chore: add yarn upgrade workflow (#10346)

This workflow runs `npm-check-updates` throughout the repository, and runs
an equivalent of `yarn install --force` (equivalent to `yarn install && yarn upgrade`,
except in a single command so more efficient).

Some packages enjoy "special handling":
- `@types/node` will stay on the currently set *major* version (since this reflects
  the minimal supported `node` version)
- `@types/fs-extra` will stay on the currently set *major* version (because the
  latest major version is known to be broken with `@types/node >=10`, as seen
  in DefinitelyTyped/DefinitelyTyped#30398
- `typescript` will stay on the currently set *minor* version (since it does not
  follow semantic versioning, and *Major.Minor* is where the stability point is

This ensures all dependencies are up-to-date, on the latest version, including
transitive dependencies that may not have been updated by the `dependabot`
workflows previously.

This files a pull request once done if there are any changes. It requires a secret
called `AUTOMATION_GITHUB_TOKEN` that will need to be created, and contain
a GitHub token that has `workflows` permissions, so PR validation workflows will
trigger on the PR.

.github/workflows/yarn-upgrade.yml

@@ -0,0 +1,75 @@
+name: Yarn Upgrade
+
+on:
+  schedule:
+    # Every wednesday at 13:37 UTC
+    - cron: 37 13 * * 3
+  workflow_dispatch: {}
+
+jobs:
+  upgrade:
+    name: Yarn Upgrade
+    runs-on: ubuntu-latest
+    steps:
+
+      - name: Check Out
+        uses: actions/checkout@v2
+
+      - name: Set up Node
+        uses: actions/setup-node@v2.1.0
+        with:
+          node-version: 10
+
+      - name: Locate Yarn cache
+        id: yarn-cache
+        run: echo "::set-output name=dir::$(yarn cache dir)"
+
+      - name: Restore Yarn cache
+        uses: actions/cache@v2
+        with:
+          path: ${{ steps.yarn-cache.outputs.dir }}
+          key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |-
+            ${{ runner.os }}-yarn-
+      - name: Install Tools
+        run: |-
+          npm -g install lerna npm-check-updates@^9.0.0
+      - name: List Mono-Repo Packages
+        id: list-packages
+        # These need to be ignored from the `ncu` runs!
+        run: |-
+          echo -n "::set-output name=list::"
+          node -p "$(lerna ls --all --json 2>/dev/null).map(item => item.name).join(',')"
+      - name: Run "ncu -u"
+        # We special-case @types/node because we want to stay on the current major (minimum supported node release)
+        # We special-case @types/fs-extra because the current major (9.x) is broken with @types/node >= 10
+        # We special-case typescript because it's not semantically versionned
+        run: |-
+          # Upgrade dependencies at repository root
+          ncu --upgrade --filter=@types/node,@types/fs-extra --target=minor
+          ncu --upgrade --filter=typescript --target=patch
+          ncu --upgrade --reject=@types/node,@types/fs-extra,typescript
+          # Upgrade all the packages
+          lerna exec --parallel ncu -- --upgrade --filter=@types/node,@types/fs-extra --target=minor
+          lerna exec --parallel ncu -- --upgrade --filter=typescript --target=patch
+          lerna exec --parallel ncu -- --upgrade --reject='@types/node,@types/fs-extra,typescript,${{ steps.list-packages.outputs.list }}'
+      # This will create a brand new `yarn.lock` file (this is more efficient than `yarn install && yarn upgrade`)
+      - name: Run "yarn install --force"
+        run: yarn install --force
+
+      - name: Make Pull Request
+        uses: peter-evans/create-pull-request@v2
+        with:
+          # Git commit details
+          branch: automation/yarn-upgrade
+          commit-message: |-
+            chore: npm-check-updates && yarn upgrade
+            Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.
+          # Pull Request details
+          title: 'chore: npm-check-updates && yarn upgrade'
+          body: |-
+            Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.
+          labels: contribution/core,dependencies
+          team-reviewers: aws-cdk-team
+          # Privileged token so automated PR validation happens
+          token: ${{ secrets.AUTOMATION_GITHUB_TOKEN }}