Merge branch 'dev' into feature/net8-upgrade

Author: philasmar

.autover/changes/1c879063-ec4b-4330-80a2-3f2116812150.json

@@ -0,0 +1,117 @@
+name: Auto Update Bootstrap Version Changes
+
+on:
+  schedule:
+    # Runs at 00:00 UTC every Monday
+    - cron: '0 0 * * 1'
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+  id-token: write
+
+jobs:
+  detect-cdk-bootstrap-changes:
+    runs-on: ubuntu-latest
+    steps:
+    - name: Configure AWS Credentials
+      uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df #v4.2.1
+      with:
+        role-to-assume: ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_ROLE_ARN }}
+        aws-region: us-west-2
+
+    - name: Retrieve secret from AWS Secrets Manager
+      uses: aws-actions/aws-secretsmanager-get-secrets@5e19ff380d035695bdd56bbad320ca535c9063f2 #v2.0.9
+      with:
+        secret-ids: |
+          AWS_SECRET, ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_NAME }}
+        parse-json-secrets: true
+
+    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
+      with:
+        fetch-depth: '0'
+        ref: dev
+        token: ${{ env.AWS_SECRET_TOKEN }}
+
+    - name: Setup .NET
+      uses: actions/setup-dotnet@67a3573c9a986a3f9c594539f4ab511d57bb3ce9 #v4.3.1
+      with:
+        dotnet-version: '8.0.x'
+
+    - name: Install AWS CDK
+      run: |
+        npm install -g aws-cdk
+
+    - name: Create temporary directory
+      run: mkdir -p temp_cdk
+
+    - name: Save New CDK Bootstrap Template
+      working-directory: temp_cdk
+      run: |
+        cdk acknowledge 32775
+        cdk bootstrap --show-template > newTemplate.yml
+
+    - name: Update Template with Required Policies
+      working-directory: temp_cdk
+      run: |
+        yq eval '.Resources.StagingBucket.UpdateReplacePolicy = "Delete"' -i newTemplate.yml
+        yq eval '.Resources.StagingBucket.DeletionPolicy = "Delete"' -i newTemplate.yml
+
+    - name: Check for version changes
+      id: check_version
+      run: |
+        OLD_VERSION=$(yq eval '.Resources.CdkBootstrapVersion.Properties.Value' src/AWS.Deploy.Orchestration/CDK/CDKBootstrapTemplate.yaml)
+        NEW_VERSION=$(yq eval '.Resources.CdkBootstrapVersion.Properties.Value' temp_cdk/newTemplate.yml)
+        
+        if [ "$OLD_VERSION" != "$NEW_VERSION" ]; then
+          echo "Version changed from $OLD_VERSION to $NEW_VERSION"
+          echo "version_changed=true" >> $GITHUB_OUTPUT
+          echo "new_version=$NEW_VERSION" >> $GITHUB_OUTPUT
+        else
+          echo "No version change detected"
+          echo "version_changed=false" >> $GITHUB_OUTPUT
+        fi
+
+    - name: Update CDK Bootstrap Template
+      if: steps.check_version.outputs.version_changed == 'true'
+      run: |
+        cp temp_cdk/newTemplate.yml src/AWS.Deploy.Orchestration/CDK/CDKBootstrapTemplate.yaml
+
+    - name: Generate change file
+      if: steps.check_version.outputs.version_changed == 'true'
+      env:
+        NEW_VERSION: ${{ steps.check_version.outputs.new_version }}
+      run: |
+        dotnet tool install -g autover --version 0.0.25
+        autover change --project-name "AWS.Deploy.CLI" -m "Update CDK Bootstrap template to version $NEW_VERSION"
+
+    - name: Setup Git User
+      run: |
+        git config --global user.email "github-aws-sdk-dotnet-automation@amazon.com"
+        git config --global user.name "aws-sdk-dotnet-automation"
+
+    - name: Delete existing branch if it exists
+      if: steps.check_version.outputs.version_changed == 'true'
+      env:
+        GITHUB_TOKEN: ${{ env.AWS_SECRET_TOKEN }}
+      run: |
+        # Check if branch exists and delete it if it does
+        if git ls-remote --heads origin update-cdk-bootstrap-template | grep -q update-cdk-bootstrap-template; then
+          git push origin --delete update-cdk-bootstrap-template || true
+        fi
+
+    - name: Create Pull Request
+      if: steps.check_version.outputs.version_changed == 'true'
+      env:
+        GITHUB_TOKEN: ${{ env.AWS_SECRET_TOKEN }}
+      run: |
+        git checkout -b update-cdk-bootstrap-template
+        git add src/AWS.Deploy.Orchestration/CDK/CDKBootstrapTemplate.yaml .autover/
+        git commit -m "chore: update CDK bootstrap template to version ${{ steps.check_version.outputs.new_version }}"
+        git push origin update-cdk-bootstrap-template
+        gh pr create \
+          --title "Update CDK Bootstrap Template to Version ${{ steps.check_version.outputs.new_version }}" \
+          --base dev \
+          --head update-cdk-bootstrap-template \
+          --fill

.github/workflows/AutoUpdateBootstrap.yml

@@ -10,7 +10,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
+      uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df #v4.2.1
       with:
         role-to-assume: ${{ secrets.CI_MAIN_TESTING_ACCOUNT_ROLE_ARN }}
         role-duration-seconds: 7200

.github/workflows/DetectDocGeneratorChanges.yml

@@ -16,7 +16,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Configure AWS Credentials
-      uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
+      uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df #v4.2.1
       with:
         aws-region: us-west-2
         role-to-assume: ${{ secrets.DOCKER_IMAGE_UPLOADER_ROLE }}

.github/workflows/UploadDockerImage.yml

@@ -17,7 +17,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
+        uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df #v4.2.1
         with:
           role-to-assume: ${{ secrets.CI_MAIN_TESTING_ACCOUNT_ROLE_ARN }}
           role-duration-seconds: 7200
@@ -30,7 +30,7 @@ jobs:
           $roleArn=$(cat ./response.json)
           "roleArn=$($roleArn -replace '"', '')" >> $env:GITHUB_OUTPUT
       - name: Configure Test Runner Credentials
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
+        uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df #v4.2.1
         with:
           role-to-assume: ${{ steps.lambda.outputs.roleArn }}
           role-duration-seconds: 7200

.github/workflows/aws-ci.yml

@@ -25,13 +25,13 @@ jobs:
     steps:
       # Assume an AWS Role that provides access to the Access Token
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
+        uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df #v4.2.1
         with:
           role-to-assume: ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_ROLE_ARN }}
           aws-region: us-west-2
       # Retrieve the Access Token from Secrets Manager
       - name: Retrieve secret from AWS Secrets Manager
-        uses: aws-actions/aws-secretsmanager-get-secrets@fbd65ea98e018858715f591f03b251f02b2316cb #v2.0.8
+        uses: aws-actions/aws-secretsmanager-get-secrets@5e19ff380d035695bdd56bbad320ca535c9063f2 #v2.0.9
         with:
           secret-ids: |
             AWS_SECRET, ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_NAME }}

.github/workflows/create-release-pr.yml

@@ -16,14 +16,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
+        uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df #v4.2.1
         with:
           role-to-assume: ${{ secrets.CI_MAIN_TESTING_ACCOUNT_ROLE_ARN }}
           aws-region: us-west-2
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #v4.2.2
         with:
           fetch-depth: '0'
-      - uses: actions/setup-python@65d7f2d534ac1bc67fcd62888c5f4f3d2cb2b236 #v4.7.1
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 #v5.6.0
         with:
           python-version: 3.x
       - name: Setup .NET 8

.github/workflows/doc-builder.yml

@@ -13,6 +13,6 @@ jobs:
       discussions: write
     steps:
       - name: Stale discussions action
-        uses: aws-github-ops/handle-stale-discussions@711a9813957be17629fc6933afcd8bd132c57254 #v1.6
+        uses: aws-github-ops/handle-stale-discussions@c0beee451a5d33d9c8f048a6d4e7c856b5422544 #v1.6.0
         env:
           GITHUB_TOKEN:  ${{secrets.GITHUB_TOKEN}}

.github/workflows/handle-stale-discussions.yml

@@ -30,7 +30,7 @@ jobs:
             p/owasp-top-ten
 
       - name: Upload SARIF file for GitHub Advanced Security Dashboard
-        uses: github/codeql-action/upload-sarif@28deaeda66b76a05916b6923827895f2b14ab387 #v3.28.16 
+        uses: github/codeql-action/upload-sarif@fca7ace96b7d713c7035871441bd52efbe39e27e #v3.28.19
         with:
           sarif_file: semgrep.sarif
         if: always()

.github/workflows/semgrep-analysis.yml

@@ -26,13 +26,13 @@ jobs:
     steps:
       # Assume an AWS Role that provides access to the Access Token
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@ececac1a45f3b08a01d2dd070d28d111c5fe6722 #v4.1.0
+        uses: aws-actions/configure-aws-credentials@b47578312673ae6fa5b5096b330d9fbac3d116df #v4.2.1
         with:
           role-to-assume: ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_ROLE_ARN }}
           aws-region: us-west-2
       # Retrieve the Access Token from Secrets Manager
       - name: Retrieve secret from AWS Secrets Manager
-        uses: aws-actions/aws-secretsmanager-get-secrets@fbd65ea98e018858715f591f03b251f02b2316cb #v2.0.8
+        uses: aws-actions/aws-secretsmanager-get-secrets@5e19ff380d035695bdd56bbad320ca535c9063f2 #v2.0.9
         with:
           secret-ids: |
             AWS_SECRET, ${{ secrets.RELEASE_WORKFLOW_ACCESS_TOKEN_NAME }}