ci: Move AWS CDK check into it's own GHA job

[akash1810]

What does this change?

Currently CI will fail when the version of AWS CDK libraries being used are over 5 releases out of date. This forces us to keep somewhat up to date with releases, however it does introduce an odd situation:

1. Raise PR
2. CI passes on PR
3. PR gets approved
4. New AWS CDK released
5. PR merged
6. Semantic Release creates a new release
7. Robot that keeps version in package.json up to date raises PR
8. Robot PR fails CI and cannot be automatically merged

The latest example of this can be seen on:

• feat: Add Stack Set support #977
• chore(release): 31.5.0 #995
• chore(deps)!: Update aws-cdk libraries to 1.137.0 #997.

Where #977 passed CI (step 2) and was merged (step 5) and #995 (step 7) is now failing it's CI checks (step 8).

When this happens we usually update the branch of the robot's PR to remove the AWS CDK check, allowing CI to pass. This isn't great as we put the check back in the next PR. This is noise.

This change moves the AWS CDK check into a discrete job in GHA. This should mean we can resolve the above solution by updating the branch protection rules, allowing the AWS CDK check to fail but still require the tests to pass.

This yields less noise in the repository.

How to test

CI should pass and there should be another build report.

How can we measure success?

#995 can be merged before #997 and thus the revision history stays truthful.

More importantly though, we able to ignore the AWS CDK check a little more easily.

Have we considered potential risks?

???

Checklist

• I have listed any breaking changes, along with a migration path ¹
• I have updated the documentation as required for the described changes ²

Footnotes

1. Consider whether this is something that will mean changes to projects that have already been migrated, or to the CDK CLI tool. If changes are required, consider adding a checklist here and/or linking to related PRs. ↩

2. If you are adding a new construct or pattern, has new documentation been added? If you are amending defaults or changing behaviour, are the existing docs still valid? ↩

[akash1810]

There's a little dance to do with this PR:

• Merge this in (the "check-aws-cdk" check will be failing)
• Rebase chore(release): 31.5.0 #995 with main and merge it (the "check-aws-cdk" check will be failing)
• Update branch protection rules to require "check-aws-cdk" to pass before a PR can be merged
• Rebase chore(deps)!: Update aws-cdk libraries to 1.137.0 #997 with main and merge it
• Rebase any open branches with main (largely Dependabot ones)

[jacobwinch]

This change moves the AWS CDK check into a discrete job in GHA. This should mean we can resolve the above solution by updating the branch protection rules, allowing the AWS CDK check to fail but still require the tests to pass.

We could also bypass this check automatically for machine users, for example: https://github.com/guardian/cdk/pull/1000/files#diff-944291df2c9c06359d37cc8833d182d705c9e8c3108e7cfe132d61a06e9133ddR22.

[github-actions]

🎉 This PR is included in version 32.0.0 🎉

The release is available on:

• npm package (@latest dist-tag)
• GitHub release

Your semantic-release bot 📦🚀

[akash1810]

We could also bypass this check automatically for machine users, for example: https://github.com/guardian/cdk/pull/1000/files#diff-944291df2c9c06359d37cc8833d182d705c9e8c3108e7cfe132d61a06e9133ddR22.

YES! Even more reason to move away from script/ci!