aws
diff --git a/‎.github/workflows/README.md‎
Lines changed: 6 additions & 0 deletions b/‎.github/workflows/README.md‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎.github/workflows/codecov-collect.yml‎
Lines changed: 35 additions & 0 deletions b/‎.github/workflows/codecov-collect.yml‎
Lines changed: 35 additions & 0 deletions
diff --git a/‎.github/workflows/codecov-upload.yml‎
Lines changed: 36 additions & 0 deletions b/‎.github/workflows/codecov-upload.yml‎
Lines changed: 36 additions & 0 deletions
diff --git a/‎.github/workflows/pr-linter-exemption-labeler.yml‎
Lines changed: 3 additions & 1 deletion b/‎.github/workflows/pr-linter-exemption-labeler.yml‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎.github/workflows/request-cli-integ-test.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/request-cli-integ-test.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/security-guardian.yml‎
Lines changed: 11 additions & 9 deletions b/‎.github/workflows/security-guardian.yml‎
Lines changed: 11 additions & 9 deletions
diff --git a/‎.github/workflows/yarn-upgrade-need-manual-work.yml‎
Lines changed: 120 additions & 0 deletions b/‎.github/workflows/yarn-upgrade-need-manual-work.yml‎
Lines changed: 120 additions & 0 deletions
diff --git a/‎package.json‎
Lines changed: 2 additions & 2 deletions b/‎package.json‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎packages/@aws-cdk-testing/framework-integ/package.json‎
Lines changed: 2 additions & 2 deletions b/‎packages/@aws-cdk-testing/framework-integ/package.json‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎packages/@aws-cdk-testing/framework-integ/test/aws-cloudwatch-actions/test/integ.lambda-alarm-multiple-stepscalingpolicy.js.snapshot/cdk.out‎
Lines changed: 1 addition & 0 deletions b/‎packages/@aws-cdk-testing/framework-integ/test/aws-cloudwatch-actions/test/integ.lambda-alarm-multiple-stepscalingpolicy.js.snapshot/cdk.out‎
Lines changed: 1 addition & 0 deletions
@@ -92,6 +92,12 @@ Owner: CDK support team
 patch file for downloading.
 Owner: Core CDK team
 
+### Yarn Upgrader for deps needing manual work
+
+[yarn-upgrade-need-manual-work.yml](yarn-upgrade-need-manual-work.yml): Upgrades specific dependencies that require manual intervention and creates a PR for review.
+For example, some dependency upgrades require manual updates to the integ test snapshots.
+Owner: Core CDK team
+
 ### AWS Service Spec Update
 
 [spec-update.yml](spec-update.yml): Updates AWS Service Spec and related packages to their latest versions
 
@@ -0,0 +1,35 @@
+name: Codecov Collect
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  collect:
+    name: Collect Coverage
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Node
+        uses: actions/setup-node@v4
+
+      - name: Install dependencies
+        run: yarn install
+
+      - name: Build Library
+        run: npx lerna run build --scope=aws-cdk-lib
+
+      - name: Run Core tests
+        run: cd packages/aws-cdk-lib && yarn test core
+
+      - name: Upload Coverage and PR Info
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-artifacts
+          path: |
+            packages/aws-cdk-lib/coverage/cobertura-coverage.xml
@@ -0,0 +1,36 @@
+name: Codecov Upload
+
+on:
+  workflow_run:
+    workflows: ["Codecov Collect"]
+    types:
+      - completed
+
+permissions:
+  contents: write
+  id-token: write
+
+jobs:
+  upload:
+    name: Upload to Codecov
+    runs-on: ubuntu-latest
+    if: >
+      github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success'
+
+    steps:
+      - name: Download Artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: coverage-artifacts
+          path: ./coverage
+          repository: ${{ github.repository }}
+          run-id: ${{ github.event.workflow_run.id }}
+
+      - name: Upload to Codecov
+        uses: codecov/codecov-action@v5
+        with:
+          files: ./coverage/packages/aws-cdk-lib/coverage/cobertura-coverage.xml
+          fail_ci_if_error: true
+          flags: suite.unit
+          use_oidc: true
@@ -10,8 +10,10 @@ jobs:
   pr_commented:
     name: PR Comment
     if: ${{ (github.event.issue.pull_request) && (github.event.issue.state == 'open') }}
+    permissions:
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - uses: cdklabs/pr-linter-exemption-labeler@main
         with:
-          github-token: ${{ secrets.PROJEN_GITHUB_TOKEN }}
+          github-token: ${{ secrets.PROJEN_GITHUB_TOKEN }}
@@ -19,7 +19,7 @@ jobs:
           persist-credentials: false
       - name: Find changed cli files
         id: changed-cli-files
-        uses: step-security/changed-files@3dbe17c78367e7d60f00d78ae6781a35be47b4a1
+        uses: step-security/changed-files@95b56dadb92a30ca9036f16423fd3c088a71ee94
         with:
           base_sha: ${{ github.event.pull_request.base.sha }}
           files_yaml: |
 
@@ -3,21 +3,23 @@ on:
   pull_request: {}
 
 jobs:
+  log-skip:
+    if: |
+      startsWith(github.event.pull_request.title, 'chore(release):') ||
+      startsWith(github.event.pull_request.title, 'chore(merge-back):')
+    runs-on: ubuntu-latest
+    steps:
+      - run: echo "Skipping Security Guardian for release/merge-back PR"
   run-security-guardian:
+    if: |
+      !startsWith(github.event.pull_request.title, 'chore(release):') &&
+      !startsWith(github.event.pull_request.title, 'chore(merge-back):')
     runs-on: ubuntu-latest
     steps:      
-      - name: Skip check for release PRs
-        if: |
-            (
-              startsWith(github.event.pull_request.title, 'chore(release):') ||
-              startsWith(github.event.pull_request.title, 'chore(merge-back):')
-            )
-        run: echo "Skipping Security Guardian for release PR" && exit 0
-
       - name: Checkout
         uses: actions/checkout@v4
         with:
-          fetch-depth: 0  # Required to enable full git diff
+          fetch-depth: 0  
 
       - name: Install cfn-guard
         run: |
 
@@ -0,0 +1,120 @@
+name: Yarn Upgrade Dependencies Requiring Intervention
+# This workflow upgrade npm dependencies that will require manual work. For example, `@aws-cdk/asset-awscli-v1` upgrade always require manually updating snapshots.
+# When adding deps in this workflow, we must also exclude them in the Yarn Upgrade workflow. This is so that the PR from that workflow can be kept clean (i.e. does not need manual update).
+# See this line on how to exclude deps: https://github.com/aws/aws-cdk/blob/ce7b30775f354c7de774f73c5f8dedd9ce7530d3/.github/workflows/yarn-upgrade.yml#L61
+# If this proves to be too cumbersome, we can refactor both workflow to reference the deps list from a single place.
+
+on:
+  schedule:
+    # Every wednesday at 13:37 UTC
+    - cron: 37 13 * * 3
+  workflow_dispatch: {}
+
+# For multiple dependencies, do `DEPS_TO_UPGRADE:"p1 p2 p3"`
+env:
+  DEPS_TO_UPGRADE: "@aws-cdk/asset-awscli-v1"
+
+jobs:
+  upgrade:
+    name: Yarn Upgrade
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check Out
+        uses: actions/checkout@v4
+
+      - name: Set up Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: "*"
+        env:
+          NODE_OPTIONS: "--max-old-space-size=8196 --experimental-worker ${NODE_OPTIONS:-}"
+
+      - name: Locate Yarn cache
+        id: yarn-cache
+        run: echo "dir=$(yarn cache dir)" >> $GITHUB_OUTPUT
+
+      - name: Restore Yarn cache
+        uses: actions/cache@v4
+        with:
+          path: ${{ steps.yarn-cache.outputs.dir }}
+          key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |-
+            ${{ runner.os }}-yarn-
+      - name: Yarn Install
+        run: yarn install --frozen-lockfile
+      - name: Install Tools
+        run: |-
+          npm -g install lerna npm-check-updates
+      - name: Run "ncu -u"
+        run: |-
+          # Convert space-separated string to comma-separated string for the filter
+          FILTER=$(echo "$DEPS_TO_UPGRADE" | tr ' ' ',')
+          lerna exec --parallel ncu -- --upgrade --filter="$FILTER" --target=minor
+
+      - name: Run "yarn upgrade"
+        run: |
+          echo "Upgrading dependencies: $DEPS_TO_UPGRADE"
+          yarn upgrade $DEPS_TO_UPGRADE --exact
+
+      # Next, create and upload the changes as a patch file. This will later be downloaded to create a pull request
+      # Creating a pull request requires write permissions and it's best to keep write privileges isolated.
+      - name: Create Patch
+        run: |-
+          git add .
+          git diff --binary --patch --staged > ${{ runner.temp }}/upgrade.patch
+
+      - name: Upload Patch
+        uses: actions/upload-artifact@v4
+        with:
+          name: upgrade.patch
+          path: ${{ runner.temp }}/upgrade.patch
+
+  pr:
+    name: Create Pull Request
+    needs: upgrade
+    permissions:
+      contents: write
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check Out
+        uses: actions/checkout@v4
+
+      - name: Download patch
+        uses: actions/download-artifact@v4
+        with:
+          name: upgrade.patch
+          path: ${{ runner.temp }}
+
+      - name: Apply patch
+        run: '[ -s ${{ runner.temp }}/upgrade.patch ] && git apply --binary ${{ runner.temp
+          }}/upgrade.patch || echo "Empty patch. Skipping."'
+
+      - name: Make Pull Request
+        uses: peter-evans/create-pull-request@v7
+        with:
+          # Git commit details
+          branch: automation/yarn-upgrade-dependencies-requiring-intervention
+          author: aws-cdk-automation <aws-cdk-automation@users.noreply.github.com>
+          commit-message: |-
+            chore: npm-check-updates && yarn upgrade
+            Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.
+          # Pull Request details
+          title: 'chore: yarn upgrade dependencies requiring intervention'
+          body: |-
+            Ran npm-check-updates and yarn upgrade for the following dependencies:
+            ```
+            ${{ env.DEPS_TO_UPGRADE }}
+            ```
+            Checkout this branch and run integration tests locally to update snapshots.
+            ```
+            (cd packages/@aws-cdk-testing/framework-integ && yarn integ --update-on-failed)
+            ```
+            See https://www.npmjs.com/package/@aws-cdk/integ-runner for more integ runner options.
+          labels: contribution/core,dependencies
+          team-reviewers: aws-cdk-team
+          # Github prevents further Github actions to be run if the default Github token is used.
+          # Instead use a privileged token here, so further GH actions can be triggered on this PR.
+          token: ${{ secrets.PROJEN_GITHUB_TOKEN }}
@@ -30,9 +30,9 @@
     "jsii-reflect": "1.112.0",
     "lerna": "^8.2.2",
     "nx": "^20",
-    "semver": "^7.7.1",
+    "semver": "^7.7.2",
     "standard-version": "^9.5.0",
-    "ts-jest": "^29.3.2",
+    "ts-jest": "^29.3.3",
     "ts-node": "^10.9.2",
     "typescript": "~5.5.4"
   },
 
@@ -30,7 +30,7 @@
   "license": "Apache-2.0",
   "devDependencies": {
     "@aws-cdk/cdk-build-tools": "0.0.0",
-    "@aws-cdk/integ-runner": "^2.186.6",
+    "@aws-cdk/integ-runner": "^2.186.7",
     "@aws-cdk/pkglint": "0.0.0",
     "@aws-sdk/client-acm": "3.632.0",
     "@aws-sdk/client-rds": "3.632.0",
@@ -47,7 +47,7 @@
     "@aws-cdk/lambda-layer-kubectl-v31": "^2.0.3",
     "@aws-cdk/lambda-layer-kubectl-v32": "^2.1.0",
     "aws-cdk-lib": "0.0.0",
-    "cdk8s": "2.69.67",
+    "cdk8s": "2.69.68",
     "cdk8s-plus-27": "2.9.5",
     "constructs": "^10.0.0"
   },