Add no execute changeset test

Author: chrisqm-dev

.github/workflows/deploy.yml

@@ -45,3 +45,52 @@ jobs:
           template: long-running-stack.yaml
           capabilities: "CAPABILITY_IAM"
           timeout-in-minutes: 90
+
+  test-no-execute-changeset:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out repository code
+        uses: actions/checkout@v3
+      - name: Configure AWS credentials from Test account
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_TO_ASSUME }}
+          aws-region: us-east-1
+      - name: Cleanup existing stack if present
+        run: |
+          STACK_NAME="test-no-execute-changeset-${{ github.run_number }}-${{ github.run_attempt }}"
+          if aws cloudformation describe-stacks --stack-name $STACK_NAME 2>/dev/null; then
+            echo "Stack exists, deleting it first..."
+            aws cloudformation delete-stack --stack-name $STACK_NAME
+            aws cloudformation wait stack-delete-complete --stack-name $STACK_NAME
+          fi
+      - name: Deploy with no-execute-changeset=1 (should create stack in REVIEW_IN_PROGRESS)
+        uses: aws-actions/aws-cloudformation-github-deploy@master
+        with:
+          name: test-no-execute-changeset-${{ github.run_number }}-${{ github.run_attempt }}
+          template: no-execute-changeset-test.yaml
+          capabilities: "CAPABILITY_IAM"
+          no-execute-changeset: "1"
+      - name: Verify stack is in REVIEW_IN_PROGRESS status
+        run: |
+          STACK_NAME="test-no-execute-changeset-${{ github.run_number }}-${{ github.run_attempt }}"
+          echo "Checking stack status after deployment with no-execute-changeset=1..."
+          STACK_STATUS=$(aws cloudformation describe-stacks --stack-name $STACK_NAME --query 'Stacks[0].StackStatus' --output text)
+          echo "Stack status: $STACK_STATUS"
+          
+          if [ "$STACK_STATUS" = "REVIEW_IN_PROGRESS" ]; then
+            echo "✅ SUCCESS: Stack is in REVIEW_IN_PROGRESS status as expected"
+          else
+            echo "❌ FAILURE: Stack status is $STACK_STATUS, expected REVIEW_IN_PROGRESS"
+            echo "This indicates the bug is present - the changeset was executed despite no-execute-changeset=1"
+            exit 1
+          fi
+      - name: Cleanup test stack
+        if: always()
+        run: |
+          STACK_NAME="test-no-execute-changeset-${{ github.run_number }}-${{ github.run_attempt }}"
+          if aws cloudformation describe-stacks --stack-name $STACK_NAME 2>/dev/null; then
+            aws cloudformation delete-stack --stack-name $STACK_NAME
+            aws cloudformation wait stack-delete-complete --stack-name $STACK_NAME
+            echo "Test stack cleaned up successfully"
+          fi

no-execute-changeset-test.yaml

@@ -0,0 +1,24 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: 'Simple S3 bucket for testing no-execute-changeset functionality'
+
+Parameters:
+  BucketPrefix:
+    Type: String
+    Default: 'test-no-execute-changeset'
+    Description: 'Prefix for the S3 bucket name'
+
+Resources:
+  TestBucket:
+    Type: AWS::S3::Bucket
+    Properties:
+      BucketName: !Sub '${BucketPrefix}-${AWS::AccountId}-${AWS::Region}'
+      PublicAccessBlockConfiguration:
+        BlockPublicAcls: true
+        BlockPublicPolicy: true
+        IgnorePublicAcls: true
+        RestrictPublicBuckets: true
+
+Outputs:
+  BucketName:
+    Description: 'Name of the created S3 bucket'
+    Value: !Ref TestBucket