Merge branch 'main' into feat/iam-sid-validation-flag-main

Author: camerondurham

.github/workflows/issue-label-assign.yml

@@ -143,6 +143,7 @@ env:
             {"area":"@aws-cdk/aws-ecs-patterns","keywords":["aws-ecs-patterns","ecs-patterns"],"labels":["@aws-cdk/aws-ecs-patterns"]},
             {"area":"@aws-cdk/aws-efs","keywords":["aws-efs","efs","accesspoint"],"labels":["@aws-cdk/aws-efs"]},
             {"area":"@aws-cdk/aws-eks","keywords":["aws-eks","eks","fargateprofile","fargatecluster"],"labels":["@aws-cdk/aws-eks"]},
+            {"area":"@aws-cdk/aws-eks-v2-alpha", "keywords":["aws-eks-v2", "eks-v2", "aws-eks-v2-alpha"],"labels":["@aws-cdk/aws-eks-v2-alpha"]},
             {"area":"@aws-cdk/aws-elasticache","keywords":["aws-elasticache","elastic-cache"],"labels":["@aws-cdk/aws-elasticache"]},
             {"area":"@aws-cdk/aws-elasticbeanstalk","keywords":["aws-elasticbeanstalk","elastic-beanstalk"],"labels":["@aws-cdk/aws-elasticbeanstalk"]},
             {"area":"@aws-cdk/aws-elasticloadbalancing","keywords":["aws-elasticloadbalancing","elastic-loadbalancing","elb"],"labels":["@aws-cdk/aws-elasticloadbalancing"]},
@@ -289,5 +290,8 @@ env:
             {"area":"@aws-cdk/aws-s3tables-alpha", "keywords":["aws-s3tables", "aws-s3tables-alpha"],"labels":["@aws-cdk/aws-s3tables-alpha"]},
             {"area":"@aws-cdk/aws-pipes-enrichments-alpha", "keywords":["aws-pipes-enrichments", "aws-pipes-enrichments-alpha"],"labels":["@aws-cdk/aws-pipes-enrichments-alpha"]},
             {"area":"@aws-cdk/aws-pipes-sources-alpha", "keywords":["aws-pipes-sources", "aws-pipes-sources-alpha"],"labels":["@aws-cdk/aws-pipes-sources-alpha"]},
-            {"area":"@aws-cdk/aws-pipes-targets-alpha", "keywords":["aws-pipes-targets", "aws-pipes-targets-alpha"],"labels":["@aws-cdk/aws-pipes-targets-alpha"]}
+            {"area":"@aws-cdk/aws-pipes-targets-alpha", "keywords":["aws-pipes-targets", "aws-pipes-targets-alpha"],"labels":["@aws-cdk/aws-pipes-targets-alpha"]},
+            {"area":"@aws-cdk/aws-bedrock-alpha", "keywords":["aws-bedrock", "aws-bedrock-alpha"],"labels":["@aws-cdk/aws-bedrock-alpha"]},
+            {"area":"@aws-cdk/aws-bedrock-agentcore-alpha", "keywords":["aws-bedrock-agentcore", "aws-bedrock-agentcore-alpha"],"labels":["@aws-cdk/aws-bedrock-agentcore-alpha"]},
+            {"area":"@aws-cdk/aws-imagebuilder-alpha", "keywords":["aws-imagebuilder", "aws-imagebuilder-alpha"],"labels":["@aws-cdk/aws-imagebuilder-alpha"]}
           ]

.github/workflows/security-guardian.yml

@@ -19,6 +19,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
         with:
+          ref: ${{ github.event.pull_request.head.sha }}
           fetch-depth: 0  
 
       - name: Install cfn-guard
@@ -34,10 +35,21 @@ jobs:
         run: yarn install --frozen-lockfile && cd tools/@aws-cdk/security-guardian && yarn build
 
       - name: Run Security Guardian
+        id: security-guardian
         uses: ./tools/@aws-cdk/security-guardian
         with:
           base_sha: ${{ github.event.pull_request.base.sha }}
           head_sha: ${{ github.event.pull_request.head.sha }}
           rule_set_path: './tools/@aws-cdk/security-guardian/rules'
-          show_summary: 'fail'
-          output_format: 'json'
+      - name: Save PR info for security-report
+        if: always()
+        run: |
+          echo "${{ github.event.pull_request.number }}" > ./test-results/pr_number
+          echo "${{ github.event.pull_request.head.sha }}" > ./test-results/pr_sha
+      
+      - name: Upload Security Guardian XML Reports
+        uses: actions/upload-artifact@v5
+        if: always()
+        with:
+          name: security-guardian-reports
+          path: test-results/

.github/workflows/security-report.yml

@@ -0,0 +1,66 @@
+name: Security Report
+on:
+  workflow_run:
+    workflows: ["Security Guardian"]
+    types: [completed]
+
+jobs:
+  report:
+    runs-on: ubuntu-latest
+    permissions:
+      checks: write
+      pull-requests: write
+      actions: read
+    steps:
+      - name: Download artifacts
+        uses: actions/download-artifact@v6
+        with:
+          name: security-guardian-reports
+          path: test-results/
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          run-id: ${{ github.event.workflow_run.id }}
+          repository: ${{ github.repository }}
+      
+      - name: Get PR info
+        id: pr_info
+        run: |
+          echo "pr_number=$(cat test-results/pr_number)" >> "$GITHUB_OUTPUT"
+          echo "pr_sha=$(cat test-results/pr_sha)" >> "$GITHUB_OUTPUT"
+          echo "PR: $(cat test-results/pr_number), SHA: $(cat test-results/pr_sha)"
+      - name: Publish Security Test Results 
+        uses: mikepenz/action-junit-report@v6
+        if: always()
+        with:
+          report_paths: 'test-results/**/cfn-guard-static.xml'
+          check_name: 'Security Guardian Results'
+          exclude_sources: 'node_modules,dist'
+          commit: ${{ steps.pr_info.outputs.pr_sha }}
+          check_annotations: true
+          comment: true
+          pr_id: ${{ steps.pr_info.outputs.pr_number }}
+          detailed_summary: true
+          include_passed: false
+          fail_on_failure: false
+          group_suite: true
+          include_skipped: false
+          check_title_template: '{{TEST_NAME}}'
+          include_empty_in_summary: false
+
+      - name: Publish Security Test Results for resolved templates
+        uses: mikepenz/action-junit-report@v6
+        if: always()
+        with:
+          report_paths: 'test-results/**/cfn-guard-resolved.xml'
+          check_name: 'Security Guardian Results with resolved templates'
+          exclude_sources: 'node_modules,dist'
+          commit: ${{ steps.pr_info.outputs.pr_sha }}
+          check_annotations: true
+          comment: true
+          pr_id: ${{ steps.pr_info.outputs.pr_number }}
+          detailed_summary: true
+          include_passed: false
+          fail_on_failure: false
+          group_suite: true
+          include_skipped: false
+          check_title_template: '{{TEST_NAME}}'
+          include_empty_in_summary: false

.github/workflows/spec-update.yml

@@ -58,9 +58,9 @@ jobs:
       # Build @aws-cdk/spec2cdk and run L1 gen script to generate base files for new modules
       - name: Build @aws-cdk/spec2cdk
         run: lerna run build --stream --no-progress --skip-nx-cache --scope @aws-cdk/spec2cdk
-      - name: Generate L1s
-        working-directory: packages/aws-cdk-lib
+      - name: Generate code
         run: yarn gen
+        run: lerna run gen --stream --no-progress --skip-nx-cache --scope aws-cdk-lib --scope @aws-cdk/mixins-preview
 
       # Next, create and upload the changes as a patch file. This will later be downloaded to create a pull request
       # Creating a pull request requires write permissions and it's best to keep write privileges isolated.

CHANGELOG.v2.alpha.md

@@ -2,6 +2,17 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.232.1-alpha.0](https://github.com/aws/aws-cdk/compare/v2.232.0-alpha.0...v2.232.1-alpha.0) (2025-12-05)
+
+## [2.232.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.231.0-alpha.0...v2.232.0-alpha.0) (2025-12-04)
+
+
+### Bug Fixes
+
+* **bedrock-agentcore-alpha:** use static construct ID for asset-based runtime artifacts ([#36241](https://github.com/aws/aws-cdk/issues/36241)) ([e2bdddd](https://github.com/aws/aws-cdk/commit/e2bdddd82f3e04f1cb2aebb187c580563bae453f)), closes [#35968](https://github.com/aws/aws-cdk/issues/35968)
+* **mixins-preview:** service exports are different then in `aws-cdk-lib` ([#36201](https://github.com/aws/aws-cdk/issues/36201)) ([5858006](https://github.com/aws/aws-cdk/commit/585800660b65a3a87d2b358054c7b5e162faabcf)), closes [#36210](https://github.com/aws/aws-cdk/issues/36210)
+* **mixins-preview:** strongly-typed ConstructSelector interface ([#36266](https://github.com/aws/aws-cdk/issues/36266)) ([1d2f473](https://github.com/aws/aws-cdk/commit/1d2f4730cc4358d35198980957e4fc01a21e9daf))
+
 ## [2.231.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.230.0-alpha.0...v2.231.0-alpha.0) (2025-12-01)
 
 

CHANGELOG.v2.md

@@ -2,6 +2,28 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.232.1](https://github.com/aws/aws-cdk/compare/v2.232.0...v2.232.1) (2025-12-05)
+
+
+### Bug Fixes
+
+* **core:** TypeScript properties missing for types which extend internal interfaces ([#36313](https://github.com/aws/aws-cdk/issues/36313)) ([3e7e17c](https://github.com/aws/aws-cdk/commit/3e7e17c0def24567610a541e39195596f5d83387)), closes [#36310](https://github.com/aws/aws-cdk/issues/36310)
+
+## [2.232.0](https://github.com/aws/aws-cdk/compare/v2.231.0...v2.232.0) (2025-12-04)
+
+
+### Features
+
+* update L1 CloudFormation resource definitions ([#36299](https://github.com/aws/aws-cdk/issues/36299)) ([0945692](https://github.com/aws/aws-cdk/commit/0945692b91b01b6a8c69e844cffe7629cc52695a))
+* **bedrock-agentcore:** add fromImageUri method to AgentRuntimeArtifact ([#36263](https://github.com/aws/aws-cdk/issues/36263)) ([ad25aba](https://github.com/aws/aws-cdk/commit/ad25aba9785c6801085525da4d6adcc8c3204a70))
+* **lambda:** add support for durable functions ([#36282](https://github.com/aws/aws-cdk/issues/36282)) ([599a1d3](https://github.com/aws/aws-cdk/commit/599a1d3b26a1a9edf22f1cde41da323e560145fb))
+* update L1 CloudFormation resource definitions ([#36277](https://github.com/aws/aws-cdk/issues/36277)) ([c4fa99b](https://github.com/aws/aws-cdk/commit/c4fa99b9149b512494c9ae94b8d4aebba4436eb0))
+
+
+### Bug Fixes
+
+* **core:** temp cleanup does not work with jest ([#36238](https://github.com/aws/aws-cdk/issues/36238)) ([1f4a224](https://github.com/aws/aws-cdk/commit/1f4a2249b2651115cf02a26fd4bba09b151f426e)), closes [#36226](https://github.com/aws/aws-cdk/issues/36226)
+
 ## [2.231.0](https://github.com/aws/aws-cdk/compare/v2.230.0...v2.231.0) (2025-12-01)
 
 

package.json

@@ -28,9 +28,9 @@
     "fs-extra": "^9.1.0",
     "graceful-fs": "^4.2.11",
     "jest-junit": "^13.2.0",
-    "jsii-diff": "1.120.0",
-    "jsii-pacmak": "1.120.0",
-    "jsii-reflect": "1.120.0",
+    "jsii-diff": "1.121.0",
+    "jsii-pacmak": "1.121.0",
+    "jsii-reflect": "1.121.0",
     "lerna": "^8.2.4",
     "nx": "^20",
     "semver": "^7.7.3",

packages/@aws-cdk-testing/framework-integ/package.json

@@ -50,7 +50,7 @@
     "@aws-cdk/lambda-layer-kubectl-v34": "^2.0.0",
     "@aws-cdk/region-info": "0.0.0",
     "aws-cdk-lib": "0.0.0",
-    "cdk8s": "2.70.30",
+    "cdk8s": "2.70.31",
     "cdk8s-plus-27": "2.9.5",
     "constructs": "^10.0.0"
   },