aws
diff --git a/‎.github/workflows/ensure-triage-label.yml‎
Lines changed: 24 additions & 0 deletions b/‎.github/workflows/ensure-triage-label.yml‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎.github/workflows/pr-linter.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/pr-linter.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎CHANGELOG.v2.alpha.md‎
Lines changed: 9 additions & 0 deletions b/‎CHANGELOG.v2.alpha.md‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎CHANGELOG.v2.md‎
Lines changed: 32 additions & 0 deletions b/‎CHANGELOG.v2.md‎
Lines changed: 32 additions & 0 deletions
diff --git a/‎docs/MIXINS_DESIGN_GUIDELINES.md‎
Lines changed: 41 additions & 5 deletions b/‎docs/MIXINS_DESIGN_GUIDELINES.md‎
Lines changed: 41 additions & 5 deletions
diff --git a/‎packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.cross-account-pipeline-cfn-action.js.snapshot/CdkPipelineCfnActionStack.assets.json‎
Lines changed: 8 additions & 8 deletions b/‎packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.cross-account-pipeline-cfn-action.js.snapshot/CdkPipelineCfnActionStack.assets.json‎
Lines changed: 8 additions & 8 deletions
@@ -0,0 +1,24 @@
+# Issues created outside GitHub issue templates (e.g., via API or CLI) receive
+# no labels, which causes them to be skipped by the triage pipeline in
+# issue-label-assign.yml. This workflow ensures they get 'needs-triage'.
+name: "Ensure triage label"
+on:
+  issues:
+    types: [opened]
+
+jobs:
+  ensure-triage-label:
+    if: join(github.event.issue.labels.*.name, '') == ''
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+    steps:
+      - uses: actions/github-script@v8
+        with:
+          script: |
+            await github.rest.issues.addLabels({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              issue_number: context.issue.number,
+              labels: ['needs-triage']
+            });
@@ -36,7 +36,7 @@ jobs:
     steps:
       - name: "Download workflow_run artifact"
         if: github.event_name == 'workflow_run'
-        uses: dawidd6/action-download-artifact@v19
+        uses: dawidd6/action-download-artifact@v20
         continue-on-error: true
         with:
           run_id: ${{ github.event.workflow_run.id }}
 
@@ -2,6 +2,15 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.248.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.247.0-alpha.0...v2.248.0-alpha.0) (2026-04-02)
+
+## [2.247.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.246.0-alpha.0...v2.247.0-alpha.0) (2026-04-02)
+
+
+### Features
+
+* **mediapackagev2-alpha:** new L2 construct ([#37279](https://github.com/aws/aws-cdk/issues/37279)) ([7debfb9](https://github.com/aws/aws-cdk/commit/7debfb9c5e807fac5df6e9e0ea3097d72325ffbc))
+
 ## [2.246.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.245.0-alpha.0...v2.246.0-alpha.0) (2026-03-31)
 
 ## [2.245.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.244.0-alpha.0...v2.245.0-alpha.0) (2026-03-27)
 
@@ -2,6 +2,38 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.248.0](https://github.com/aws/aws-cdk/compare/v2.247.0...v2.248.0) (2026-04-02)
+
+
+### Bug Fixes
+
+* **eks:** downgrade isolated subnet validation from error to warning ([#37500](https://github.com/aws/aws-cdk/issues/37500)) ([470856c](https://github.com/aws/aws-cdk/commit/470856cadcee34b2ec5e0620fab63838c223fd97)), closes [#37491](https://github.com/aws/aws-cdk/issues/37491)
+
+## [2.247.0](https://github.com/aws/aws-cdk/compare/v2.246.0...v2.247.0) (2026-04-02)
+
+
+### ⚠ BREAKING CHANGES
+
+* ** L1 resources are automatically generated from public CloudFormation Resource Schemas. They are built to closely reflect the real state of CloudFormation. Sometimes these updates can contain changes that are incompatible with previous types, but more accurately reflect reality. In this release we have changed:
+
+aws-bedrockagentcore: AWS::BedrockAgentCore::OnlineEvaluationConfig: ExecutionStatus attribute removed.
+aws-appstream: AWS::AppStream::ImageBuilder: Name property is now immutable.
+aws-eks: AWS::EKS::Capability: EKS_CAPABILITY_ACK_S3_LOGS vended log type removed.
+
+### Features
+
+* update L1 CloudFormation resource definitions ([#37410](https://github.com/aws/aws-cdk/issues/37410)) ([bd2c318](https://github.com/aws/aws-cdk/commit/bd2c3187323c7bcf8a19943f86682c14c601d1a9))
+* **apigatewayv2:** add role support for lambda authorizers ([#35706](https://github.com/aws/aws-cdk/issues/35706)) ([2fb2f16](https://github.com/aws/aws-cdk/commit/2fb2f1650e957979e5ebf8292df3a95d41baa4ff)), closes [#35696](https://github.com/aws/aws-cdk/issues/35696)
+* **batch:** skip unregister job definition on update ([#36011](https://github.com/aws/aws-cdk/issues/36011)) ([2fb2240](https://github.com/aws/aws-cdk/commit/2fb2240d2b2ca922e0603c3e341bb61ce9131155))
+* **elasticloadbalancingv2:** jwt verification for application load balancer ([#36099](https://github.com/aws/aws-cdk/issues/36099)) ([aacd28a](https://github.com/aws/aws-cdk/commit/aacd28aac59dbf42973302e3165140d944356b32)), closes [#36096](https://github.com/aws/aws-cdk/issues/36096)
+
+
+### Bug Fixes
+
+* bump brace-expansion from 5.0.3 to 5.0.5 to address CVE-2026-33750 ([#37379](https://github.com/aws/aws-cdk/issues/37379)) ([69cf4c9](https://github.com/aws/aws-cdk/commit/69cf4c9c44c610eb029d92e355efcf6e7f931ed2))
+* prevent prototype pollution in 2 APIs ([#37453](https://github.com/aws/aws-cdk/issues/37453)) ([1016537](https://github.com/aws/aws-cdk/commit/101653766cab8a8112608e170f5e07f5b962ba49))
+* **aws-cdk-lib:** condensed stack trace hides namespaced package name ([#37413](https://github.com/aws/aws-cdk/issues/37413)) ([cb8e7fb](https://github.com/aws/aws-cdk/commit/cb8e7fbc9fc10682d505b2cdba1a7ce173b0dfd3))
+
 ## [2.246.0](https://github.com/aws/aws-cdk/compare/v2.245.0...v2.246.0) (2026-03-31)
 
 
 
@@ -23,12 +23,24 @@ Mixins are appropriate when:
 - You want to allow users to compose features independently of the L2
   construct's props.
 
-Mixins are _not_ appropriate when the feature serves an external consumer rather
-than the target resource (use a Facade). For example, granting a role access to
-a bucket is about the role's needs, not the bucket's behavior.
+Mixins are _not_ appropriate when:
+
+- The feature serves an external consumer rather than the target resource (use
+  a Facade). For example, granting a role access to a bucket is about the
+  role's needs, not the bucket's behavior.
+- The feature advertises a capability to other constructs (use a Trait).
+- You need to change the optionality of construct properties or change construct defaults.
+- The feature should remain a normal construct property and the implementation
+  is primarily passing values through to the L1 resource. In that case, use
+  `CfnPropsMixin` in the L2 glue code instead of writing a standalone mixin.
 
 Mixins are _not_ a replacement for construct properties. They cannot change the
-optionality of properties or change defaults.
+optionality of construct properties or change construct defaults.
+Applying a mixin is an explicit user action. A mixin may, however, define
+its own inputs/props with default values that control the mixin's behavior
+once applied. For example, `BucketVersioning` defaults to enabling versioning
+when constructed without an explicit argument, but it does not change the
+`Bucket` construct's own default behavior.
 
 ## Base Class
 
@@ -136,6 +148,21 @@ supports(construct: IConstruct): construct is CfnBucket {
 When applied to an L2 construct via `.with()`, the mixin framework
 automatically delegates to the L1 default child.
 
+### Auxiliary Resources
+
+A mixin may create auxiliary resources when the feature requires additional
+infrastructure beyond directly configuring the target resource.
+An auxiliary resource is any construct created by the mixin whose sole purpose
+is to support the target resource's own behavior or lifecycle.
+
+Examples include:
+- Custom resource handlers (e.g., auto-delete objects handler in `BucketAutoDeleteObjects`)
+- Delivery sources and destinations (e.g., vended log delivery configuration in LogsDelivery Mixins)
+- Policy resources (e.g., bucket policy statements in `BucketPolicyStatements`)
+
+Auxiliary resources must serve the primary resource itself. If the additional
+resource primarily serves an external consumer, the feature belongs in a Facade, not a Mixin.
+
 ### Validation
 
 Mixins have two distinct phases: initialization and application. During
@@ -304,4 +331,13 @@ Mixins are accessed through the `mixins` namespace export:
 ## README Documentation
 
 Each service module with mixins must include a `## Mixins` section in its
-README documenting each mixin with a brief description and usage example.
+README documenting each mixin with:
+
+- a brief description of what the mixin does
+- a usage code example
+- the behavioral impact of applying the mixin
+
+The documented impact must describe what changes occur when the
+mixin is applied, including any modified L1 properties, lifecycle
+or deletion behavior changes, validation constraints, and any
+permissions, policy, or deployment-time implications.