chore(release): 1.106.0 #14865

Merged
merged 42 commits into from
May 25, 2021

Conversation

aws-cdk-automation
Collaborator

@aws-cdk-automation aws-cdk-automation commented May 25, 2021

See CHANGELOG

brentryan and others added 30 commits March 28, 2021 21:21
By default, all GitHub actions have read permissions via the standard
`GITHUB_TOKEN`. For jobs that require write permission, explicitly
add the necessary permissions.

In the case of the 'Yarn Upgrade' GitHub action, separated the
'upgrade' step and the 'pull request' step into separate
jobs to build a better security boundary between the two.

Inspired by: https://github.com/projen/projen/blob/a4f875d07b57f8f8247b9352e34c3c83759afe82/.github/workflows/upgrade-dependencies.yml

The previous commit incorrectly removed this token and used the default
GitHub token. GitHub prevents subsequent GitHub actions from being triggered
if the default token is used.

Switch it back.
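
The job split and token handling described in the two commit messages above, as an added example workflow; it is not the aws-cdk repository's own file and not part of either commit. The schedule, job, branch and artifact names, the choice of `peter-evans/create-pull-request`, and the `PLACEHOLDER_PR_TOKEN` secret are assumptions.

```yaml
# Added example: names, schedule and the secret below are assumptions.
name: yarn-upgrade
on:
  schedule:
    - cron: "0 4 * * 1"
  workflow_dispatch: {}

# Workflow-wide default for GITHUB_TOKEN: read-only.
permissions:
  contents: read

jobs:
  upgrade:
    # Runs dependency install scripts, so it never holds a write-capable token.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - run: yarn install && yarn upgrade
      - name: Save the result as a patch
        run: git diff --binary > upgrade.patch
      - uses: actions/upload-artifact@v2
        with:
          name: upgrade-patch
          path: upgrade.patch

  pull-request:
    # Only applies the patch and opens the PR; runs no project code.
    needs: upgrade
    runs-on: ubuntu-latest
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@v2
      - uses: actions/download-artifact@v2
        with:
          name: upgrade-patch
      - name: Apply the patch if the upgrade changed anything
        run: |
          if [ -s upgrade.patch ]; then git apply upgrade.patch; fi
          rm -f upgrade.patch
      - uses: peter-evans/create-pull-request@v3
        with:
          # A non-default token, so that workflows still trigger on the new PR.
          # The job-level permissions above scope only GITHUB_TOKEN, not this token.
          token: ${{ secrets.PLACEHOLDER_PR_TOKEN }}
          branch: automation/yarn-upgrade
          title: "chore: yarn upgrade"
          commit-message: "chore: yarn upgrade"
```
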
…14742)

Resolve #11626

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Ran npm-check-updates and yarn upgrade to keep the `yarn.lock` file up-to-date.
Adds go `app` init template for cdk v2. References aws-cdk-go v2
and constructs v10.

Testing: Checked out the v2-main branch and added this init template to
the CLI. Changed the version of `packages/aws-cdk/package.json` from
`0.0.0` to `2.0.0-rc.4` and ran `buildup`. Then ran `cdk init
--language=go` against local build of CLI and verified that `cdk ls` and
`cdk synth` both output correctly using both local cli and `npx
cdk@next`.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
The repo for cfn-lint was previously cfn-python-lint. This is now
changed to cfn-lint, causing the bump job to fail.

Fix up the repo name.


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Co-authored-by: AWS CDK Team <aws-cdk@amazon.com>
…14754)

The role created by `CustomResourceProvider` is a `CfnResource` with a manual type, not a `CfnRole` to avoid a cyclical dependency. But since `PermissionBoundary` assumes all role/user resources in scope are instances of `CfnRole` or `CfnUser`, a permission boundary is not correctly applied to the custom resource's role (or any other role or user created directly through `CfnResource`).

This PR solves the above problem by adding extra conditionals for the `CfnResource` case and adds permission boundaries through the `addPropertyOverride` escape hatch.

fixes #13310

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…ent (#14699)

The error from the Cognito service:

> Value 'phone_number_verified' at 'schema.1.member.name' failed to
> satisfy constraint: Member must have length less than or equal to 20

The attributes 'phone_number_verified' and 'email_verified' were
incorrectly modeled as standard attributes in the CDK.
When specified, Cognito interprets these as custom attributes, and
applies the corresponding validation. Hence, the above error message.

These two attributes are actually Cognito built-in attributes (not
documented as such as of the time of this commit). Users cannot specify
or configure these as part of user pool creation.
They can only be modified after creation using the Cognito IdP control
plane APIs, ex: AdminUpdateUserAttributes API.

see https://docs.aws.amazon.com/cognito/latest/developerguide/user-pool-settings-attributes.html
internal ref: t.corp/D23141918

closes #14175


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
If the principal passed to Function.addPermission has conditions
associated with it (i.e., PrincipalWithConditions) and the
conditions are supported by CfnPermission (i.e.,
aws:SourceAccount and aws:SourceArn), then the values will be
passed to their corresponding CfnPermission parameter.

fixes #8116


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
This adds the IAM grant `grantStreamAggregatedResources` to VirtualNodes and VirtualGateways. Example below

```ts
const gateway = new appmesh.VirtualGateway(stack, 'testGateway', { mesh: mesh });
const envoyUser = new iam.User(stack, 'envoyUser');

/**
 * This will grant `grantStreamAggregatedResources` ONLY for this gateway.
 */
gateway.grantStreamAggregatedResources(envoyUser)
``` 

resolves #11639


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…hesis step (#14793)

Documents the action the user should take to prevent #9217.

The problem here is that, for any app that does asset bundling or uses constructs like `NodeJsFunction` (or its counterparts in other languages), the CodeBuild project has to be configured to run in privileged mode. But the only way to check whether the app uses these things is to run it and check the generated cloud assembly, which will fail if the privileged flag is not set.

The only way to break out of this circular dependency would be to perform some sort of static analysis in the app before running it, or perhaps creating some concept of dry-run, in which the app just reports what it would do without actually doing it. But these solutions would be very complex to implement and probably not worth it. So we're resorting to asking the user to tell the CDK what to do.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…4729)

Fixes #10782

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
In a previous commit - 8395d9d - the timeout for a single test was
increased to 1 hour since it was noticed to fail consistently.

Since then, other tests have also failed intermittently due to
CloudFormation actions taking longer than expected in some regions.

Increase the timeout for all tests to 1 hour when executing in
CodeBuild. To keep the dev-test cycle reasonable, maintain a 10 minute
timeout when developing outside of CodeBuild.
Follow-up to #13181 where a Lambda was added to this package.

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Niranjan Jayakar and others added 11 commits May 21, 2021 14:58
…yment (#14586)

Function hash calculations include properties such as
`ReservedConcurrentExecutions`, `Tags` and `DependsOn` which do not
affect lambda versions.

The change is to only use specific properties in the `Properties` section
of `AWS::Lambda::Function` for hash calculation.

We record and classify the current set of properties for the resource
type `AWS::Lambda::Function`. Any unclassified property will error out.
To support escape hatches, a `Function.classifyVersionProperty()` API
is introduced.

However, this change causes logical for the `Version` resource to
change. Since the lambda service does not allow duplicate versions,
users will see deployment failures without additional changes to the
`Function` resource. Hence, keep all this logic behind a feature flag that
users can opt into.

fixes #11537

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
…global Tables (#14054)

The custom resource implementation uses IAM managed policies. There's a
limit of 10 managed policies per role in IAM. Throw if we reach this limit.

The long term solution is to implement a L2 for [`AWS::DynamoDB::GlobalTable`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-dynamodb-globaltable.html).

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
feat(ecs-service-extensions): allow taskRole to be passed in on creation of an ECS service
Previously, the actual linter was modeled as a regular npm package named
'prlint' and a shim module named 'prlinter' existed that exposed this as
a GitHub action package.

This extra layer of indirection is not very useful until we have another
use case where the linter will be used outside of GitHub Actions.

For the foreseeable future, this will be only used via GitHub Actions.
Remove this extra layer to simplify.
…refer to JsonPath (#14126)

Updates the TaskEnvironmentVariable interface member documentation to refer to JsonPath class's static methods as helpers to specify a value from the Task's JSON path.

Related to #3445


----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
@iRoachie 

I think this is the proper type here?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Switch package to typescript so we get type safety and all the
typescript goodness.
@gitpod-io

gitpod-io bot commented May 25, 2021

@aws-cdk-automation aws-cdk-automation added the pr/no-squash This PR should be merged instead of squash-merging it label May 25, 2021
@aws-cdk-automation
Collaborator Author

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject89A8053A-LhjRyN9kxr8o
  • Commit ID: b517d64
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@mergify
Contributor

mergify bot commented May 25, 2021

Thank you for contributing! Your pull request will be automatically updated and merged without squashing (do not update manually, and be sure to allow changes to be pushed to your fork).

@skinny85 skinny85 merged commit fe32f1c into release May 25, 2021
@skinny85 skinny85 deleted the bump/1.106.0 branch May 25, 2021 17:43