Merge branch 'develop' into fix-8148

Author: vicheey

.github/workflows/build.yml

@@ -68,6 +68,7 @@ jobs:
     - uses: actions/setup-python@v6
       with:
         python-version: ${{ matrix.python }}
+    - uses: astral-sh/setup-uv@v7
     - run: test -f "./.github/ISSUE_TEMPLATE/Bug_report.md"  # prevent Bug_report.md from being renamed or deleted
     - run: make pr
 
@@ -171,7 +172,7 @@ jobs:
           ruby-version: "3.3"
       - uses: actions/setup-node@v6
         with:
-          node-version: 22
+          node-version: 24
       - uses: actions/setup-java@v5
         with:
           distribution: 'corretto'
@@ -185,18 +186,9 @@ jobs:
         with:
           dotnet-version: '10.0.x'
        # Install and configure Rust & Cargo Lambda
-      - name: Install and configure Rust & Cargo Lambda
+      - name: Install Rust toolchain and cargo-lambda
         if: ${{ matrix.os == 'ubuntu-latest' }}
-        run: |
-          : install rustup if needed
-          if ! command -v rustup &> /dev/null ; then
-            curl --proto '=https' --tlsv1.2 --retry 10 --retry-connrefused -fsSL "https://sh.rustup.rs" | sh -s -- --default-toolchain none -y
-            echo "${CARGO_HOME:-$HOME/.cargo}/bin" >> $GITHUB_PATH
-          fi
-          rustup toolchain install stable --profile minimal --no-self-update
-          rustup default stable
-          pip install cargo-lambda==$CARGO_LAMBDA_VERSION
-          echo "$HOME/.local/bin" >> $GITHUB_PATH
+        run: bash tests/install-rust.sh
       - name: Init samdev
         run: make init
       - name: uv install setuptools in Python3.12

.github/workflows/codeql.yml

@@ -23,7 +23,7 @@ on:
 jobs:
   analyze:
     name: Analyze
-    if: github.repository_owner == 'aws'
+    if: github.repository == 'aws/aws-sam-cli'
     runs-on: ubuntu-latest
     permissions:
       actions: read

.github/workflows/integration-tests.yml

@@ -1,8 +1,6 @@
 name: Slack Notifications
 
 on:
-  pull_request:
-    types: [labeled]
   issues:
     types: [opened]
 
@@ -12,17 +10,8 @@ jobs:
     permissions:
       contents: read
     steps:
-      - name: Send External PR Notification
-        if: github.event_name == 'pull_request' && github.event.label.name == 'pr/external'
-        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2
-        env:
-          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
-          SLACK_TITLE: 'PR Created: ${{ github.event.pull_request.title }} by ${{ github.event.pull_request.user.login }}'
-          SLACK_FOOTER: ''
-          MSG_MINIMAL: true
-          SLACK_MESSAGE: '${{ github.event.pull_request.html_url }}'
       - name: Send New Issue Notification
-        if: github.event_name == 'issue'
+        if: github.event_name == 'issues'
         uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2
         env:
           SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}

.github/workflows/notify-slack.yml

@@ -19,7 +19,9 @@ jobs:
       pull-requests: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/github-script@v8
+      - name: Apply internal/external label
+        id: label_step
+        uses: actions/github-script@v8
         with:
           github-token: ${{secrets.GITHUB_TOKEN}}
           script: |
@@ -29,19 +31,30 @@ jobs:
               'Vandita2020', 'roger-zhangg',
               'vicheey', 'bnusunny', 'tobixlea', 
               'reedham-aws', 'licjun', 'dependabot[bot]'
-            ]
+            ];
             if (maintainers.includes(context.payload.sender.login)) {
-              github.rest.issues.addLabels({
+              await github.rest.issues.addLabels({
                 issue_number: context.issue.number,
                 owner: context.repo.owner,
                 repo: context.repo.repo,
                 labels: ['pr/internal']
-              })
+              });
+              core.setOutput("external", "false");
             } else {
-              github.rest.issues.addLabels({
+              await github.rest.issues.addLabels({
                 issue_number: context.issue.number,
                 owner: context.repo.owner,
                 repo: context.repo.repo,
                 labels: ['pr/external', 'stage/needs-triage']
-              })
+              });
+              core.setOutput("external", "true");
             }
+      - name: Send Slack Notification for External PR
+        if: steps.label_step.outputs.external == 'true'
+        uses: rtCamp/action-slack-notify@e31e87e03dd19038e411e38ae27cbad084a90661 # v2
+        env:
+          SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_URL }}
+          SLACK_TITLE: 'PR Created: ${{ github.event.pull_request.title }} by ${{ github.event.pull_request.user.login }}'
+          SLACK_FOOTER: ''
+          MSG_MINIMAL: true
+          SLACK_MESSAGE: '${{ github.event.pull_request.html_url }}'

.github/workflows/pr-labeler.yml

@@ -0,0 +1,26 @@
+name: "Sync to Mirror Repo"
+
+on:
+  schedule:
+    # Run twice daily at 3am and 3pm PST
+    - cron: '0 11,23 * * *'
+  workflow_dispatch: # Allow manual trigger
+
+jobs:
+  sync-from-public:
+    runs-on: ubuntu-latest
+    if: github.repository != 'aws/aws-sam-cli' # Only run in mirror repo
+    permissions:
+      contents: write
+    steps:
+      - name: Checkout public repo
+        uses: actions/checkout@v6
+        with:
+          repository: aws/aws-sam-cli
+          ref: develop
+          fetch-depth: 0
+
+      - name: Push to mirror repo
+        run: |
+          git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}.git
+          git push origin develop:develop --force

.github/workflows/sync-to-mirror-repo.yml

@@ -32,7 +32,7 @@ jobs:
           sudo ./sam-installation/install
           sam-beta --version
           ./tests/sanity-check.sh
-      - uses: actions/upload-artifact@v6
+      - uses: actions/upload-artifact@v7
         with:
           name: pyinstaller-linux-zip
           path: .build/output/aws-sam-cli-linux-x86_64.zip
@@ -61,7 +61,7 @@ jobs:
           sudo ./sam-installation/install
           sam-beta --version
           ./tests/sanity-check.sh
-      - uses: actions/upload-artifact@v6
+      - uses: actions/upload-artifact@v7
         with:
           name: pyinstaller-macos-zip
           path: .build/output/aws-sam-cli-macos-x86_64.zip

.github/workflows/validate_pyinstaller.yml

@@ -60,6 +60,70 @@ GitHub provides additional document on [forking a repository](https://help.githu
 [creating a pull request](https://help.github.com/articles/creating-a-pull-request/).
 
 
+## Integration Test Guidelines
+
+Integration tests run in CI via `.github/workflows/integration-tests.yml`. All jobs have AWS credentials. Tests in `build` and `local` jobs that require credentials are separated using a pytest marker.
+
+### Tests that require AWS credentials
+
+Some tests in `tests/integration/buildcmd/` and `tests/integration/local/` need AWS credentials (e.g. STS calls, Lambda layer publishing, SAR template resolution). These are:
+
+- **Excluded** from build/local jobs via `-m "not requires_credential"`
+- **Collected and run** in the dedicated `cloud-based-tests` CI job via `-m requires_credential`
+
+To mark a test that requires AWS credentials, add the marker:
+
+```python
+import pytest
+
+@pytest.mark.requires_credential
+class TestMyCloudFeature(SomeBaseClass):
+    ...
+```
+
+The marker is registered in `tests/conftest.py`. Build and local jobs automatically exclude these tests; `cloud-based-tests` automatically includes them.
+
+### Docker container cleanup in parallel tests
+
+`start-api` and `start-lambda` tests run in parallel (`-n 2`). Each test class snapshots existing Docker container IDs before starting its local server, and on teardown only removes containers created after the snapshot. This prevents one worker from killing another worker's containers.
+
+If you write a new base class that manages Docker containers, follow the same pattern in `start_lambda_api_integ_base.py` and `start_api_integ_base.py`: snapshot container IDs in `setUpClass`, and scope removal to only new containers in `tearDownClass`.
+
+### Tier 1 cross-platform smoke tests
+
+A curated subset of ~50 tests marked with `@pytest.mark.tier1` runs on every OS/container-runtime combination (e.g. Linux+Finch). These validate platform-specific code paths: file system operations, container runtime interaction, process spawning, and network operations.
+
+There are two markers:
+
+- `tier1` — standalone tests that don't duplicate any parameterized entry (e.g. a dedicated `test_tier1_*` method calling unique logic)
+- `tier1_extra` — dedicated `test_tier1_*` methods whose parameter set already exists in a `@parameterized.expand` list on the same class. These are excluded from normal Linux+Docker CI (via `-m "not tier1_extra"`) to avoid running the same test twice, but included in the tier1 Finch job (via `-m "tier1 or tier1_extra"`).
+
+Run locally with: `pytest -m "tier1 or tier1_extra" tests/integration tests/regression`
+
+To add a tier 1 test for a new feature:
+
+1. Add a dedicated `test_tier1_*` method that calls the existing test logic with one specific parameter set:
+
+```python
+@pytest.mark.tier1
+def test_tier1_my_feature(self):
+    """Single test for cross-platform validation."""
+    self._test_my_feature("runtime_x", use_container=False)
+
+@pytest.mark.tier1
+@skipIf(SKIP_DOCKER_TESTS or SKIP_DOCKER_BUILD, SKIP_DOCKER_MESSAGE)
+def test_tier1_my_feature_in_container(self):
+    """Single container test for cross-platform validation."""
+    self._test_my_feature("runtime_x", use_container=True)
+```
+
+2. If the parameter set already exists in a `@parameterized.expand` list, keep it in the original list and use `@pytest.mark.tier1_extra` instead of `@pytest.mark.tier1` on the dedicated method. This avoids running the same test twice in Linux+Docker CI.
+
+3. If the parameter set does NOT exist in any parameterized list (i.e. it's unique to the tier1 method), use `@pytest.mark.tier1`.
+
+4. Each runtime should have one non-container and one container tier 1 test.
+
+
 ## Finding contributions to work on
 Looking at the existing issues is a great way to find something to contribute on. As our projects, by default, use the default GitHub issue labels ((enhancement/bug/duplicate/help wanted/invalid/question/wontfix), looking at any ['help wanted'](https://github.com/aws/aws-sam-cli/labels/help%20wanted) issues is a great place to start. 
 

CONTRIBUTING.md

@@ -2,16 +2,32 @@
 # environment variable.
 SAM_CLI_TELEMETRY ?= 0
 
-.PHONY: schema
+.PHONY: schema init-nightly init-latest-release setup-pytest
 
 # Initialize environment specifically for Github action tests using uv
 init:
 	@if [ "$$GITHUB_ACTIONS" = "true" ]; then \
-		pip install uv==0.9.1 && SAM_CLI_DEV=1 uv pip install --system -e '.[dev]'; \
+		command -v uv >/dev/null 2>&1 || pip install uv==0.9.1; \
+		SAM_CLI_DEV=1 uv pip install --system -e '.[dev]'; \
 	else \
 		SAM_CLI_DEV=1 pip install -e '.[dev]'; \
 	fi
 
+# Set up a pytest venv with test dependencies
+setup-pytest:
+	python3.11 -m venv $(HOME)/pytest
+	uv pip install --python $(HOME)/pytest/bin/python3 -r requirements/dev.txt -r requirements/base.txt
+	sudo ln -sf $(HOME)/pytest/bin/pytest /usr/local/bin/pytest
+	pytest --version
+
+# Install SAM CLI nightly binary
+init-nightly:
+	bash tests/install-sam-cli-binary.sh sam-cli-nightly
+
+# Install SAM CLI latest release binary
+init-latest-release:
+	bash tests/install-sam-cli-binary.sh
+
 test:
 	# Run unit tests and fail if coverage falls below 94%
 	pytest --cov samcli --cov schema --cov-report term-missing --cov-fail-under 94 tests/unit
@@ -51,7 +67,11 @@ black:
 	black setup.py samcli tests schema
 
 black-check:
-	black --check setup.py samcli tests schema
+	@if python -c "import sys; sys.exit(0 if sys.version_info >= (3, 10) else 1)" 2>/dev/null; then \
+		black --check setup.py samcli tests schema; \
+	else \
+		echo "Skipping black check on Python < 3.10"; \
+	fi
 
 format: black
 	ruff check samcli --fix

Makefile

@@ -20,7 +20,7 @@ if [ "$openssl_version" = "" ]; then
 fi
 
 if [ "$zlib_version" = "" ]; then
-    zlib_version="1.3.1";
+    zlib_version="1.3.2";
 fi
 
 if [ "$CI_OVERRIDE" = "1" ]; then