Merge branch 'main' into olrostob/s3tables-new-features

Author: olenarostotskyy

.github/workflows/close-stale-prs.yml

@@ -10,6 +10,7 @@ jobs:
     permissions:
       pull-requests: write
     runs-on: ubuntu-latest
+    environment: automation
     steps:
       - uses: cdklabs/close-stale-prs@main
         with:

.github/workflows/codebuild-pr-build.yml

@@ -102,7 +102,7 @@ jobs:
 
       - name: Upload PR info artifact
         if: github.event_name == 'pull_request'
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
         with:
           name: pr_info
           path: pr/

.github/workflows/codecov-collect.yml

@@ -28,7 +28,7 @@ jobs:
         run: cd packages/aws-cdk-lib && yarn test core
 
       - name: Upload Coverage and PR Info
-        uses: actions/upload-artifact@v6
+        uses: actions/upload-artifact@v7
         with:
           name: coverage-artifacts
           path: |

.github/workflows/codecov-upload.yml

@@ -23,7 +23,7 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v6
       - name: Download Artifacts
-        uses: actions/download-artifact@v7
+        uses: actions/download-artifact@v8
         with:
           name: coverage-artifacts
           path: ./packages/aws-cdk-lib/core/coverage

.github/workflows/enum-auto-updater.yml

@@ -23,7 +23,7 @@ jobs:
           NODE_OPTIONS: "--max-old-space-size=8196 --experimental-worker ${NODE_OPTIONS:-}"
 
       - name: Install dependencies
-        run: cd tools/@aws-cdk/enum-updater && yarn install --frozen-lockfile && yarn build
+        run: yarn install --frozen-lockfile && cd tools/@aws-cdk/enum-updater && yarn build
 
       - name: Identify Missing Values and Apply Code Changes
         run: |

.github/workflows/integration-test-deployment-auto.yml

@@ -0,0 +1,157 @@
+name: Integration Test deployment (Auto)
+
+# This workflow automatically runs integration tests when a PR with snapshot changes
+# is approved by a CDK team member. No manual approval required.
+#
+# SHADOW MODE: This workflow is in shadow mode - failures don't block PR merges.
+# Once validated, this will replace the label-based workflow (integration-test-deployment.yml).
+
+on:
+  pull_request_review:
+    types: [submitted]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  # Early validation: Check if approver is a CDK team member and PR has snapshot changes
+  validate_approver:
+    if: github.event.review.state == 'approved'
+    runs-on: ubuntu-latest
+    outputs:
+      should_run: ${{ steps.check_team.outputs.is_member == 'true' && steps.check_snapshots.outputs.has_snapshots == 'true' }}
+    permissions:
+      contents: read
+      pull-requests: read
+    steps:
+      - name: Checkout for path filtering
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 0
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: "lts/*"
+
+      - name: Install dependencies
+        run: yarn install --frozen-lockfile
+
+      - name: Build deployment-integ
+        run: yarn --cwd tools/@aws-cdk/integration-test-deployment build
+
+      - name: Check for snapshot changes
+        id: check_snapshots
+        env:
+          TARGET_BRANCH_COMMIT: ${{ github.event.pull_request.base.sha }}
+          SOURCE_BRANCH_COMMIT: ${{ github.event.pull_request.head.sha }}
+        run: |
+          # Reuses getChangedSnapshots() from utils.ts — single source of truth
+          if yarn --cwd tools/@aws-cdk/integration-test-deployment check-snapshots; then
+            echo "has_snapshots=true" >> $GITHUB_OUTPUT
+          else
+            echo "has_snapshots=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Check if approver is CDK team member
+        id: check_team
+        if: steps.check_snapshots.outputs.has_snapshots == 'true'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          APPROVER: ${{ github.event.review.user.login }}
+        run: |
+          # Use gh CLI to check team membership (pre-installed in GitHub Actions runners)
+          # https://docs.github.com/en/rest/teams/members#get-team-membership-for-a-user
+          if gh api "orgs/aws/teams/aws-cdk-team/memberships/${APPROVER}" --jq '.state' 2>/dev/null | grep -q "active"; then
+            echo "${APPROVER} is an active CDK team member"
+            echo "is_member=true" >> $GITHUB_OUTPUT
+          else
+            echo "${APPROVER} is not a CDK team member or membership is not active"
+            echo "is_member=false" >> $GITHUB_OUTPUT
+          fi
+
+  integration_test_deployment_auto:
+    needs: validate_approver
+    # Only run if approver is a CDK team member AND PR has snapshot changes
+    if: needs.validate_approver.outputs.should_run == 'true'
+    runs-on: codebuild-aws-cdk-github-actions-deployment-integ-runner-${{ github.run_id }}-${{ github.run_attempt }}
+    # No environment - runs automatically without manual approval
+    # Shadow mode: workflow reports success even if tests fail
+    continue-on-error: true
+    name: 'Deploy integration test snapshots (Auto)'
+
+    # Job-level permissions for least privilege
+    permissions:
+      id-token: write # Required for OIDC authentication with AWS Atmosphere
+      pull-requests: read # Required to check PR reviews and labels
+      contents: read # Required to checkout code
+
+    env:
+      PR_BUILD: true
+
+    steps:
+      - name: Checkout HEAD
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 0
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: "lts/*"
+          cache: "yarn"
+          cache-dependency-path: |
+            yarn.lock
+
+      - name: Set up Docker
+        uses: docker/setup-buildx-action@v3
+
+      - name: Load Docker images
+        id: docker-cache
+        uses: actions/cache/restore@v5
+        with:
+          path: |
+            ~/.docker-images.tar
+          key: docker-cache-${{ runner.os }}
+
+      - name: Restore Docker images
+        if: ${{ steps.docker-cache.outputs.cache-hit }}
+        run: docker image load --input ~/.docker-images.tar
+
+      - name: Cache build artifacts
+        uses: actions/cache@v5
+        with:
+          path: |
+            ~/.s3buildcache
+          key: s3buildcache-${{ runner.os }}
+
+      - name: Configure system settings
+        run: |
+          (command -v sysctl || sudo apt-get update && sudo apt-get install -y procps) && \
+          sudo sysctl -w vm.max_map_count=2251954
+
+      - name: Install dependencies for Integration Tests
+        run: yarn install --frozen-lockfile
+
+      - name: Build deployment-integ
+        run: yarn --cwd tools/@aws-cdk/integration-test-deployment build
+
+      - name: Build Integration Test packages
+        run: npx lerna run build --scope="{@aws-cdk/*,@aws-cdk-testing/framework-integ}"
+
+      - name: Run integration tests
+        run: yarn run atmosphere-integ-test
+        env:
+          CDK_ATMOSPHERE_ENDPOINT: ${{ vars.CDK_ATMOSPHERE_ENDPOINT }}
+          CDK_ATMOSPHERE_POOL: ${{ vars.CDK_ATMOSPHERE_POOL }}
+          CDK_ATMOSPHERE_OIDC_ROLE: ${{ vars.CDK_ATMOSPHERE_OIDC_ROLE }}
+          CDK_ATMOSPHERE_BATCH_SIZE: ${{ vars.CDK_ATMOSPHERE_BATCH_SIZE }}
+          TARGET_BRANCH_COMMIT: ${{ github.event.pull_request.base.sha }}
+          SOURCE_BRANCH_COMMIT: ${{ github.event.pull_request.head.sha }}
+          # GitHub context for preflight check (validates CDK team membership)
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}

.github/workflows/integration-test-deployment.yml

@@ -25,6 +25,7 @@ concurrency:
 jobs:
   integration_test_deployment:
     runs-on: codebuild-aws-cdk-github-actions-deployment-integ-runner-${{ github.run_id }}-${{ github.run_attempt }}
+    timeout-minutes: 7200 # Maximum limit for self-hosted runners, job can still be limited by our runner timeout (which is set at 36 hours).
     environment: deployment-integ-test # Do not change or remove this without discussing with Appsec
     if: contains(github.event.pull_request.labels.*.name, 'pr/needs-integration-tests-deployment')
     name: 'Deploy integration test snapshots (requires `pr/needs-integration-tests-deployment` label)'