Merge branch 'develop' into fix-8477

Author: vicheey

.github/workflows/automated-updates-to-sam-cli.yml

@@ -14,13 +14,13 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout App Templates
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           repository: aws/aws-sam-cli-app-templates
           path: aws-sam-cli-app-templates
 
       - name: Checkout SAM CLI
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           repository: aws/aws-sam-cli
           path: aws-sam-cli
@@ -59,15 +59,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout SAM
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           repository: aws/serverless-application-model
           path: serverless-application-model
           ref: main
           fetch-depth: 0
 
       - name: Checkout SAM CLI
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           repository: aws/aws-sam-cli
           path: aws-sam-cli
@@ -110,15 +110,15 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout Lambda Builders
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           repository: aws/aws-lambda-builders
           path: aws-lambda-builders
           ref: main
           fetch-depth: 0
 
       - name: Checkout SAM CLI
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
         with:
           repository: aws/aws-sam-cli
           path: aws-sam-cli

.github/workflows/build.yml

@@ -64,7 +64,7 @@ jobs:
         mkdir "D:\\Temp"
         echo "TEMP=D:\\Temp" >> $env:GITHUB_ENV  
       if: ${{ matrix.os == 'windows-latest' }}
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
     - uses: actions/setup-python@v6
       with:
         python-version: ${{ matrix.python }}
@@ -79,7 +79,7 @@ jobs:
       contents: write
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: actions/setup-python@v6
         name: Install Python 3.11
         with:
@@ -139,7 +139,7 @@ jobs:
           #- "traces"
           #- "validate"
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - name: Set TEMP to D:/Temp
         run: |
           mkdir "D:\\Temp"
@@ -160,8 +160,7 @@ jobs:
       - uses: actions/setup-go@v6
         with:
           go-version: '1.19'
-      # Pin to specific version until Lambda Builders support bundler 4.0.0
-      - uses: ruby/setup-ruby@v1.268.0
+      - uses: ruby/setup-ruby@v1
         with:
           ruby-version: "3.3"
       - uses: actions/setup-node@v6
@@ -176,6 +175,9 @@ jobs:
             17
             21
             25
+      - uses: actions/setup-dotnet@v5
+        with:
+          dotnet-version: '10.0.x'
        # Install and configure Rust & Cargo Lambda
       - name: Install and configure Rust & Cargo Lambda
         if: ${{ matrix.os == 'ubuntu-latest' }}
@@ -231,7 +233,7 @@ jobs:
             params: "-n 4 tests/smoke tests/functional"
             env_vars: "third-third"
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - name: Set TEMP to D:/Temp
         run: |
           mkdir "D:\\Temp"
@@ -261,7 +263,7 @@ jobs:
           - ubuntu-latest
           - windows-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - name: Set TEMP to D:/Temp
         run: |
           mkdir "D:\\Temp"

.github/workflows/codeql.yml

@@ -42,7 +42,7 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL

.github/workflows/integration-tests.yml

@@ -24,7 +24,7 @@ env:
   CARGO_LAMBDA_VERSION: "v0.17.1"
   NOSE_PARAMETERIZED_NO_WARN: 1
   BY_CANARY: true
-  UV_PYTHON: python3.9
+  UV_PYTHON: python3.11
   CREDENTIAL_DISTRIBUTION_LAMBDA_ARN: ${{ secrets.CREDENTIAL_DISTRIBUTION_LAMBDA_ARN }}
   ACCOUNT_RESET_LAMBDA_ARN: ${{ secrets.ACCOUNT_RESET_LAMBDA_ARN }}
 
@@ -74,7 +74,7 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v6
         with:
           # For scheduled runs, always use develop
           # For manual runs, use the branch from "Use workflow from" dropdown
@@ -139,7 +139,7 @@ jobs:
 
       - name: Set up Go
         if: contains(fromJSON('["build-integ", "build-integ-java-python-provided", "build-integ-arm64"]'), matrix.test_suite) && matrix.container_runtime == 'no-container'
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: '1.25'
 
@@ -149,35 +149,35 @@ jobs:
           # Remove system Maven if it exists
           sudo apt-get remove -y maven || true
           
-          # Install Maven 3.9.11
-          wget https://dlcdn.apache.org/maven/maven-3/3.9.11/binaries/apache-maven-3.9.11-bin.zip -P /tmp
+          # Install Maven 3.9.12
+          wget https://dlcdn.apache.org/maven/maven-3/3.9.12/binaries/apache-maven-3.9.12-bin.zip -P /tmp
           sudo unzip -d /opt/mvn /tmp/apache-maven-*.zip
           
           # Install Gradle 9.2.0
           wget https://services.gradle.org/distributions/gradle-9.2.0-bin.zip -P /tmp
           sudo unzip -d /opt/gradle /tmp/gradle-*.zip
           
           # Create symlinks to ensure our Maven is used
-          sudo ln -sf /opt/mvn/apache-maven-3.9.11/bin/mvn /usr/local/bin/mvn
+          sudo ln -sf /opt/mvn/apache-maven-3.9.12/bin/mvn /usr/local/bin/mvn
           sudo ln -sf /opt/gradle/gradle-9.2.0/bin/gradle /usr/local/bin/gradle
           
           # Add to PATH (prepend to ensure our versions are used first)
-          echo "/opt/mvn/apache-maven-3.9.11/bin" >> $GITHUB_PATH
+          echo "/opt/mvn/apache-maven-3.9.12/bin" >> $GITHUB_PATH
           echo "/opt/gradle/gradle-9.2.0/bin" >> $GITHUB_PATH
           
           # Set MAVEN_HOME
-          echo "MAVEN_HOME=/opt/mvn/apache-maven-3.9.11" >> $GITHUB_ENV
+          echo "MAVEN_HOME=/opt/mvn/apache-maven-3.9.12" >> $GITHUB_ENV
           
           # Verify versions
-          export PATH="/opt/mvn/apache-maven-3.9.11/bin:/opt/gradle/gradle-9.2.0/bin:$PATH"
+          export PATH="/opt/mvn/apache-maven-3.9.12/bin:/opt/gradle/gradle-9.2.0/bin:$PATH"
           mvn --version
           gradle --version
 
-      - name: Install .NET 8 SDK
+      - name: Install .NET 10 SDK
         if: contains(fromJSON('["build-integ-java-python-provided", "build-integ-dotnet-node-ruby", "build-integ-arm64"]'), matrix.test_suite) && matrix.container_runtime == 'no-container' || matrix.test_suite == 'other-and-e2e'
         uses: actions/setup-dotnet@v5
         with:
-          dotnet-version: '8.0.x'
+          dotnet-version: '10.0.x'
 
       - name: Set up Ruby 3.3.7
         if: (contains(fromJSON('["build-integ","build-integ-dotnet-node-ruby", "build-integ-arm64"]'), matrix.test_suite) && matrix.container_runtime == 'no-container') || matrix.test_suite == 'other-and-e2e'
@@ -297,33 +297,52 @@ jobs:
       - name: Get testing resources and credentials
         run: |
           # Try with skip_role_deletion parameter first
-          test_env_var=$(python3.9 tests/get_testing_resources.py skip_role_deletion)
+          test_env_var=$(python3.11 tests/get_testing_resources.py skip_role_deletion)
           
           if [ $? -ne 0 ]; then
             echo "First attempt with skip_role_deletion failed, trying without parameter..."
-            test_env_var=$(python3.9 tests/get_testing_resources.py)
+            test_env_var=$(python3.11 tests/get_testing_resources.py)
             
             if [ $? -ne 0 ]; then
               echo "get_testing_resources failed. Failed to acquire credentials or test resources."
               exit 1
             fi
           fi
           
-          # Save current credentials for account reset later
+          # Save current credentials for account reset later (mask them first)
+          echo "::add-mask::$AWS_ACCESS_KEY_ID"
+          echo "::add-mask::$AWS_SECRET_ACCESS_KEY"
+          echo "::add-mask::$AWS_SESSION_TOKEN"
           echo "CI_ACCESS_ROLE_AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID" >> $GITHUB_ENV
           echo "CI_ACCESS_ROLE_AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY" >> $GITHUB_ENV
           echo "CI_ACCESS_ROLE_AWS_SESSION_TOKEN=$AWS_SESSION_TOKEN" >> $GITHUB_ENV
           
-          # Set test credentials
-          echo "AWS_ACCESS_KEY_ID=$(echo "$test_env_var" | jq -j ".accessKeyID")" >> $GITHUB_ENV
-          echo "AWS_SECRET_ACCESS_KEY=$(echo "$test_env_var" | jq -j ".secretAccessKey")" >> $GITHUB_ENV
-          echo "AWS_SESSION_TOKEN=$(echo "$test_env_var" | jq -j ".sessionToken")" >> $GITHUB_ENV
-          echo "TASK_TOKEN=$(echo "$test_env_var" | jq -j ".taskToken")" >> $GITHUB_ENV
+          # Extract test credentials and mask them before setting as env vars
+          TEST_ACCESS_KEY_ID=$(echo "$test_env_var" | jq -j ".accessKeyID")
+          TEST_SECRET_ACCESS_KEY=$(echo "$test_env_var" | jq -j ".secretAccessKey")
+          TEST_SESSION_TOKEN=$(echo "$test_env_var" | jq -j ".sessionToken")
+          TEST_TASK_TOKEN=$(echo "$test_env_var" | jq -j ".taskToken")
+          
+          # Mask sensitive credentials so they don't appear in logs
+          echo "::add-mask::$TEST_ACCESS_KEY_ID"
+          echo "::add-mask::$TEST_SECRET_ACCESS_KEY"
+          echo "::add-mask::$TEST_SESSION_TOKEN"
+          echo "::add-mask::$TEST_TASK_TOKEN"
+          
+          # Set test credentials as environment variables
+          echo "AWS_ACCESS_KEY_ID=$TEST_ACCESS_KEY_ID" >> $GITHUB_ENV
+          echo "AWS_SECRET_ACCESS_KEY=$TEST_SECRET_ACCESS_KEY" >> $GITHUB_ENV
+          echo "AWS_SESSION_TOKEN=$TEST_SESSION_TOKEN" >> $GITHUB_ENV
+          echo "TASK_TOKEN=$TEST_TASK_TOKEN" >> $GITHUB_ENV
+          
+          # Set other test resources (non-sensitive)
           echo "AWS_S3_TESTING=$(echo "$test_env_var" | jq -j ".TestBucketName")" >> $GITHUB_ENV
           echo "AWS_ECR_TESTING=$(echo "$test_env_var" | jq -j ".TestECRURI")" >> $GITHUB_ENV
           echo "AWS_KMS_KEY=$(echo "$test_env_var" | jq -j ".TestKMSKeyArn")" >> $GITHUB_ENV
           echo "AWS_SIGNING_PROFILE_NAME=$(echo "$test_env_var" | jq -j ".TestSigningProfileName")" >> $GITHUB_ENV
           echo "AWS_SIGNING_PROFILE_VERSION_ARN=$(echo "$test_env_var" | jq -j ".TestSigningProfileARN")" >> $GITHUB_ENV
+          echo "LMI_SUBNET_ID=$(echo "$test_env_var" | jq -j ".LMISubnetId")" >> $GITHUB_ENV
+          echo "LMI_SECURITY_GROUP_ID=$(echo "$test_env_var" | jq -j ".LMISecurityGroupId")" >> $GITHUB_ENV
 
       - name: Login to Public ECR
         if: matrix.container_runtime != 'no-container' && env.BY_CANARY == 'true'
@@ -368,13 +387,13 @@ jobs:
               pytest -vv -n 2 --reruns 3 tests/integration/buildcmd/test_build_cmd_arm64.py -m 'java' -k "${CONTAINER_FILTER}" --json-report --json-report-file=TEST_REPORT-integration-buildcmd-arm64-java-${{ matrix.container_runtime }}.json
               ;;
             "terraform-build")
-              pytest -vv -n 4 --reruns 4 tests/integration/buildcmd/test_build_terraform_applications.py tests/integration/buildcmd/test_build_terraform_applications_other_cases.py --json-report --json-report-file=TEST_REPORT-integration-terraform-${{ matrix.container_runtime }}.json
+              pytest -vv -n 4 --reruns 3 tests/integration/buildcmd/test_build_terraform_applications.py tests/integration/buildcmd/test_build_terraform_applications_other_cases.py --json-report --json-report-file=TEST_REPORT-integration-terraform-${{ matrix.container_runtime }}.json
               ;;
             "package-delete-deploy")
               pytest -vv tests/integration/package tests/integration/delete tests/integration/deploy --dist=loadgroup -n 6 --reruns 4 --json-report --json-report-file=TEST_REPORT-integration-package-delete-deploy-${{ matrix.container_runtime }}.json
               ;;
             "sync")
-              pytest -vv tests/integration/sync -n 6 --reruns 3 --dist loadscope --json-report --json-report-file=TEST_REPORT-integration-sync-${{ matrix.container_runtime }}.json
+              pytest -vv tests/integration/sync -n 4 --reruns 3 --dist loadscope --json-report --json-report-file=TEST_REPORT-integration-sync-${{ matrix.container_runtime }}.json
               ;;
             "local-invoke")
               pytest -vv --reruns 3 tests/integration/local/invoke tests/integration/local/generate_event --ignore tests/integration/local/invoke/test_invoke_durable.py --json-report --json-report-file=TEST_REPORT-integration-local-invoke-${{ matrix.container_runtime }}.json
@@ -389,14 +408,13 @@ jobs:
               pytest -vv --reruns 3 tests/integration/local/invoke/test_invoke_durable.py tests/integration/local/start_api/test_start_api_durable.py tests/integration/local/start_lambda/test_start_lambda_durable.py tests/integration/local/callback/test_callback.py tests/integration/local/execution/test_execution.py --json-report --json-report-file=TEST_REPORT-integration-durable-functions-${{ matrix.container_runtime }}.json
               ;;
             "other-and-e2e")
-              pytest -vv -n 4 --reruns 4 --dist loadgroup tests/integration tests/end_to_end --ignore=tests/integration/buildcmd --ignore=tests/integration/delete --ignore=tests/integration/deploy --ignore=tests/integration/package --ignore=tests/integration/sync --ignore=tests/integration/local --json-report --json-report-file=TEST_REPORT-integration-others-${{ matrix.container_runtime }}.json
-              pytest -vv --reruns 3 tests/regression --json-report --json-report-file=TEST_REPORT-regression-${{ matrix.container_runtime }}.json
+              pytest -vv -n 4 --reruns 3 --dist loadgroup tests/integration tests/end_to_end tests/regression --ignore=tests/integration/buildcmd --ignore=tests/integration/delete --ignore=tests/integration/deploy --ignore=tests/integration/package --ignore=tests/integration/sync --ignore=tests/integration/local --json-report --json-report-file=TEST_REPORT-integration-others-${{ matrix.container_runtime }}.json
               ;;
           esac
 
       - name: Upload test results
         if: always()
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v6
         with:
           name: test-results-${{ matrix.test_suite }}-${{ matrix.container_runtime }}
           path: TEST_REPORT-*.json

.github/workflows/update-reproducibles.yml

@@ -15,32 +15,23 @@ jobs:
       pull-requests: write
       contents: write
     if: github.repository_owner == 'aws'
-    strategy:
-      matrix:
-        include:
-          - os: ubuntu-latest
-            python: 3.11
-            target: update-reproducible-linux-reqs
-          - os: macos-latest
-            python: 3.11
-            target: update-reproducible-mac-reqs
-          - os: windows-latest
-            python: 3.12
-            target: update-reproducible-win-reqs
-      max-parallel: 1
-    runs-on: ${{ matrix.os }}
+    runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
         with:
           ref: ${{ github.head_ref }}
       - uses: actions/setup-python@v6
         with:
-          python-version: ${{ matrix.python }}
-      - run: make ${{ matrix.target }}
+          python-version: "3.11"
+      - name: Install uv
+        uses: astral-sh/setup-uv@v5
+      - name: Update all reproducible requirements
+        run: make update-reproducible-reqs-uv
       - name: Push changes
         run: |
           git config --global user.email "action@github.com"
           git config --global user.name "GitHub Action"
           git remote set-url origin https://x-access-token:${{ secrets.GITHUB_TOKEN }}@github.com/${{ github.repository }}
-          git commit -am "Update reproducibles: ${{ matrix.target }}" || echo "nothing to commit"
+          git add requirements/reproducible-*.txt
+          git commit -m "Update reproducible requirements" || echo "nothing to commit"
           git push

.github/workflows/validate_pyinstaller.yml

@@ -16,7 +16,7 @@ jobs:
     strategy:
       fail-fast: false
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - name: Make installer script executable
         run: chmod +x ./installer/pyinstaller/build-linux.sh
       - name: Build PyInstaller in manylinux container
@@ -32,7 +32,7 @@ jobs:
           sudo ./sam-installation/install
           sam-beta --version
           ./tests/sanity-check.sh
-      - uses: actions/upload-artifact@v5
+      - uses: actions/upload-artifact@v6
         with:
           name: pyinstaller-linux-zip
           path: .build/output/aws-sam-cli-linux-x86_64.zip
@@ -45,7 +45,7 @@ jobs:
     strategy:
       fail-fast: false
     steps:
-      - uses: actions/checkout@v5
+      - uses: actions/checkout@v6
       - uses: actions/setup-python@v6
         with:
           python-version: "3.11"
@@ -61,7 +61,7 @@ jobs:
           sudo ./sam-installation/install
           sam-beta --version
           ./tests/sanity-check.sh
-      - uses: actions/upload-artifact@v5
+      - uses: actions/upload-artifact@v6
         with:
           name: pyinstaller-macos-zip
           path: .build/output/aws-sam-cli-macos-x86_64.zip

Makefile

@@ -87,3 +87,10 @@ update-reproducible-win-reqs:
 
 
 update-reproducible-reqs: update-reproducible-linux-reqs update-reproducible-mac-reqs
+
+# Update all reproducible requirements using uv (can run from any platform)
+update-reproducible-reqs-uv:
+	@command -v uv >/dev/null 2>&1 || pip install uv
+	uv pip compile setup.py --generate-hashes --output-file requirements/reproducible-linux.txt --python-platform linux --python-version 3.11 --no-cache --no-strip-extras
+	uv pip compile setup.py --generate-hashes --output-file requirements/reproducible-mac.txt --python-platform macos --python-version 3.11 --no-cache --no-strip-extras
+	uv pip compile setup.py --generate-hashes --output-file requirements/reproducible-win.txt --python-platform windows --python-version 3.12 --no-cache --no-strip-extras