Merge branch 'main' into feature/genomics-file-search

Author: WIIASD

.github/CODEOWNERS

@@ -25,7 +25,6 @@ NOTICE                                           @awslabs/mcp-admins
 /src/amazon-neptune-mcp-server                   @awslabs/mcp-admins @awslabs/mcp-maintainers  @bechbd @cornerwings @krlawrence
 /src/amazon-qbusiness-anonymous-mcp-server       @awslabs/mcp-admins @awslabs/mcp-maintainers  @abhjaw
 /src/amazon-qindex-mcp-server                    @awslabs/mcp-admins @awslabs/mcp-maintainers  @tkoba-aws @akhileshamara
-/src/amazon-rekognition-mcp-server               @awslabs/mcp-admins @awslabs/mcp-maintainers  @ayush987goyal
 /src/amazon-sns-sqs-mcp-server                   @awslabs/mcp-admins @awslabs/mcp-maintainers  @kenliao94 @hashimsharkh
 /src/aurora-dsql-mcp-server                      @awslabs/mcp-admins @awslabs/mcp-maintainers  @krokoko # @silver83 @marcbowes @kennthhz
 /src/aws-api-mcp-server                          @awslabs/mcp-admins @awslabs/mcp-maintainers  @awslabs/aws-api-mcp @rshevchuk-git @PCManticore @iddv @arnewouters @bidesh
@@ -47,10 +46,9 @@ NOTICE                                           @awslabs/mcp-admins
 /src/billing-cost-management-mcp-server          @awslabs/mcp-admins @awslabs/mcp-maintainers  @chittev @Rahul-1404
 /src/ccapi-mcp-server                            @awslabs/mcp-admins @awslabs/mcp-maintainers  @novekm
 /src/cdk-mcp-server                              @awslabs/mcp-admins @awslabs/mcp-maintainers  @jimini55
-/src/cfn-mcp-server                              @awslabs/mcp-admins @awslabs/mcp-maintainers  @karamvsingh
+/src/cfn-mcp-server                              @awslabs/mcp-admins @awslabs/mcp-maintainers  @scottschreckengaust @krokoko @alexa-perlov # @karamvsingh
 /src/cloudtrail-mcp-server                       @awslabs/mcp-admins @awslabs/mcp-maintainers  @rokafella
 /src/cloudwatch-appsignals-mcp-server            @awslabs/mcp-admins @awslabs/mcp-maintainers  @yiyuan-he @mxiamxia @iismd17 @syed-ahsan-ishtiaque
-/src/cloudwatch-logs-mcp-server                  @awslabs/mcp-admins @awslabs/mcp-maintainers  @lemmoi @shri-tambe
 /src/cloudwatch-mcp-server                       @awslabs/mcp-admins @awslabs/mcp-maintainers  @gcacace @shri-tambe @agiuliano @goranmod
 /src/code-doc-gen-mcp-server                     @awslabs/mcp-admins @awslabs/mcp-maintainers  @jimini55
 /src/core-mcp-server                             @awslabs/mcp-admins @awslabs/mcp-maintainers  @PaulVincent707
@@ -62,7 +60,7 @@ NOTICE                                           @awslabs/mcp-admins
 /src/elasticache-mcp-server                      @awslabs/mcp-admins @awslabs/mcp-maintainers  @seaofawareness
 /src/finch-mcp-server                            @awslabs/mcp-admins @awslabs/mcp-maintainers  @Shubhranshu153 @pendo324
 /src/frontend-mcp-server                         @awslabs/mcp-admins @awslabs/mcp-maintainers  @jimini55
-/src/git-repo-research-mcp-server                @awslabs/mcp-admins @awslabs/mcp-maintainers  @jonslo
+/src/git-repo-research-mcp-server                @awslabs/mcp-admins @awslabs/mcp-maintainers  @krokoko @theagenticguy
 /src/healthlake-mcp-server                       @awslabs/mcp-admins @awslabs/mcp-maintainers  @aws-steve @awsri
 /src/iam-mcp-server                              @awslabs/mcp-admins @awslabs/mcp-maintainers  @oshardik
 /src/lambda-tool-mcp-server                      @awslabs/mcp-admins @awslabs/mcp-maintainers  @danilop @jsamuel1
@@ -74,7 +72,7 @@ NOTICE                                           @awslabs/mcp-admins
 /src/postgres-mcp-server                         @awslabs/mcp-admins @awslabs/mcp-maintainers  @kennthhz
 /src/prometheus-mcp-server                       @awslabs/mcp-admins @awslabs/mcp-maintainers  @MohamedSherifAbdelsamiea
 /src/redshift-mcp-server                         @awslabs/mcp-admins @awslabs/mcp-maintainers  @grayhemp
-/src/s3-tables-mcp-server                        @awslabs/mcp-admins @awslabs/mcp-maintainers  @gsoundar @gregorywright @Kurtiscwright @hsingh574 @ananthaksr
+/src/s3-tables-mcp-server                        @awslabs/mcp-admins @awslabs/mcp-maintainers  @gsoundar @gregorywright @Kurtiscwright @hsingh574 @ananthaksr @okhomin
 /src/stepfunctions-tool-mcp-server               @awslabs/mcp-admins @awslabs/mcp-maintainers  @mmouniro
 /src/syntheticdata-mcp-server                    @awslabs/mcp-admins @awslabs/mcp-maintainers  @pranjbh
 /src/terraform-mcp-server                        @awslabs/mcp-admins @awslabs/mcp-maintainers  @alexa-perlov

.github/workflows/aws-api-mcp-upgrade-version.yml

@@ -0,0 +1,223 @@
+---
+name: AWS API MCP Server - Upgrade AWS CLI Version
+description: |
+  This workflow upgrades the AWS CLI version in src/aws-api-mcp-server using uv upgrade
+  and creates a pull request with the changes.
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 5 * * *'  # Daily at 6 AM Amsterdam time (UTC+1)
+env:
+  BOT_USER_EMAIL: ${{ vars.BOT_USER_EMAIL || '[email protected]' }}
+  BOT_USER_NAME: ${{ vars.BOT_USER_NAME || 'awslabs-mcp' }}
+permissions:
+  actions: none
+  attestations: none
+  checks: none
+  contents: none
+  deployments: none
+  discussions: none
+  id-token: none
+  issues: none
+  models: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+jobs:
+  upgrade-awscli:
+    name: Upgrade AWS CLI Version
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          token: ${{ secrets.BOT_GITHUB_TOKEN }}
+      - name: Install uv
+        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
+      - name: Check and upgrade AWS CLI version
+        id: upgrade
+        working-directory: src/aws-api-mcp-server
+        run: |
+          set -euo pipefail
+
+          # Get current installed version
+          CURRENT_VERSION=$(uv run python -c "from importlib.metadata import version; print(version('awscli'))")
+          echo "::debug::Current AWS CLI version: $CURRENT_VERSION"
+
+          # Get latest version from PyPI
+          LATEST_VERSION=$(uv run --no-project python -c "import urllib.request, json; print(json.loads(urllib.request.urlopen('https://pypi.org/pypi/awscli/json').read())['info']['version'])")
+          echo "::debug::Latest AWS CLI version from PyPI: $LATEST_VERSION"
+
+          # Set version outputs
+          echo "current-version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
+          echo "latest-version=$LATEST_VERSION" >> $GITHUB_OUTPUT
+
+          # Compare versions
+          if [[ "$CURRENT_VERSION" == "$LATEST_VERSION" ]]; then
+            echo "has-changes=false" >> $GITHUB_OUTPUT
+            echo "::notice::AWS CLI is already up to date (version $CURRENT_VERSION)"
+          else
+            echo "has-changes=true" >> $GITHUB_OUTPUT
+            echo "::notice::Upgrading AWS CLI from $CURRENT_VERSION to $LATEST_VERSION"
+
+            # Remove existing awscli dependency
+            echo "::debug::Removing existing awscli dependency"
+            uv remove awscli
+
+            # Add new version with exact pinning
+            echo "::debug::Adding awscli==$LATEST_VERSION"
+            uv add "awscli==$LATEST_VERSION"
+
+            # Sync dependencies
+            echo "::debug::Syncing dependencies"
+            uv sync
+
+            echo "::debug::AWS CLI upgrade completed"
+          fi
+      - name: Create upgrade branch
+        if: steps.upgrade.outputs.has-changes == 'true'
+        id: create-branch
+        run: |
+          set -euo pipefail
+
+          LATEST_VERSION="${{ steps.upgrade.outputs.latest-version }}"
+          UPGRADE_BRANCH="upgrade/aws-api-mcp-awscli-v$LATEST_VERSION"
+
+          echo "::debug::Creating upgrade branch: $UPGRADE_BRANCH"
+
+          # Configure git user
+          git config --local user.email "${{ env.BOT_USER_EMAIL }}"
+          git config --local user.name "${{ env.BOT_USER_NAME }}"
+
+          # Create and push branch
+          git checkout -b "$UPGRADE_BRANCH"
+          git push --set-upstream origin "$UPGRADE_BRANCH"
+
+          # Verify branch was created
+          if ! git ls-remote --heads origin "$UPGRADE_BRANCH" | grep -q "$UPGRADE_BRANCH"; then
+            echo "::error::Failed to verify branch creation: $UPGRADE_BRANCH" >&2
+            exit 1
+          fi
+
+          echo "upgrade-branch=$UPGRADE_BRANCH" >> $GITHUB_OUTPUT
+          echo "::debug::Successfully created upgrade branch: $UPGRADE_BRANCH"
+      - name: Configure Git and GPG securely
+        if: steps.upgrade.outputs.has-changes == 'true'
+        env:
+          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+          GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
+        run: |
+          set -euo pipefail  # SECURITY: Strict error handling
+
+          # Create secure temporary directory for GPG
+          export GNUPGHOME=$(mktemp -d)
+          chmod 700 "$GNUPGHOME"
+          echo "GNUPGHOME=$GNUPGHOME" >> $GITHUB_ENV
+
+          echo "::debug::Setting up secure GPG environment"
+
+          # Configure git user
+          git config --local user.email "${{ env.BOT_USER_EMAIL }}"
+          git config --local user.name "${{ env.BOT_USER_NAME }}"
+
+          # Import GPG key without exposing secrets in command line
+          echo "$GPG_PRIVATE_KEY" | gpg --batch --import --quiet
+          echo "$GPG_KEY_ID:6:" | gpg --import-ownertrust --quiet
+
+          # Configure git GPG settings
+          git config --global user.signingkey "$GPG_KEY_ID"
+          git config --global commit.gpgsign true
+          git config --global tag.gpgsign true
+
+          # Test GPG functionality
+          echo "test" | gpg --batch --yes --passphrase-fd 0 --pinentry-mode loopback \
+            --sign --armor --local-user "$GPG_KEY_ID" <<< "$GPG_PASSPHRASE" > /dev/null
+
+          echo "::debug::GPG configuration completed successfully"
+      - name: Commit and push changes
+        if: steps.upgrade.outputs.has-changes == 'true'
+        env:
+          GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
+          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+        run: |
+          set -euo pipefail
+          echo "::debug::Committing changes"
+
+          # Add only the source directory
+          git add src/aws-api-mcp-server/
+
+          # Cache GPG signature
+          echo "commit" | gpg --batch --yes --passphrase-fd 0 --pinentry-mode loopback \
+          --sign --armor --local-user "$GPG_KEY_ID" <<< "$GPG_PASSPHRASE" > /dev/null
+
+          # Create signed commit
+          git commit -m "chore(aws-api-mcp-server): upgrade AWS CLI to v${{ steps.upgrade.outputs.latest-version }}" --sign
+
+          # Pull with rebase to maintain linear history
+          git pull --rebase origin "${{ steps.create-branch.outputs.upgrade-branch }}"
+
+          # Push changes
+          git push origin "${{ steps.create-branch.outputs.upgrade-branch }}"
+
+          echo "::debug::Successfully committed and pushed changes"
+      - name: Create pull request
+        if: steps.upgrade.outputs.has-changes == 'true'
+        env:
+          GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+
+          UPGRADE_BRANCH="${{ steps.create-branch.outputs.upgrade-branch }}"
+          BASE_BRANCH="${{ github.ref_name }}"
+
+          echo "::debug::Creating PR from $UPGRADE_BRANCH to $BASE_BRANCH"
+
+          # Validate branch names
+          if [[ ! "$UPGRADE_BRANCH" =~ ^upgrade/aws-api-mcp-awscli-v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+            echo "::error::Invalid upgrade branch format: $UPGRADE_BRANCH" >&2
+            exit 1
+          fi
+
+          # Create PR with validated content
+          PR_URL="$(gh pr create \
+            --base "$BASE_BRANCH" \
+            --head "$UPGRADE_BRANCH" \
+            --title "chore(aws-api-mcp-server): upgrade AWS CLI to v${{ steps.upgrade.outputs.latest-version }}" \
+            --body "# AWS CLI Version Upgrade
+
+          This PR upgrades the AWS CLI version in the aws-api-mcp-server package.
+
+          ## Changes
+          * Updated AWS CLI from **v${{ steps.upgrade.outputs.current-version }}** to **v${{ steps.upgrade.outputs.latest-version }}**
+
+          ## Checklist
+          - [ ] Dependencies have been upgraded
+          - [ ] Lock file has been updated
+          - [ ] Tests pass with new versions
+
+          ## Acknowledgment
+          By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the [project license](https://github.com/awslabs/mcp/blob/main/LICENSE).")"
+
+          echo "::debug::Successfully created pull request $PR_URL"
+          echo "### :arrow_up: AWS CLI Upgrade Ready" >> $GITHUB_STEP_SUMMARY
+          echo "Pull request $PR_URL created for [$UPGRADE_BRANCH](https://github.com/${{ github.repository }}/tree/$UPGRADE_BRANCH) branch" >> $GITHUB_STEP_SUMMARY
+      - name: Secure GPG cleanup
+        if: always()
+        run: |
+          set +e  # Don't fail on cleanup errors
+          echo "::debug::Performing secure cleanup"
+          if [[ -n "${GNUPGHOME:-}" && -d "$GNUPGHOME" ]]; then
+            rm -rf "$GNUPGHOME"
+            echo "::debug::Cleaned up GPG directory"
+          fi
+          gpgconf --kill gpg-agent 2>/dev/null || true
+          unset GPG_PRIVATE_KEY GPG_PASSPHRASE GPG_KEY_ID GNUPGHOME 2>/dev/null || true
+          echo "::debug::Secure cleanup completed"

.github/workflows/dependency-review-action.yml

@@ -12,7 +12,7 @@ jobs:
       - name: 'Checkout Repository'
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@56339e523c0409420f6c2c9a2f4292bbb3c07dd3 #v4.8.0
+        uses: actions/dependency-review-action@40c09b7dc99638e5ddb0bfd91c1673effc064d8a #v4.8.1
         with:
           # https://github.com/actions/dependency-review-action/issues/944
           allow-dependencies-licenses: 'pkg:pypi/[email protected]'

.github/workflows/python.yml

@@ -78,7 +78,7 @@ jobs:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Install uv
-        uses: astral-sh/setup-uv@eb1897b8dc4b5d5bfe39a428a8f2304605e0983c # v7.0.0
+        uses: astral-sh/setup-uv@3259c6206f993105e3a61b142c2d97bf4b9ef83d # v7.1.0
 
       - name: Set up Python
         uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0

.github/workflows/release-initiate-branch.yml

@@ -178,7 +178,7 @@ jobs:
           token: ${{ secrets.BOT_GITHUB_TOKEN }}
           ref: ${{ needs.create-branch.outputs.release-branch }}
       - name: Install uv
-        uses: astral-sh/setup-uv@eb1897b8dc4b5d5bfe39a428a8f2304605e0983c # v7.0.0
+        uses: astral-sh/setup-uv@3259c6206f993105e3a61b142c2d97bf4b9ef83d # v7.1.0
       - name: Bump package version
         run: |
           set -euo pipefail

.github/workflows/release.yml

@@ -350,7 +350,7 @@ jobs:
 
           echo "::debug::Directory validated: $FULL_PATH"
       - name: Install uv
-        uses: astral-sh/setup-uv@eb1897b8dc4b5d5bfe39a428a8f2304605e0983c # v7.0.0
+        uses: astral-sh/setup-uv@3259c6206f993105e3a61b142c2d97bf4b9ef83d # v7.1.0
       - name: Build package
         working-directory: ${{ env.SRC_DIRECTORY }}/${{ matrix.changed-directory }}
         run: |