outputs.list }}'
+          cd packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/sdk-call-integ-test-docker-app/app/ && ncu --upgrade --reject='@aws-sdk/*,${{ steps.list-packages.outputs.list }}'
 
       # This will ensure the current lockfile is up-to-date with the dependency specifications (necessary for "yarn upgrade" to run)
       - name: Run "yarn install"
@@ -89,7 +89,7 @@ jobs:
           git add .
           git diff --patch --staged > ${{ runner.temp }}/upgrade.patch
       - name: Upload Patch
-        uses: actions/upload-artifact@v3
+        uses: actions/upload-artifact@v4
         with:
           name: upgrade.patch
           path: ${{ runner.temp }}/upgrade.patch
@@ -106,7 +106,7 @@ jobs:
         uses: actions/checkout@v4
 
       - name: Download patch
-        uses: actions/download-artifact@v3
+        uses: actions/download-artifact@v4
         with:
           name: upgrade.patch
           path: ${{ runner.temp }}

diff --git a/.mergify.yml b/.mergify.yml
@@ -11,7 +11,7 @@ pull_request_rules:
       label:
         add: [ contribution/core ]
     conditions:
-      - author~=^(rix0rrr|MrArnoldPalmer|iliapolo|otaviomacedo|madeline-k|kaizencc|comcalvi|corymhall|peterwoodworth|TheRealAmazonKendra|vinayak-kukreja|mrgrain|pahud|cgarvis|kellertk|HBobertz|sumupitchayan|SankyRed|udaypant|colifran|scanlonp|mikewrighton|moelasmar)$
+      - author~=^(rix0rrr|MrArnoldPalmer|iliapolo|otaviomacedo|madeline-k|kaizencc|comcalvi|TheRealAmazonKendra|vinayak-kukreja|mrgrain|pahud|cgarvis|kellertk|HBobertz|sumupitchayan|SankyRed|udaypant|colifran|scanlonp|mikewrighton|moelasmar|paulhcsun|awsmjs|evgenyka|GavinZZ|aaythapa|xazhao|ConnorRobertson|ssenchenko|gracelu0|jfuss|SimonCMoore)$
       - -label~="contribution/core"
   - name: automatic merge
     actions:

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,5 @@
+repos:
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.17.0
+    hooks:
+      - id: gitleaks