Merge branch 'main' into merge-back/2.239.0

Author: mergify[bot]

.github/workflows/integration-test-deployment-auto.yml

@@ -0,0 +1,157 @@
+name: Integration Test deployment (Auto)
+
+# This workflow automatically runs integration tests when a PR with snapshot changes
+# is approved by a CDK team member. No manual approval required.
+#
+# SHADOW MODE: This workflow is in shadow mode - failures don't block PR merges.
+# Once validated, this will replace the label-based workflow (integration-test-deployment.yml).
+
+on:
+  pull_request_review:
+    types: [submitted]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number }}
+  cancel-in-progress: true
+
+jobs:
+  # Early validation: Check if approver is a CDK team member and PR has snapshot changes
+  validate_approver:
+    if: github.event.review.state == 'approved'
+    runs-on: ubuntu-latest
+    outputs:
+      should_run: ${{ steps.check_team.outputs.is_member == 'true' && steps.check_snapshots.outputs.has_snapshots == 'true' }}
+    permissions:
+      contents: read
+      pull-requests: read
+    steps:
+      - name: Checkout for path filtering
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 0
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: "lts/*"
+
+      - name: Install dependencies
+        run: yarn install --frozen-lockfile
+
+      - name: Build deployment-integ
+        run: yarn --cwd tools/@aws-cdk/integration-test-deployment build
+
+      - name: Check for snapshot changes
+        id: check_snapshots
+        env:
+          TARGET_BRANCH_COMMIT: ${{ github.event.pull_request.base.sha }}
+          SOURCE_BRANCH_COMMIT: ${{ github.event.pull_request.head.sha }}
+        run: |
+          # Reuses getChangedSnapshots() from utils.ts — single source of truth
+          if yarn --cwd tools/@aws-cdk/integration-test-deployment check-snapshots; then
+            echo "has_snapshots=true" >> $GITHUB_OUTPUT
+          else
+            echo "has_snapshots=false" >> $GITHUB_OUTPUT
+          fi
+
+      - name: Check if approver is CDK team member
+        id: check_team
+        if: steps.check_snapshots.outputs.has_snapshots == 'true'
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          APPROVER: ${{ github.event.review.user.login }}
+        run: |
+          # Use gh CLI to check team membership (pre-installed in GitHub Actions runners)
+          # https://docs.github.com/en/rest/teams/members#get-team-membership-for-a-user
+          if gh api "orgs/aws/teams/aws-cdk-team/memberships/${APPROVER}" --jq '.state' 2>/dev/null | grep -q "active"; then
+            echo "${APPROVER} is an active CDK team member"
+            echo "is_member=true" >> $GITHUB_OUTPUT
+          else
+            echo "${APPROVER} is not a CDK team member or membership is not active"
+            echo "is_member=false" >> $GITHUB_OUTPUT
+          fi
+
+  integration_test_deployment_auto:
+    needs: validate_approver
+    # Only run if approver is a CDK team member AND PR has snapshot changes
+    if: needs.validate_approver.outputs.should_run == 'true'
+    runs-on: codebuild-aws-cdk-github-actions-deployment-integ-runner-${{ github.run_id }}-${{ github.run_attempt }}
+    # No environment - runs automatically without manual approval
+    # Shadow mode: workflow reports success even if tests fail
+    continue-on-error: true
+    name: 'Deploy integration test snapshots (Auto)'
+
+    # Job-level permissions for least privilege
+    permissions:
+      id-token: write # Required for OIDC authentication with AWS Atmosphere
+      pull-requests: read # Required to check PR reviews and labels
+      contents: read # Required to checkout code
+
+    env:
+      PR_BUILD: true
+
+    steps:
+      - name: Checkout HEAD
+        uses: actions/checkout@v6
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+          fetch-depth: 0
+
+      - name: Setup Node.js
+        uses: actions/setup-node@v6
+        with:
+          node-version: "lts/*"
+          cache: "yarn"
+          cache-dependency-path: |
+            yarn.lock
+
+      - name: Set up Docker
+        uses: docker/setup-buildx-action@v3
+
+      - name: Load Docker images
+        id: docker-cache
+        uses: actions/cache/restore@v5
+        with:
+          path: |
+            ~/.docker-images.tar
+          key: docker-cache-${{ runner.os }}
+
+      - name: Restore Docker images
+        if: ${{ steps.docker-cache.outputs.cache-hit }}
+        run: docker image load --input ~/.docker-images.tar
+
+      - name: Cache build artifacts
+        uses: actions/cache@v5
+        with:
+          path: |
+            ~/.s3buildcache
+          key: s3buildcache-${{ runner.os }}
+
+      - name: Configure system settings
+        run: |
+          (command -v sysctl || sudo apt-get update && sudo apt-get install -y procps) && \
+          sudo sysctl -w vm.max_map_count=2251954
+
+      - name: Install dependencies for Integration Tests
+        run: yarn install --frozen-lockfile
+
+      - name: Build deployment-integ
+        run: yarn --cwd tools/@aws-cdk/integration-test-deployment build
+
+      - name: Build Integration Test packages
+        run: npx lerna run build --scope="{@aws-cdk/*,@aws-cdk-testing/framework-integ}"
+
+      - name: Run integration tests
+        run: yarn run atmosphere-integ-test
+        env:
+          CDK_ATMOSPHERE_ENDPOINT: ${{ vars.CDK_ATMOSPHERE_ENDPOINT }}
+          CDK_ATMOSPHERE_POOL: ${{ vars.CDK_ATMOSPHERE_POOL }}
+          CDK_ATMOSPHERE_OIDC_ROLE: ${{ vars.CDK_ATMOSPHERE_OIDC_ROLE }}
+          CDK_ATMOSPHERE_BATCH_SIZE: ${{ vars.CDK_ATMOSPHERE_BATCH_SIZE }}
+          TARGET_BRANCH_COMMIT: ${{ github.event.pull_request.base.sha }}
+          SOURCE_BRANCH_COMMIT: ${{ github.event.pull_request.head.sha }}
+          # GitHub context for preflight check (validates CDK team membership)
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_REPOSITORY: ${{ github.repository }}
+          PR_NUMBER: ${{ github.event.pull_request.number }}

packages/@aws-cdk/mixins-preview/lib/services/aws-devopsagent/mixins.ts

@@ -1 +1,2 @@
 export * from './cfn-props-mixins.generated';
+export * from './logs-delivery-mixins.generated';

packages/@aws-cdk/mixins-preview/lib/services/aws-s3/mixins.ts

@@ -1,3 +1,4 @@
 export * from './bucket';
 export * from './bucket-policy';
 export * from './cfn-props-mixins.generated';
+export * from './logs-delivery-mixins.generated';

packages/@aws-cdk/mixins-preview/package.json

@@ -663,7 +663,7 @@
     "@aws-cdk/integ-runner": "^2.195.0",
     "@aws-cdk/integ-tests-alpha": "0.0.0",
     "@aws-cdk/pkglint": "0.0.0",
-    "@aws-cdk/service-spec-types": "^0.0.218",
+    "@aws-cdk/service-spec-types": "^0.0.219",
     "@aws-cdk/spec2cdk": "0.0.0",
     "@cdklabs/tskb": "^0.0.4",
     "@cdklabs/typewriter": "^0.0.15",

packages/aws-cdk-lib/package.json

@@ -134,7 +134,7 @@
   },
   "devDependencies": {
     "@aws-cdk/lambda-layer-kubectl-v31": "^2.1.0",
-    "@aws-cdk/aws-service-spec": "^0.1.152",
+    "@aws-cdk/aws-service-spec": "^0.1.153",
     "@aws-cdk/cdk-build-tools": "0.0.0",
     "@aws-cdk/custom-resource-handlers": "0.0.0",
     "@aws-cdk/pkglint": "0.0.0",

tools/@aws-cdk/integration-test-deployment/README.md

@@ -6,11 +6,14 @@ A tool for running AWS CDK integration tests against changed snapshots using AWS
 
 This tool automatically detects changed integration test snapshots in the CDK repository and runs them against real AWS environments managed by Atmosphere. It ensures that CDK changes don't break existing functionality by testing them in isolated AWS accounts.
 
-This tool is used by the [Integration Test Deployment workflow](../../../.github/workflows/codebuild-pr-deployment-integ.yml).
+This tool is used by two workflows:
+- [Integration Test Deployment](../../../.github/workflows/integration-test-deployment.yml) - Label-triggered with manual approval
+- [Integration Test Deployment (Auto)](../../../.github/workflows/integration-test-deployment-auto.yml) - Auto-triggered on CDK team approval (shadow mode)
 
 ## Features
 
 - **Automatic Change Detection**: Filters through the changed files to detect the integration tests
+- **Preflight Check**: Validates that the PR is approved by a CDK team member before running tests
 - **AWS Environment Management**: Integrates with AWS Atmosphere for temporary AWS account allocation
 - **Isolated Testing**: Each test run gets its own AWS environment with proper credentials
 - **Cleanup**: Automatically releases AWS resources after test completion
@@ -21,10 +24,26 @@ Authenticating to assume atmosphere role through OIDC token.
 
 ## Environment Variables
 
-| Variable | Description
-|----------|-------------
-| `CDK_ATMOSPHERE_ENDPOINT` | AWS Atmosphere service endpoint
-| `CDK_ATMOSPHERE_POOL` | AWS account pool name for allocation
+| Variable | Description |
+|----------|-------------|
+| `CDK_ATMOSPHERE_ENDPOINT` | AWS Atmosphere service endpoint |
+| `CDK_ATMOSPHERE_POOL` | AWS account pool name for allocation |
+| `CDK_ATMOSPHERE_OIDC_ROLE` | IAM role ARN for OIDC authentication |
+| `CDK_ATMOSPHERE_BATCH_SIZE` | (Optional) Number of tests to run in parallel |
+| `TARGET_BRANCH_COMMIT` | Base branch commit SHA for diff |
+| `SOURCE_BRANCH_COMMIT` | PR head commit SHA for diff |
+| `GITHUB_TOKEN` | (Optional) GitHub token for preflight check |
+| `GITHUB_REPOSITORY` | (Optional) Repository in format `owner/repo` |
+| `PR_NUMBER` | (Optional) Pull request number |
+
+## Preflight Check
+
+When GitHub context is provided (`GITHUB_TOKEN`, `GITHUB_REPOSITORY`, `PR_NUMBER`), the tool performs a preflight check before running integration tests:
+
+1. **Snapshot Changes**: Verifies the PR contains `.snapshot` file changes
+2. **Authorization**: Checks if the PR is approved by a CDK team member (`@aws/aws-cdk-team`)
+
+If the preflight check fails, the tool exits gracefully without running tests. This prevents unnecessary test runs on PRs that haven't been reviewed by the CDK team yet.
 
 ## Development 
 

tools/@aws-cdk/integration-test-deployment/bin/index.ts

@@ -1,24 +1,15 @@
 #!/usr/bin/env node
-import { deployIntegTests } from '../lib/integration-test-runner';
-
-const endpoint = process.env.CDK_ATMOSPHERE_ENDPOINT;
-const pool = process.env.CDK_ATMOSPHERE_POOL;
-const atmosphereRoleArn = process.env.CDK_ATMOSPHERE_OIDC_ROLE;
-const batchSize = process.env.CDK_ATMOSPHERE_BATCH_SIZE !== undefined ? Number.parseInt(process.env.CDK_ATMOSPHERE_BATCH_SIZE) : undefined;
-
-if (!endpoint) {
-  throw new Error('CDK_ATMOSPHERE_ENDPOINT environment variable is required');
-}
-
-if (!pool) {
-  throw new Error('CDK_ATMOSPHERE_POOL environment variable is required');
-}
-
-if (!atmosphereRoleArn) {
-  throw new Error('CDK_ATMOSPHERE_OIDC_ROLE environment variable is required');
-}
-
-deployIntegTests({ atmosphereRoleArn, endpoint, pool, batchSize }).catch((e) => {
+import { main } from '../lib/main';
+
+main({
+  endpoint: process.env.CDK_ATMOSPHERE_ENDPOINT,
+  pool: process.env.CDK_ATMOSPHERE_POOL,
+  atmosphereRoleArn: process.env.CDK_ATMOSPHERE_OIDC_ROLE,
+  batchSize: process.env.CDK_ATMOSPHERE_BATCH_SIZE !== undefined ? Number.parseInt(process.env.CDK_ATMOSPHERE_BATCH_SIZE) : undefined,
+  githubToken: process.env.GITHUB_TOKEN,
+  githubRepository: process.env.GITHUB_REPOSITORY,
+  prNumber: process.env.PR_NUMBER,
+}).catch((e) => {
   console.error(e);
   process.exitCode = 1;
 });

tools/@aws-cdk/integration-test-deployment/lib/main.ts

@@ -0,0 +1,69 @@
+import { deployIntegTests } from './integration-test-runner';
+import { shouldRunIntegTests } from './preflight';
+
+export interface MainConfig {
+  endpoint?: string;
+  pool?: string;
+  atmosphereRoleArn?: string;
+  batchSize?: number;
+  githubToken?: string;
+  githubRepository?: string;
+  prNumber?: string;
+}
+
+/**
+ * Main entry point for integration test deployment.
+ * Extracted for testability.
+ */
+export async function main(config: MainConfig): Promise<void> {
+  const { endpoint, pool, atmosphereRoleArn, batchSize, githubToken, githubRepository, prNumber } = config;
+
+  // Run preflight check if GitHub context is available
+  if (githubToken && githubRepository && prNumber) {
+    // Validate repository format
+    const repoParts = githubRepository.split('/');
+    if (repoParts.length !== 2 || !repoParts[0] || !repoParts[1]) {
+      throw new Error(`Invalid GITHUB_REPOSITORY format: "${githubRepository}". Expected format: owner/repo`);
+    }
+    const [owner, repo] = repoParts;
+
+    // Validate PR number
+    const parsedPrNumber = parseInt(prNumber, 10);
+    if (isNaN(parsedPrNumber) || parsedPrNumber <= 0) {
+      throw new Error(`Invalid PR number: "${prNumber}". Expected a positive integer.`);
+    }
+
+    console.log(`Running preflight check for PR #${parsedPrNumber}...`);
+
+    const preflight = await shouldRunIntegTests({
+      githubToken,
+      owner,
+      repo,
+      prNumber: parsedPrNumber,
+    });
+
+    console.log(`Preflight result: ${preflight.reason}`);
+
+    if (!preflight.shouldRun) {
+      console.log('Skipping integration test deployment.');
+      return;
+    }
+  } else {
+    console.log('GitHub context not available, skipping preflight check (manual run or workflow_dispatch)');
+  }
+
+  // Validate required environment variables for deployment
+  if (!endpoint) {
+    throw new Error('CDK_ATMOSPHERE_ENDPOINT environment variable is required');
+  }
+
+  if (!pool) {
+    throw new Error('CDK_ATMOSPHERE_POOL environment variable is required');
+  }
+
+  if (!atmosphereRoleArn) {
+    throw new Error('CDK_ATMOSPHERE_OIDC_ROLE environment variable is required');
+  }
+
+  await deployIntegTests({ atmosphereRoleArn, endpoint, pool, batchSize });
+}