From a927e559a70737f2ef54f2264f8a1e81ef552084 Mon Sep 17 00:00:00 2001
From: Aidan Daly <aidandal@amazon.com>
Date: Fri, 5 Jun 2026 19:39:31 +0000
Subject: [PATCH] ci: smoke-test CDK synth to catch cloud-assembly schema
 mismatches
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

#1465 fixed a deploy break that no test caught: aws-cdk-lib@2.258.0 bumped
the cloud-assembly schema to 54, but the bundled CDK reader only read up to
53, so freshly-created projects failed at synth with AssemblyVersionMismatch.

Unit tests run against the pinned shrinkwrap, so they never exercise the
floating aws-cdk-lib range a customer's `npm install` resolves. The existing
sanity check stops at `agentcore create` and never synthesizes. The e2e suite
does synth but only on push-to-main / a weekly cron — the upstream publish
landed between runs.

Add a credential-free `cdk synth` smoke test right after `agentcore create`
in the always-on PR build job. `create` auto-installs the generated CDK app
against the template's floating range (resolving the latest aws-cdk-lib), so
this step writes a manifest at the newest schema and reads it back through the
bundled aws-cdk binary — going red the moment upstream CDK outruns our reader.

Verified: with the pre-#1465 binary (aws-cdk@2.1100.1) against
aws-cdk-lib@2.258.0 this step fails with the exact schema mismatch; with the
shipped 2.1126.0 it passes. synth performs no AWS calls, so no credentials
are required.
---
 .github/workflows/build-and-test.yml | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/.github/workflows/build-and-test.yml b/.github/workflows/build-and-test.yml
index e2ce32033..1323c10f7 100644
--- a/.github/workflows/build-and-test.yml
+++ b/.github/workflows/build-and-test.yml
@@ -56,6 +56,18 @@ jobs:
           agentcore --version
           agentcore create --name sanitytest --language Python --framework Strands --model-provider Bedrock --memory none --json
           test -f sanitytest/agentcore/agentcore.json
+      # Synthesize the generated CDK app against whatever aws-cdk-lib `create` just
+      # resolved from the template's floating range. This is the only CI step that
+      # exercises the cloud-assembly schema write+read path with the LATEST published
+      # aws-cdk-lib, so it catches upstream CDK schema bumps that outrun the bundled
+      # CDK reader (the regression in #1465). Runs without AWS credentials.
+      - name: Smoke-test CDK synth (catches cloud-assembly schema mismatch)
+        if: matrix.node-version == '20.x'
+        working-directory: sanitytest/agentcore/cdk
+        run: |
+          echo '[{"name":"default","account":"000000000000","region":"us-east-1"}]' > ../aws-targets.json
+          npm run cdk -- synth --quiet
+          test -f cdk.out/manifest.json
       - name: Upload tarball artifact
         if: matrix.node-version == '20.x'
         uses: actions/upload-artifact@v7