chore(release): 2.186.0 (#33921)

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/bump/2.186.0/CHANGELOG.md)

Author: mergify[bot]

.github/ISSUE_TEMPLATE/bug-report.yml

@@ -12,7 +12,7 @@ body:
 
         **⚠️ Please read this before filling out the form below:**  
         If the bug you are reporting is a security-related issue or a security vulnerability,
-        please report it via [Report a security vulnerability](https://github.com/aws/aws-cdk/security/advisories/new) instead of this template.
+        please report it via [Report a security vulnerability](https://github.com/aws/aws-cdk/security/policy) instead of this template.
   - type: textarea
     id: description
     attributes:

.github/codeql/codeql-config.yml

@@ -0,0 +1,4 @@
+# example: https://github.com/github/codeql-action/blob/main/.github/codeql/codeql-config.yml
+name: "CodeQL config"
+paths-ignore:
+  - '**/*.snapshot/**/asset*/index.js'

.github/dependabot.yml

@@ -11,33 +11,3 @@ updates:
     labels:
       - "auto-approve"
     open-pull-requests-limit: 5
-  - package-ecosystem: "pip"
-    directory: "/packages/@aws-cdk/lambda-layer-awscli"
-    schedule:
-      interval: "weekly"
-    labels:
-      - "auto-approve"
-    open-pull-requests-limit: 5
-
-  # Non-TypeScript init template dependency updates
-  - package-ecosystem: "pip"
-    directory: "/packages/aws-cdk/lib/init-templates"
-    schedule:
-      interval: "weekly"
-    labels:
-      - "auto-approve"
-    open-pull-requests-limit: 5
-  - package-ecosystem: "maven"
-    directory: "/packages/aws-cdk/lib/init-templates"
-    schedule:
-      interval: "weekly"
-    labels:
-      - "auto-approve"
-    open-pull-requests-limit: 5
-  - package-ecosystem: "nuget"
-    directory: "/packages/aws-cdk/lib/init-templates"
-    schedule:
-      interval: "weekly"
-    labels:
-      - "auto-approve"
-    open-pull-requests-limit: 5

.github/workflows/README.md

@@ -128,3 +128,8 @@ Owner: CDK Support team
 
 [project-prioritization-needs-attention.yml](project-prioritization-needs-attention.yml): GitHub action that runs every day to update Needs Attention field in the prioritization project board.
 Owner: CDK Support team
+
+### PR Prioritization AddedOn update
+
+[project-prioritization-added-on.yml](project-prioritization-added-on.yml): GitHub action that runs every day to update AddedOn field in the prioritization project board.
+Owner: CDK Support team

.github/workflows/analytics-metadata-updater.yml

@@ -7,7 +7,7 @@ on:
 
 jobs:
   update-analytics-metadata:
-    if: github.repository == 'aws/aws-cdk'
+    if: github.repository == 'aws/aws-cdk' && github.actor == 'aws-cdk-automation'
     runs-on: ubuntu-latest
     permissions:
       contents: write

.github/workflows/codeql.yml

@@ -46,6 +46,7 @@ jobs:
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
+        config-file: ./.github/codeql/codeql-config.yml
         # If you wish to specify custom queries, you can do so here or in a config file.
         # By default, queries listed here will override any specified in a config file.
         # Prefix the list here with "+" to use these queries and those in the config file.

.github/workflows/enum-auto-updater.yml

@@ -0,0 +1,78 @@
+name: CDK Enums Auto Updater
+on:
+  workflow_dispatch:
+
+jobs:
+  update-l2-enums:
+    if: github.repository == 'aws/aws-cdk'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Check Out
+        uses: actions/checkout@v4
+        
+      - name: Set up Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: "*"
+        env:
+          NODE_OPTIONS: "--max-old-space-size=8196 --experimental-worker ${NODE_OPTIONS:-}"
+
+      - name: Install dependencies
+        run: yarn install --frozen-lockfile && cd tools/@aws-cdk/enum-updater && yarn build
+
+      - name: Identify Missing Values and Apply Code Changes
+        run: |
+          cd tools/@aws-cdk/enum-updater
+          ./bin/update-missing-enums
+
+      - name: Check for changes
+        id: git-check
+        run: |
+          if [[ -n "$(git status --porcelain)" ]]; then
+            echo "changes=true" >> $GITHUB_OUTPUT
+          else
+            echo "changes=false" >> $GITHUB_OUTPUT
+          fi
+  
+      - name: Commit & Push changes
+        if: steps.git-check.outputs.changes == 'true'
+        run: |
+          git config --global user.name 'aws-cdk-automation'
+          git config --global user.email '[email protected]'
+          
+          # Iterate through each module directory that has changes
+          for module in $(git diff --name-only | grep -E '^packages/(@aws-cdk|aws-cdk-lib)/.*' | sed -E 's|^packages/(@aws-cdk\|aws-cdk-lib)/([^/]+).*|\2|' | sort -u); do
+            moduleName=$(basename $module)
+          
+            # Check for existing PR with the same name
+            prExists=$(gh pr list --state open --search "feat(${moduleName#aws-}): add new enum values for ${moduleName#aws-}" --json number,title -q '.[].number')
+          
+            # If a PR exists, close it and continue
+            if [[ -n "$prExists" ]]; then
+              echo "PR already exists for module ${moduleName#aws-}, closing the existing PR."
+              gh pr close "$prExists" --confirm  # Close the PR by its number
+            fi
+          
+            # Create a new branch for the module
+            branchName="enum-update/${moduleName#aws-}"
+            git checkout -b "$branchName"
+            
+            # Stage, commit, and push changes for the module
+            git add "packages/$module"  # Add only changes for this module
+            git commit -m "chore(${moduleName#aws-}): add new enum values for ${moduleName#aws-}"
+            git push origin "$branchName"
+          
+          # Create a new pull request
+          gh pr create --title "chore(${moduleName#aws-}): add new enum values for ${moduleName#aws-}" \
+           --body "This PR updates the enum values for ${moduleName#aws-}." \
+           --base main \
+           --head "$branchName"
+           --label "contribution/core,pr-linter/exempt-integ-test,pr-linter/exempt-readme,pr-linter/exempt-test" \
+           --reviewer "aws-cdk-team" \
+          done
+        
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/lambda-runtime-tests.yml

@@ -6,7 +6,7 @@ on:
 
 jobs:
   update-lambda-tests:
-    if: github.repository == 'aws/aws-cdk'
+    if: github.repository == 'aws/aws-cdk' && github.actor == 'aws-cdk-automation'
     runs-on: ubuntu-latest
     permissions:
       contents: write

.github/workflows/project-prioritization-added-on.yml

@@ -0,0 +1,21 @@
+name: PR Prioritization AddedOn update
+
+on:
+  schedule:
+    - cron: '0 */6 * * 1-5'  # Runs every 6 hours during weekdays
+  workflow_dispatch:        # Manual trigger
+
+jobs:
+  update_added_on:
+    if: github.repository == 'aws/aws-cdk'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name:  Update AddedOn field
+        uses: actions/github-script@v7
+        with:
+          github-token: ${{ secrets.PROJEN_GITHUB_TOKEN }}
+          script: |
+            const script = require('./scripts/prioritization/update-added-on.js')
+            await script({github})

.github/workflows/yarn-upgrade.yml

@@ -39,10 +39,6 @@ jobs:
       - name: Install Tools
         run: |-
           npm -g install lerna npm-check-updates
-      - name: Build Integ Runner
-        run: |
-          export NODE_OPTIONS="--max-old-space-size=8196 --experimental-worker ${NODE_OPTIONS:-}"
-          npx lerna run build --scope @aws-cdk/integ-runner
       - name: List Mono-Repo Packages
         id: list-packages
         # These need to be ignored from the `ncu` runs!
@@ -77,9 +73,6 @@ jobs:
       - name: Run "yarn upgrade"
         run: yarn upgrade
 
-      - name: Regenerate Integ Runner attributions
-        run: cd packages/@aws-cdk/integ-runner && yarn pkglint
-
       # Next, create and upload the changes as a patch file. This will later be downloaded to create a pull request
       # Creating a pull request requires write permissions and it's best to keep write privileges isolated.
       - name: Create Patch