Merge branch 'main' into remove-integ

.github/ISSUE_TEMPLATE/bug-report.yml

@@ -12,6 +12,14 @@ body:
       description: What is the problem? A clear and concise description of the bug.
     validations:
       required: true
+  - type: checkboxes
+    id: regression
+    attributes:
+      label: Regression Issue
+      description: What is a regression? If it worked in a previous version but doesn't in the latest version, it's considered a regression. In this case, please provide specific version number in the report.
+      options:
+        - label: Select this option if this issue appears to be a regression.
+          required: false
   - type: textarea
     id: expected
     attributes:

.github/workflows/automerge-approved-prs.yml

@@ -0,0 +1,32 @@
+on:
+  pull_request_review:
+    types: submitted
+
+jobs:
+  approved_pr:
+    name: Automerge approved PRs
+    permissions:
+      contents: write
+      pull-requests: write
+      id-token: write
+    if: ${{ github.event.review.state == 'approved' && github.repository == 'aws-actions/configure-aws-credentials' && (github.event.review.author_association == 'OWNER' || github.event.review.author_association == 'MEMBER' || github.event.review.user.login == 'aws-sdk-osds') }}
+    runs-on: ubuntu-latest
+    steps:
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-west-2
+          role-to-assume: ${{ secrets.SECRETS_AWS_PACKAGING_ROLE_TO_ASSUME }}
+          role-duration-seconds: 900
+          role-session-name: SecretsManagerFetch
+      - name: Get bot user token
+        uses: aws-actions/aws-secretsmanager-get-secrets@v2
+        with:
+          parse-json-secrets: true
+          secret-ids: |
+            ${{ secrets.OSDS_PACKAGING_ROLE }}
+      - name: Enable PR automerge
+        run: gh pr merge --auto --squash "$PR_URL"
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GITHUB_TOKEN: ${{ env.OSDS_ACCESS_TOKEN }}

.github/workflows/cawsc-test.yml

@@ -0,0 +1,20 @@
+name: Test Configure AWS Credential
+on:
+  workflow_dispatch:
+
+jobs:
+  cawsc:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+    steps:
+      - name: CAWSC
+        uses: aws-actions/configure-aws-credentials@main
+        with:
+          aws-region: us-west-2
+          role-to-assume: ${{ secrets.SECRETS_AWS_PACKAGING_ROLE_TO_ASSUME }}
+          role-duration-seconds: 900
+          role-session-name: TestCAWSC
+      - name: Whoami
+        run: |
+          aws sts get-caller-identity

.github/workflows/dependabot-autoapprove.yml

@@ -0,0 +1,41 @@
+name: Dependabot auto-approve
+on:
+  pull_request:
+  workflow_dispatch:
+
+permissions:
+  pull-requests: write
+  id-token: write
+  contents: read
+jobs:
+  dependabot:
+    runs-on: ubuntu-latest
+    if: ${{ github.event.pull_request.user.login == 'dependabot[bot]' && github.repository == 'aws-actions/configure-aws-credentials' }}
+    steps:
+      - name: Get Metadata
+        id: dependabot-metadata
+        uses: dependabot/fetch-metadata@v2
+      - uses: actions/checkout@v4
+        name: Clone repo
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-region: us-west-2
+          role-to-assume: ${{ secrets.SECRETS_AWS_PACKAGING_ROLE_TO_ASSUME }}
+          role-duration-seconds: 900
+      - name: Get bot user token
+        uses: aws-actions/aws-secretsmanager-get-secrets@v2
+        with:
+          parse-json-secrets: true
+          secret-ids: |
+            ${{ secrets.OSDS_PACKAGING_ROLE }}
+      - name: Approve PR if not already approved
+        run: |
+          gh pr checkout "$PR_URL"
+          if [ "$(gh pr status --json reviewDecision - q .currentBranch.reviewDecision)" != "APPROVED" ]; then
+            gh pr review "$PR_URL" --approve
+          else echo "PR already approved"
+          fi
+        env:
+          PR_URL: ${{ github.event.pull_request.html_url }}
+          GITHUB_TOKEN: ${{ env.OSDS_ACCESS_TOKEN }}

.github/workflows/issue-regression-labeler.yml

@@ -0,0 +1,32 @@
+# Apply potential regression label on issues
+name: issue-regression-label
+on:
+  issues:
+    types: [opened, edited]
+jobs:
+  add-regression-label:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+    steps:
+    - name: Fetch template body
+      id: check_regression
+      uses: actions/github-script@v7
+      env: 
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        TEMPLATE_BODY: ${{ github.event.issue.body }}
+      with:
+        script: |
+          const regressionPattern = /\[x\] Select this option if this issue appears to be a regression\./i;
+          const template = `${process.env.TEMPLATE_BODY}`
+          const match = regressionPattern.test(template);
+          core.setOutput('is_regression', match);
+    - name: Manage regression label
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      run: |
+        if [ "${{ steps.check_regression.outputs.is_regression }}" == "true" ]; then
+          gh issue edit ${{ github.event.issue.number }} --add-label "potential-regression" -R ${{ github.repository }}
+        else
+          gh issue edit ${{ github.event.issue.number }} --remove-label "potential-regression" -R ${{ github.repository }}
+        fi

.github/workflows/package-dist.yml

@@ -39,7 +39,7 @@ jobs:
         with:
           parse-json-secrets: true
           secret-ids: |
-            OSDS,arn:aws:secretsmanager:us-west-2:206735643321:secret:github-aws-sdk-osds-automation-gebs9n
+            ${{ secrets.OSDS_PACKAGING_ROLE }}
       - name: Commit
         run: |
           echo "::add-mask::${{ env.OSDS_ACCESS_TOKEN }}"
@@ -48,4 +48,4 @@ jobs:
           git remote set-url origin https://${{ env.OSDS_ACCESS_TOKEN }}@github.com/aws-actions/configure-aws-credentials.git
           git add dist
           git commit -m "chore: Update dist" || echo "No changes to commit"
-          git push origin
+          git push --force origin

.github/workflows/release-please.yml

@@ -0,0 +1,43 @@
+---
+  name: Release Please
+  on:
+    push:
+      branches:
+        - main
+
+  permissions:
+    id-token: write
+    contents: write
+    pull-requests: write
+
+  jobs:
+    release-please:
+      runs-on: ubuntu-latest
+      steps:
+        - name: Checkout Repository
+          uses: actions/checkout@v4
+          with:
+            fetch-depth: 0
+
+        - name: Configure AWS Credentials
+          uses: aws-actions/configure-aws-credentials@v4
+          with:
+            aws-region: us-west-2
+            role-to-assume: ${{ secrets.SECRETS_AWS_PACKAGING_ROLE_TO_ASSUME }}
+            role-duration-seconds: 900
+            role-session-name: ${{ github.run_id }}
+
+        - name: Get git credentials
+          uses: aws-actions/aws-secretsmanager-get-secrets@v2
+          with:
+            parse-json-secrets: true
+            secret-ids: |
+              ${{ secrets.OSDS_PACKAGING_ROLE }}
+
+        - name: Run release-please
+          uses: googleapis/release-please-action@v4
+          with:
+            release-type: node
+            token: ${{ env.OSDS_ACCESS_TOKEN }}
+            config-file: release-please-config.json
+            manifest-file: .release-please-manifest.json