Merge branch 'main' into feat/origin-group-selection-criteria

.github/workflows/check-suite-test.yaml

@@ -0,0 +1,25 @@
+
+name: Check Suite Logger
+
+on:
+  check_suite:
+    types: [completed]
+
+jobs:
+  log-check-suite:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Log check suite event details
+        run: |
+          echo "Check Suite ID: ${{ github.event.check_suite.id }}"
+          echo "Status: ${{ github.event.check_suite.status }}"
+          echo "Conclusion: ${{ github.event.check_suite.conclusion }}"
+          echo "URL: ${{ github.event.check_suite.url }}"
+          echo "Head Branch: ${{ github.event.check_suite.head_branch }}"
+          echo "Head SHA: ${{ github.event.check_suite.head_sha }}"
+          echo "Repository: ${{ github.event.repository.full_name }}"
+          echo "Sender: ${{ github.event.sender.login }}"
+          echo "Created At: ${{ github.event.check_suite.created_at }}"
+          echo "Updated At: ${{ github.event.check_suite.updated_at }}"
+          echo "Pull Requests: ${{ toJson(github.event.check_suite.pull_requests) }}"

.github/workflows/pr-linter-trigger.yml → .github/workflows/pr-linter-review-trigger.yml

@@ -1,3 +1,12 @@
+# Re-evaluate the PR linter after reviews. This is used to upgrade the label
+# of a PR to `needs-maintainer-review` after a trusted community members leaves
+# an approving review.
+#
+# Unprivileged workflow that runs in the context of the PR, when a review is changed.
+#
+# Save the PR number, and download it again in the PR Linter workflow which
+# needs to run in privileged `workflow_run` context (but then must restore the
+# PR context).
 name: PR Linter Trigger
 
 on:

.github/workflows/pr-linter.yml

@@ -26,39 +26,29 @@ jobs:
     # if conditions on all individual steps because subsequent jobs depend on this job
     # and we cannot skip it entirely
     steps:
-      - name: 'Download artifact'
+      - name: 'Download workflow_run artifact'
         if: github.event_name == 'workflow_run'
-        uses: actions/github-script@v7
+        uses: dawidd6/action-download-artifact@v7
         with:
-          script: |
-            let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
-               owner: context.repo.owner,
-               repo: context.repo.repo,
-               run_id: context.payload.workflow_run.id,
-            });
-            let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
-              return artifact.name == "pr_info"
-            })[0];
-            let download = await github.rest.actions.downloadArtifact({
-               owner: context.repo.owner,
-               repo: context.repo.repo,
-               artifact_id: matchArtifact.id,
-               archive_format: 'zip',
-            });
-            let fs = require('fs');
-            fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/pr_info.zip`, Buffer.from(download.data));
-      - name: 'Unzip artifact'
-        if: github.event_name == 'workflow_run'
-        run: unzip pr_info.zip
+          run_id: ${{ github.event.workflow_run.id }}
+          name: pr_info
+          path: pr/
+          search_artifacts: true
 
-      - name: 'Make GitHub output'
+      - name: 'Determine PR info'
+        # PR info comes from the artifact if downloaded, or GitHub context if not.
         if: github.event_name == 'workflow_run'
         id: 'pr_output'
         run: |
-          echo "cat pr_number"
-          echo "pr_number=$(cat pr_number)" >> "$GITHUB_OUTPUT"
-          echo "cat pr_sha"
-          echo "pr_sha=$(cat pr_sha)" >> "$GITHUB_OUTPUT"
+          if [[ ! -f pr/pr_number ]]; then
+            echo "${{ github.event.pull_request.number }}" > pr/pr_number
+          fi
+          if [[ ! -f pr/pr_sha ]]; then
+            echo "${{ github.event.pull_request.head.sha }}" > pr/pr_sha
+          fi
+          cat pr/*
+          echo "pr_number=$(cat pr/pr_number)" >> "$GITHUB_OUTPUT"
+          echo "pr_sha=$(cat pr/pr_sha)" >> "$GITHUB_OUTPUT"
 
   validate-pr:
     # Necessary to have sufficient permissions to write to the PR
@@ -80,7 +70,7 @@ jobs:
         uses: ./tools/@aws-cdk/prlint
         env:
           GITHUB_TOKEN: ${{ secrets.PROJEN_GITHUB_TOKEN }}
-          # PR_NUMBER and PR_SHA is empty if triggered by pull_request_target, since we already have that info
           PR_NUMBER: ${{ needs.download-if-workflow-run.outputs.pr_number }}
           PR_SHA: ${{ needs.download-if-workflow-run.outputs.pr_sha }}
+          LINTER_LOGIN: ${{ vars.LINTER_LOGIN }}
           REPO_ROOT: ${{ github.workspace }}

.mergify.yml

@@ -12,6 +12,7 @@ queue_rules:
       - -closed
       - "#approved-reviews-by>=1"
       - -approved-reviews-by~=author
+      # This is important! It makes the PR Linter work.
       - "#changes-requested-reviews-by=0"
       - status-success~=AWS CodeBuild us-east-1
       - status-success=validate-pr
@@ -30,6 +31,7 @@ queue_rules:
       - -closed
       - "#approved-reviews-by>=1"
       - -approved-reviews-by~=author
+      # This is important! It makes the PR Linter work.
       - "#changes-requested-reviews-by=0"
       - status-success~=AWS CodeBuild us-east-1
       - status-success=validate-pr
@@ -61,6 +63,7 @@ pull_request_rules:
       - author!=dependabot-preview[bot]
       - "#approved-reviews-by>=1"
       - -approved-reviews-by~=author
+      # This is important! It makes the PR Linter work.
       - "#changes-requested-reviews-by=0"
       - status-success~=AWS CodeBuild us-east-1
       - status-success=validate-pr
@@ -81,6 +84,7 @@ pull_request_rules:
       - author!=dependabot-preview[bot]
       - "#approved-reviews-by>=2"
       - -approved-reviews-by~=author
+      # This is important! It makes the PR Linter work.
       - "#changes-requested-reviews-by=0"
       - status-success~=AWS CodeBuild us-east-1
       - status-success=validate-pr
@@ -101,6 +105,7 @@ pull_request_rules:
       - author!=dependabot-preview[bot]
       - "#approved-reviews-by>=1"
       - -approved-reviews-by~=author
+      # This is important! It makes the PR Linter work.
       - "#changes-requested-reviews-by=0"
       - status-success~=AWS CodeBuild us-east-1
       - status-success=validate-pr
@@ -140,6 +145,7 @@ pull_request_rules:
       - -closed
       - author~=dependabot
       - "#approved-reviews-by>=1"
+      # This is important! It makes the PR Linter work.
       - "#changes-requested-reviews-by=0"
       - status-success~=AWS CodeBuild us-east-1
       - status-success=validate-pr

CONTRIBUTING.md

@@ -1,18 +1,20 @@
 # Contributing to the AWS Cloud Development Kit
 
-Thanks for your interest in contributing to the AWS CDK! ❤️
+The AWS Cloud Development Kit (AWS CDK) is an open-source software development
+framework that you can contribute to. We highly value community contributions,
+which significantly impact the development of the AWS CDK. This document will
+guide you through learning about contributions, getting started with creating
+contributions, and understanding what is required to ensure that your
+efforts are impactful and your contribution process goes smoothly.
 
-We highly value contributions, with roughly half of all commits to the CDK
-coming from the community. We want to recognize all your hard work
-by getting your code merged as quickly as we can, so please read the guidance
-here carefully to make sure the review process goes smoothly.
+Thank you for your interest in contributing to the AWS CDK! We look forward to
+working with you to improve the AWS CDK for everyone. ❤️
 
-The CDK is released under the [Apache license](http://aws.amazon.com/apache2.0/).
-Any code you submit will be released under that license.
-
-This document describes how to set up a development environment and submit your changes. Please
-let us know if it's not up-to-date (even better, submit a PR with your corrections ;-)).
+The AWS CDK is released under the [Apache license](http://aws.amazon.com/apache2.0/).
+Any code that you submit will be released under that license.
 
+- [What are contributions?](#what-are-contributions)
+- [How contributions work](#how-contributions-work)
 - [Where To Contribute](#where-to-contribute)
   - [Demonstrating Value](#demonstrating-value)
   - [Publishing Your Own Package](#publishing-your-own-package)
@@ -52,47 +54,58 @@ let us know if it's not up-to-date (even better, submit a PR with your correctio
 - [Badges (Pilot Program)](#badges-pilot-program)
 - [Related Repositories](#related-repositories)
 
-## Contribution Workflow Diagram
+## What are contributions?
+
+A *contribution* refers to any improvement or addition to the AWS CDK from the
+community. You make contributions to the AWS CDK through the `aws-cdk`
+repository. They can include the following:
+
+- **New features** - New functionality for existing L2 constructs or new L2
+  constructs for new or existing AWS services.
+- **Bug fixes** - Address and fix issues in the code to improve functionality
+  or correct errors.
+- **Documentation** - Improve documentation, such as adding examples, enhancing
+  readability, or updating existing content.
+- **Tests** - Add or improve tests to increase code coverage and ensure
+  stability.
+- **Refactoring** - Improve the code structure or performance without altering
+  its behavior.
+
+Contributions can be *major* or *minor* in scope and size:
+
+- **Major contributions** - Includes major new additions, such as new L2
+  constructs, updates that change how the AWS CDK works, or enhancements to
+  existing AWS CDK features and functionality that introduce breaking changes.
+- **Minor contributions** - Includes bug fixes, improvements to existing L2
+  constructs, and other updates that don't alter how the AWS CDK works, such
+  as the addition of tests and changes to documentation.
+
+## How contributions work
+
+The following diagram illustrates how contributions work, from creation to completion:
+
 ```mermaid
 flowchart TD
-    A(Identify Desired Functionality) --> B(Search For Existing Artifacts)
-    B --> C[External Packages]
-    B --> D[Relevant Issues And PRs]
-    C --> E{"Does A High Quality
-            Solution Exist?"}
-    D --> F{"Is There A PR In Progress"}
-    E --> |Yes| G(("Ask How You
-                    Can Help"))
-    F --> |Yes| G
-    E --> |No| H(Evaluate Where To Contribute)
-    F --> |No| H
-    H --> I{"Is There Clear Evidence
-            For Inclusion In AWS-CDK"}
-    I --> |Yes| subEvidence
-    I --> |No| J{"Do You Want To Pursue Eventual
-                  Inclusion In AWS-CDK"}
-    J --> |No| L(("Create Private
-                  Implementation"))
-    J --> |Yes| K((Publish A Package))
-    subEvidence --> M(Make Pull Request)
-    M --> N{"Passes CI Checks, Linters,
-            And Follows Design Guidelines"}
-    N --> O(Review)
-    O --> |Accepted| R(Hooray!)
-    O --> P(Changes Requested)
-    P --> Q(Make Changes)
-    Q --> O
-    O --> |Refused| K
-
-subgraph subEvidence[Gather Evidence]
-    direction LR
-    engagement[Engagement from Multiple users]
-    core[Intersects With Core Framework Concerns]
-    quality["Clear, Well Defined, Solution With
-            Limited Scope And Clear Boundaries"]
-    external[External Packages]
-    issues[Relevant Issues And PRs]
-end
+  A(Identify desired functionality) --> B(Consider a contribution)
+  B --> C[External packages]
+  B --> D[Relevant Issues and PRs]
+  C --> E{Is a contribution the right solution?}
+  D --> E
+  E --> |Yes|F{Is your contribution major or minor?}
+  E --> |No|G((Pursue alternative solutions))
+  F --> |Major|H(Submit an RFC to discuss)
+  F --> |Minor|I(Code your changes)
+  H --> Q{Is a contribution the right solution?}
+  I --> J(Submit your PR)
+  J --> K[PR passes checks, linters, and follows design guidelines]
+  K --> L[PR is reviewed]
+  L --> M{Should PR be approved?}
+  M --> |Yes|N((PR is approved and merged))
+  M --> |No|O{Should PR be modified or closed?}
+  O --> |Modified|I
+  O --> |Closed|P((PR is closed))
+  Q --> |Yes|I
+  Q --> |No|S((RFC is closed))
 ```
 
 ## Where to Contribute
@@ -123,7 +136,7 @@ All of this information will help make it clear to reviewers why your contributi
 
 This is by far the strongest signal you can give to the CDK team that a feature should be included within the core aws-cdk packages. A package published on npm, PyPI, Maven Central, NuGet, and GitHub (for Go) that has good documentation, a clear purpose, and an active group of users is a good indication that the functionality it provides is useful and should be examined for inclusion in the core aws-cdk packages. This may not be the goal of any given package, and some constructs and features do not provide functionality that should ever be vended as part of the core framework. However, if a package you own does include functionality that you and other users believe should be vended as part of the core CDK, we encourage making a pull request, or RFC if appropriate, proposing its inclusion.
 
-#### Trust and Third Party Packages 
+#### Trust and Third Party Packages
 
 An argument we commonly hear why contributors don't want to publish their contributions in their own packages, is that organizations have restrictions on what packages they allow to be used and these restrictions commonly include limiting usage of packages to those owned and distributed only from trusted sources. We recognize trust is an important part of the software dependency chain, and we take that into consideration when evaluating contributions in aws-cdk. However, not everything can be owned by the aws-cdk team. Strictly from a technical limitation perspective, `aws-cdk-lib` is big. Continuing a system that makes it, potentially, many multiple times bigger, has a cost on usability. Additionally, as the surface area widens, the aws-cdk team becomes stretched ever thinner and isn't able to properly maintain what we own.
 
@@ -718,6 +731,10 @@ To make this easier we have a `pr/needs-review` label that we can add to each
 PR. If you do not see this label on your PR then it means that something needs
 to be fixed before it can be reviewed.
 
+> [!NOTE]  
+> The `aws-cdk` repository is frequently updated, so PR branches may quickly become out-of-date, showing "This branch is out-of-date with the base branch." This is not an issue as long as there are no conflicts with the newly merged commits. Once the PR is approved, our automation will update it with the latest `main` branch and handle the merge. No action is needed on your part.
+
+
 #### Adding construct runtime dependencies
 
 Any tool that is not part of the CDK, and needs to be used by a construct during

README.md

@@ -7,7 +7,6 @@
 [![NuGet version](https://badge.fury.io/nu/Amazon.CDK.Lib.svg)](https://badge.fury.io/nu/Amazon.CDK.Lib)
 [![Maven Central](https://maven-badges.herokuapp.com/maven-central/software.amazon.awscdk/aws-cdk-lib/badge.svg)](https://maven-badges.herokuapp.com/maven-central/software.amazon.awscdk/aws-cdk-lib)
 [![Go Reference](https://pkg.go.dev/badge/github.com/aws/aws-cdk-go/awscdk/v2.svg)](https://pkg.go.dev/github.com/aws/aws-cdk-go/awscdk/v2)
-[![Mergify](https://img.shields.io/endpoint.svg?url=https://gh.mergify.io/badges/aws/aws-cdk&style=flat)](https://mergify.io)
 
 [![View on Construct Hub](https://constructs.dev/badge?package=aws-cdk-lib)](https://constructs.dev/packages/aws-cdk-lib)
 

aws-cdk.code-workspace

@@ -31,6 +31,7 @@
         "name": "aws-custom-resource-sdk-adapter",
         "rootPath": "packages/@aws-cdk/aws-custom-resource-sdk-adapter"
       },
+      { "name": "toolkit", "rootPath": "packages/@aws-cdk/toolkit" },
       { "name": "user-input-gen", "rootPath": "tools/@aws-cdk/user-input-gen" }
     ]
   },

packages/@aws-cdk-testing/cli-integ/resources/cdk-apps/sam_cdk_integ_app/src/docker/DockerImageFunctionConstruct/Dockerfile

@@ -5,5 +5,7 @@ COPY app.js  package.json ./
 
 RUN npm install
 
+USER nobody
+
 # Set the CMD to your handler (could also be done as a parameter override outside of the Dockerfile)
 CMD [ "app.lambdaHandler" ]