Merge branch 'main' into feat/iam-sid-validation-flag-main

Author: camerondurham

.github/workflows/codebuild-pr-build.yml

@@ -39,15 +39,15 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v6
         with:
-          node-version: "18"
+          node-version: "20"
           cache: "yarn"
 
       - name: Set up Docker
         uses: docker/setup-buildx-action@v3
 
       - name: Load Docker images
         id: docker-cache
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@v5
         with:
           path: |
             ~/.docker-images.tar
@@ -58,7 +58,7 @@ jobs:
         run: docker image load --input ~/.docker-images.tar
 
       - name: Cache build artifacts
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: |
             ~/.s3buildcache
@@ -84,12 +84,12 @@ jobs:
 
       - name: Cache Docker images
         if: ${{ github.event_name == 'push' && github.ref_name == 'main' }}
-        uses: actions/cache/save@v4
+        uses: actions/cache/save@v5
         with:
           path: |
             ~/.docker-images.tar
           key: docker-cache-${{ runner.os }}
-          
+
       - name: Save PR info for PR Linter
         if: github.event_name == 'pull_request'
         env:
@@ -102,7 +102,7 @@ jobs:
 
       - name: Upload PR info artifact
         if: github.event_name == 'pull_request'
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: pr_info
           path: pr/

.github/workflows/codecov-collect.yml

@@ -28,7 +28,7 @@ jobs:
         run: cd packages/aws-cdk-lib && yarn test core
 
       - name: Upload Coverage and PR Info
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: coverage-artifacts
           path: |

.github/workflows/codecov-upload.yml

@@ -23,7 +23,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
       - name: Download Artifacts
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v7
         with:
           name: coverage-artifacts
           path: ./packages/aws-cdk-lib/core/coverage

.github/workflows/integration-test-deployment.yml

@@ -52,7 +52,7 @@ jobs:
 
       - name: Load Docker images
         id: docker-cache
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@v5
         with:
           path: |
             ~/.docker-images.tar
@@ -63,7 +63,7 @@ jobs:
         run: docker image load --input ~/.docker-images.tar
 
       - name: Cache build artifacts
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: |
             ~/.s3buildcache
@@ -101,7 +101,7 @@ jobs:
 
       - name: Cache Docker images
         if: ${{ github.event_name == 'push' && github.ref_name == 'main' }}
-        uses: actions/cache/save@v4
+        uses: actions/cache/save@v5
         with:
           path: |
             ~/.docker-images.tar

.github/workflows/issue-sync.yml

@@ -19,7 +19,7 @@ jobs:
 
       # Cache node_modules
       - name: Cache node_modules
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         id: cache-modules
         with:
           path: |
@@ -37,7 +37,7 @@ jobs:
 
       # Cache build output
       - name: Cache build output
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         id: cache-build
         with:
           path: |

.github/workflows/pr-build.yml

@@ -34,15 +34,15 @@ jobs:
       - name: Setup Node.js
         uses: actions/setup-node@v6
         with:
-          node-version: "18"
+          node-version: "20"
           cache: "yarn"
 
       - name: Set up Docker
         uses: docker/setup-buildx-action@v3
 
       - name: Load Docker images
         id: docker-cache
-        uses: actions/cache/restore@v4
+        uses: actions/cache/restore@v5
         with:
           path: |
             ~/.docker-images.tar
@@ -53,7 +53,7 @@ jobs:
         run: docker image load --input ~/.docker-images.tar
 
       - name: Cache build artifacts
-        uses: actions/cache@v4
+        uses: actions/cache@v5
         with:
           path: |
             ~/.s3buildcache
@@ -79,7 +79,7 @@ jobs:
 
       - name: Cache Docker images
         if: ${{ github.event_name == 'push' && github.ref_name == 'main' }}
-        uses: actions/cache/save@v4
+        uses: actions/cache/save@v5
         with:
           path: |
             ~/.docker-images.tar

.github/workflows/pr-linter-review-trigger.yml

@@ -26,7 +26,7 @@ jobs:
           mkdir -p ./pr
           echo $PR_NUMBER > ./pr/pr_number
           echo $PR_SHA > ./pr/pr_sha
-      - uses: actions/upload-artifact@v5
+      - uses: actions/upload-artifact@v6
         with:
           name: pr_info
           path: pr/

.github/workflows/security-guardian.yml

@@ -1,6 +1,8 @@
 name: Security Guardian
 on:
-  pull_request: {}
+  pull_request:
+    paths:
+      - '**.js.snapshot**'
 
 jobs:
   log-skip:
@@ -48,7 +50,7 @@ jobs:
           echo "${{ github.event.pull_request.head.sha }}" > ./test-results/pr_sha
       
       - name: Upload Security Guardian XML Reports
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         if: always()
         with:
           name: security-guardian-reports

.github/workflows/security-report.yml

@@ -11,9 +11,12 @@ jobs:
       checks: write
       pull-requests: write
       actions: read
+    env:
+      CHECK_NAME_STATIC: 'Security Guardian Results'
+      CHECK_NAME_RESOLVED: 'Security Guardian Results with resolved templates'
     steps:
       - name: Download artifacts
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v7
         with:
           name: security-guardian-reports
           path: test-results/
@@ -28,11 +31,12 @@ jobs:
           echo "pr_sha=$(cat test-results/pr_sha)" >> "$GITHUB_OUTPUT"
           echo "PR: $(cat test-results/pr_number), SHA: $(cat test-results/pr_sha)"
       - name: Publish Security Test Results 
+        id: junit_static
         uses: mikepenz/action-junit-report@v6
         if: always()
         with:
           report_paths: 'test-results/**/cfn-guard-static.xml'
-          check_name: 'Security Guardian Results'
+          check_name: ${{ env.CHECK_NAME_STATIC }}
           exclude_sources: 'node_modules,dist'
           commit: ${{ steps.pr_info.outputs.pr_sha }}
           check_annotations: true
@@ -46,12 +50,46 @@ jobs:
           check_title_template: '{{TEST_NAME}}'
           include_empty_in_summary: false
 
+      - name: Add disclaimer to static results comment
+        uses: actions/github-script@v7
+        if: steps.junit_static.outcome == 'success'
+        env:
+          PR_NUMBER: ${{ steps.pr_info.outputs.pr_number }}
+          CHECK_NAME: ${{ env.CHECK_NAME_STATIC }}
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const prNumber = process.env.PR_NUMBER;
+            const checkName = process.env.CHECK_NAME;
+            const comments = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: prNumber,
+            });
+            
+            const botComment = comments.data.find(comment => 
+              comment.user.type === 'Bot' && 
+              comment.body.includes(checkName) &&
+              !comment.body.includes('resolved templates')
+            );
+            
+            if (botComment) {
+              const disclaimer = '⚠️ **Experimental Feature**: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined. \n**Please try `merge from main` to avoid findings unrelated to the PR.**\n\n---\n\n';
+              await github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: botComment.id,
+                body: disclaimer + botComment.body
+              });
+            }
+
       - name: Publish Security Test Results for resolved templates
+        id: junit_resolved
         uses: mikepenz/action-junit-report@v6
         if: always()
         with:
           report_paths: 'test-results/**/cfn-guard-resolved.xml'
-          check_name: 'Security Guardian Results with resolved templates'
+          check_name: ${{ env.CHECK_NAME_RESOLVED }}
           exclude_sources: 'node_modules,dist'
           commit: ${{ steps.pr_info.outputs.pr_sha }}
           check_annotations: true
@@ -64,3 +102,35 @@ jobs:
           include_skipped: false
           check_title_template: '{{TEST_NAME}}'
           include_empty_in_summary: false
+
+      - name: Add disclaimer to resolved results comment
+        uses: actions/github-script@v7
+        if: steps.junit_resolved.outcome == 'success'
+        env:
+          PR_NUMBER: ${{ steps.pr_info.outputs.pr_number }}
+          CHECK_NAME: ${{ env.CHECK_NAME_RESOLVED }}
+        with:
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          script: |
+            const prNumber = process.env.PR_NUMBER;
+            const checkName = process.env.CHECK_NAME;
+            const comments = await github.rest.issues.listComments({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: prNumber,
+            });
+            
+            const botComment = comments.data.find(comment => 
+              comment.user.type === 'Bot' && 
+              comment.body.includes(checkName)
+            );
+            
+            if (botComment) {
+              const disclaimer = '⚠️ **Experimental Feature**: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined. \n**Please try `merge from main` to avoid findings unrelated to the PR.**\n\n---\n\n';
+              await github.rest.issues.updateComment({
+                owner: context.repo.owner,
+                repo: context.repo.repo,
+                comment_id: botComment.id,
+                body: disclaimer + botComment.body
+              });
+            }

.github/workflows/spec-update.yml

@@ -31,7 +31,7 @@ jobs:
 
       # Upload the current db to be used later
       - name: Upload base database
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: db.base.json.gz
           path: node_modules/@aws-cdk/aws-service-spec/db.json.gz
@@ -49,7 +49,7 @@ jobs:
 
       # Now that we have updated the database, upload the new candidate db
       - name: Upload head database
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: db.head.json.gz
           path: node_modules/@aws-cdk/aws-service-spec/db.json.gz
@@ -59,7 +59,6 @@ jobs:
       - name: Build @aws-cdk/spec2cdk
         run: lerna run build --stream --no-progress --skip-nx-cache --scope @aws-cdk/spec2cdk
       - name: Generate code
-        run: yarn gen
         run: lerna run gen --stream --no-progress --skip-nx-cache --scope aws-cdk-lib --scope @aws-cdk/mixins-preview
 
       # Next, create and upload the changes as a patch file. This will later be downloaded to create a pull request
@@ -69,7 +68,7 @@ jobs:
           git add .
           git diff --patch --staged > ${{ runner.temp }}/update-spec.patch
       - name: Upload Patch
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: update-spec.patch
           path: ${{ runner.temp }}/update-spec.patch
@@ -85,12 +84,12 @@ jobs:
       CI: "true"
     steps:
       - name: Download base database
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v7
         with:
           name: db.base.json.gz
           path: base
       - name: Download head database
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v7
         with:
           name: db.head.json.gz
           path: head
@@ -110,7 +109,7 @@ jobs:
           cat DIFF >> PR.md
           echo '```' >> PR.md
       - name: Upload PR body file
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: PR.md
           path: PR.md
@@ -128,7 +127,7 @@ jobs:
         uses: actions/checkout@v6
 
       - name: Download patch
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v7
         with:
           name: update-spec.patch
           path: ${{ runner.temp }}
@@ -137,13 +136,13 @@ jobs:
         run: '[ -s ${{ runner.temp }}/update-spec.patch ] && git apply ${{ runner.temp }}/update-spec.patch || echo "Empty patch. Skipping."'
 
       - name: Download PR body file
-        uses: actions/download-artifact@v6
+        uses: actions/download-artifact@v7
         with:
           name: PR.md
           path: ${{ runner.temp }}
 
       - name: Make Pull Request
-        uses: peter-evans/create-pull-request@v7
+        uses: peter-evans/create-pull-request@v8
         with:
           # Git commit details
           branch: automation/spec-update