fix(integ-runner): region is not passed to CDK App #376
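# ~~ Generated by projen. To modify, edit .projenrc.ts and run "npx projen".
#
# Guards changes to the CDK bootstrap template. A PR that touches the template
# must (a) increment CdkBootstrapVersion or carry the
# `pr/exempt-bootstrap-version` label, and (b) carry the `pr/security-reviewed`
# label. File contents coming from the PR are untrusted input: every value read
# from them is validated before it is written to $GITHUB_OUTPUT.
name: bootstrap-template-protection
on:
  pull_request:
    types:
      - opened
      - synchronize
      - reopened
      - labeled
      - unlabeled
  merge_group: {}
jobs:
  check-bootstrap-template:
    name: Check Bootstrap Template Changes
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    # The steps below read `github.event.pull_request.*`, which only the
    # pull_request payload carries; merge_group runs are skipped by this
    # condition (a `pull_request_target` trigger is not configured above).
    if: github.event_name == 'pull_request'
    env:
      # Event data reaches the shell through the environment instead of being
      # interpolated with ${{ }} into `run:` blocks, so it is never parsed as
      # shell syntax (GitHub's script-injection guidance). The base ref is
      # limited to branches of the base repo, but the safe idiom costs nothing.
      BASE_REF: ${{ github.event.pull_request.base.ref }}
      TEMPLATE_PATH: packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml
    steps:
      - name: Checkout merge commit
        # Supply-chain note: consider pinning actions to a full commit SHA
        # rather than a floating major tag.
        uses: actions/checkout@v4
        with:
          fetch-depth: 0
          ref: refs/pull/${{ github.event.pull_request.number }}/merge
      - name: Checkout base branch
        # Makes sure origin/<base> exists locally for the diff and `git show`
        # below, regardless of what the checkout step fetched.
        run: git fetch origin "$BASE_REF"
      - name: Check if bootstrap template changed
        id: template-changed
        run: |-
          # `git diff --quiet` exits 1 when the template differs between the
          # base branch and the merge commit.
          if ! git diff --quiet "origin/$BASE_REF..HEAD" -- "$TEMPLATE_PATH"; then
            echo "Bootstrap template modified - protection checks required"
            echo "changed=true" >> "$GITHUB_OUTPUT"
          else
            echo "✅ Bootstrap template not modified - no protection required"
            echo "changed=false" >> "$GITHUB_OUTPUT"
          fi
      - name: Extract current and previous bootstrap versions
        id: version-check
        if: steps.template-changed.outputs.changed == 'true'
        run: |-
          # `CdkBootstrapVersion.Properties.Value` in the PR is written by the
          # PR author. Only plain non-negative integers are accepted, so a
          # crafted value (for example one containing newlines) cannot inject
          # extra key=value lines into $GITHUB_OUTPUT or make `-gt` misbehave.
          is_version() { [[ "$1" =~ ^[0-9]+$ ]]; }

          CURRENT_VERSION=$(yq '.Resources.CdkBootstrapVersion.Properties.Value' "$TEMPLATE_PATH")
          git show "origin/$BASE_REF:$TEMPLATE_PATH" > /tmp/base-template.yaml
          PREVIOUS_VERSION=$(yq '.Resources.CdkBootstrapVersion.Properties.Value' /tmp/base-template.yaml)

          # The raw value is deliberately not echoed: it could carry workflow
          # commands or newlines. A placeholder is written instead.
          if ! is_version "$CURRENT_VERSION"; then
            echo "::warning::CdkBootstrapVersion in the PR is not a non-negative integer"
            CURRENT_VERSION="invalid"
          fi
          if ! is_version "$PREVIOUS_VERSION"; then
            echo "::warning::CdkBootstrapVersion on $BASE_REF is not a non-negative integer"
            PREVIOUS_VERSION="invalid"
          fi
          {
            echo "current-version=$CURRENT_VERSION"
            echo "previous-version=$PREVIOUS_VERSION"
          } >> "$GITHUB_OUTPUT"

          # A malformed value on either side never counts as an increment.
          if is_version "$CURRENT_VERSION" && is_version "$PREVIOUS_VERSION" \
             && [ "$CURRENT_VERSION" -gt "$PREVIOUS_VERSION" ]; then
            echo "version-incremented=true" >> "$GITHUB_OUTPUT"
          else
            echo "version-incremented=false" >> "$GITHUB_OUTPUT"
          fi
      - name: Check for security review and exemption labels
        id: label-check
        if: steps.template-changed.outputs.changed == 'true'
        run: |-
          # contains() is evaluated to the literal `true` or `false` before the
          # shell runs, so interpolating it here is safe.
          echo "has-security-label=${{ contains(github.event.pull_request.labels.*.name, 'pr/security-reviewed') }}" >> "$GITHUB_OUTPUT"
          echo "has-version-exempt-label=${{ contains(github.event.pull_request.labels.*.name, 'pr/exempt-bootstrap-version') }}" >> "$GITHUB_OUTPUT"
      - name: Post comment
        if: steps.template-changed.outputs.changed == 'true'
        # Advisory only: the gate is enforced by "Check requirements" below.
        # A pull_request run from a fork may receive a read-only token and be
        # unable to comment; that must not mask the real check result.
        continue-on-error: true
        # Supply-chain note: consider pinning to a full commit SHA.
        uses: thollander/actions-comment-pull-request@v3
        with:
          comment-tag: bootstrap-template-protection
          mode: recreate
          message: |
            ## ⚠️ Bootstrap Template Protection
            This PR modifies the bootstrap template (`packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml`), which requires special protections.
            ${{ ((steps.version-check.outputs.version-incremented == 'true' || steps.label-check.outputs.has-version-exempt-label == 'true') && steps.label-check.outputs.has-security-label == 'true') && '**✅ All requirements met! This PR can proceed with normal review process.**' || '**❌ This PR cannot be merged until all requirements are met.**' }}
            ### Requirements
            **Version Increment**
            ${{ (steps.version-check.outputs.version-incremented == 'true' && format('✅ Version incremented from {0} to {1}', steps.version-check.outputs.previous-version, steps.version-check.outputs.current-version)) || (steps.label-check.outputs.has-version-exempt-label == 'true' && format('✅ Version increment exempted (PR has `{0}` label)', 'pr/exempt-bootstrap-version')) || '❌ Version increment required' }}
            ${{ steps.version-check.outputs.version-incremented != 'true' && steps.label-check.outputs.has-version-exempt-label != 'true' && format(' - Current version: `{0}`', steps.version-check.outputs.current-version) || '' }}
            ${{ steps.version-check.outputs.version-incremented != 'true' && steps.label-check.outputs.has-version-exempt-label != 'true' && format(' - Previous version: `{0}`', steps.version-check.outputs.previous-version) || '' }}
            ${{ steps.version-check.outputs.version-incremented != 'true' && steps.label-check.outputs.has-version-exempt-label != 'true' && ' - Please increment the version in `CdkBootstrapVersion`' || '' }}
            ${{ steps.version-check.outputs.version-incremented != 'true' && steps.label-check.outputs.has-version-exempt-label != 'true' && format(' - Or add the `{0}` label if not needed', 'pr/exempt-bootstrap-version') || '' }}
            **Security Review**
            ${{ (steps.label-check.outputs.has-security-label == 'true' && format('✅ Review completed (PR has `{0}` label)', 'pr/security-reviewed')) || '❌ Review required' }}
            ${{ steps.label-check.outputs.has-security-label != 'true' && ' - A maintainer will conduct a security review' || '' }}
            ${{ steps.label-check.outputs.has-security-label != 'true' && format(' - Once reviewed, they will add the `{0}` label', 'pr/security-reviewed') || '' }}
            ### Why these protections exist
            - The bootstrap template contains critical infrastructure
            - Changes can affect IAM roles, policies, and resource access across all CDK deployments
            - Version increments ensure users are notified of updates
      - name: Check requirements
        if: steps.template-changed.outputs.changed == 'true'
        # This is the enforcing step: it fails the job unless both requirements
        # are satisfied. The values below are booleans produced by earlier
        # steps, not raw PR content.
        run: |-
          VERSION_INCREMENTED="${{ steps.version-check.outputs.version-incremented }}"
          VERSION_EXEMPTED="${{ steps.label-check.outputs.has-version-exempt-label }}"
          SECURITY_REVIEWED="${{ steps.label-check.outputs.has-security-label }}"
          # Version requirement (incremented OR exempted) AND security review.
          if [[ "$VERSION_INCREMENTED" == "true" || "$VERSION_EXEMPTED" == "true" ]] && [[ "$SECURITY_REVIEWED" == "true" ]]; then
            echo "✅ All requirements met!"
            exit 0
          fi
          # Show what's missing
          echo "❌ Requirements not met:"
          if [[ "$VERSION_INCREMENTED" != "true" && "$VERSION_EXEMPTED" != "true" ]]; then
            echo "  - Version must be incremented OR add 'pr/exempt-bootstrap-version' label"
          fi
          if [[ "$SECURITY_REVIEWED" != "true" ]]; then
            echo "  - PR must have 'pr/security-reviewed' label"
          fi
          exit 1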