aws · mergify · May 15, 2025 · May 7, 2025 · May 7, 2025 · May 7, 2025
diff --git a/.github/workflows/README.md b/.github/workflows/README.md
@@ -92,6 +92,12 @@ Owner: CDK support team
 patch file for downloading.
 Owner: Core CDK team
 
+### Yarn Upgrader for deps needing manual work
+
+[yarn-upgrade-need-manual-work.yml](yarn-upgrade-need-manual-work.yml): Upgrades specific dependencies that require manual intervention and creates a PR for review.
+For example, some dependency upgrades require manual updates to the integ test snapshots.
+Owner: Core CDK team
+
 ### AWS Service Spec Update
 
 [spec-update.yml](spec-update.yml): Updates AWS Service Spec and related packages to their latest versions

diff --git a/.github/workflows/codecov-collect.yml b/.github/workflows/codecov-collect.yml
@@ -0,0 +1,35 @@
+name: Codecov Collect
+
+on:
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  collect:
+    name: Collect Coverage
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Node
+        uses: actions/setup-node@v4
+
+      - name: Install dependencies
+        run: yarn install
+
+      - name: Build Library
+        run: npx lerna run build --scope=aws-cdk-lib
+
+      - name: Run Core tests
+        run: cd packages/aws-cdk-lib && yarn test core
+
+      - name: Upload Coverage and PR Info
+        uses: actions/upload-artifact@v4
+        with:
+          name: coverage-artifacts
+          path: |
+            packages/aws-cdk-lib/coverage/cobertura-coverage.xml
diff --git a/.github/workflows/codecov-upload.yml b/.github/workflows/codecov-upload.yml
@@ -0,0 +1,38 @@
+name: Codecov Upload
+
+on:
+  workflow_run:
+    workflows: ["Codecov Collect"]
+    types:
+      - completed
+
+permissions:
+  contents: write
+  id-token: write
+  actions: read
+
+jobs:
+  upload:
+    name: Upload to Codecov
+    runs-on: ubuntu-latest
+    if: >
+      github.event.workflow_run.event == 'pull_request' &&
+      github.event.workflow_run.conclusion == 'success'
+
+    steps:
+      - name: Download Artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: coverage-artifacts
+          path: ./coverage
+          github-token: ${{ secrets.GITHUB_TOKEN }}
+          repository: ${{ github.repository }}
+          run-id: ${{ github.event.workflow_run.id }}
+
+      - name: Upload to Codecov
+        uses: codecov/codecov-action@v5
+        with:
+          files: ./coverage/packages/aws-cdk-lib/coverage/cobertura-coverage.xml
+          fail_ci_if_error: true
+          flags: suite.unit
+          use_oidc: true
diff --git a/.github/workflows/codecov.yml b/.github/workflows/codecov.yml
diff --git a/.github/workflows/enum-static-mapping-updater.yml b/.github/workflows/enum-static-mapping-updater.yml
@@ -52,10 +52,10 @@ jobs:
           git checkout -b "$branchName"
 
           git add .  # Add all files changed
-          git commit -m "chore: update enum static mapping"
+          git commit -m "chore(enum-updater): update enum static mapping"
           git push -f origin "$branchName"
 
-          gh pr create --title "chore: update enum static mapping" \
+          gh pr create --title "chore(enum-updater): update enum static mapping" \
            --body "This PR updates the CDK enum mapping file." \
            --base main \
            --head "$branchName" \

diff --git a/.github/workflows/pr-linter-exemption-labeler.yml b/.github/workflows/pr-linter-exemption-labeler.yml
@@ -10,8 +10,10 @@ jobs:
   pr_commented:
     name: PR Comment
     if: ${{ (github.event.issue.pull_request) && (github.event.issue.state == 'open') }}
+    permissions:
+      pull-requests: write
     runs-on: ubuntu-latest
     steps:
       - uses: cdklabs/pr-linter-exemption-labeler@main
         with:
-          github-token: ${{ secrets.PROJEN_GITHUB_TOKEN }}
+          github-token: ${{ secrets.PROJEN_GITHUB_TOKEN }}
diff --git a/.github/workflows/request-cli-integ-test.yml b/.github/workflows/request-cli-integ-test.yml
@@ -19,7 +19,7 @@ jobs:
           persist-credentials: false
       - name: Find changed cli files
         id: changed-cli-files
-        uses: step-security/changed-files@3dbe17c78367e7d60f00d78ae6781a35be47b4a1
+        uses: step-security/changed-files@95b56dadb92a30ca9036f16423fd3c088a71ee94
         with:
           base_sha: ${{ github.event.pull_request.base.sha }}
           files_yaml: |

diff --git a/.github/workflows/security-guardian.yml b/.github/workflows/security-guardian.yml
@@ -3,13 +3,23 @@ on:
   pull_request: {}
 
 jobs:
-  run-security-guardian:
+  log-skip:
+    if: |
+      startsWith(github.event.pull_request.title, 'chore(release):') ||
+      startsWith(github.event.pull_request.title, 'chore(merge-back):')
     runs-on: ubuntu-latest
     steps:
+      - run: echo "Skipping Security Guardian for release/merge-back PR"
+  run-security-guardian:
+    if: |
+      !startsWith(github.event.pull_request.title, 'chore(release):') &&
+      !startsWith(github.event.pull_request.title, 'chore(merge-back):')
+    runs-on: ubuntu-latest
+    steps:      
       - name: Checkout
         uses: actions/checkout@v4
         with:
-          fetch-depth: 0  # Required to enable full git diff
+          fetch-depth: 0  
 
       - name: Install cfn-guard
         run: |

diff --git a/.github/workflows/yarn-upgrade-need-manual-work.yml b/.github/workflows/yarn-upgrade-need-manual-work.yml
@@ -0,0 +1,120 @@
+name: Yarn Upgrade Dependencies Requiring Intervention
+# This workflow upgrade npm dependencies that will require manual work. For example, `@aws-cdk/asset-awscli-v1` upgrade always require manually updating snapshots.
+# When adding deps in this workflow, we must also exclude them in the Yarn Upgrade workflow. This is so that the PR from that workflow can be kept clean (i.e. does not need manual update).
+# See this line on how to exclude deps: https://github.com/aws/aws-cdk/blob/ce7b30775f354c7de774f73c5f8dedd9ce7530d3/.github/workflows/yarn-upgrade.yml#L61
+# If this proves to be too cumbersome, we can refactor both workflow to reference the deps list from a single place.
+
+on:
+  schedule:
+    # Every wednesday at 13:37 UTC
+    - cron: 37 13 * * 3
+  workflow_dispatch: {}
+
+# For multiple dependencies, do `DEPS_TO_UPGRADE:"p1 p2 p3"`
+env:
+  DEPS_TO_UPGRADE: "@aws-cdk/asset-awscli-v1"
+
+jobs:
+  upgrade:
+    name: Yarn Upgrade
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check Out
+        uses: actions/checkout@v4
+
+      - name: Set up Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: "*"
+        env:
+          NODE_OPTIONS: "--max-old-space-size=8196 --experimental-worker ${NODE_OPTIONS:-}"
+
+      - name: Locate Yarn cache
+        id: yarn-cache
+        run: echo "dir=$(yarn cache dir)" >> $GITHUB_OUTPUT
+
+      - name: Restore Yarn cache
+        uses: actions/cache@v4
+        with:
+          path: ${{ steps.yarn-cache.outputs.dir }}
+          key: ${{ runner.os }}-yarn-${{ hashFiles('**/yarn.lock') }}
+          restore-keys: |-
+            ${{ runner.os }}-yarn-
+      - name: Yarn Install
+        run: yarn install --frozen-lockfile
+      - name: Install Tools
+        run: |-
+          npm -g install lerna npm-check-updates
+      - name: Run "ncu -u"
+        run: |-
+          # Convert space-separated string to comma-separated string for the filter
+          FILTER=$(echo "$DEPS_TO_UPGRADE" | tr ' ' ',')
+          lerna exec --parallel ncu -- --upgrade --filter="$FILTER" --target=minor
+
+      - name: Run "yarn upgrade"
+        run: |
+          echo "Upgrading dependencies: $DEPS_TO_UPGRADE"
+          yarn upgrade $DEPS_TO_UPGRADE --exact
+
+      # Next, create and upload the changes as a patch file. This will later be downloaded to create a pull request
+      # Creating a pull request requires write permissions and it's best to keep write privileges isolated.
+      - name: Create Patch
+        run: |-
+          git add .
+          git diff --binary --patch --staged > ${{ runner.temp }}/upgrade.patch
+
+      - name: Upload Patch
+        uses: actions/upload-artifact@v4
+        with:
+          name: upgrade.patch
+          path: ${{ runner.temp }}/upgrade.patch
+
+  pr:
+    name: Create Pull Request
+    needs: upgrade
+    permissions:
+      contents: write
+      pull-requests: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check Out
+        uses: actions/checkout@v4
+
+      - name: Download patch
+        uses: actions/download-artifact@v4
+        with:
+          name: upgrade.patch
+          path: ${{ runner.temp }}
+
+      - name: Apply patch
+        run: '[ -s ${{ runner.temp }}/upgrade.patch ] && git apply --binary ${{ runner.temp
+          }}/upgrade.patch || echo "Empty patch. Skipping."'
+
+      - name: Make Pull Request
+        uses: peter-evans/create-pull-request@v7
+        with:
+          # Git commit details
+          branch: automation/yarn-upgrade-dependencies-requiring-intervention
+          author: aws-cdk-automation <aws-cdk-automation@users.noreply.github.com>
+          commit-message: |-
+            chore: npm-check-updates && yarn upgrade
+            Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.
+          # Pull Request details
+          title: 'chore: yarn upgrade dependencies requiring intervention'
+          body: |-
+            Ran npm-check-updates and yarn upgrade for the following dependencies:
+            ```
+            ${{ env.DEPS_TO_UPGRADE }}
+            ```
+            Checkout this branch and run integration tests locally to update snapshots.
+            ```
+            (cd packages/@aws-cdk-testing/framework-integ && yarn integ --update-on-failed)
+            ```
+            See https://www.npmjs.com/package/@aws-cdk/integ-runner for more integ runner options.
+          labels: contribution/core,dependencies
+          team-reviewers: aws-cdk-team
+          # Github prevents further Github actions to be run if the default Github token is used.
+          # Instead use a privileged token here, so further GH actions can be triggered on this PR.
+          token: ${{ secrets.PROJEN_GITHUB_TOKEN }}
diff --git a/.github/workflows/yarn-upgrade.yml b/.github/workflows/yarn-upgrade.yml
@@ -58,7 +58,7 @@ jobs:
           ncu --upgrade --reject=@types/node,@types/prettier,constructs,jsii,jsii-rosetta,typescript --target=minor
           # Upgrade all the packages
           lerna exec --parallel ncu -- --upgrade --filter=jsii,jsii-rosetta,typescript --target=patch
-          lerna exec --parallel ncu -- --upgrade --reject='@types/conventional-commits-parser,@types/node,@types/prettier,constructs,jsii,jsii-rosetta,typescript,aws-sdk-mock,@aws-sdk/*,@aws-cdk/aws-service-spec,@aws-cdk/service-spec-types,${{ steps.list-packages.outputs.list }}' --target=minor
+          lerna exec --parallel ncu -- --upgrade --reject='@aws-cdk/asset-awscli-v1,@types/conventional-commits-parser,@types/node,@types/prettier,constructs,jsii,jsii-rosetta,typescript,aws-sdk-mock,@aws-sdk/*,@aws-cdk/aws-service-spec,@aws-cdk/service-spec-types,${{ steps.list-packages.outputs.list }}' --target=minor
           # Upgrade package.json files in init templates
           for pj in $(find packages/aws-cdk/lib/init-templates -name package.json); do
             (cd $(dirname $pj) && ncu --upgrade --reject='constructs,${{ steps.list-packages.outputs.list }}')

diff --git a/CHANGELOG.v2.alpha.md b/CHANGELOG.v2.alpha.md
@@ -2,6 +2,21 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.196.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.195.0-alpha.0...v2.196.0-alpha.0) (2025-05-15)
+
+
+### Features
+
+* **msk:** support Kafka versions 3.9.x and 3.9.x Kraft ([#34213](https://github.com/aws/aws-cdk/issues/34213)) ([a1226db](https://github.com/aws/aws-cdk/commit/a1226db3164f885ab1bbf13a18697831cfde74d0))
+* **pipes-targets:** add SNS ([#34159](https://github.com/aws/aws-cdk/issues/34159)) ([2f846b3](https://github.com/aws/aws-cdk/commit/2f846b395cc5061363bd6def946a04740ac0139b))
+* **s3tables:** server-side encryption by customer managed KMS key ([#34229](https://github.com/aws/aws-cdk/issues/34229)) ([488f0db](https://github.com/aws/aws-cdk/commit/488f0db714c20fcaf5dbdf682277a70c6a938d3f))
+
+
+### Bug Fixes
+
+* **ec2:**  dual-stack vpc without private subnets creates EgressOnlyInternetGateway (under feature flag) ([#34437](https://github.com/aws/aws-cdk/issues/34437)) ([35e818b](https://github.com/aws/aws-cdk/commit/35e818b4f86638b5fe6074705511d1eee16266d2)), closes [#30981](https://github.com/aws/aws-cdk/issues/30981)
+* **ec2-alpha:** fix resource id references and tags for migration behind feature flag ([#34377](https://github.com/aws/aws-cdk/issues/34377)) ([aa73534](https://github.com/aws/aws-cdk/commit/aa735341a8e95224a14241b5e1c5c5ba71de5022))
+
 ## [2.195.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.194.0-alpha.0...v2.195.0-alpha.0) (2025-05-07)