Skip to content
25 changes: 23 additions & 2 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
Expand Up @@ -27,14 +27,35 @@ updates:
prefix: 'chore'
include: 'scope'
open-pull-requests-limit: 10
cooldown:
default-days: 1

- package-ecosystem: 'github-actions'
directory: '/'
schedule:
interval: 'weekly'
interval: 'daily'
groups:
github-actions:
minor-and-patch:
patterns:
- '*'
update-types:
- 'minor'
- 'patch'
# Workaround for dependabot/dependabot-core#14202: without an explicit
# major group, major updates matching the minor-and-patch pattern are
# silently suppressed. Remove this group when #14202 is fixed to get
# individual (ungrouped) PRs per major bump instead.
major:
patterns:
- '*'
update-types:
- 'major'
labels:
- 'dependencies'
- 'github-actions'
commit-message:
prefix: 'ci'
include: 'scope'
open-pull-requests-limit: 10
cooldown:
default-days: 1
14 changes: 9 additions & 5 deletions .github/workflows/agent-restricted.yml
Original file line number Diff line number Diff line change
Expand Up @@ -56,15 +56,19 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check authorization
env:
AUTHORIZED_USERS: ${{ secrets.AUTHORIZED_USERS }}
ACTOR: ${{ github.actor }}
run: |
AUTHORIZED_USERS="${{ secrets.AUTHORIZED_USERS }}"
if [[ ",$AUTHORIZED_USERS," != *",${{ github.actor }},"* ]]; then
echo "❌ User ${{ github.actor }} is NOT authorized"
if [[ ",$AUTHORIZED_USERS," != *",$ACTOR,"* ]]; then
echo "❌ User $ACTOR is NOT authorized"
exit 1
fi
echo "✅ User ${{ github.actor }} is authorized"
echo "✅ User $ACTOR is authorized"

- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false

- name: Run Strands Agent
uses: ./.github/actions/strands-action
Expand Down
20 changes: 12 additions & 8 deletions .github/workflows/build-and-test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,9 +25,11 @@ jobs:
node-version: [20.x, 22.x, 24.x]

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@v6
uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
with:
node-version: ${{ matrix.node-version }}
cache: 'npm'
Expand All @@ -36,14 +38,14 @@ jobs:
git config --global user.email "bedrock-agentcore-npm+ci@amazon.com"
git config --global user.name "CI"
- name: Install uv
uses: astral-sh/setup-uv@v7
uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
- run: npm ci
- run: npm run build --if-present
- run: npm run test:unit
- run: npm run test:integ
- name: Upload coverage artifact
if: matrix.node-version == '20.x'
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: coverage-report
path: coverage/
Expand All @@ -61,7 +63,7 @@ jobs:
test -f sanitytest/agentcore/agentcore.json
- name: Upload tarball artifact
if: matrix.node-version == '20.x'
uses: actions/upload-artifact@v7
uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7
with:
name: tarball
path: '*.tgz'
Expand All @@ -75,14 +77,16 @@ jobs:
pull-requests: write

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Download coverage artifact
uses: actions/download-artifact@v8
uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8
with:
name: coverage-report
path: coverage/
- name: Coverage Report
uses: davelosert/vitest-coverage-report-action@v2
uses: davelosert/vitest-coverage-report-action@02f3c2e641286b7fa308cd3e430783103ce6103b # v2
with:
json-summary-path: coverage/coverage-summary.json
json-final-path: coverage/coverage-final.json
Expand Down
4 changes: 3 additions & 1 deletion .github/workflows/cleanup-pr-tarballs.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,9 @@ jobs:
runs-on: ubuntu-latest

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Delete PR tarball releases older than 7 days
env:
GH_TOKEN: ${{ github.token }}
Expand Down
11 changes: 8 additions & 3 deletions .github/workflows/codeql.yml
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,9 @@ on:
pull_request_target:
branches: ['main']

permissions:
contents: read

# Cancel in-progress runs for PRs; never cancel runs on main (merges should not abort each other)
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
Expand All @@ -23,12 +26,14 @@ jobs:
contents: read

steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false

- name: Initialize CodeQL
uses: github/codeql-action/init@v4
uses: github/codeql-action/init@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
with:
languages: javascript-typescript

- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v4
uses: github/codeql-action/analyze@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4.35.4
32 changes: 32 additions & 0 deletions .github/workflows/dependabot-auto-merge.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
name: Dependabot Auto-Merge (Minor/Patch)

on:
pull_request_target:
types: [opened, synchronize]

permissions:
contents: write
pull-requests: write

jobs:
auto-merge:
runs-on: ubuntu-latest
if: github.event.pull_request.user.login == 'dependabot[bot]'
steps:
- name: Fetch Dependabot metadata
id: metadata
uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0
with:
github-token: ${{ secrets.GITHUB_TOKEN }}

- name: Auto-approve and merge minor/patch github-actions updates
if: >-
steps.metadata.outputs.package-ecosystem == 'github_actions' && (steps.metadata.outputs.update-type ==
'version-update:semver-minor' ||
steps.metadata.outputs.update-type == 'version-update:semver-patch')
env:
GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
PR_URL: ${{ github.event.pull_request.html_url }}
run: |
gh pr review "$PR_URL" --approve
gh pr merge "$PR_URL" --auto --merge
144 changes: 144 additions & 0 deletions .github/workflows/dependabot-major-analysis.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,144 @@
name: Dependabot Major Version Analysis

on:
pull_request_target:
types: [opened]

permissions:
contents: read
pull-requests: write

jobs:
analyze-major:
runs-on: ubuntu-latest
if: github.event.pull_request.user.login == 'dependabot[bot]'
steps:
- name: Fetch Dependabot metadata
id: metadata
uses: dependabot/fetch-metadata@21025c705c08248db411dc16f3619e6b5f9ea21a # v2.5.0
with:
github-token: ${{ secrets.GITHUB_TOKEN }}

- name: Analyze major version bump
if: >-
steps.metadata.outputs.package-ecosystem == 'github_actions' && steps.metadata.outputs.update-type ==
'version-update:semver-major'
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
env:
DEP_NAME: ${{ steps.metadata.outputs.dependency-names }}
PREV_VERSION: ${{ steps.metadata.outputs.previous-version }}
NEW_VERSION: ${{ steps.metadata.outputs.new-version }}
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
script: |
const depName = process.env.DEP_NAME;
const prevVersion = process.env.PREV_VERSION;
const newVersion = process.env.NEW_VERSION;
const parts = depName.split('/');
const owner = parts[0];
const repo = parts[1];
const repoSlug = `${owner}/${repo}`;

let releases = [];
try {
const { data } = await github.rest.repos.listReleases({ owner, repo, per_page: 50 });
releases = data;
} catch (err) {
core.warning(`Could not fetch releases for ${repoSlug}: ${err.message}`);
}

const prevMajor = parseInt(prevVersion.replace(/^v/, ''), 10);
const newMajor = parseInt(newVersion.replace(/^v/, ''), 10);

const relevantReleases = releases.filter(r => {
const major = parseInt(r.tag_name.replace(/^v/, ''), 10);
return major > prevMajor && major <= newMajor;
});

let releaseNotesSummary = '';
let breakingChanges = '';

if (relevantReleases.length === 0) {
releaseNotesSummary = '_No releases found between these versions._';
breakingChanges = `_Unable to determine breaking changes automatically. Please review the [full changelog](https://github.com/${repoSlug}/releases)._`;
} else {
for (const release of relevantReleases.slice(0, 10)) {
const body = release.body || '_No release notes._';
releaseNotesSummary += `### ${release.tag_name}${release.name && release.name !== release.tag_name ? ' — ' + release.name : ''}\n\n`;
releaseNotesSummary += body.substring(0, 2000);
if (body.length > 2000) releaseNotesSummary += '\n\n_...truncated_';
releaseNotesSummary += '\n\n---\n\n';
const lines = body.split('\n');
for (const line of lines) {
if (/breaking|BREAKING|removed|deprecated|incompatible|migration/i.test(line)) {
breakingChanges += `- ${line.trim()}\n`;
}
}
}
}

if (!breakingChanges) {
breakingChanges = '_No explicit breaking changes detected in release notes. Manual review recommended._';
}

let commentBody = `## :warning: Major Version Update — Manual Review Required

| Field | Value |
|-------|-------|
| **Action** | [\`${depName}\`](https://github.com/${repoSlug}) |
| **Previous** | \`v${prevVersion}\` |
| **New** | \`v${newVersion}\` |
| **Type** | Major (\`v${prevMajor}\` → \`v${newMajor}\`) |

### Breaking Changes

${breakingChanges}

### Release Notes (v${prevMajor + 1} → v${newMajor})

${releaseNotesSummary}

### Next Steps

1. Review breaking changes above
2. Check if workflow inputs/outputs changed
3. Verify compatibility with your CI/CD configuration

> Full changelog: https://github.com/${repoSlug}/releases

---
_Generated automatically for Dependabot major version PRs._`.replace(/^ /gm, '');

if (commentBody.length > 64000) {
commentBody = commentBody.substring(0, 63900) + '\n\n_...comment truncated due to size limit._';
}

await github.rest.issues.createComment({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.payload.pull_request.number,
body: commentBody,
});

try {
const labelsToAdd = ['major-update', 'needs-review'];
for (const label of labelsToAdd) {
try {
await github.rest.issues.getLabel({ owner: context.repo.owner, repo: context.repo.repo, name: label });
} catch {
const colors = { 'major-update': 'B60205', 'needs-review': 'FBCA04' };
await github.rest.issues.createLabel({
owner: context.repo.owner, repo: context.repo.repo,
name: label, color: colors[label] || 'EDEDED',
});
}
}
await github.rest.issues.addLabels({
owner: context.repo.owner,
repo: context.repo.repo,
issue_number: context.payload.pull_request.number,
labels: labelsToAdd,
});
} catch (err) {
core.warning(`Could not add labels: ${err.message}`);
}
11 changes: 6 additions & 5 deletions .github/workflows/e2e-tests-full.yml
Original file line number Diff line number Diff line change
Expand Up @@ -28,28 +28,29 @@ jobs:
matrix:
cdk-source: [npm, main]
steps:
- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
ref: ${{ github.event_name == 'workflow_dispatch' && github.ref || 'main' }}
- uses: actions/setup-node@v6
persist-credentials: false
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
with:
node-version: '20.x'
cache: 'npm'
- name: Configure git
run: |
git config --global user.email "ci@amazon.com"
git config --global user.name "CI"
- uses: astral-sh/setup-uv@v7
- uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v6
uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6
with:
role-to-assume: ${{ secrets.E2E_AWS_ROLE_ARN }}
aws-region: ${{ inputs.aws_region || 'us-east-1' }}
- name: Get AWS Account ID
id: aws
run: echo "account_id=$(aws sts get-caller-identity --query Account --output text)" >> "$GITHUB_OUTPUT"
- name: Get API keys from Secrets Manager
uses: aws-actions/aws-secretsmanager-get-secrets@v3
uses: aws-actions/aws-secretsmanager-get-secrets@2cb1a461cbd4865ac4299648312e4704c646cd53 # v3
with:
secret-ids: |
E2E,${{ secrets.E2E_SECRET_ARN }}
Expand Down
Loading