awslabs
diff --git a/‎.github/CODEOWNERS‎
Lines changed: 3 additions & 5 deletions b/‎.github/CODEOWNERS‎
Lines changed: 3 additions & 5 deletions
diff --git a/‎.github/workflows/aws-api-mcp-upgrade-version.yml‎
Lines changed: 224 additions & 0 deletions b/‎.github/workflows/aws-api-mcp-upgrade-version.yml‎
Lines changed: 224 additions & 0 deletions
diff --git a/‎.github/workflows/checkov.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/checkov.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/dependency-review-action.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/dependency-review-action.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/python.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/python.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/release-initiate-branch.yml‎
Lines changed: 5 additions & 3 deletions b/‎.github/workflows/release-initiate-branch.yml‎
Lines changed: 5 additions & 3 deletions
diff --git a/‎.github/workflows/release.yml‎
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/release.yml‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/stale.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/stale.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/trivy.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/trivy.yml‎
Lines changed: 1 addition & 1 deletion
@@ -25,7 +25,6 @@ NOTICE                                           @awslabs/mcp-admins
 /src/amazon-neptune-mcp-server                   @awslabs/mcp-admins @awslabs/mcp-maintainers  @bechbd @cornerwings @krlawrence
 /src/amazon-qbusiness-anonymous-mcp-server       @awslabs/mcp-admins @awslabs/mcp-maintainers  @abhjaw
 /src/amazon-qindex-mcp-server                    @awslabs/mcp-admins @awslabs/mcp-maintainers  @tkoba-aws @akhileshamara
-/src/amazon-rekognition-mcp-server               @awslabs/mcp-admins @awslabs/mcp-maintainers  @ayush987goyal
 /src/amazon-sns-sqs-mcp-server                   @awslabs/mcp-admins @awslabs/mcp-maintainers  @kenliao94 @hashimsharkh
 /src/aurora-dsql-mcp-server                      @awslabs/mcp-admins @awslabs/mcp-maintainers  @krokoko # @silver83 @marcbowes @kennthhz
 /src/aws-api-mcp-server                          @awslabs/mcp-admins @awslabs/mcp-maintainers  @awslabs/aws-api-mcp @rshevchuk-git @PCManticore @iddv @arnewouters @bidesh
@@ -47,10 +46,9 @@ NOTICE                                           @awslabs/mcp-admins
 /src/billing-cost-management-mcp-server          @awslabs/mcp-admins @awslabs/mcp-maintainers  @chittev @Rahul-1404
 /src/ccapi-mcp-server                            @awslabs/mcp-admins @awslabs/mcp-maintainers  @novekm
 /src/cdk-mcp-server                              @awslabs/mcp-admins @awslabs/mcp-maintainers  @jimini55
-/src/cfn-mcp-server                              @awslabs/mcp-admins @awslabs/mcp-maintainers  @karamvsingh
+/src/cfn-mcp-server                              @awslabs/mcp-admins @awslabs/mcp-maintainers  @scottschreckengaust @krokoko @alexa-perlov # @karamvsingh
 /src/cloudtrail-mcp-server                       @awslabs/mcp-admins @awslabs/mcp-maintainers  @rokafella
 /src/cloudwatch-appsignals-mcp-server            @awslabs/mcp-admins @awslabs/mcp-maintainers  @yiyuan-he @mxiamxia @iismd17 @syed-ahsan-ishtiaque
-/src/cloudwatch-logs-mcp-server                  @awslabs/mcp-admins @awslabs/mcp-maintainers  @lemmoi @shri-tambe
 /src/cloudwatch-mcp-server                       @awslabs/mcp-admins @awslabs/mcp-maintainers  @gcacace @shri-tambe @agiuliano @goranmod
 /src/code-doc-gen-mcp-server                     @awslabs/mcp-admins @awslabs/mcp-maintainers  @jimini55
 /src/core-mcp-server                             @awslabs/mcp-admins @awslabs/mcp-maintainers  @PaulVincent707
@@ -62,7 +60,7 @@ NOTICE                                           @awslabs/mcp-admins
 /src/elasticache-mcp-server                      @awslabs/mcp-admins @awslabs/mcp-maintainers  @seaofawareness
 /src/finch-mcp-server                            @awslabs/mcp-admins @awslabs/mcp-maintainers  @Shubhranshu153 @pendo324
 /src/frontend-mcp-server                         @awslabs/mcp-admins @awslabs/mcp-maintainers  @jimini55
-/src/git-repo-research-mcp-server                @awslabs/mcp-admins @awslabs/mcp-maintainers  @jonslo
+/src/git-repo-research-mcp-server                @awslabs/mcp-admins @awslabs/mcp-maintainers  @krokoko @theagenticguy
 /src/healthlake-mcp-server                       @awslabs/mcp-admins @awslabs/mcp-maintainers  @aws-steve @awsri
 /src/iam-mcp-server                              @awslabs/mcp-admins @awslabs/mcp-maintainers  @oshardik
 /src/lambda-tool-mcp-server                      @awslabs/mcp-admins @awslabs/mcp-maintainers  @danilop @jsamuel1
@@ -74,7 +72,7 @@ NOTICE                                           @awslabs/mcp-admins
 /src/postgres-mcp-server                         @awslabs/mcp-admins @awslabs/mcp-maintainers  @kennthhz
 /src/prometheus-mcp-server                       @awslabs/mcp-admins @awslabs/mcp-maintainers  @MohamedSherifAbdelsamiea
 /src/redshift-mcp-server                         @awslabs/mcp-admins @awslabs/mcp-maintainers  @grayhemp
-/src/s3-tables-mcp-server                        @awslabs/mcp-admins @awslabs/mcp-maintainers  @gsoundar @gregorywright @Kurtiscwright @hsingh574 @ananthaksr
+/src/s3-tables-mcp-server                        @awslabs/mcp-admins @awslabs/mcp-maintainers  @gsoundar @gregorywright @Kurtiscwright @hsingh574 @ananthaksr @okhomin
 /src/stepfunctions-tool-mcp-server               @awslabs/mcp-admins @awslabs/mcp-maintainers  @mmouniro
 /src/syntheticdata-mcp-server                    @awslabs/mcp-admins @awslabs/mcp-maintainers  @pranjbh
 /src/terraform-mcp-server                        @awslabs/mcp-admins @awslabs/mcp-maintainers  @alexa-perlov
 
@@ -0,0 +1,224 @@
+---
+name: AWS API MCP Server - Upgrade AWS CLI Version
+description: |
+  This workflow upgrades the AWS CLI version in src/aws-api-mcp-server using uv upgrade
+  and creates a pull request with the changes.
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 5 * * *'  # Daily at 6 AM Amsterdam time (UTC+1)
+env:
+  BOT_USER_EMAIL: ${{ vars.BOT_USER_EMAIL || '[email protected]' }}
+  BOT_USER_NAME: ${{ vars.BOT_USER_NAME || 'awslabs-mcp' }}
+permissions:
+  actions: none
+  attestations: none
+  checks: none
+  contents: none
+  deployments: none
+  discussions: none
+  id-token: none
+  issues: none
+  models: none
+  packages: none
+  pages: none
+  pull-requests: none
+  repository-projects: none
+  security-events: none
+  statuses: none
+jobs:
+  upgrade-awscli:
+    name: Upgrade AWS CLI Version
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: write
+      pull-requests: write
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+        with:
+          token: ${{ secrets.BOT_GITHUB_TOKEN }}
+      - name: Install uv
+        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
+      - name: Check and upgrade AWS CLI version
+        id: upgrade
+        working-directory: src/aws-api-mcp-server
+        run: |
+          set -euo pipefail
+
+          # Get current installed version
+          CURRENT_VERSION=$(uv run python -c "from importlib.metadata import version; print(version('awscli'))")
+          echo "::debug::Current AWS CLI version: $CURRENT_VERSION"
+
+          # Get latest version from PyPI
+          LATEST_VERSION=$(uv run --no-project python -c "import urllib.request, json; print(json.loads(urllib.request.urlopen('https://pypi.org/pypi/awscli/json').read())['info']['version'])")
+          echo "::debug::Latest AWS CLI version from PyPI: $LATEST_VERSION"
+
+          # Set version outputs
+          echo "current-version=$CURRENT_VERSION" >> $GITHUB_OUTPUT
+          echo "latest-version=$LATEST_VERSION" >> $GITHUB_OUTPUT
+
+          # Compare versions
+          if [[ "$CURRENT_VERSION" == "$LATEST_VERSION" ]]; then
+            echo "has-changes=false" >> $GITHUB_OUTPUT
+            echo "::notice::AWS CLI is already up to date (version $CURRENT_VERSION)"
+          else
+            echo "has-changes=true" >> $GITHUB_OUTPUT
+            echo "::notice::Upgrading AWS CLI from $CURRENT_VERSION to $LATEST_VERSION"
+
+            # Remove existing awscli dependency
+            echo "::debug::Removing existing awscli dependency"
+            uv remove awscli
+
+            # Add new version with exact pinning
+            echo "::debug::Adding awscli==$LATEST_VERSION"
+            uv add "awscli==$LATEST_VERSION"
+
+            # Sync dependencies
+            echo "::debug::Syncing dependencies"
+            uv sync
+
+            echo "::debug::AWS CLI upgrade completed"
+          fi
+      - name: Create upgrade branch
+        if: steps.upgrade.outputs.has-changes == 'true'
+        id: create-branch
+        run: |
+          set -euo pipefail
+
+          LATEST_VERSION="${{ steps.upgrade.outputs.latest-version }}"
+          UPGRADE_BRANCH="upgrade/aws-api-mcp-awscli-v$LATEST_VERSION"
+
+          echo "::debug::Creating upgrade branch: $UPGRADE_BRANCH"
+
+          # Configure git user
+          git config --local user.email "${{ env.BOT_USER_EMAIL }}"
+          git config --local user.name "${{ env.BOT_USER_NAME }}"
+
+          # Create and push branch
+          git checkout -b "$UPGRADE_BRANCH"
+          git push --set-upstream origin "$UPGRADE_BRANCH"
+
+          # Verify branch was created
+          if ! git ls-remote --heads origin "$UPGRADE_BRANCH" | grep -q "$UPGRADE_BRANCH"; then
+            echo "::error::Failed to verify branch creation: $UPGRADE_BRANCH" >&2
+            exit 1
+          fi
+
+          echo "upgrade-branch=$UPGRADE_BRANCH" >> $GITHUB_OUTPUT
+          echo "::debug::Successfully created upgrade branch: $UPGRADE_BRANCH"
+      - name: Configure Git and GPG securely
+        if: steps.upgrade.outputs.has-changes == 'true'
+        env:
+          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+          GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
+        run: |
+          set -euo pipefail  # SECURITY: Strict error handling
+
+          # Create secure temporary directory for GPG
+          export GNUPGHOME=$(mktemp -d)
+          chmod 700 "$GNUPGHOME"
+          echo "GNUPGHOME=$GNUPGHOME" >> $GITHUB_ENV
+
+          echo "::debug::Setting up secure GPG environment"
+
+          # Configure git user
+          git config --local user.email "${{ env.BOT_USER_EMAIL }}"
+          git config --local user.name "${{ env.BOT_USER_NAME }}"
+
+          # Import GPG key without exposing secrets in command line
+          echo "$GPG_PRIVATE_KEY" | gpg --batch --import --quiet
+          echo "$GPG_KEY_ID:6:" | gpg --import-ownertrust --quiet
+
+          # Configure git GPG settings
+          git config --global user.signingkey "$GPG_KEY_ID"
+          git config --global commit.gpgsign true
+          git config --global tag.gpgsign true
+
+          # Test GPG functionality
+          echo "test" | gpg --batch --yes --passphrase-fd 0 --pinentry-mode loopback \
+            --sign --armor --local-user "$GPG_KEY_ID" <<< "$GPG_PASSPHRASE" > /dev/null
+
+          echo "::debug::GPG configuration completed successfully"
+      - name: Commit and push changes
+        if: steps.upgrade.outputs.has-changes == 'true'
+        env:
+          GPG_KEY_ID: ${{ secrets.GPG_KEY_ID }}
+          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
+        run: |
+          set -euo pipefail
+          echo "::debug::Committing changes"
+
+          # Add only the source directory
+          git add src/aws-api-mcp-server/
+
+          # Cache GPG signature
+          echo "commit" | gpg --batch --yes --passphrase-fd 0 --pinentry-mode loopback \
+          --sign --armor --local-user "$GPG_KEY_ID" <<< "$GPG_PASSPHRASE" > /dev/null
+
+          # Create signed commit
+          git commit -m "chore(aws-api-mcp-server): upgrade AWS CLI to v${{ steps.upgrade.outputs.latest-version }}" --sign
+
+          # Pull with rebase to maintain linear history
+          git pull --rebase origin "${{ steps.create-branch.outputs.upgrade-branch }}"
+
+          # Push changes
+          git push origin "${{ steps.create-branch.outputs.upgrade-branch }}"
+
+          echo "::debug::Successfully committed and pushed changes"
+      - name: Create pull request
+        if: steps.upgrade.outputs.has-changes == 'true'
+        env:
+          GITHUB_TOKEN: ${{ secrets.BOT_GITHUB_TOKEN }}
+        run: |
+          set -euo pipefail
+
+          UPGRADE_BRANCH="${{ steps.create-branch.outputs.upgrade-branch }}"
+          BASE_BRANCH="${{ github.ref_name }}"
+
+          echo "::debug::Creating PR from $UPGRADE_BRANCH to $BASE_BRANCH"
+
+          # Validate branch names
+          if [[ ! "$UPGRADE_BRANCH" =~ ^upgrade/aws-api-mcp-awscli-v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+            echo "::error::Invalid upgrade branch format: $UPGRADE_BRANCH" >&2
+            exit 1
+          fi
+
+          # Create PR with validated content
+          PR_URL="$(gh pr create \
+            --base "$BASE_BRANCH" \
+            --head "$UPGRADE_BRANCH" \
+            --title "chore(aws-api-mcp-server): upgrade AWS CLI to v${{ steps.upgrade.outputs.latest-version }}" \
+            --label "aws-api-mcp" \
+            --body "# AWS CLI Version Upgrade
+
+          This PR upgrades the AWS CLI version in the aws-api-mcp-server package.
+
+          ## Changes
+          * Updated AWS CLI from **v${{ steps.upgrade.outputs.current-version }}** to **v${{ steps.upgrade.outputs.latest-version }}**
+
+          ## Checklist
+          - [ ] Dependencies have been upgraded
+          - [ ] Lock file has been updated
+          - [ ] Tests pass with new versions
+
+          ## Acknowledgment
+          By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of the [project license](https://github.com/awslabs/mcp/blob/main/LICENSE).")"
+
+          echo "::debug::Successfully created pull request $PR_URL"
+          echo "### :arrow_up: AWS CLI Upgrade Ready" >> $GITHUB_STEP_SUMMARY
+          echo "Pull request $PR_URL created for [$UPGRADE_BRANCH](https://github.com/${{ github.repository }}/tree/$UPGRADE_BRANCH) branch" >> $GITHUB_STEP_SUMMARY
+      - name: Secure GPG cleanup
+        if: always()
+        run: |
+          set +e  # Don't fail on cleanup errors
+          echo "::debug::Performing secure cleanup"
+          if [[ -n "${GNUPGHOME:-}" && -d "$GNUPGHOME" ]]; then
+            rm -rf "$GNUPGHOME"
+            echo "::debug::Cleaned up GPG directory"
+          fi
+          gpgconf --kill gpg-agent 2>/dev/null || true
+          unset GPG_PRIVATE_KEY GPG_PASSPHRASE GPG_KEY_ID GNUPGHOME 2>/dev/null || true
+          echo "::debug::Secure cleanup completed"
@@ -28,7 +28,7 @@ jobs:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
 
       - name: Checkov GitHub Action
-        uses: bridgecrewio/checkov-action@4f9f1bef9f759c19c966f39c0638ea427d776f4d # v12.3060.0
+        uses: bridgecrewio/checkov-action@cba89e33f08479973cadc681333ffe84f7c8e824 # v12.3064.0
         with:
           # This will add both a CLI output to the console and create a results.sarif file
           output_format: cli,sarif
 
@@ -12,7 +12,7 @@ jobs:
       - name: 'Checkout Repository'
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@56339e523c0409420f6c2c9a2f4292bbb3c07dd3 #v4.8.0
+        uses: actions/dependency-review-action@40c09b7dc99638e5ddb0bfd91c1673effc064d8a #v4.8.1
         with:
           # https://github.com/actions/dependency-review-action/issues/944
           allow-dependencies-licenses: 'pkg:pypi/[email protected]'
 
@@ -78,7 +78,7 @@ jobs:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
       - name: Install uv
-        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
+        uses: astral-sh/setup-uv@3259c6206f993105e3a61b142c2d97bf4b9ef83d # v7.1.0
 
       - name: Set up Python
         uses: actions/setup-python@e797f83bcb11b83ae66e0230d6156d7c80228e7c # v6.0.0
 
@@ -178,14 +178,16 @@ jobs:
           token: ${{ secrets.BOT_GITHUB_TOKEN }}
           ref: ${{ needs.create-branch.outputs.release-branch }}
       - name: Install uv
-        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
+        uses: astral-sh/setup-uv@3259c6206f993105e3a61b142c2d97bf4b9ef83d # v7.1.0
       - name: Bump package version
         run: |
           set -euo pipefail
           echo "${{ toJson(needs.look-for-changes.outputs.changed-directories) }}" | \
             jq -r '.[]' | \
-            xargs -I{} \
-            bash -c 'uv run --script .github/workflows/release.py bump-package --directory="$SRC_DIRECTORY/{}" && if [ -f "$SRC_DIRECTORY/{}/pyproject.toml" ]; then uv sync --directory="$SRC_DIRECTORY/{}";fi;' bash
+            xargs -I{} -L 1 -S 1024 \
+            bash -c '(uv run --script .github/workflows/release.py bump-package --directory="$SRC_DIRECTORY/{}" && if [ -f "$SRC_DIRECTORY/{}/pyproject.toml" ]; then uv sync --directory="$SRC_DIRECTORY/{}";fi;) || echo "
+            NOTE: skipped $SRC_DIRECTORY/{}; either deleted or not a Python project...
+            "' bash
           echo "::debug::Version bumps completed"
       - name: Configure Git and GPG securely
         env:
 
@@ -303,7 +303,7 @@ jobs:
       # Clear up space for specific large projects
       - name: Clear Up Space (Aggressively) for Specific Projects
         if: contains(fromJson('["core-mcp-server"]'), matrix.changed-directory)
-        uses: awslabs/mcp/.github/actions/clear-space-ubuntu-latest-agressively@9ac9729e875ab99608ba7c0419f60fdb27c27602
+        uses: awslabs/mcp/.github/actions/clear-space-ubuntu-latest-agressively@c2d7bf853b8e31f22697101601bd4a0438c09f13
       #TODO: remove local action checkout when working...
       - name: Checkout repository
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
@@ -350,7 +350,7 @@ jobs:
 
           echo "::debug::Directory validated: $FULL_PATH"
       - name: Install uv
-        uses: astral-sh/setup-uv@d0cc045d04ccac9d8b7881df0226f9e82c39688e # v6.8.0
+        uses: astral-sh/setup-uv@3259c6206f993105e3a61b142c2d97bf4b9ef83d # v7.1.0
       - name: Build package
         working-directory: ${{ env.SRC_DIRECTORY }}/${{ matrix.changed-directory }}
         run: |
 
@@ -12,7 +12,7 @@ jobs:
       issues: write
       pull-requests: write
     steps:
-      - uses: actions/stale@3a9db7e6a41a89f618792c92c0e97cc736e1b13f # v10.0.0
+      - uses: actions/stale@5f858e3efba33a5ca4407a664cc011ad407f2008 # v10.1.0
         with:
           days-before-stale: -1
           days-before-close: -1
 
@@ -46,7 +46,7 @@ jobs:
     steps:
       - name: Clear Up Space (Agressively) for Trivy Scans that Run Out of Space
         if: contains(toJson('["src/core-mcp-server"]'), matrix.dockerfile)
-        uses: awslabs/mcp/.github/actions/clear-space-ubuntu-latest-agressively@9ac9729e875ab99608ba7c0419f60fdb27c27602
+        uses: awslabs/mcp/.github/actions/clear-space-ubuntu-latest-agressively@c2d7bf853b8e31f22697101601bd4a0438c09f13
 
       - name: Get Checkout Depth
         id: checkout-depth