ci: fix broken Slack notification workflows (incoming-webhook)

.github/workflows/e2e-tests-full.yml

@@ -5,11 +5,12 @@ on:
       aws_region:
         description: 'AWS region for deployment'
         default: 'us-east-1'
+        type: string
   schedule:
-    - cron: '0 14 * * 1' # Every Monday at 9 AM EST (14:00 UTC)
+    - cron: '0 14 * * 1' # Mondays 14:00 UTC (09:00 EST / 10:00 EDT — cron does not observe DST)
 
 concurrency:
-  group: e2e-${{ github.event.pull_request.number || github.ref }}
+  group: e2e-full-${{ github.ref }}
   cancel-in-progress: false
 
 permissions:
@@ -21,6 +22,10 @@ jobs:
     runs-on: ubuntu-latest
     environment: e2e-testing
     timeout-minutes: 60
+    env:
+      # Single source for the AWS region default. On `workflow_dispatch` the
+      # input applies; on `schedule` `inputs` is empty so the fallback applies.
+      AWS_REGION: ${{ inputs.aws_region || 'us-east-1' }}
     strategy:
       fail-fast: false
       matrix:
@@ -40,10 +45,10 @@ jobs:
           git config --global user.name "CI"
       - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6
+        uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
         with:
           role-to-assume: ${{ secrets.E2E_AWS_ROLE_ARN }}
-          aws-region: ${{ inputs.aws_region || 'us-east-1' }}
+          aws-region: ${{ env.AWS_REGION }}
       - name: Get AWS Account ID
         id: aws
         run: echo "account_id=$(aws sts get-caller-identity --query Account --output text)" >> "$GITHUB_OUTPUT"
@@ -58,21 +63,31 @@ jobs:
       - name: Build CDK package from main
         if: matrix.cdk-source == 'main'
         run: |
-          git clone --depth 1 "https://x-access-token:${CDK_REPO_TOKEN}@github.com/${CDK_REPO}.git" /tmp/cdk-repo
+          set -euo pipefail
+          [ -n "${CDK_REPO_TOKEN:-}" ] && [ -n "${CDK_REPO:-}" ] || { echo "::error::Required secrets CDK_REPO_NAME and CDK_REPO_TOKEN are not configured"; exit 1; }
+          git clone --depth 1 --branch main "https://x-access-token:${CDK_REPO_TOKEN}@github.com/${CDK_REPO}.git" /tmp/cdk-repo
           cd /tmp/cdk-repo
           npm ci
           npm run build
-          TARBALL=$(npm pack --pack-destination "$RUNNER_TEMP" | tail -1)
-          echo "CDK_TARBALL=$RUNNER_TEMP/$TARBALL" >> "$GITHUB_ENV"
+          TARBALL="$(npm pack --json --pack-destination "$RUNNER_TEMP" | jq -r '.[0].filename')"
+          [ -n "$TARBALL" ] && [ "$TARBALL" != "null" ] || { echo "::error::npm pack produced no tarball"; exit 1; }
+          CDK_TARBALL="$RUNNER_TEMP/$TARBALL"
+          # Fail loud: a missing tarball would silently fall back to the published
+          # CDK in installCdkTarball(), defeating the `main` matrix leg.
+          [ -f "$CDK_TARBALL" ] || { echo "::error::CDK tarball not found at '$CDK_TARBALL'"; exit 1; }
+          echo "CDK_TARBALL=$CDK_TARBALL" >> "$GITHUB_ENV"
         env:
           CDK_REPO_TOKEN: ${{ secrets.CDK_REPO_TOKEN }}
           CDK_REPO: ${{ secrets.CDK_REPO_NAME }}
       - name: Install CLI globally
-        run: npm install -g "$(npm pack | tail -1)"
+        run: |
+          set -euo pipefail
+          TARBALL="$(npm pack --json | jq -r '.[0].filename')"
+          [ -n "$TARBALL" ] && [ "$TARBALL" != "null" ] || { echo "::error::npm pack produced no tarball"; exit 1; }
+          npm install -g "./$TARBALL"
       - name: Run E2E tests (${{ matrix.cdk-source }})
         env:
           AWS_ACCOUNT_ID: ${{ steps.aws.outputs.account_id }}
-          AWS_REGION: ${{ inputs.aws_region || 'us-east-1' }}
           ANTHROPIC_API_KEY: ${{ env.E2E_ANTHROPIC_API_KEY }}
           OPENAI_API_KEY: ${{ env.E2E_OPENAI_API_KEY }}
           GEMINI_API_KEY: ${{ env.E2E_GEMINI_API_KEY }}

.github/workflows/e2e-tests.yml

@@ -9,6 +9,7 @@ on:
       aws_region:
         description: 'AWS region for deployment'
         default: 'us-east-1'
+        type: string
 
 concurrency:
   group: e2e-${{ inputs.pr_number || github.ref }}
@@ -23,6 +24,11 @@ jobs:
     runs-on: ubuntu-latest
     environment: e2e-testing
     timeout-minutes: 30
+    env:
+      # Single source for the AWS region default. This workflow is
+      # dispatch-only, so the input always applies; the fallback guards the
+      # case where the optional `aws_region` input is left blank on dispatch.
+      AWS_REGION: ${{ inputs.aws_region || 'us-east-1' }}
     strategy:
       fail-fast: false
       matrix:
@@ -55,10 +61,10 @@ jobs:
           git config --global user.name "CI"
       - uses: astral-sh/setup-uv@37802adc94f370d6bfd71619e3f0bf239e1f3b78 # v7
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6
+        uses: aws-actions/configure-aws-credentials@d979d5b3a71173a29b74b5b88418bfda9437d885 # v6.1.1
         with:
           role-to-assume: ${{ secrets.E2E_AWS_ROLE_ARN }}
-          aws-region: ${{ inputs.aws_region || 'us-east-1' }}
+          aws-region: ${{ env.AWS_REGION }}
       - name: Get AWS Account ID
         id: aws
         run: echo "account_id=$(aws sts get-caller-identity --query Account --output text)" >> "$GITHUB_OUTPUT"
@@ -74,28 +80,42 @@ jobs:
       - name: Build CDK package from main
         if: matrix.cdk-source == 'main'
         run: |
-          git clone --depth 1 "https://x-access-token:${CDK_REPO_TOKEN}@github.com/${CDK_REPO}.git" /tmp/cdk-repo
+          set -euo pipefail
+          [ -n "${CDK_REPO_TOKEN:-}" ] && [ -n "${CDK_REPO:-}" ] || { echo "::error::Required secrets CDK_REPO_NAME and CDK_REPO_TOKEN are not configured"; exit 1; }
+          git clone --depth 1 --branch main "https://x-access-token:${CDK_REPO_TOKEN}@github.com/${CDK_REPO}.git" /tmp/cdk-repo
           cd /tmp/cdk-repo
           npm ci
           npm run build
-          TARBALL=$(npm pack --pack-destination "$RUNNER_TEMP" | tail -1)
-          echo "CDK_TARBALL=$RUNNER_TEMP/$TARBALL" >> "$GITHUB_ENV"
+          TARBALL="$(npm pack --json --pack-destination "$RUNNER_TEMP" | jq -r '.[0].filename')"
+          [ -n "$TARBALL" ] && [ "$TARBALL" != "null" ] || { echo "::error::npm pack produced no tarball"; exit 1; }
+          CDK_TARBALL="$RUNNER_TEMP/$TARBALL"
+          # Fail loud: a missing tarball would silently fall back to the published
+          # CDK in installCdkTarball(), defeating the `main` matrix leg.
+          [ -f "$CDK_TARBALL" ] || { echo "::error::CDK tarball not found at '$CDK_TARBALL'"; exit 1; }
+          echo "CDK_TARBALL=$CDK_TARBALL" >> "$GITHUB_ENV"
         env:
           CDK_REPO_TOKEN: ${{ secrets.CDK_REPO_TOKEN }}
           CDK_REPO: ${{ secrets.CDK_REPO_NAME }}
 
       - run: npm ci
       - run: npm run build
       - name: Install CLI globally
-        run: npm install -g "$(npm pack | tail -1)"
+        run: |
+          set -euo pipefail
+          TARBALL="$(npm pack --json | jq -r '.[0].filename')"
+          [ -n "$TARBALL" ] && [ "$TARBALL" != "null" ] || { echo "::error::npm pack produced no tarball"; exit 1; }
+          npm install -g "./$TARBALL"
       - name: Run E2E tests (${{ matrix.cdk-source }})
         env:
           AWS_ACCOUNT_ID: ${{ steps.aws.outputs.account_id }}
-          AWS_REGION: ${{ inputs.aws_region || 'us-east-1' }}
           ANTHROPIC_API_KEY: ${{ env.E2E_ANTHROPIC_API_KEY }}
           OPENAI_API_KEY: ${{ env.E2E_OPENAI_API_KEY }}
           GEMINI_API_KEY: ${{ env.E2E_GEMINI_API_KEY }}
           CDK_TARBALL: ${{ env.CDK_TARBALL }}
-        # Only run Bedrock tests on PRs to avoid creating ApiKeyCredentialProviders,
-        # which have a 50-resource account limit and accumulate from interrupted runs.
+        # This manual/dispatch workflow runs the lighter Bedrock-related e2e subset
+        # to keep the per-PR run fast, rather than the full suite (which runs in
+        # e2e-tests-full.yml). The args below are vitest substring path filters, so
+        # this matches every test file whose path contains `strands-bedrock` or
+        # `langgraph-bedrock` (e.g. strands-bedrock, strands-bedrock-memory,
+        # container-strands-bedrock, langgraph-bedrock), not just two suites.
         run: npx vitest run --project e2e strands-bedrock langgraph-bedrock

.github/workflows/slack-issue-notification.yml

@@ -12,15 +12,9 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Send issue details to Slack
-        uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
+        uses: slackapi/slack-github-action@b0fa283ad8fea605de13dc3f449259339835fc52 # v2.1.0
         with:
-          webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
-          webhook-type: webhook-trigger
+          webhook: ${{ secrets.SLACK_WEBHOOK_OSS_ALERTS }}
+          webhook-type: incoming-webhook
           payload: |
-            issue_title: "${{ github.event.issue.title }}"
-            issue_number: "${{ github.event.issue.number }}"
-            issue_url: "${{ github.event.issue.html_url }}"
-            issue_author: "${{ github.event.issue.user.login }}"
-            issue_body: ${{ toJSON(github.event.issue.body) }}
-            repository: "${{ github.repository }}"
-            created_at: "${{ github.event.issue.created_at }}"
+            { "text": ${{ toJSON(format(':inbox_tray: *New issue in {0}*: #{1} {2} (by {3})\n{4}', github.repository, github.event.issue.number, github.event.issue.title, github.event.issue.user.login, github.event.issue.html_url)) }} }

.github/workflows/slack-open-prs-notification.yml

@@ -2,7 +2,7 @@ name: Slack Open PRs Notification
 
 on:
   schedule:
-    - cron: '0 13 * * *' # 8:00 AM EST (13:00 UTC)
+    - cron: '0 13 * * *' # 13:00 UTC daily (08:00 EST / 09:00 EDT — cron does not observe DST)
   workflow_dispatch:
 
 permissions:
@@ -17,35 +17,36 @@ jobs:
         uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
         with:
           script: |
-            const { data: prs } = await github.rest.pulls.list({
+            const prs = await github.paginate(github.rest.pulls.list, {
               owner: context.repo.owner,
               repo: context.repo.repo,
               state: 'open',
+              per_page: 100,
             });
 
             const count = prs.length;
 
             // Format each PR with plain text and bare URL (Slack auto-links URLs)
             const prList = prs.map(pr =>
-              `• #${pr.number} - ${pr.title} (by ${pr.user.login})\n  ${pr.html_url}`
+              `• #${pr.number} - ${pr.title} (by ${pr.user?.login ?? 'unknown'})\n  ${pr.html_url}`
             ).join('\n');
 
             core.setOutput('count', count);
 
             // Use GITHUB_OUTPUT delimiter for multiline support
+            const crypto = require('crypto');
+            const delimiter = `PRLIST_${crypto.randomUUID()}`;
             const fs = require('fs');
             fs.appendFileSync(
               process.env.GITHUB_OUTPUT,
-              `pr_list<<PRLIST_EOF\n${prList}\nPRLIST_EOF\n`
+              `pr_list<<${delimiter}\n${prList}\n${delimiter}\n`
             );
 
       - name: Send open PRs summary to Slack
-        uses: slackapi/slack-github-action@af78098f536edbc4de71162a307590698245be95 # v3.0.1
+        if: ${{ steps.open-prs.outputs.count != '0' }}
+        uses: slackapi/slack-github-action@b0fa283ad8fea605de13dc3f449259339835fc52 # v2.1.0
         with:
-          webhook: ${{ secrets.SLACK_OPEN_PRS_WEBHOOK_URL }}
-          webhook-type: webhook-trigger
+          webhook: ${{ secrets.SLACK_WEBHOOK_OSS_ALERTS }}
+          webhook-type: incoming-webhook
           payload: |
-            pr_count: "${{ steps.open-prs.outputs.count }}"
-            pr_list: ${{ toJSON(steps.open-prs.outputs.pr_list) }}
-            repository: "${{ github.repository }}"
-            repository_url: "https://github.com/${{ github.repository }}/pulls"
+            { "text": ${{ toJSON(format(':bar_chart: *Open PRs in {0}* ({1}): https://github.com/{0}/pulls\n{2}', github.repository, steps.open-prs.outputs.count, steps.open-prs.outputs.pr_list)) }} }