feat: add boto3 and botocore automated dependency update github worklflows

.github/workflows/sync_release_to_main.yml

@@ -0,0 +1,104 @@
+name: Sync release branch to main branch
+on:
+  push:
+    branches:
+      - release
+  workflow_dispatch:
+permissions:
+  contents: write
+  pull-requests: write
+jobs:
+  sync-branches:
+    runs-on: ubuntu-latest
+    name: Checkout main head and merge in release
+    permissions:
+      contents: write
+      pull-requests: write
+    strategy:
+      fail-fast: true
+    outputs:
+      pull-request-number: ${{ steps.create-pull-request.outputs.pull-request-number }}
+
+    steps:
+    - uses: actions/checkout@v6
+      with:
+        submodules: false
+        fetch-depth: 0
+        fetch-tags: true
+        ref: main
+
+    - name: Get autopilot release head commit, just for cosmetic purposes (logging)
+      id: get-autopilot-release-head-commit
+      run: |
+
+        git config --global user.name "${GITHUB_ACTOR}"
+        git config --global user.email "${GITHUB_ACTOR}@users.noreply.github.com"
+
+        git checkout release && git submodule init && git submodule update && export autopilot_release_head_commit=$(git rev-parse release) && echo "autopilot_release_head_commit=${autopilot_release_head_commit:0:7}" >> "$GITHUB_OUTPUT"
+
+        cat $GITHUB_OUTPUT
+
+    - name: Get boto3 version used by release HEAD
+      id: get-head-boto3-version-info
+      run: |
+        cd iam-policy-autopilot-policy-generation/resources/config/sdks/boto3 && echo "boto3_version=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT" && cd ../../../../..
+
+        cat $GITHUB_OUTPUT
+
+    - name: Get botocore version used by release HEAD
+      id: get-head-botocore-version-info
+      run: |
+        cd iam-policy-autopilot-policy-generation/resources/config/sdks/botocore-data && echo "botocore_version=$(git rev-parse HEAD)" >> "$GITHUB_OUTPUT" && cd ../../../../..
+
+        cat $GITHUB_OUTPUT
+
+    - name: Pull submodule versions from release, and synchronize
+      run: |
+        git checkout main && git submodule init && git submodule update
+
+        cd iam-policy-autopilot-policy-generation/resources/config/sdks/boto3 && git fetch --all && git checkout $BOTO3_RELEASE_HEAD_COMMIT && cd ../../../../.. && git add iam-policy-autopilot-policy-generation/resources/config/sdks/boto3
+
+        cd iam-policy-autopilot-policy-generation/resources/config/sdks/botocore-data && git fetch --all && git checkout $BOTOCORE_RELEASE_HEAD_COMMIT && cd ../../../../.. && git add iam-policy-autopilot-policy-generation/resources/config/sdks/botocore-data
+
+      env: 
+        BOTO3_RELEASE_HEAD_COMMIT: ${{ steps.get-head-boto3-version-info.outputs.boto3_version }}
+        BOTOCORE_RELEASE_HEAD_COMMIT: ${{ steps.get-head-botocore-version-info.outputs.botocore_version }}
+        AUTOPILOT_RELEASE_HEAD_COMMIT: ${{ steps.get-autopilot-release-head-commit.outputs.autopilot_release_head_commit }}
+
+
+    - name: Create pull request to sync from release to main
+      uses: peter-evans/create-pull-request@v8
+      id: create-pull-request
+      with:
+        commit-message: |
+          chore: sync release branch submodule versions at commit ${{ steps.get-autopilot-release-head-commit.outputs.autopilot_release_head_commit }} to main branch
+        branch: sync-release-branch
+        sign-commits: true
+        title: | 
+          chore: sync release branch submodule versions at commit ${{ steps.get-autopilot-release-head-commit.outputs.autopilot_release_head_commit }} to main branch
+        body: |
+          chore: sync release branch submodule versions at commit ${{ steps.get-autopilot-release-head-commit.outputs.autopilot_release_head_commit }} to main branch
+
+    - name: Enable Pull Request Automerge for that submitted PR
+      run: |
+        if [[ "$PR_NUMBER" != "" ]]; then 
+          git status && gh pr merge --merge --auto "$PR_NUMBER"
+        fi 
+      env:
+        GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        PR_NUMBER: ${{steps.create-pull-request.outputs.pull-request-number}}
+
+  # The PR in the previous step was submitted on behalf of the github-actions actor. We now use our own PAT from our own account, to submit an approval on that PR. 
+  #   With auto-merge enabled, this will result in the PR being automatically merged.
+  auto-approve:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    needs: [sync-branches]
+    if: needs.sync-branches.outputs.pull-request-number != ''
+    steps:
+      - name: Auto approve PR requests from github actions
+        uses: hmarr/auto-approve-action@v4
+        with:
+          pull-request-number:  ${{ needs.sync-branches.outputs.pull-request-number }}
+          github-token: ${{ secrets.CUSTOM_GITHUB_ACTION_PAT }}

Cargo.toml

@@ -29,6 +29,7 @@ ast-grep-core = "0.39"
 schemars = { version = "^1", features = ["derive"] }
 rust-embed = { version = "8.9", features = ["compression", "include-exclude"] }
 reqwest = { version = "0.12.4", features = ["rustls-tls"], default-features = false }
+openssl = { version = "0.10", features = ["vendored"] }
 
 # Native async runtime and parallel processing
 tokio = { version = "1.0", features = ["fs", "rt", "rt-multi-thread", "macros", "signal"] }
@@ -46,7 +47,7 @@ criterion = "0.5"
 proptest = "1.0"
 
 # CLI-specific dependencies
-clap = { version = "4.5", features = ["derive", "env"] }
+clap = { version = "4.5", features = ["derive", "env", "cargo"] }
 env_logger = "0.11"
 log = "0.4"
 walkdir = "2.0"
@@ -64,7 +65,9 @@ serial_test = "3.0"
 atty = "0.2"
 chrono = { version = "0.4", features = ["serde"] }
 uuid = { version = "1.8", features = ["v4"] }
-sha2 = "0.10"
+aws-lc-rs = "1.15.2"
+git2 = "0.20.3"
+relative-path = "2.0.1"
 url = "2.5"
 percent-encoding = "2.3"
 aws-sdk-iam = "1.89.0"

iam-policy-autopilot-cli/src/commands.rs

@@ -4,10 +4,10 @@
 
 use crate::{output, types::ExitCode};
 use iam_policy_autopilot_access_denied::{ApplyError, ApplyOptions, DenialType};
-
 fn is_tty() -> bool {
     atty::is(atty::Stream::Stdin) && atty::is(atty::Stream::Stderr)
 }
+use clap::crate_version;
 
 /// Returns Some(true) if user confirmed, Some(false) if declined, None if not in TTY.
 fn prompt_yes_no() -> Option<bool> {
@@ -143,6 +143,31 @@ async fn fix_access_denied_with_service(
     }
 }
 
+pub fn print_version_info(debug: bool) -> anyhow::Result<()> {
+    println!("{}", crate_version!());
+    if debug {
+        let boto3_version_metadata =
+            iam_policy_autopilot_policy_generation::api::get_boto3_version_info()?;
+        let botocore_version_metadata =
+            iam_policy_autopilot_policy_generation::api::get_botocore_version_info()?;
+        println!(
+            "boto3 version: commit_id={}, commit_tag={}, data_hash={}",
+            boto3_version_metadata.git_commit_hash,
+            boto3_version_metadata.git_tag.unwrap_or("None".to_string()),
+            boto3_version_metadata.data_hash
+        );
+        println!(
+            "botocore version: commit_id={}, commit_tag={}, data_hash={}",
+            botocore_version_metadata.git_commit_hash,
+            botocore_version_metadata
+                .git_tag
+                .unwrap_or("None".to_string()),
+            botocore_version_metadata.data_hash
+        );
+    }
+    Ok(())
+}
+
 fn handle_apply_error(apply_error: ApplyError) -> ExitCode {
     match apply_error {
         ApplyError::UnsupportedDenialType => {

iam-policy-autopilot-cli/src/main.rs

@@ -36,6 +36,8 @@ mod types;
 use iam_policy_autopilot_mcp_server::{start_mcp_server, McpTransport};
 use types::ExitCode;
 
+use crate::commands::print_version_info;
+
 /// Default port for mcp server for Http Transport
 static MCP_HTTP_DEFAULT_PORT: u16 = 8001;
 
@@ -112,6 +114,7 @@ required for the operations you perform (e.g., KMS actions for S3 encryption).";
     name = "iam-policy-autopilot",
     author,
     version,
+    disable_version_flag = true,
     about = "Generate IAM policies from source code and fix AccessDenied errors",
     long_about = "Unified tool that combines IAM policy generation from source code analysis \
 with automatic AccessDenied error fixing. Supports three main operations:\n\n\
@@ -349,6 +352,16 @@ for direct integration with IDEs and tools. 'http' starts an HTTP server for net
 Only used when --transport=http. The server will bind to 127.0.0.1 (localhost) on the specified port.")]
         port: u16,
     },
+
+    #[command(
+        about = "Print version information.",
+        short_flag = 'V',
+        long_flag = "version"
+    )]
+    Version {
+        #[arg(short = 'd', long = "debug", default_value_t = false, hide = true)]
+        debug: bool,
+    },
 }
 
 /// Initialize logging based on configuration
@@ -611,6 +624,14 @@ async fn main() {
                 }
             }
         }
+
+        Commands::Version { debug } => match print_version_info(debug) {
+            Ok(()) => ExitCode::Success,
+            Err(e) => {
+                print_cli_command_error(e);
+                ExitCode::Error
+            }
+        },
     };
 
     process::exit(code.into());

iam-policy-autopilot-policy-generation/Cargo.toml

@@ -27,6 +27,11 @@ serde_json.workspace = true
 tokio.workspace = true
 async-trait.workspace = true
 strsim.workspace = true
+aws-lc-rs.workspace = true
+git2.workspace = true
+relative-path.workspace = true
+openssl.workspace = true
+
 
 # Build dependencies
 [build-dependencies]
@@ -40,6 +45,10 @@ tokio-util.workspace = true
 # JSON processing
 serde_json.workspace = true
 
+aws-lc-rs.workspace = true
+git2.workspace = true
+relative-path.workspace = true
+
 [features]
 default = []
 integ-test = []