
fix(cli): --require-approval any-change only asks for confirmation on broadening changes#1246

Merged
aws-cdk-automation merged 5 commits into main from epolon/require-approval-any-change on Mar 23, 2026

Conversation

@iliapolo
Contributor

@iliapolo iliapolo commented Mar 23, 2026

Fixes #1236

Problem

The value of --require-approval is not being passed to the CliIoHost, which defaults it to RequireApproval.BROADENING.

Solution

The correct requireApproval value is already being passed to deploy, so we just need to propagate it into the CliIoHost via the setter. This isn't ideal because it prevents concurrent deployments with different requireApproval values, but the CLI can't do that anyway so it's not an actual issue.

Checklist

  • This change contains a major version upgrade for a dependency and I confirm all breaking changes are addressed
    • Release notes for the new version:

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

private skipApprovalStep(msg: IoRequest<any, any>): boolean {
const approvalToolkitCodes = ['CDK_TOOLKIT_I5060'];
if (!(msg.code && approvalToolkitCodes.includes(msg.code))) {
false;
Contributor Author

This is something the original issue creator mentioned and indeed seems like a bug. Looks like we are missing some tests here, but I'd like to not delay this fix for it.

// the ioHost uses this internally to determine if a confirmation
// is actually needed, so it needs the same value we have here.
// ideally this would be threaded into the request instead of it being an instance field.
this.ioHost.requireDeployApproval = requireApproval;
Contributor Author

See

switch (this.requireDeployApproval) {
// Never require approval
case RequireApproval.NEVER:
return true;
// Always require approval
case RequireApproval.ANYCHANGE:
return false;
// Require approval if changes include broadening permissions
case RequireApproval.BROADENING:
return ['none', 'non-broadening'].includes(msg.data?.permissionChangeType);
}

Contributor

This is fine and I'm approving, but I feel like passing the requireApproval property to the ioHost should happen when we define requireApproval on line 428 rather than here.

const requireApproval = options.requireApproval ?? RequireApproval.BROADENING;
this.ioHost.requireDeployApproval = requireApproval;

and then maybe that can be a helper function to make those actions atomic.

Contributor Author

Makes sense.

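The approval gate discussed in the review thread above, as an added example that is not the project's code: a cut-down model of the CliIoHost decision and of the toolkit before and after the fix (with the reviewer's suggested helper). The RequireApproval values, the CDK_TOOLKIT_I5060 code and the permissionChangeType strings come from the PR; the IoHost and Toolkit classes and their method names are simplified stand-ins.

```typescript
// Added example, not the project's code: a cut-down model of the approval gate this PR fixes.
// RequireApproval values, CDK_TOOLKIT_I5060 and the permissionChangeType strings are from the
// PR; IoHost and Toolkit are simplified stand-ins (assumptions).
export const RequireApproval = { NEVER: 'never', ANYCHANGE: 'any-change', BROADENING: 'broadening' } as const;
export type RequireApproval = (typeof RequireApproval)[keyof typeof RequireApproval];
type PermissionChangeType = 'none' | 'non-broadening' | 'broadening';
interface IoRequest { code?: string; data?: { permissionChangeType?: PermissionChangeType } }

export class IoHost {
  // Same default as CliIoHost: when the CLI never propagates the flag, this is all the host sees.
  public requireDeployApproval: RequireApproval = RequireApproval.BROADENING;
  // true => the confirmation step is skipped; mirrors the switch quoted in the review above
  public skipApprovalStep(msg: IoRequest): boolean {
    if (!(msg.code && ['CDK_TOOLKIT_I5060'].includes(msg.code))) return false;
    switch (this.requireDeployApproval) {
      case RequireApproval.NEVER: return true;      // never require approval
      case RequireApproval.ANYCHANGE: return false; // always require approval
      default: {                                    // BROADENING: only broadening changes prompt
        const t = msg.data?.permissionChangeType;
        return t === 'none' || t === 'non-broadening';
      }
    }
  }
}

export class Toolkit {
  private readonly ioHost: IoHost;
  constructor(ioHost: IoHost) { this.ioHost = ioHost; }
  // The reviewer's suggestion: resolve the option and hand it to the ioHost in one helper.
  private resolveRequireApproval(opts: { requireApproval?: RequireApproval }): RequireApproval {
    const requireApproval = opts.requireApproval ?? RequireApproval.BROADENING;
    this.ioHost.requireDeployApproval = requireApproval; // the line this PR adds
    return requireApproval;
  }
  // Before the fix: the option was resolved for deploy() but never reached the ioHost.
  public deployBuggy(_opts: { requireApproval?: RequireApproval }, change: PermissionChangeType): boolean {
    return this.wouldPrompt(change); // _opts.requireApproval never reaches the host: the bug
  }
  // After the fix: the host decides with the same value the CLI was given.
  public deployFixed(opts: { requireApproval?: RequireApproval }, change: PermissionChangeType): boolean {
    this.resolveRequireApproval(opts);
    return this.wouldPrompt(change);
  }
  // true when the user would be asked to confirm a deployment carrying this kind of change
  private wouldPrompt(change: PermissionChangeType): boolean {
    return !this.ioHost.skipApprovalStep({ code: 'CDK_TOOLKIT_I5060', data: { permissionChangeType: change } });
  }
}
```

Each check below uses a fresh host because, as the PR description notes, the value lives on the host instance rather than on the request.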
@codecov-commenter

codecov-commenter commented Mar 23, 2026

Codecov Report

❌ Patch coverage is 90.00000% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 88.09%. Comparing base (ad90be6) to head (66b49c9).
⚠️ Report is 17 commits behind head on main.

Files with missing lines Patch % Lines
packages/aws-cdk/lib/cli/cdk-toolkit.ts 88.88% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1246      +/-   ##
==========================================
+ Coverage   87.96%   88.09%   +0.12%     
==========================================
  Files          74       74              
  Lines       10363    10371       +8     
  Branches     1385     1388       +3     
==========================================
+ Hits         9116     9136      +20     
+ Misses       1221     1209      -12     
  Partials       26       26              
Flag Coverage Δ
suite.unit 88.09% <90.00%> (+0.12%) ⬆️


@aws-cdk-automation aws-cdk-automation added this pull request to the merge queue Mar 23, 2026
Merged via the queue into main with commit bb3ff6f Mar 23, 2026
41 checks passed
@aws-cdk-automation aws-cdk-automation deleted the epolon/require-approval-any-change branch March 23, 2026 17:33
github-merge-queue bot pushed a commit that referenced this pull request Mar 24, 2026
Fast follow for #1246. Existing
tests are sufficient.

---
By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache-2.0 license

Development

Successfully merging this pull request may close these issues.

(cli): --require-approval any-change silently skips approval for non-broadening changes

4 participants