Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
18 commits
Select commit Hold shift + click to select a range
340878c
docs: add telemetry instrumentation guide (#1197)
Hweinstock May 11, 2026
eba0e40
chore: replace PAT tokens with GitHub App token (#1198)
aidandaly24 May 11, 2026
ce50d52
fix: add batch eval, recommendation, and CloudWatch Logs write permis…
notgitika May 11, 2026
bceddde
feat: instrument telemetry for create command (CLI + TUI) (#1202)
Hweinstock May 11, 2026
5767d93
chore: replace all github.token/GITHUB_TOKEN with GitHub App token
aidandaly24 May 12, 2026
f1788bc
fix: bump versions to resolve security audit failure
Hweinstock May 12, 2026
a15c756
Merge pull request #1211 from Hweinstock/fix/old-deps
aidandaly24 May 12, 2026
0e6d577
revert: keep pr-title.yml using GITHUB_TOKEN (read-only access suffic…
aidandaly24 May 12, 2026
6dc4b7f
Merge pull request #1210 from aws/chore/replace-github-token-with-app…
aidandaly24 May 12, 2026
7d27f47
feat(evaluator): add kmsKeyArn support for custom evaluator (#994)
aws-aditya21 May 12, 2026
f010c12
refactor: unify result types with discriminated Result<T, E> union (#…
Hweinstock May 12, 2026
f69e252
feat: record command attrs on telemetry failure via fallbackAttrs (#1…
Hweinstock May 12, 2026
0153694
fix: sync-preview pushes directly on clean merge, PRs only on conflic…
notgitika May 12, 2026
ce00f57
feat: instrument telemetry for deploy command (CLI + TUI) (#1206)
Hweinstock May 12, 2026
d960978
chore: sync safe commits from main into preview
notgitika May 13, 2026
ecf8c3f
chore: record merge point with main (synced up to 01536945)
notgitika May 13, 2026
de28f21
chore: merge main into preview
notgitika May 13, 2026
3d7bcdd
chore: merge main into preview with Result refactor
notgitika May 13, 2026
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 7 additions & 1 deletion .github/workflows/cleanup-pr-tarballs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,10 +14,16 @@ jobs:
runs-on: ubuntu-latest

steps:
- name: Generate GitHub App Token
id: app-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}
- uses: actions/checkout@v6
- name: Delete PR tarball releases older than 7 days
env:
GH_TOKEN: ${{ github.token }}
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
CUTOFF=$(date -u -d '7 days ago' +%Y-%m-%dT%H:%M:%SZ 2>/dev/null || date -u -v-7d +%Y-%m-%dT%H:%M:%SZ)

Expand Down
8 changes: 7 additions & 1 deletion .github/workflows/pr-tarball.yml
Original file line number Diff line number Diff line change
Expand Up @@ -50,10 +50,16 @@ jobs:
run: |
TARBALL_NAME=$(ls *.tgz | head -1 | xargs basename)
echo "name=$TARBALL_NAME" >> $GITHUB_OUTPUT
- name: Generate GitHub App Token
id: app-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}
- name: Create or update PR release
id: release
env:
GH_TOKEN: ${{ github.token }}
GH_TOKEN: ${{ steps.app-token.outputs.token }}
PR_NUMBER: ${{ github.event.pull_request.number }}
TARBALL_NAME: ${{ steps.tarball.outputs.name }}
run: |
Expand Down
18 changes: 16 additions & 2 deletions .github/workflows/release-main-and-preview.yml
Original file line number Diff line number Diff line change
Expand Up @@ -135,9 +135,16 @@ jobs:
- name: Update snapshots
run: npm run test:update-snapshots

- name: Generate GitHub App Token
id: app-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}

- name: Create release branch and PR
env:
GH_TOKEN: ${{ github.token }}
GH_TOKEN: ${{ steps.app-token.outputs.token }}
NEW_VERSION: ${{ steps.bump.outputs.version }}
run: |
BRANCH_NAME="release/v$NEW_VERSION"
Expand Down Expand Up @@ -219,9 +226,16 @@ jobs:
- name: Update snapshots
run: npm run test:update-snapshots

- name: Generate GitHub App Token
id: app-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}

- name: Create release branch and PR
env:
GH_TOKEN: ${{ github.token }}
GH_TOKEN: ${{ steps.app-token.outputs.token }}
NEW_VERSION: ${{ steps.bump.outputs.version }}
run: |
BRANCH_NAME="release/v$NEW_VERSION"
Expand Down
9 changes: 8 additions & 1 deletion .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -160,9 +160,16 @@ jobs:
exit 1
fi

- name: Generate GitHub App Token
id: app-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}

- name: Create Pull Request
env:
GH_TOKEN: ${{ github.token }}
GH_TOKEN: ${{ steps.app-token.outputs.token }}
NEW_VERSION: ${{ steps.bump.outputs.version }}
BASE_BRANCH: ${{ steps.release-meta.outputs.base_branch }}
DIST_TAG: ${{ steps.release-meta.outputs.dist_tag }}
Expand Down
8 changes: 7 additions & 1 deletion .github/workflows/strands-command.yml
Original file line number Diff line number Diff line change
Expand Up @@ -94,6 +94,12 @@ jobs:
};
await processInputs(context, github, core, inputs);

- name: Generate GitHub App Token
id: app-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}
- name: Run Strands Agent
uses: ./.github/actions/strands-action
with:
Expand All @@ -104,7 +110,7 @@ jobs:
tools: 'strands_tools:shell,retrieve'
aws_role_arn: ${{ secrets.AWS_ROLE_ARN }}
aws_region: 'us-west-2'
pat_token: ${{ secrets.GITHUB_TOKEN }}
pat_token: ${{ steps.app-token.outputs.token }}
env:
SESSION_ID: ${{ steps.process-inputs.outputs.session_id }}
S3_SESSION_BUCKET: ${{ secrets.AGENT_SESSIONS_BUCKET }}
Expand Down
22 changes: 18 additions & 4 deletions .github/workflows/sync-from-public.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,10 +13,17 @@ jobs:
sync:
runs-on: ubuntu-latest
steps:
- name: Generate GitHub App Token
id: app-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}

- uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ secrets.GITHUB_TOKEN }}
token: ${{ steps.app-token.outputs.token }}

- name: Configure Git
run: |
Expand Down Expand Up @@ -101,15 +108,22 @@ jobs:
--head "$conflict_branch" || echo "⚠️ Failed to create PR"
fi
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_TOKEN: ${{ steps.app-token.outputs.token }}

sync-preview:
runs-on: ubuntu-latest
steps:
- name: Generate GitHub App Token
id: app-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}

- uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ secrets.GITHUB_TOKEN }}
token: ${{ steps.app-token.outputs.token }}

- name: Configure Git
run: |
Expand Down Expand Up @@ -194,4 +208,4 @@ jobs:
--head "$conflict_branch" || echo "⚠️ Failed to create PR"
fi
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
GH_TOKEN: ${{ steps.app-token.outputs.token }}
146 changes: 106 additions & 40 deletions .github/workflows/sync-preview.yml
Original file line number Diff line number Diff line change
Expand Up @@ -17,93 +17,161 @@ jobs:
name: Merge main into preview
runs-on: ubuntu-latest
steps:
- name: Generate GitHub App Token
id: app-token
uses: actions/create-github-app-token@v1
with:
app-id: ${{ vars.APP_ID }}
private-key: ${{ secrets.APP_PRIVATE_KEY }}

- name: Checkout preview
uses: actions/checkout@v6
with:
ref: preview
fetch-depth: 0
token: ${{ steps.app-token.outputs.token }}

- name: Configure git
run: |
git config --global user.name "github-actions[bot]"
git config --global user.email "github-actions[bot]@users.noreply.github.com"

- name: Merge main into preview
id: merge
- name: Check if sync needed
id: check
run: |
git fetch origin main
MAIN_SHA=$(git rev-parse origin/main)
MERGE_BASE=$(git merge-base HEAD origin/main)

if [[ "$MAIN_SHA" == "$MERGE_BASE" ]]; then
echo "✅ preview already contains all of main"
echo "status=up-to-date" >> $GITHUB_OUTPUT
exit 0
echo "needed=false" >> $GITHUB_OUTPUT
else
echo "needed=true" >> $GITHUB_OUTPUT
fi

echo "ℹ️ Merging main into preview..."
- name: Skip if already synced
if: steps.check.outputs.needed == 'false'
run: echo "Nothing to sync."

- name: Merge main into preview
if: steps.check.outputs.needed == 'true'
id: merge
run: |
# Save preview's version before merge so we can restore it after
PREVIEW_VERSION=$(node -p "require('./package.json').version")
echo "preview_version=$PREVIEW_VERSION" >> $GITHUB_OUTPUT

if git merge origin/main --no-edit -m "chore: merge main into preview"; then
git push origin preview
echo "✅ main merged into preview and pushed"
echo "status=merged" >> $GITHUB_OUTPUT
echo "status=clean" >> $GITHUB_OUTPUT
else
git merge --abort
echo "status=conflict" >> $GITHUB_OUTPUT
# preview carries a higher version string than main (e.g. 1.0.0-preview.X vs 0.13.X).
# This means package.json/package-lock.json almost always conflict on the version field.
# Accept main's content here; the version is restored in the next step.
for f in package.json package-lock.json; do
if git diff --name-only --diff-filter=U | grep -qx "$f"; then
git checkout --theirs "$f"
git add "$f"
echo " ↳ resolved $f conflict (accepted main, will restore version)"
fi
done

# Check if all conflicts are now resolved
if [[ -z "$(git diff --name-only --diff-filter=U)" ]]; then
git commit --no-edit -m "chore: merge main into preview"
echo "status=clean" >> $GITHUB_OUTPUT
else
echo "status=conflict" >> $GITHUB_OUTPUT
fi
fi

- name: Get original commit author
if: steps.merge.outputs.status == 'conflict'
id: author
- name: Restore preview-owned files
if: steps.merge.outputs.status == 'clean'
run: |
AUTHOR=$(git log origin/main -1 --format='%an')
GH_USER=$(git log origin/main -1 --format='%ae' | grep -oP '.*(?=@users\.noreply\.github\.com)' || echo "")
if [[ -z "$GH_USER" ]]; then
# Try to get GitHub username from the commit
GH_USER=$(gh api "/repos/${{ github.repository }}/commits/$(git rev-parse origin/main)" --jq '.author.login // empty' 2>/dev/null || echo "")
# These files are auto-generated during preview releases and must not
# be overwritten by main's versions (schema-check CI will reject changes
# to schemas/, and CHANGELOG.md tracks preview releases separately).
PREVIEW_HEAD=$(git rev-parse HEAD^1)
for f in schemas/agentcore.schema.v1.json CHANGELOG.md; do
if git show "$PREVIEW_HEAD:$f" > /dev/null 2>&1; then
git show "$PREVIEW_HEAD:$f" > "$f"
git add "$f"
echo " ↳ restored preview's $f"
fi
done
if ! git diff --cached --quiet; then
git commit -m "chore: restore preview-owned files (schema, changelog)"
fi
echo "name=$AUTHOR" >> $GITHUB_OUTPUT
echo "gh_user=$GH_USER" >> $GITHUB_OUTPUT
env:
GH_TOKEN: ${{ github.token }}

- name: Restore preview version and push
if: steps.merge.outputs.status == 'clean'
run: |
PREVIEW_VERSION="${{ steps.merge.outputs.preview_version }}"
CURRENT_VERSION=$(node -p "require('./package.json').version")

if [[ "$CURRENT_VERSION" != "$PREVIEW_VERSION" ]]; then
PREVIEW_VERSION="$PREVIEW_VERSION" node -e "
const fs = require('fs');
const pkg = JSON.parse(fs.readFileSync('package.json', 'utf8'));
pkg.version = process.env.PREVIEW_VERSION;
fs.writeFileSync('package.json', JSON.stringify(pkg, null, 2) + '\n');
"
if [[ -f package-lock.json ]]; then
PREVIEW_VERSION="$PREVIEW_VERSION" node -e "
const fs = require('fs');
const lock = JSON.parse(fs.readFileSync('package-lock.json', 'utf8'));
lock.version = process.env.PREVIEW_VERSION;
if (lock.packages && lock.packages['']) {
lock.packages[''].version = process.env.PREVIEW_VERSION;
}
fs.writeFileSync('package-lock.json', JSON.stringify(lock, null, 2) + '\n');
"
fi
git add package.json
[[ -f package-lock.json ]] && git add package-lock.json
git commit -m "chore: restore preview version ($PREVIEW_VERSION)"
fi

git push origin HEAD:preview
echo "✅ main merged into preview and pushed"

- name: Create PR for conflict resolution
if: steps.merge.outputs.status == 'conflict'
env:
GH_TOKEN: ${{ github.token }}
AUTHOR_NAME: ${{ steps.author.outputs.name }}
AUTHOR_GH: ${{ steps.author.outputs.gh_user }}
GH_TOKEN: ${{ steps.app-token.outputs.token }}
run: |
BRANCH="sync-preview/merge-main-$(date +%Y%m%d-%H%M%S)"

# Check if there's already an open sync PR
EXISTING=$(gh pr list --base preview --search "sync-preview: merge main into preview" --state open --json number --jq 'length')
if [[ "$EXISTING" != "0" ]]; then
# Check if there's already an open sync PR (match by branch prefix, not title search)
COUNT=$(gh pr list --base preview --state open --json headRefName \
--jq '[.[] | select(.headRefName | startswith("sync-preview/"))] | length')
if [[ "$COUNT" != "0" ]]; then
echo "ℹ️ Sync PR already open — skipping duplicate."
exit 0
fi

# Create a branch from preview with the conflict markers
# Abort the failed merge and redo on a branch for the PR
git merge --abort

BRANCH="sync-preview/merge-main-$(date +%Y%m%d-%H%M%S)"
git checkout -b "$BRANCH"
git merge origin/main --no-edit -m "chore: merge main into preview" || true
git merge origin/main --no-edit -m "chore: merge main into preview (conflicts need resolution)" || true
git add -A
git commit --no-edit -m "chore: merge main into preview (conflicts need resolution)" || true
git push origin "$BRANCH"

# Build mention string
GH_USER=$(gh api "/repos/${{ github.repository }}/commits/$(git rev-parse origin/main)" --jq '.author.login // empty' 2>/dev/null || echo "")
MENTION=""
if [[ -n "$AUTHOR_GH" ]]; then
MENTION="cc @${AUTHOR_GH}"
if [[ -n "$GH_USER" ]]; then
MENTION="cc @${GH_USER}"
fi

gh pr create \
--base preview \
--head "$BRANCH" \
--title "sync-preview: merge main into preview" \
--title "sync-preview: merge main into preview (conflicts)" \
--body "$(cat <<BODY
The automated sync-preview workflow could not cleanly merge \`main\` into \`preview\`.
The automated sync could not cleanly merge \`main\` into \`preview\`.

**This PR contains the merge with conflict markers.** To resolve:
**This PR contains conflict markers.** To resolve:

1. Check out this branch locally:
\`\`\`bash
Expand All @@ -116,8 +184,6 @@ jobs:
3. Keep preview-specific values (package version, preview tests, etc.) — accept main's changes for everything else.
4. Commit and push, then merge this PR.

This must be resolved before the next coordinated release.

${MENTION}

_Opened automatically by the sync-preview workflow._
Expand Down
Loading
Loading