chore(release): 2.194.0 (#34335)

See [CHANGELOG](https://github.com/aws/aws-cdk/blob/bump/2.194.0/CHANGELOG.md)

Author: mergify[bot]

.github/workflows/security-guardian.yml

@@ -9,59 +9,25 @@ jobs:
       - name: Checkout
         uses: actions/checkout@v4
         with:
-          fetch-depth: 0  # Fetches full history
+          fetch-depth: 0  # Required to enable full git diff
 
-      - name: Get list of changed .template.json files
-        id: filter_files
-        run: |
-          echo "Getting changed CloudFormation templates..."
-          mkdir -p changed_templates
-
-          git fetch origin main --depth=1
-
-          base_sha="${{ github.event.pull_request.base.sha }}"
-          head_sha="${{ github.event.pull_request.head.sha }}"
-          if [[ -z "$base_sha" ]]; then base_sha=$(git merge-base origin/main HEAD); fi
-          if [[ -z "$head_sha" ]]; then head_sha=HEAD; fi
-
-          git diff --name-status "$base_sha" "$head_sha" \
-            | grep -E '^(A|M)\s+.*\.template\.json$' \
-            | awk '{print $2}' > changed_files.txt || true
-
-          while IFS= read -r file; do
-            if [ -f "$file" ]; then
-              safe_name=$(echo "$file" | sed 's|/|_|g')
-              cp "$file" "changed_templates/$safe_name"
-            else
-              echo "::warning::Changed file not found in workspace: $file"
-            fi
-          done < changed_files.txt
-
-          if [ -s changed_files.txt ]; then
-            echo "files_changed=true" >> $GITHUB_OUTPUT
-          else
-            echo "files_changed=false" >> $GITHUB_OUTPUT
-          fi
-  
       - name: Install cfn-guard
-        if: steps.filter_files.outputs.files_changed == 'true'
         run: |
           mkdir -p $HOME/.local/bin
           curl -L -o cfn-guard.tar.gz https://github.com/aws-cloudformation/cloudformation-guard/releases/latest/download/cfn-guard-v3-x86_64-ubuntu-latest.tar.gz
           tar -xzf cfn-guard.tar.gz
           mv cfn-guard-v3-*/cfn-guard $HOME/.local/bin/cfn-guard
           chmod +x $HOME/.local/bin/cfn-guard
           echo "$HOME/.local/bin" >> $GITHUB_PATH
-  
+
       - name: Install & Build security-guardian
-        if: steps.filter_files.outputs.files_changed == 'true'
         run: yarn install --frozen-lockfile && cd tools/@aws-cdk/security-guardian && yarn build
 
-      - name: Run cfn-guard if templates changed
-        if: steps.filter_files.outputs.files_changed == 'true'
+      - name: Run Security Guardian
         uses: ./tools/@aws-cdk/security-guardian
         with:
-          data_directory: './changed_templates'
-          rule_set_path: './tools/@aws-cdk/security-guardian/rules/trust_scope_rules.guard'
+          base_sha: ${{ github.event.pull_request.base.sha }}
+          head_sha: ${{ github.event.pull_request.head.sha }}
+          rule_set_path: './tools/@aws-cdk/security-guardian/rules'
           show_summary: 'fail'
-          output_format: 'single-line-summary'
+          output_format: 'json'

CHANGELOG.v2.alpha.md

@@ -2,6 +2,8 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [2.194.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.193.0-alpha.0...v2.194.0-alpha.0) (2025-05-01)
+
 ## [2.193.0-alpha.0](https://github.com/aws/aws-cdk/compare/v2.192.0-alpha.0...v2.193.0-alpha.0) (2025-04-30)