projen-modules 1.0.154__py3-none-any.whl → 1.1.0__py3-none-any.whl

projen_modules/__init__.py

@@ -177,7 +177,7 @@ class CdkTypeScriptApp(
         eslint: typing.Optional[builtins.bool] = None,
         eslint_options: typing.Optional[typing.Union[_projen_javascript_04054675.EslintOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         experimental_integ_runner: typing.Optional[builtins.bool] = None,
-        feature_flags: typing.Optional[builtins.bool] = None,
+        feature_flags: typing.Optional[_projen_awscdk_04054675.ICdkFeatureFlags] = None,
         github: typing.Optional[builtins.bool] = None,
         github_options: typing.Optional[typing.Union[_projen_github_04054675.GitHubOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         gitignore: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -214,6 +214,7 @@ class CdkTypeScriptApp(
         npm_registry: typing.Optional[builtins.str] = None,
         npm_registry_url: typing.Optional[builtins.str] = None,
         npm_token_secret: typing.Optional[builtins.str] = None,
+        npm_trusted_publishing: typing.Optional[builtins.bool] = None,
         outdir: typing.Optional[builtins.str] = None,
         package: typing.Optional[builtins.bool] = None,
         package_manager: typing.Optional[_projen_javascript_04054675.NodePackageManager] = None,
@@ -246,6 +247,7 @@ class CdkTypeScriptApp(
         releasable_commits: typing.Optional[_projen_04054675.ReleasableCommits] = None,
         release: typing.Optional[builtins.bool] = None,
         release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_projen_release_04054675.BranchOptions, typing.Dict[builtins.str, typing.Any]]]] = None,
+        release_environment: typing.Optional[builtins.str] = None,
         release_every_commit: typing.Optional[builtins.bool] = None,
         release_failure_issue: typing.Optional[builtins.bool] = None,
         release_failure_issue_label: typing.Optional[builtins.str] = None,
@@ -254,6 +256,7 @@ class CdkTypeScriptApp(
         release_to_npm: typing.Optional[builtins.bool] = None,
         release_trigger: typing.Optional[_projen_release_04054675.ReleaseTrigger] = None,
         release_workflow: typing.Optional[builtins.bool] = None,
+        release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         release_workflow_name: typing.Optional[builtins.str] = None,
         release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_projen_github_workflows_04054675.JobStep, typing.Dict[builtins.str, typing.Any]]]] = None,
         renovatebot: typing.Optional[builtins.bool] = None,
@@ -328,8 +331,8 @@ class CdkTypeScriptApp(
         :param check_licenses: (experimental) Configure which licenses should be deemed acceptable for use by dependencies. This setting will cause the build to fail, if any prohibited or not allowed licenses ares encountered. Default: - no license checks are run during the build and all licenses will be accepted
         :param clobber: (experimental) Add a ``clobber`` task which resets the repo to origin. Default: - true, but false for subprojects
         :param code_artifact_options: (experimental) Options for npm packages using AWS CodeArtifact. This is required if publishing packages to, or installing scoped packages from AWS CodeArtifact Default: - undefined
-        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v4 A secret is required for private repos. Configured with ``@codeCovTokenSecret``. Default: false
-        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories. Default: - if this option is not specified, only public repositories are supported
+        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``. Default: false
+        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token. Default: - OIDC auth is used
         :param commit_generated: (experimental) Whether to commit the managed files by default. Default: true
         :param constructs_version: (experimental) Minimum version of the ``constructs`` library to depend on. Default: - for CDK 1.x the default is "3.2.27", for CDK 2.x the default is "10.0.5".
         :param context: (experimental) Additional context to include in ``cdk.json``. Default: - no additional context
@@ -351,10 +354,10 @@ class CdkTypeScriptApp(
         :param edge_lambda_auto_discover: (experimental) Automatically adds an ``cloudfront.experimental.EdgeFunction`` for each ``.edge-lambda.ts`` handler in your source tree. If this is disabled, you can manually add an ``awscdk.AutoDiscover`` component to your project. Default: true
         :param entrypoint: (experimental) Module entrypoint (``main`` in ``package.json``). Set to an empty string to not include ``main`` in your package.json. Default: "lib/index.js"
         :param entrypoint_types: (experimental) The .d.ts file that includes the type declarations for this module. Default: - .d.ts file derived from the project's entrypoint (usually lib/index.d.ts)
-        :param eslint: (experimental) Setup eslint. Default: true
+        :param eslint: (experimental) Setup eslint. Default: - true, unless biome is enabled
         :param eslint_options: (experimental) Eslint options. Default: - opinionated default options
         :param experimental_integ_runner: (experimental) Enable experimental support for the AWS CDK integ-runner. Default: false
-        :param feature_flags: (experimental) Include all feature flags in cdk.json. Default: true
+        :param feature_flags: (experimental) Feature flags that should be enabled in ``cdk.json``. Make sure to double-check any changes to feature flags in ``cdk.json`` before deploying. Unexpected changes may cause breaking changes in your CDK app. You can overwrite any feature flag by passing it into the context field. Default: - no feature flags are enabled by default
         :param github: (experimental) Enable GitHub integration. Enabled by default for root projects. Disabled for non-root projects. Default: true
         :param github_options: (experimental) Options for GitHub integration. Default: - see GitHubOptions
         :param gitignore: (experimental) Additional entries to .gitignore.
@@ -391,6 +394,7 @@ class CdkTypeScriptApp(
         :param npm_registry: (deprecated) The host name of the npm registry to publish to. Cannot be set together with ``npmRegistryUrl``.
         :param npm_registry_url: (experimental) The base URL of the npm package registry. Must be a URL (e.g. start with "https://" or "http://") Default: "https://registry.npmjs.org"
         :param npm_token_secret: (experimental) GitHub secret which contains the NPM token to use when publishing packages. Default: "NPM_TOKEN"
+        :param npm_trusted_publishing: (experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work. Default: - false
         :param outdir: (experimental) The root directory of the project. Relative to this directory, all files are synthesized. If this project has a parent, this directory is relative to the parent directory and it cannot be the same as the parent or any of it's other subprojects. Default: "."
         :param package: (experimental) Defines a ``package`` task that will produce an npm tarball under the artifacts directory (e.g. ``dist``). Default: true
         :param package_manager: (experimental) The Node Package Manager used to execute scripts. Default: NodePackageManager.YARN_CLASSIC
@@ -423,6 +427,7 @@ class CdkTypeScriptApp(
         :param releasable_commits: (experimental) Find commits that should be considered releasable Used to decide if a release is required. Default: ReleasableCommits.everyCommit()
         :param release: (experimental) Add release management to this project. Default: - true (false for subprojects)
         :param release_branches: (experimental) Defines additional release branches. A workflow will be created for each release branch which will publish releases from commits in this branch. Each release branch *must* be assigned a major version number which is used to enforce that versions published from that branch always use that major version. If multiple branches are used, the ``majorVersion`` field must also be provided for the default branch. Default: - no additional branches are used for release. you can use ``addBranch()`` to add additional branches.
+        :param release_environment: (experimental) The GitHub Actions environment used for the release. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. When multiple artifacts are released, the environment can be overwritten on a per artifact basis. Default: - no environment used, unless set at the artifact level
         :param release_every_commit: (deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``. Default: true
         :param release_failure_issue: (experimental) Create a github issue on every failed publishing task. Default: false
         :param release_failure_issue_label: (experimental) The label to apply to issues indicating publish failures. Only applies if ``releaseFailureIssue`` is true. Default: "failed-release"
@@ -431,6 +436,7 @@ class CdkTypeScriptApp(
         :param release_to_npm: (experimental) Automatically release to npm when new versions are introduced. Default: false
         :param release_trigger: (experimental) The release trigger to use. Default: - Continuous releases (``ReleaseTrigger.continuous()``)
         :param release_workflow: (deprecated) DEPRECATED: renamed to ``release``. Default: - true if not a subproject
+        :param release_workflow_env: (experimental) Build environment variables for release workflows. Default: {}
         :param release_workflow_name: (experimental) The name of the default release workflow. Default: "release"
         :param release_workflow_setup_steps: (experimental) A set of workflow steps to execute in order to setup the workflow container.
         :param renovatebot: (experimental) Use renovatebot to handle dependency upgrades. Default: false
@@ -457,7 +463,7 @@ class CdkTypeScriptApp(
         :param watch_includes: (experimental) Glob patterns to include in ``cdk watch``. Default: []
         :param workflow_bootstrap_steps: (experimental) Workflow steps to use in order to bootstrap this repo. Default: "yarn install --frozen-lockfile && yarn projen"
         :param workflow_container_image: (experimental) Container image to use for GitHub workflows. Default: - default image
-        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - GitHub Actions
+        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - default GitHub Actions user
         :param workflow_node_version: (experimental) The node version used in GitHub Actions workflows. Always use this option if your GitHub Actions workflows require a specific to run. Default: - ``minNodeVersion`` if set, otherwise ``lts/*``.
         :param workflow_package_cache: (experimental) Enable Node.js package cache in GitHub workflows. Default: false
         :param workflow_runs_on: (experimental) Github Runner selection labels. Default: ["ubuntu-latest"]
@@ -568,6 +574,7 @@ class CdkTypeScriptApp(
             npm_registry=npm_registry,
             npm_registry_url=npm_registry_url,
             npm_token_secret=npm_token_secret,
+            npm_trusted_publishing=npm_trusted_publishing,
             outdir=outdir,
             package=package,
             package_manager=package_manager,
@@ -600,6 +607,7 @@ class CdkTypeScriptApp(
             releasable_commits=releasable_commits,
             release=release,
             release_branches=release_branches,
+            release_environment=release_environment,
             release_every_commit=release_every_commit,
             release_failure_issue=release_failure_issue,
             release_failure_issue_label=release_failure_issue_label,
@@ -608,6 +616,7 @@ class CdkTypeScriptApp(
             release_to_npm=release_to_npm,
             release_trigger=release_trigger,
             release_workflow=release_workflow,
+            release_workflow_env=release_workflow_env,
             release_workflow_name=release_workflow_name,
             release_workflow_setup_steps=release_workflow_setup_steps,
             renovatebot=renovatebot,
@@ -764,6 +773,7 @@ class CdkTypeScriptApp(
         "npm_registry": "npmRegistry",
         "npm_registry_url": "npmRegistryUrl",
         "npm_token_secret": "npmTokenSecret",
+        "npm_trusted_publishing": "npmTrustedPublishing",
         "outdir": "outdir",
         "package": "package",
         "package_manager": "packageManager",
@@ -796,6 +806,7 @@ class CdkTypeScriptApp(
         "releasable_commits": "releasableCommits",
         "release": "release",
         "release_branches": "releaseBranches",
+        "release_environment": "releaseEnvironment",
         "release_every_commit": "releaseEveryCommit",
         "release_failure_issue": "releaseFailureIssue",
         "release_failure_issue_label": "releaseFailureIssueLabel",
@@ -804,6 +815,7 @@ class CdkTypeScriptApp(
         "release_to_npm": "releaseToNpm",
         "release_trigger": "releaseTrigger",
         "release_workflow": "releaseWorkflow",
+        "release_workflow_env": "releaseWorkflowEnv",
         "release_workflow_name": "releaseWorkflowName",
         "release_workflow_setup_steps": "releaseWorkflowSetupSteps",
         "renovatebot": "renovatebot",
@@ -908,7 +920,7 @@ class CdkTypeScriptAppOptions:
         eslint: typing.Optional[builtins.bool] = None,
         eslint_options: typing.Optional[typing.Union[_projen_javascript_04054675.EslintOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         experimental_integ_runner: typing.Optional[builtins.bool] = None,
-        feature_flags: typing.Optional[builtins.bool] = None,
+        feature_flags: typing.Optional[_projen_awscdk_04054675.ICdkFeatureFlags] = None,
         github: typing.Optional[builtins.bool] = None,
         github_options: typing.Optional[typing.Union[_projen_github_04054675.GitHubOptions, typing.Dict[builtins.str, typing.Any]]] = None,
         gitignore: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -945,6 +957,7 @@ class CdkTypeScriptAppOptions:
         npm_registry: typing.Optional[builtins.str] = None,
         npm_registry_url: typing.Optional[builtins.str] = None,
         npm_token_secret: typing.Optional[builtins.str] = None,
+        npm_trusted_publishing: typing.Optional[builtins.bool] = None,
         outdir: typing.Optional[builtins.str] = None,
         package: typing.Optional[builtins.bool] = None,
         package_manager: typing.Optional[_projen_javascript_04054675.NodePackageManager] = None,
@@ -977,6 +990,7 @@ class CdkTypeScriptAppOptions:
         releasable_commits: typing.Optional[_projen_04054675.ReleasableCommits] = None,
         release: typing.Optional[builtins.bool] = None,
         release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_projen_release_04054675.BranchOptions, typing.Dict[builtins.str, typing.Any]]]] = None,
+        release_environment: typing.Optional[builtins.str] = None,
         release_every_commit: typing.Optional[builtins.bool] = None,
         release_failure_issue: typing.Optional[builtins.bool] = None,
         release_failure_issue_label: typing.Optional[builtins.str] = None,
@@ -985,6 +999,7 @@ class CdkTypeScriptAppOptions:
         release_to_npm: typing.Optional[builtins.bool] = None,
         release_trigger: typing.Optional[_projen_release_04054675.ReleaseTrigger] = None,
         release_workflow: typing.Optional[builtins.bool] = None,
+        release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         release_workflow_name: typing.Optional[builtins.str] = None,
         release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_projen_github_workflows_04054675.JobStep, typing.Dict[builtins.str, typing.Any]]]] = None,
         renovatebot: typing.Optional[builtins.bool] = None,
@@ -1060,8 +1075,8 @@ class CdkTypeScriptAppOptions:
         :param check_licenses: (experimental) Configure which licenses should be deemed acceptable for use by dependencies. This setting will cause the build to fail, if any prohibited or not allowed licenses ares encountered. Default: - no license checks are run during the build and all licenses will be accepted
         :param clobber: (experimental) Add a ``clobber`` task which resets the repo to origin. Default: - true, but false for subprojects
         :param code_artifact_options: (experimental) Options for npm packages using AWS CodeArtifact. This is required if publishing packages to, or installing scoped packages from AWS CodeArtifact Default: - undefined
-        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v4 A secret is required for private repos. Configured with ``@codeCovTokenSecret``. Default: false
-        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories. Default: - if this option is not specified, only public repositories are supported
+        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``. Default: false
+        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token. Default: - OIDC auth is used
         :param commit_generated: (experimental) Whether to commit the managed files by default. Default: true
         :param constructs_version: (experimental) Minimum version of the ``constructs`` library to depend on. Default: - for CDK 1.x the default is "3.2.27", for CDK 2.x the default is "10.0.5".
         :param context: (experimental) Additional context to include in ``cdk.json``. Default: - no additional context
@@ -1083,10 +1098,10 @@ class CdkTypeScriptAppOptions:
         :param edge_lambda_auto_discover: (experimental) Automatically adds an ``cloudfront.experimental.EdgeFunction`` for each ``.edge-lambda.ts`` handler in your source tree. If this is disabled, you can manually add an ``awscdk.AutoDiscover`` component to your project. Default: true
         :param entrypoint: (experimental) Module entrypoint (``main`` in ``package.json``). Set to an empty string to not include ``main`` in your package.json. Default: "lib/index.js"
         :param entrypoint_types: (experimental) The .d.ts file that includes the type declarations for this module. Default: - .d.ts file derived from the project's entrypoint (usually lib/index.d.ts)
-        :param eslint: (experimental) Setup eslint. Default: true
+        :param eslint: (experimental) Setup eslint. Default: - true, unless biome is enabled
         :param eslint_options: (experimental) Eslint options. Default: - opinionated default options
         :param experimental_integ_runner: (experimental) Enable experimental support for the AWS CDK integ-runner. Default: false
-        :param feature_flags: (experimental) Include all feature flags in cdk.json. Default: true
+        :param feature_flags: (experimental) Feature flags that should be enabled in ``cdk.json``. Make sure to double-check any changes to feature flags in ``cdk.json`` before deploying. Unexpected changes may cause breaking changes in your CDK app. You can overwrite any feature flag by passing it into the context field. Default: - no feature flags are enabled by default
         :param github: (experimental) Enable GitHub integration. Enabled by default for root projects. Disabled for non-root projects. Default: true
         :param github_options: (experimental) Options for GitHub integration. Default: - see GitHubOptions
         :param gitignore: (experimental) Additional entries to .gitignore.
@@ -1123,6 +1138,7 @@ class CdkTypeScriptAppOptions:
         :param npm_registry: (deprecated) The host name of the npm registry to publish to. Cannot be set together with ``npmRegistryUrl``.
         :param npm_registry_url: (experimental) The base URL of the npm package registry. Must be a URL (e.g. start with "https://" or "http://") Default: "https://registry.npmjs.org"
         :param npm_token_secret: (experimental) GitHub secret which contains the NPM token to use when publishing packages. Default: "NPM_TOKEN"
+        :param npm_trusted_publishing: (experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work. Default: - false
         :param outdir: (experimental) The root directory of the project. Relative to this directory, all files are synthesized. If this project has a parent, this directory is relative to the parent directory and it cannot be the same as the parent or any of it's other subprojects. Default: "."
         :param package: (experimental) Defines a ``package`` task that will produce an npm tarball under the artifacts directory (e.g. ``dist``). Default: true
         :param package_manager: (experimental) The Node Package Manager used to execute scripts. Default: NodePackageManager.YARN_CLASSIC
@@ -1155,6 +1171,7 @@ class CdkTypeScriptAppOptions:
         :param releasable_commits: (experimental) Find commits that should be considered releasable Used to decide if a release is required. Default: ReleasableCommits.everyCommit()
         :param release: (experimental) Add release management to this project. Default: - true (false for subprojects)
         :param release_branches: (experimental) Defines additional release branches. A workflow will be created for each release branch which will publish releases from commits in this branch. Each release branch *must* be assigned a major version number which is used to enforce that versions published from that branch always use that major version. If multiple branches are used, the ``majorVersion`` field must also be provided for the default branch. Default: - no additional branches are used for release. you can use ``addBranch()`` to add additional branches.
+        :param release_environment: (experimental) The GitHub Actions environment used for the release. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. When multiple artifacts are released, the environment can be overwritten on a per artifact basis. Default: - no environment used, unless set at the artifact level
         :param release_every_commit: (deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``. Default: true
         :param release_failure_issue: (experimental) Create a github issue on every failed publishing task. Default: false
         :param release_failure_issue_label: (experimental) The label to apply to issues indicating publish failures. Only applies if ``releaseFailureIssue`` is true. Default: "failed-release"
@@ -1163,6 +1180,7 @@ class CdkTypeScriptAppOptions:
         :param release_to_npm: (experimental) Automatically release to npm when new versions are introduced. Default: false
         :param release_trigger: (experimental) The release trigger to use. Default: - Continuous releases (``ReleaseTrigger.continuous()``)
         :param release_workflow: (deprecated) DEPRECATED: renamed to ``release``. Default: - true if not a subproject
+        :param release_workflow_env: (experimental) Build environment variables for release workflows. Default: {}
         :param release_workflow_name: (experimental) The name of the default release workflow. Default: "release"
         :param release_workflow_setup_steps: (experimental) A set of workflow steps to execute in order to setup the workflow container.
         :param renovatebot: (experimental) Use renovatebot to handle dependency upgrades. Default: false
@@ -1189,7 +1207,7 @@ class CdkTypeScriptAppOptions:
         :param watch_includes: (experimental) Glob patterns to include in ``cdk watch``. Default: []
         :param workflow_bootstrap_steps: (experimental) Workflow steps to use in order to bootstrap this repo. Default: "yarn install --frozen-lockfile && yarn projen"
         :param workflow_container_image: (experimental) Container image to use for GitHub workflows. Default: - default image
-        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - GitHub Actions
+        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - default GitHub Actions user
         :param workflow_node_version: (experimental) The node version used in GitHub Actions workflows. Always use this option if your GitHub Actions workflows require a specific to run. Default: - ``minNodeVersion`` if set, otherwise ``lts/*``.
         :param workflow_package_cache: (experimental) Enable Node.js package cache in GitHub workflows. Default: false
         :param workflow_runs_on: (experimental) Github Runner selection labels. Default: ["ubuntu-latest"]
@@ -1367,6 +1385,7 @@ class CdkTypeScriptAppOptions:
             check_type(argname="argument npm_registry", value=npm_registry, expected_type=type_hints["npm_registry"])
             check_type(argname="argument npm_registry_url", value=npm_registry_url, expected_type=type_hints["npm_registry_url"])
             check_type(argname="argument npm_token_secret", value=npm_token_secret, expected_type=type_hints["npm_token_secret"])
+            check_type(argname="argument npm_trusted_publishing", value=npm_trusted_publishing, expected_type=type_hints["npm_trusted_publishing"])
             check_type(argname="argument outdir", value=outdir, expected_type=type_hints["outdir"])
             check_type(argname="argument package", value=package, expected_type=type_hints["package"])
             check_type(argname="argument package_manager", value=package_manager, expected_type=type_hints["package_manager"])
@@ -1399,6 +1418,7 @@ class CdkTypeScriptAppOptions:
             check_type(argname="argument releasable_commits", value=releasable_commits, expected_type=type_hints["releasable_commits"])
             check_type(argname="argument release", value=release, expected_type=type_hints["release"])
             check_type(argname="argument release_branches", value=release_branches, expected_type=type_hints["release_branches"])
+            check_type(argname="argument release_environment", value=release_environment, expected_type=type_hints["release_environment"])
             check_type(argname="argument release_every_commit", value=release_every_commit, expected_type=type_hints["release_every_commit"])
             check_type(argname="argument release_failure_issue", value=release_failure_issue, expected_type=type_hints["release_failure_issue"])
             check_type(argname="argument release_failure_issue_label", value=release_failure_issue_label, expected_type=type_hints["release_failure_issue_label"])
@@ -1407,6 +1427,7 @@ class CdkTypeScriptAppOptions:
             check_type(argname="argument release_to_npm", value=release_to_npm, expected_type=type_hints["release_to_npm"])
             check_type(argname="argument release_trigger", value=release_trigger, expected_type=type_hints["release_trigger"])
             check_type(argname="argument release_workflow", value=release_workflow, expected_type=type_hints["release_workflow"])
+            check_type(argname="argument release_workflow_env", value=release_workflow_env, expected_type=type_hints["release_workflow_env"])
             check_type(argname="argument release_workflow_name", value=release_workflow_name, expected_type=type_hints["release_workflow_name"])
             check_type(argname="argument release_workflow_setup_steps", value=release_workflow_setup_steps, expected_type=type_hints["release_workflow_setup_steps"])
             check_type(argname="argument renovatebot", value=renovatebot, expected_type=type_hints["renovatebot"])
@@ -1644,6 +1665,8 @@ class CdkTypeScriptAppOptions:
             self._values["npm_registry_url"] = npm_registry_url
         if npm_token_secret is not None:
             self._values["npm_token_secret"] = npm_token_secret
+        if npm_trusted_publishing is not None:
+            self._values["npm_trusted_publishing"] = npm_trusted_publishing
         if outdir is not None:
             self._values["outdir"] = outdir
         if package is not None:
@@ -1708,6 +1731,8 @@ class CdkTypeScriptAppOptions:
             self._values["release"] = release
         if release_branches is not None:
             self._values["release_branches"] = release_branches
+        if release_environment is not None:
+            self._values["release_environment"] = release_environment
         if release_every_commit is not None:
             self._values["release_every_commit"] = release_every_commit
         if release_failure_issue is not None:
@@ -1724,6 +1749,8 @@ class CdkTypeScriptAppOptions:
             self._values["release_trigger"] = release_trigger
         if release_workflow is not None:
             self._values["release_workflow"] = release_workflow
+        if release_workflow_env is not None:
+            self._values["release_workflow_env"] = release_workflow_env
         if release_workflow_name is not None:
             self._values["release_workflow_name"] = release_workflow_name
         if release_workflow_setup_steps is not None:
@@ -2285,7 +2312,7 @@ class CdkTypeScriptAppOptions:
 
     @builtins.property
     def code_cov(self) -> typing.Optional[builtins.bool]:
-        '''(experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v4 A secret is required for private repos. Configured with ``@codeCovTokenSecret``.
+        '''(experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``.
 
         :default: false
 
@@ -2296,9 +2323,9 @@ class CdkTypeScriptAppOptions:
 
     @builtins.property
     def code_cov_token_secret(self) -> typing.Optional[builtins.str]:
-        '''(experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories.
+        '''(experimental) Define the secret name for a specified https://codecov.io/ token.
 
-        :default: - if this option is not specified, only public repositories are supported
+        :default: - OIDC auth is used
 
         :stability: experimental
         '''
@@ -2573,7 +2600,7 @@ class CdkTypeScriptAppOptions:
     def eslint(self) -> typing.Optional[builtins.bool]:
         '''(experimental) Setup eslint.
 
-        :default: true
+        :default: - true, unless biome is enabled
 
         :stability: experimental
         '''
@@ -2605,15 +2632,17 @@ class CdkTypeScriptAppOptions:
         return typing.cast(typing.Optional[builtins.bool], result)
 
     @builtins.property
-    def feature_flags(self) -> typing.Optional[builtins.bool]:
-        '''(experimental) Include all feature flags in cdk.json.
+    def feature_flags(
+        self,
+    ) -> typing.Optional[_projen_awscdk_04054675.ICdkFeatureFlags]:
+        '''(experimental) Feature flags that should be enabled in ``cdk.json``. Make sure to double-check any changes to feature flags in ``cdk.json`` before deploying. Unexpected changes may cause breaking changes in your CDK app. You can overwrite any feature flag by passing it into the context field.
 
-        :default: true
+        :default: - no feature flags are enabled by default
 
         :stability: experimental
         '''
         result = self._values.get("feature_flags")
-        return typing.cast(typing.Optional[builtins.bool], result)
+        return typing.cast(typing.Optional[_projen_awscdk_04054675.ICdkFeatureFlags], result)
 
     @builtins.property
     def github(self) -> typing.Optional[builtins.bool]:
@@ -3082,6 +3111,17 @@ class CdkTypeScriptAppOptions:
         result = self._values.get("npm_token_secret")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def npm_trusted_publishing(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work.
+
+        :default: - false
+
+        :stability: experimental
+        '''
+        result = self._values.get("npm_trusted_publishing")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def outdir(self) -> typing.Optional[builtins.str]:
         '''(experimental) The root directory of the project. Relative to this directory, all files are synthesized.
@@ -3485,6 +3525,23 @@ class CdkTypeScriptAppOptions:
         result = self._values.get("release_branches")
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, _projen_release_04054675.BranchOptions]], result)
 
+    @builtins.property
+    def release_environment(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The GitHub Actions environment used for the release.
+
+        This can be used to add an explicit approval step to the release
+        or limit who can initiate a release through environment protection rules.
+
+        When multiple artifacts are released, the environment can be overwritten
+        on a per artifact basis.
+
+        :default: - no environment used, unless set at the artifact level
+
+        :stability: experimental
+        '''
+        result = self._values.get("release_environment")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def release_every_commit(self) -> typing.Optional[builtins.bool]:
         '''(deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``.
@@ -3589,6 +3646,19 @@ class CdkTypeScriptAppOptions:
         result = self._values.get("release_workflow")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def release_workflow_env(
+        self,
+    ) -> typing.Optional[typing.Mapping[builtins.str, builtins.str]]:
+        '''(experimental) Build environment variables for release workflows.
+
+        :default: {}
+
+        :stability: experimental
+        '''
+        result = self._values.get("release_workflow_env")
+        return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
+
     @builtins.property
     def release_workflow_name(self) -> typing.Optional[builtins.str]:
         '''(experimental) The name of the default release workflow.
@@ -3914,7 +3984,7 @@ class CdkTypeScriptAppOptions:
     ) -> typing.Optional[_projen_github_04054675.GitIdentity]:
         '''(experimental) The git identity to use in workflows.
 
-        :default: - GitHub Actions
+        :default: - default GitHub Actions user
 
         :stability: experimental
         '''
@@ -4153,6 +4223,7 @@ class JsiiProject(
         npm_registry: typing.Optional[builtins.str] = None,
         npm_registry_url: typing.Optional[builtins.str] = None,
         npm_token_secret: typing.Optional[builtins.str] = None,
+        npm_trusted_publishing: typing.Optional[builtins.bool] = None,
         outdir: typing.Optional[builtins.str] = None,
         package: typing.Optional[builtins.bool] = None,
         package_manager: typing.Optional[_projen_javascript_04054675.NodePackageManager] = None,
@@ -4190,6 +4261,7 @@ class JsiiProject(
         releasable_commits: typing.Optional[_projen_04054675.ReleasableCommits] = None,
         release: typing.Optional[builtins.bool] = None,
         release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_projen_release_04054675.BranchOptions, typing.Dict[builtins.str, typing.Any]]]] = None,
+        release_environment: typing.Optional[builtins.str] = None,
         release_every_commit: typing.Optional[builtins.bool] = None,
         release_failure_issue: typing.Optional[builtins.bool] = None,
         release_failure_issue_label: typing.Optional[builtins.str] = None,
@@ -4198,6 +4270,7 @@ class JsiiProject(
         release_to_npm: typing.Optional[builtins.bool] = None,
         release_trigger: typing.Optional[_projen_release_04054675.ReleaseTrigger] = None,
         release_workflow: typing.Optional[builtins.bool] = None,
+        release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         release_workflow_name: typing.Optional[builtins.str] = None,
         release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_projen_github_workflows_04054675.JobStep, typing.Dict[builtins.str, typing.Any]]]] = None,
         renovatebot: typing.Optional[builtins.bool] = None,
@@ -4261,8 +4334,8 @@ class JsiiProject(
         :param check_licenses: (experimental) Configure which licenses should be deemed acceptable for use by dependencies. This setting will cause the build to fail, if any prohibited or not allowed licenses ares encountered. Default: - no license checks are run during the build and all licenses will be accepted
         :param clobber: (experimental) Add a ``clobber`` task which resets the repo to origin. Default: - true, but false for subprojects
         :param code_artifact_options: (experimental) Options for npm packages using AWS CodeArtifact. This is required if publishing packages to, or installing scoped packages from AWS CodeArtifact Default: - undefined
-        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v4 A secret is required for private repos. Configured with ``@codeCovTokenSecret``. Default: false
-        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories. Default: - if this option is not specified, only public repositories are supported
+        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``. Default: false
+        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token. Default: - OIDC auth is used
         :param commit_generated: (experimental) Whether to commit the managed files by default. Default: true
         :param compat: (experimental) Automatically run API compatibility test against the latest version published to npm after compilation. - You can manually run compatibility tests using ``yarn compat`` if this feature is disabled. - You can ignore compatibility failures by adding lines to a ".compatignore" file. Default: false
         :param compat_ignore: (experimental) Name of the ignore file for API compatibility tests. Default: ".compatignore"
@@ -4286,7 +4359,7 @@ class JsiiProject(
         :param dotnet: 
         :param entrypoint: (experimental) Module entrypoint (``main`` in ``package.json``). Set to an empty string to not include ``main`` in your package.json. Default: "lib/index.js"
         :param entrypoint_types: (experimental) The .d.ts file that includes the type declarations for this module. Default: - .d.ts file derived from the project's entrypoint (usually lib/index.d.ts)
-        :param eslint: (experimental) Setup eslint. Default: true
+        :param eslint: (experimental) Setup eslint. Default: - true, unless biome is enabled
         :param eslint_options: (experimental) Eslint options. Default: - opinionated default options
         :param exclude_typescript: (experimental) Accepts a list of glob patterns. Files matching any of those patterns will be excluded from the TypeScript compiler input. By default, jsii will include all *.ts files (except .d.ts files) in the TypeScript compiler input. This can be problematic for example when the package's build or test procedure generates .ts files that cannot be compiled with jsii's compiler settings.
         :param github: (experimental) Enable GitHub integration. Enabled by default for root projects. Disabled for non-root projects. Default: true
@@ -4299,7 +4372,7 @@ class JsiiProject(
         :param jest: (experimental) Setup jest unit tests. Default: true
         :param jest_options: (experimental) Jest options. Default: - default options
         :param jsii_release_version: (experimental) Version requirement of ``publib`` which is used to publish modules to npm. Default: "latest"
-        :param jsii_version: (experimental) Version of the jsii compiler to use. Set to "*" if you want to manually manage the version of jsii in your project by managing updates to ``package.json`` on your own. NOTE: The jsii compiler releases since 5.0.0 are not semantically versioned and should remain on the same minor, so we recommend using a ``~`` dependency (e.g. ``~5.0.0``). Default: "~5.6.0"
+        :param jsii_version: (experimental) Version of the jsii compiler to use. Set to "*" if you want to manually manage the version of jsii in your project by managing updates to ``package.json`` on your own. NOTE: The jsii compiler releases since 5.0.0 are not semantically versioned and should remain on the same minor, so we recommend using a ``~`` dependency (e.g. ``~5.0.0``). Default: "~5.8.0"
         :param keywords: (experimental) Keywords to include in ``package.json``.
         :param libdir: (experimental) Typescript artifacts output directory. Default: "lib"
         :param license: (experimental) License's SPDX identifier. See https://github.com/projen/projen/tree/main/license-text for a list of supported licenses. Use the ``licensed`` option if you want to no license to be specified. Default: "Apache-2.0"
@@ -4322,6 +4395,7 @@ class JsiiProject(
         :param npm_registry: (deprecated) The host name of the npm registry to publish to. Cannot be set together with ``npmRegistryUrl``.
         :param npm_registry_url: (experimental) The base URL of the npm package registry. Must be a URL (e.g. start with "https://" or "http://") Default: "https://registry.npmjs.org"
         :param npm_token_secret: (experimental) GitHub secret which contains the NPM token to use when publishing packages. Default: "NPM_TOKEN"
+        :param npm_trusted_publishing: (experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work. Default: - false
         :param outdir: (experimental) The root directory of the project. Relative to this directory, all files are synthesized. If this project has a parent, this directory is relative to the parent directory and it cannot be the same as the parent or any of it's other subprojects. Default: "."
         :param package: (experimental) Defines a ``package`` task that will produce an npm tarball under the artifacts directory (e.g. ``dist``). Default: true
         :param package_manager: (experimental) The Node Package Manager used to execute scripts. Default: NodePackageManager.YARN_CLASSIC
@@ -4359,6 +4433,7 @@ class JsiiProject(
         :param releasable_commits: (experimental) Find commits that should be considered releasable Used to decide if a release is required. Default: ReleasableCommits.everyCommit()
         :param release: (experimental) Add release management to this project. Default: - true (false for subprojects)
         :param release_branches: (experimental) Defines additional release branches. A workflow will be created for each release branch which will publish releases from commits in this branch. Each release branch *must* be assigned a major version number which is used to enforce that versions published from that branch always use that major version. If multiple branches are used, the ``majorVersion`` field must also be provided for the default branch. Default: - no additional branches are used for release. you can use ``addBranch()`` to add additional branches.
+        :param release_environment: (experimental) The GitHub Actions environment used for the release. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. When multiple artifacts are released, the environment can be overwritten on a per artifact basis. Default: - no environment used, unless set at the artifact level
         :param release_every_commit: (deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``. Default: true
         :param release_failure_issue: (experimental) Create a github issue on every failed publishing task. Default: false
         :param release_failure_issue_label: (experimental) The label to apply to issues indicating publish failures. Only applies if ``releaseFailureIssue`` is true. Default: "failed-release"
@@ -4367,6 +4442,7 @@ class JsiiProject(
         :param release_to_npm: (experimental) Automatically release to npm when new versions are introduced. Default: false
         :param release_trigger: (experimental) The release trigger to use. Default: - Continuous releases (``ReleaseTrigger.continuous()``)
         :param release_workflow: (deprecated) DEPRECATED: renamed to ``release``. Default: - true if not a subproject
+        :param release_workflow_env: (experimental) Build environment variables for release workflows. Default: {}
         :param release_workflow_name: (experimental) The name of the default release workflow. Default: "release"
         :param release_workflow_setup_steps: (experimental) A set of workflow steps to execute in order to setup the workflow container.
         :param renovatebot: (experimental) Use renovatebot to handle dependency upgrades. Default: false
@@ -4391,7 +4467,7 @@ class JsiiProject(
         :param vscode: (experimental) Enable VSCode integration. Enabled by default for root projects. Disabled for non-root projects. Default: true
         :param workflow_bootstrap_steps: (experimental) Workflow steps to use in order to bootstrap this repo. Default: "yarn install --frozen-lockfile && yarn projen"
         :param workflow_container_image: (experimental) Container image to use for GitHub workflows. Default: - default image
-        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - GitHub Actions
+        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - default GitHub Actions user
         :param workflow_node_version: (experimental) The node version used in GitHub Actions workflows. Always use this option if your GitHub Actions workflows require a specific to run. Default: - ``minNodeVersion`` if set, otherwise ``lts/*``.
         :param workflow_package_cache: (experimental) Enable Node.js package cache in GitHub workflows. Default: false
         :param workflow_runs_on: (experimental) Github Runner selection labels. Default: ["ubuntu-latest"]
@@ -4491,6 +4567,7 @@ class JsiiProject(
             npm_registry=npm_registry,
             npm_registry_url=npm_registry_url,
             npm_token_secret=npm_token_secret,
+            npm_trusted_publishing=npm_trusted_publishing,
             outdir=outdir,
             package=package,
             package_manager=package_manager,
@@ -4528,6 +4605,7 @@ class JsiiProject(
             releasable_commits=releasable_commits,
             release=release,
             release_branches=release_branches,
+            release_environment=release_environment,
             release_every_commit=release_every_commit,
             release_failure_issue=release_failure_issue,
             release_failure_issue_label=release_failure_issue_label,
@@ -4536,6 +4614,7 @@ class JsiiProject(
             release_to_npm=release_to_npm,
             release_trigger=release_trigger,
             release_workflow=release_workflow,
+            release_workflow_env=release_workflow_env,
             release_workflow_name=release_workflow_name,
             release_workflow_setup_steps=release_workflow_setup_steps,
             renovatebot=renovatebot,
@@ -4679,6 +4758,7 @@ class JsiiProject(
         "npm_registry": "npmRegistry",
         "npm_registry_url": "npmRegistryUrl",
         "npm_token_secret": "npmTokenSecret",
+        "npm_trusted_publishing": "npmTrustedPublishing",
         "outdir": "outdir",
         "package": "package",
         "package_manager": "packageManager",
@@ -4716,6 +4796,7 @@ class JsiiProject(
         "releasable_commits": "releasableCommits",
         "release": "release",
         "release_branches": "releaseBranches",
+        "release_environment": "releaseEnvironment",
         "release_every_commit": "releaseEveryCommit",
         "release_failure_issue": "releaseFailureIssue",
         "release_failure_issue_label": "releaseFailureIssueLabel",
@@ -4724,6 +4805,7 @@ class JsiiProject(
         "release_to_npm": "releaseToNpm",
         "release_trigger": "releaseTrigger",
         "release_workflow": "releaseWorkflow",
+        "release_workflow_env": "releaseWorkflowEnv",
         "release_workflow_name": "releaseWorkflowName",
         "release_workflow_setup_steps": "releaseWorkflowSetupSteps",
         "renovatebot": "renovatebot",
@@ -4852,6 +4934,7 @@ class JsiiProjectOptions:
         npm_registry: typing.Optional[builtins.str] = None,
         npm_registry_url: typing.Optional[builtins.str] = None,
         npm_token_secret: typing.Optional[builtins.str] = None,
+        npm_trusted_publishing: typing.Optional[builtins.bool] = None,
         outdir: typing.Optional[builtins.str] = None,
         package: typing.Optional[builtins.bool] = None,
         package_manager: typing.Optional[_projen_javascript_04054675.NodePackageManager] = None,
@@ -4889,6 +4972,7 @@ class JsiiProjectOptions:
         releasable_commits: typing.Optional[_projen_04054675.ReleasableCommits] = None,
         release: typing.Optional[builtins.bool] = None,
         release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_projen_release_04054675.BranchOptions, typing.Dict[builtins.str, typing.Any]]]] = None,
+        release_environment: typing.Optional[builtins.str] = None,
         release_every_commit: typing.Optional[builtins.bool] = None,
         release_failure_issue: typing.Optional[builtins.bool] = None,
         release_failure_issue_label: typing.Optional[builtins.str] = None,
@@ -4897,6 +4981,7 @@ class JsiiProjectOptions:
         release_to_npm: typing.Optional[builtins.bool] = None,
         release_trigger: typing.Optional[_projen_release_04054675.ReleaseTrigger] = None,
         release_workflow: typing.Optional[builtins.bool] = None,
+        release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         release_workflow_name: typing.Optional[builtins.str] = None,
         release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_projen_github_workflows_04054675.JobStep, typing.Dict[builtins.str, typing.Any]]]] = None,
         renovatebot: typing.Optional[builtins.bool] = None,
@@ -4961,8 +5046,8 @@ class JsiiProjectOptions:
         :param check_licenses: (experimental) Configure which licenses should be deemed acceptable for use by dependencies. This setting will cause the build to fail, if any prohibited or not allowed licenses ares encountered. Default: - no license checks are run during the build and all licenses will be accepted
         :param clobber: (experimental) Add a ``clobber`` task which resets the repo to origin. Default: - true, but false for subprojects
         :param code_artifact_options: (experimental) Options for npm packages using AWS CodeArtifact. This is required if publishing packages to, or installing scoped packages from AWS CodeArtifact Default: - undefined
-        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v4 A secret is required for private repos. Configured with ``@codeCovTokenSecret``. Default: false
-        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories. Default: - if this option is not specified, only public repositories are supported
+        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``. Default: false
+        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token. Default: - OIDC auth is used
         :param commit_generated: (experimental) Whether to commit the managed files by default. Default: true
         :param compat: (experimental) Automatically run API compatibility test against the latest version published to npm after compilation. - You can manually run compatibility tests using ``yarn compat`` if this feature is disabled. - You can ignore compatibility failures by adding lines to a ".compatignore" file. Default: false
         :param compat_ignore: (experimental) Name of the ignore file for API compatibility tests. Default: ".compatignore"
@@ -4986,7 +5071,7 @@ class JsiiProjectOptions:
         :param dotnet: 
         :param entrypoint: (experimental) Module entrypoint (``main`` in ``package.json``). Set to an empty string to not include ``main`` in your package.json. Default: "lib/index.js"
         :param entrypoint_types: (experimental) The .d.ts file that includes the type declarations for this module. Default: - .d.ts file derived from the project's entrypoint (usually lib/index.d.ts)
-        :param eslint: (experimental) Setup eslint. Default: true
+        :param eslint: (experimental) Setup eslint. Default: - true, unless biome is enabled
         :param eslint_options: (experimental) Eslint options. Default: - opinionated default options
         :param exclude_typescript: (experimental) Accepts a list of glob patterns. Files matching any of those patterns will be excluded from the TypeScript compiler input. By default, jsii will include all *.ts files (except .d.ts files) in the TypeScript compiler input. This can be problematic for example when the package's build or test procedure generates .ts files that cannot be compiled with jsii's compiler settings.
         :param github: (experimental) Enable GitHub integration. Enabled by default for root projects. Disabled for non-root projects. Default: true
@@ -4999,7 +5084,7 @@ class JsiiProjectOptions:
         :param jest: (experimental) Setup jest unit tests. Default: true
         :param jest_options: (experimental) Jest options. Default: - default options
         :param jsii_release_version: (experimental) Version requirement of ``publib`` which is used to publish modules to npm. Default: "latest"
-        :param jsii_version: (experimental) Version of the jsii compiler to use. Set to "*" if you want to manually manage the version of jsii in your project by managing updates to ``package.json`` on your own. NOTE: The jsii compiler releases since 5.0.0 are not semantically versioned and should remain on the same minor, so we recommend using a ``~`` dependency (e.g. ``~5.0.0``). Default: "~5.6.0"
+        :param jsii_version: (experimental) Version of the jsii compiler to use. Set to "*" if you want to manually manage the version of jsii in your project by managing updates to ``package.json`` on your own. NOTE: The jsii compiler releases since 5.0.0 are not semantically versioned and should remain on the same minor, so we recommend using a ``~`` dependency (e.g. ``~5.0.0``). Default: "~5.8.0"
         :param keywords: (experimental) Keywords to include in ``package.json``.
         :param libdir: (experimental) Typescript artifacts output directory. Default: "lib"
         :param license: (experimental) License's SPDX identifier. See https://github.com/projen/projen/tree/main/license-text for a list of supported licenses. Use the ``licensed`` option if you want to no license to be specified. Default: "Apache-2.0"
@@ -5022,6 +5107,7 @@ class JsiiProjectOptions:
         :param npm_registry: (deprecated) The host name of the npm registry to publish to. Cannot be set together with ``npmRegistryUrl``.
         :param npm_registry_url: (experimental) The base URL of the npm package registry. Must be a URL (e.g. start with "https://" or "http://") Default: "https://registry.npmjs.org"
         :param npm_token_secret: (experimental) GitHub secret which contains the NPM token to use when publishing packages. Default: "NPM_TOKEN"
+        :param npm_trusted_publishing: (experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work. Default: - false
         :param outdir: (experimental) The root directory of the project. Relative to this directory, all files are synthesized. If this project has a parent, this directory is relative to the parent directory and it cannot be the same as the parent or any of it's other subprojects. Default: "."
         :param package: (experimental) Defines a ``package`` task that will produce an npm tarball under the artifacts directory (e.g. ``dist``). Default: true
         :param package_manager: (experimental) The Node Package Manager used to execute scripts. Default: NodePackageManager.YARN_CLASSIC
@@ -5059,6 +5145,7 @@ class JsiiProjectOptions:
         :param releasable_commits: (experimental) Find commits that should be considered releasable Used to decide if a release is required. Default: ReleasableCommits.everyCommit()
         :param release: (experimental) Add release management to this project. Default: - true (false for subprojects)
         :param release_branches: (experimental) Defines additional release branches. A workflow will be created for each release branch which will publish releases from commits in this branch. Each release branch *must* be assigned a major version number which is used to enforce that versions published from that branch always use that major version. If multiple branches are used, the ``majorVersion`` field must also be provided for the default branch. Default: - no additional branches are used for release. you can use ``addBranch()`` to add additional branches.
+        :param release_environment: (experimental) The GitHub Actions environment used for the release. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. When multiple artifacts are released, the environment can be overwritten on a per artifact basis. Default: - no environment used, unless set at the artifact level
         :param release_every_commit: (deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``. Default: true
         :param release_failure_issue: (experimental) Create a github issue on every failed publishing task. Default: false
         :param release_failure_issue_label: (experimental) The label to apply to issues indicating publish failures. Only applies if ``releaseFailureIssue`` is true. Default: "failed-release"
@@ -5067,6 +5154,7 @@ class JsiiProjectOptions:
         :param release_to_npm: (experimental) Automatically release to npm when new versions are introduced. Default: false
         :param release_trigger: (experimental) The release trigger to use. Default: - Continuous releases (``ReleaseTrigger.continuous()``)
         :param release_workflow: (deprecated) DEPRECATED: renamed to ``release``. Default: - true if not a subproject
+        :param release_workflow_env: (experimental) Build environment variables for release workflows. Default: {}
         :param release_workflow_name: (experimental) The name of the default release workflow. Default: "release"
         :param release_workflow_setup_steps: (experimental) A set of workflow steps to execute in order to setup the workflow container.
         :param renovatebot: (experimental) Use renovatebot to handle dependency upgrades. Default: false
@@ -5091,7 +5179,7 @@ class JsiiProjectOptions:
         :param vscode: (experimental) Enable VSCode integration. Enabled by default for root projects. Disabled for non-root projects. Default: true
         :param workflow_bootstrap_steps: (experimental) Workflow steps to use in order to bootstrap this repo. Default: "yarn install --frozen-lockfile && yarn projen"
         :param workflow_container_image: (experimental) Container image to use for GitHub workflows. Default: - default image
-        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - GitHub Actions
+        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - default GitHub Actions user
         :param workflow_node_version: (experimental) The node version used in GitHub Actions workflows. Always use this option if your GitHub Actions workflows require a specific to run. Default: - ``minNodeVersion`` if set, otherwise ``lts/*``.
         :param workflow_package_cache: (experimental) Enable Node.js package cache in GitHub workflows. Default: false
         :param workflow_runs_on: (experimental) Github Runner selection labels. Default: ["ubuntu-latest"]
@@ -5268,6 +5356,7 @@ class JsiiProjectOptions:
             check_type(argname="argument npm_registry", value=npm_registry, expected_type=type_hints["npm_registry"])
             check_type(argname="argument npm_registry_url", value=npm_registry_url, expected_type=type_hints["npm_registry_url"])
             check_type(argname="argument npm_token_secret", value=npm_token_secret, expected_type=type_hints["npm_token_secret"])
+            check_type(argname="argument npm_trusted_publishing", value=npm_trusted_publishing, expected_type=type_hints["npm_trusted_publishing"])
             check_type(argname="argument outdir", value=outdir, expected_type=type_hints["outdir"])
             check_type(argname="argument package", value=package, expected_type=type_hints["package"])
             check_type(argname="argument package_manager", value=package_manager, expected_type=type_hints["package_manager"])
@@ -5305,6 +5394,7 @@ class JsiiProjectOptions:
             check_type(argname="argument releasable_commits", value=releasable_commits, expected_type=type_hints["releasable_commits"])
             check_type(argname="argument release", value=release, expected_type=type_hints["release"])
             check_type(argname="argument release_branches", value=release_branches, expected_type=type_hints["release_branches"])
+            check_type(argname="argument release_environment", value=release_environment, expected_type=type_hints["release_environment"])
             check_type(argname="argument release_every_commit", value=release_every_commit, expected_type=type_hints["release_every_commit"])
             check_type(argname="argument release_failure_issue", value=release_failure_issue, expected_type=type_hints["release_failure_issue"])
             check_type(argname="argument release_failure_issue_label", value=release_failure_issue_label, expected_type=type_hints["release_failure_issue_label"])
@@ -5313,6 +5403,7 @@ class JsiiProjectOptions:
             check_type(argname="argument release_to_npm", value=release_to_npm, expected_type=type_hints["release_to_npm"])
             check_type(argname="argument release_trigger", value=release_trigger, expected_type=type_hints["release_trigger"])
             check_type(argname="argument release_workflow", value=release_workflow, expected_type=type_hints["release_workflow"])
+            check_type(argname="argument release_workflow_env", value=release_workflow_env, expected_type=type_hints["release_workflow_env"])
             check_type(argname="argument release_workflow_name", value=release_workflow_name, expected_type=type_hints["release_workflow_name"])
             check_type(argname="argument release_workflow_setup_steps", value=release_workflow_setup_steps, expected_type=type_hints["release_workflow_setup_steps"])
             check_type(argname="argument renovatebot", value=renovatebot, expected_type=type_hints["renovatebot"])
@@ -5524,6 +5615,8 @@ class JsiiProjectOptions:
             self._values["npm_registry_url"] = npm_registry_url
         if npm_token_secret is not None:
             self._values["npm_token_secret"] = npm_token_secret
+        if npm_trusted_publishing is not None:
+            self._values["npm_trusted_publishing"] = npm_trusted_publishing
         if outdir is not None:
             self._values["outdir"] = outdir
         if package is not None:
@@ -5598,6 +5691,8 @@ class JsiiProjectOptions:
             self._values["release"] = release
         if release_branches is not None:
             self._values["release_branches"] = release_branches
+        if release_environment is not None:
+            self._values["release_environment"] = release_environment
         if release_every_commit is not None:
             self._values["release_every_commit"] = release_every_commit
         if release_failure_issue is not None:
@@ -5614,6 +5709,8 @@ class JsiiProjectOptions:
             self._values["release_trigger"] = release_trigger
         if release_workflow is not None:
             self._values["release_workflow"] = release_workflow
+        if release_workflow_env is not None:
+            self._values["release_workflow_env"] = release_workflow_env
         if release_workflow_name is not None:
             self._values["release_workflow_name"] = release_workflow_name
         if release_workflow_setup_steps is not None:
@@ -6049,7 +6146,7 @@ class JsiiProjectOptions:
 
     @builtins.property
     def code_cov(self) -> typing.Optional[builtins.bool]:
-        '''(experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v4 A secret is required for private repos. Configured with ``@codeCovTokenSecret``.
+        '''(experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``.
 
         :default: false
 
@@ -6060,9 +6157,9 @@ class JsiiProjectOptions:
 
     @builtins.property
     def code_cov_token_secret(self) -> typing.Optional[builtins.str]:
-        '''(experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories.
+        '''(experimental) Define the secret name for a specified https://codecov.io/ token.
 
-        :default: - if this option is not specified, only public repositories are supported
+        :default: - OIDC auth is used
 
         :stability: experimental
         '''
@@ -6358,7 +6455,7 @@ class JsiiProjectOptions:
     def eslint(self) -> typing.Optional[builtins.bool]:
         '''(experimental) Setup eslint.
 
-        :default: true
+        :default: - true, unless biome is enabled
 
         :stability: experimental
         '''
@@ -6506,10 +6603,10 @@ class JsiiProjectOptions:
         and should remain on the same minor, so we recommend using a ``~`` dependency
         (e.g. ``~5.0.0``).
 
-        :default: "~5.6.0"
+        :default: "~5.8.0"
 
         :stability: experimental
-        :pjnew: "~5.8.0"
+        :pjnew: "~5.9.0"
         '''
         result = self._values.get("jsii_version")
         return typing.cast(typing.Optional[builtins.str], result)
@@ -6831,6 +6928,17 @@ class JsiiProjectOptions:
         result = self._values.get("npm_token_secret")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def npm_trusted_publishing(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work.
+
+        :default: - false
+
+        :stability: experimental
+        '''
+        result = self._values.get("npm_trusted_publishing")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def outdir(self) -> typing.Optional[builtins.str]:
         '''(experimental) The root directory of the project. Relative to this directory, all files are synthesized.
@@ -7290,6 +7398,23 @@ class JsiiProjectOptions:
         result = self._values.get("release_branches")
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, _projen_release_04054675.BranchOptions]], result)
 
+    @builtins.property
+    def release_environment(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The GitHub Actions environment used for the release.
+
+        This can be used to add an explicit approval step to the release
+        or limit who can initiate a release through environment protection rules.
+
+        When multiple artifacts are released, the environment can be overwritten
+        on a per artifact basis.
+
+        :default: - no environment used, unless set at the artifact level
+
+        :stability: experimental
+        '''
+        result = self._values.get("release_environment")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def release_every_commit(self) -> typing.Optional[builtins.bool]:
         '''(deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``.
@@ -7394,6 +7519,19 @@ class JsiiProjectOptions:
         result = self._values.get("release_workflow")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def release_workflow_env(
+        self,
+    ) -> typing.Optional[typing.Mapping[builtins.str, builtins.str]]:
+        '''(experimental) Build environment variables for release workflows.
+
+        :default: {}
+
+        :stability: experimental
+        '''
+        result = self._values.get("release_workflow_env")
+        return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
+
     @builtins.property
     def release_workflow_name(self) -> typing.Optional[builtins.str]:
         '''(experimental) The name of the default release workflow.
@@ -7694,7 +7832,7 @@ class JsiiProjectOptions:
     ) -> typing.Optional[_projen_github_04054675.GitIdentity]:
         '''(experimental) The git identity to use in workflows.
 
-        :default: - GitHub Actions
+        :default: - default GitHub Actions user
 
         :stability: experimental
         '''
@@ -7871,6 +8009,7 @@ class NpmPackage(
         npm_registry: typing.Optional[builtins.str] = None,
         npm_registry_url: typing.Optional[builtins.str] = None,
         npm_token_secret: typing.Optional[builtins.str] = None,
+        npm_trusted_publishing: typing.Optional[builtins.bool] = None,
         outdir: typing.Optional[builtins.str] = None,
         package: typing.Optional[builtins.bool] = None,
         package_manager: typing.Optional[_projen_javascript_04054675.NodePackageManager] = None,
@@ -7903,6 +8042,7 @@ class NpmPackage(
         releasable_commits: typing.Optional[_projen_04054675.ReleasableCommits] = None,
         release: typing.Optional[builtins.bool] = None,
         release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_projen_release_04054675.BranchOptions, typing.Dict[builtins.str, typing.Any]]]] = None,
+        release_environment: typing.Optional[builtins.str] = None,
         release_every_commit: typing.Optional[builtins.bool] = None,
         release_failure_issue: typing.Optional[builtins.bool] = None,
         release_failure_issue_label: typing.Optional[builtins.str] = None,
@@ -7911,6 +8051,7 @@ class NpmPackage(
         release_to_npm: typing.Optional[builtins.bool] = None,
         release_trigger: typing.Optional[_projen_release_04054675.ReleaseTrigger] = None,
         release_workflow: typing.Optional[builtins.bool] = None,
+        release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         release_workflow_name: typing.Optional[builtins.str] = None,
         release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_projen_github_workflows_04054675.JobStep, typing.Dict[builtins.str, typing.Any]]]] = None,
         renovatebot: typing.Optional[builtins.bool] = None,
@@ -7970,8 +8111,8 @@ class NpmPackage(
         :param check_licenses: (experimental) Configure which licenses should be deemed acceptable for use by dependencies. This setting will cause the build to fail, if any prohibited or not allowed licenses ares encountered. Default: - no license checks are run during the build and all licenses will be accepted
         :param clobber: (experimental) Add a ``clobber`` task which resets the repo to origin. Default: - true, but false for subprojects
         :param code_artifact_options: (experimental) Options for npm packages using AWS CodeArtifact. This is required if publishing packages to, or installing scoped packages from AWS CodeArtifact Default: - undefined
-        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v4 A secret is required for private repos. Configured with ``@codeCovTokenSecret``. Default: false
-        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories. Default: - if this option is not specified, only public repositories are supported
+        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``. Default: false
+        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token. Default: - OIDC auth is used
         :param commit_generated: (experimental) Whether to commit the managed files by default. Default: true
         :param copyright_owner: (experimental) License copyright owner. Default: - defaults to the value of authorName or "" if ``authorName`` is undefined.
         :param copyright_period: (experimental) The copyright years to put in the LICENSE file. Default: - current year
@@ -7990,7 +8131,7 @@ class NpmPackage(
         :param docs_directory: (experimental) Docs directory. Default: "docs"
         :param entrypoint: (experimental) Module entrypoint (``main`` in ``package.json``). Set to an empty string to not include ``main`` in your package.json. Default: "lib/index.js"
         :param entrypoint_types: (experimental) The .d.ts file that includes the type declarations for this module. Default: - .d.ts file derived from the project's entrypoint (usually lib/index.d.ts)
-        :param eslint: (experimental) Setup eslint. Default: true
+        :param eslint: (experimental) Setup eslint. Default: - true, unless biome is enabled
         :param eslint_options: (experimental) Eslint options. Default: - opinionated default options
         :param github: (experimental) Enable GitHub integration. Enabled by default for root projects. Disabled for non-root projects. Default: true
         :param github_options: (experimental) Options for GitHub integration. Default: - see GitHubOptions
@@ -8024,6 +8165,7 @@ class NpmPackage(
         :param npm_registry: (deprecated) The host name of the npm registry to publish to. Cannot be set together with ``npmRegistryUrl``.
         :param npm_registry_url: (experimental) The base URL of the npm package registry. Must be a URL (e.g. start with "https://" or "http://") Default: "https://registry.npmjs.org"
         :param npm_token_secret: (experimental) GitHub secret which contains the NPM token to use when publishing packages. Default: "NPM_TOKEN"
+        :param npm_trusted_publishing: (experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work. Default: - false
         :param outdir: (experimental) The root directory of the project. Relative to this directory, all files are synthesized. If this project has a parent, this directory is relative to the parent directory and it cannot be the same as the parent or any of it's other subprojects. Default: "."
         :param package: (experimental) Defines a ``package`` task that will produce an npm tarball under the artifacts directory (e.g. ``dist``). Default: true
         :param package_manager: (experimental) The Node Package Manager used to execute scripts. Default: NodePackageManager.YARN_CLASSIC
@@ -8056,6 +8198,7 @@ class NpmPackage(
         :param releasable_commits: (experimental) Find commits that should be considered releasable Used to decide if a release is required. Default: ReleasableCommits.everyCommit()
         :param release: (experimental) Add release management to this project. Default: - true (false for subprojects)
         :param release_branches: (experimental) Defines additional release branches. A workflow will be created for each release branch which will publish releases from commits in this branch. Each release branch *must* be assigned a major version number which is used to enforce that versions published from that branch always use that major version. If multiple branches are used, the ``majorVersion`` field must also be provided for the default branch. Default: - no additional branches are used for release. you can use ``addBranch()`` to add additional branches.
+        :param release_environment: (experimental) The GitHub Actions environment used for the release. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. When multiple artifacts are released, the environment can be overwritten on a per artifact basis. Default: - no environment used, unless set at the artifact level
         :param release_every_commit: (deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``. Default: true
         :param release_failure_issue: (experimental) Create a github issue on every failed publishing task. Default: false
         :param release_failure_issue_label: (experimental) The label to apply to issues indicating publish failures. Only applies if ``releaseFailureIssue`` is true. Default: "failed-release"
@@ -8064,6 +8207,7 @@ class NpmPackage(
         :param release_to_npm: (experimental) Automatically release to npm when new versions are introduced. Default: false
         :param release_trigger: (experimental) The release trigger to use. Default: - Continuous releases (``ReleaseTrigger.continuous()``)
         :param release_workflow: (deprecated) DEPRECATED: renamed to ``release``. Default: - true if not a subproject
+        :param release_workflow_env: (experimental) Build environment variables for release workflows. Default: {}
         :param release_workflow_name: (experimental) The name of the default release workflow. Default: "release"
         :param release_workflow_setup_steps: (experimental) A set of workflow steps to execute in order to setup the workflow container.
         :param renovatebot: (experimental) Use renovatebot to handle dependency upgrades. Default: false
@@ -8087,7 +8231,7 @@ class NpmPackage(
         :param vscode: (experimental) Enable VSCode integration. Enabled by default for root projects. Disabled for non-root projects. Default: true
         :param workflow_bootstrap_steps: (experimental) Workflow steps to use in order to bootstrap this repo. Default: "yarn install --frozen-lockfile && yarn projen"
         :param workflow_container_image: (experimental) Container image to use for GitHub workflows. Default: - default image
-        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - GitHub Actions
+        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - default GitHub Actions user
         :param workflow_node_version: (experimental) The node version used in GitHub Actions workflows. Always use this option if your GitHub Actions workflows require a specific to run. Default: - ``minNodeVersion`` if set, otherwise ``lts/*``.
         :param workflow_package_cache: (experimental) Enable Node.js package cache in GitHub workflows. Default: false
         :param workflow_runs_on: (experimental) Github Runner selection labels. Default: ["ubuntu-latest"]
@@ -8177,6 +8321,7 @@ class NpmPackage(
             npm_registry=npm_registry,
             npm_registry_url=npm_registry_url,
             npm_token_secret=npm_token_secret,
+            npm_trusted_publishing=npm_trusted_publishing,
             outdir=outdir,
             package=package,
             package_manager=package_manager,
@@ -8209,6 +8354,7 @@ class NpmPackage(
             releasable_commits=releasable_commits,
             release=release,
             release_branches=release_branches,
+            release_environment=release_environment,
             release_every_commit=release_every_commit,
             release_failure_issue=release_failure_issue,
             release_failure_issue_label=release_failure_issue_label,
@@ -8217,6 +8363,7 @@ class NpmPackage(
             release_to_npm=release_to_npm,
             release_trigger=release_trigger,
             release_workflow=release_workflow,
+            release_workflow_env=release_workflow_env,
             release_workflow_name=release_workflow_name,
             release_workflow_setup_steps=release_workflow_setup_steps,
             renovatebot=renovatebot,
@@ -8349,6 +8496,7 @@ class NpmPackage(
         "npm_registry": "npmRegistry",
         "npm_registry_url": "npmRegistryUrl",
         "npm_token_secret": "npmTokenSecret",
+        "npm_trusted_publishing": "npmTrustedPublishing",
         "outdir": "outdir",
         "package": "package",
         "package_manager": "packageManager",
@@ -8381,6 +8529,7 @@ class NpmPackage(
         "releasable_commits": "releasableCommits",
         "release": "release",
         "release_branches": "releaseBranches",
+        "release_environment": "releaseEnvironment",
         "release_every_commit": "releaseEveryCommit",
         "release_failure_issue": "releaseFailureIssue",
         "release_failure_issue_label": "releaseFailureIssueLabel",
@@ -8389,6 +8538,7 @@ class NpmPackage(
         "release_to_npm": "releaseToNpm",
         "release_trigger": "releaseTrigger",
         "release_workflow": "releaseWorkflow",
+        "release_workflow_env": "releaseWorkflowEnv",
         "release_workflow_name": "releaseWorkflowName",
         "release_workflow_setup_steps": "releaseWorkflowSetupSteps",
         "renovatebot": "renovatebot",
@@ -8506,6 +8656,7 @@ class NpmPackageOptions:
         npm_registry: typing.Optional[builtins.str] = None,
         npm_registry_url: typing.Optional[builtins.str] = None,
         npm_token_secret: typing.Optional[builtins.str] = None,
+        npm_trusted_publishing: typing.Optional[builtins.bool] = None,
         outdir: typing.Optional[builtins.str] = None,
         package: typing.Optional[builtins.bool] = None,
         package_manager: typing.Optional[_projen_javascript_04054675.NodePackageManager] = None,
@@ -8538,6 +8689,7 @@ class NpmPackageOptions:
         releasable_commits: typing.Optional[_projen_04054675.ReleasableCommits] = None,
         release: typing.Optional[builtins.bool] = None,
         release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_projen_release_04054675.BranchOptions, typing.Dict[builtins.str, typing.Any]]]] = None,
+        release_environment: typing.Optional[builtins.str] = None,
         release_every_commit: typing.Optional[builtins.bool] = None,
         release_failure_issue: typing.Optional[builtins.bool] = None,
         release_failure_issue_label: typing.Optional[builtins.str] = None,
@@ -8546,6 +8698,7 @@ class NpmPackageOptions:
         release_to_npm: typing.Optional[builtins.bool] = None,
         release_trigger: typing.Optional[_projen_release_04054675.ReleaseTrigger] = None,
         release_workflow: typing.Optional[builtins.bool] = None,
+        release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
         release_workflow_name: typing.Optional[builtins.str] = None,
         release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_projen_github_workflows_04054675.JobStep, typing.Dict[builtins.str, typing.Any]]]] = None,
         renovatebot: typing.Optional[builtins.bool] = None,
@@ -8606,8 +8759,8 @@ class NpmPackageOptions:
         :param check_licenses: (experimental) Configure which licenses should be deemed acceptable for use by dependencies. This setting will cause the build to fail, if any prohibited or not allowed licenses ares encountered. Default: - no license checks are run during the build and all licenses will be accepted
         :param clobber: (experimental) Add a ``clobber`` task which resets the repo to origin. Default: - true, but false for subprojects
         :param code_artifact_options: (experimental) Options for npm packages using AWS CodeArtifact. This is required if publishing packages to, or installing scoped packages from AWS CodeArtifact Default: - undefined
-        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v4 A secret is required for private repos. Configured with ``@codeCovTokenSecret``. Default: false
-        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories. Default: - if this option is not specified, only public repositories are supported
+        :param code_cov: (experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``. Default: false
+        :param code_cov_token_secret: (experimental) Define the secret name for a specified https://codecov.io/ token. Default: - OIDC auth is used
         :param commit_generated: (experimental) Whether to commit the managed files by default. Default: true
         :param copyright_owner: (experimental) License copyright owner. Default: - defaults to the value of authorName or "" if ``authorName`` is undefined.
         :param copyright_period: (experimental) The copyright years to put in the LICENSE file. Default: - current year
@@ -8626,7 +8779,7 @@ class NpmPackageOptions:
         :param docs_directory: (experimental) Docs directory. Default: "docs"
         :param entrypoint: (experimental) Module entrypoint (``main`` in ``package.json``). Set to an empty string to not include ``main`` in your package.json. Default: "lib/index.js"
         :param entrypoint_types: (experimental) The .d.ts file that includes the type declarations for this module. Default: - .d.ts file derived from the project's entrypoint (usually lib/index.d.ts)
-        :param eslint: (experimental) Setup eslint. Default: true
+        :param eslint: (experimental) Setup eslint. Default: - true, unless biome is enabled
         :param eslint_options: (experimental) Eslint options. Default: - opinionated default options
         :param github: (experimental) Enable GitHub integration. Enabled by default for root projects. Disabled for non-root projects. Default: true
         :param github_options: (experimental) Options for GitHub integration. Default: - see GitHubOptions
@@ -8660,6 +8813,7 @@ class NpmPackageOptions:
         :param npm_registry: (deprecated) The host name of the npm registry to publish to. Cannot be set together with ``npmRegistryUrl``.
         :param npm_registry_url: (experimental) The base URL of the npm package registry. Must be a URL (e.g. start with "https://" or "http://") Default: "https://registry.npmjs.org"
         :param npm_token_secret: (experimental) GitHub secret which contains the NPM token to use when publishing packages. Default: "NPM_TOKEN"
+        :param npm_trusted_publishing: (experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work. Default: - false
         :param outdir: (experimental) The root directory of the project. Relative to this directory, all files are synthesized. If this project has a parent, this directory is relative to the parent directory and it cannot be the same as the parent or any of it's other subprojects. Default: "."
         :param package: (experimental) Defines a ``package`` task that will produce an npm tarball under the artifacts directory (e.g. ``dist``). Default: true
         :param package_manager: (experimental) The Node Package Manager used to execute scripts. Default: NodePackageManager.YARN_CLASSIC
@@ -8692,6 +8846,7 @@ class NpmPackageOptions:
         :param releasable_commits: (experimental) Find commits that should be considered releasable Used to decide if a release is required. Default: ReleasableCommits.everyCommit()
         :param release: (experimental) Add release management to this project. Default: - true (false for subprojects)
         :param release_branches: (experimental) Defines additional release branches. A workflow will be created for each release branch which will publish releases from commits in this branch. Each release branch *must* be assigned a major version number which is used to enforce that versions published from that branch always use that major version. If multiple branches are used, the ``majorVersion`` field must also be provided for the default branch. Default: - no additional branches are used for release. you can use ``addBranch()`` to add additional branches.
+        :param release_environment: (experimental) The GitHub Actions environment used for the release. This can be used to add an explicit approval step to the release or limit who can initiate a release through environment protection rules. When multiple artifacts are released, the environment can be overwritten on a per artifact basis. Default: - no environment used, unless set at the artifact level
         :param release_every_commit: (deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``. Default: true
         :param release_failure_issue: (experimental) Create a github issue on every failed publishing task. Default: false
         :param release_failure_issue_label: (experimental) The label to apply to issues indicating publish failures. Only applies if ``releaseFailureIssue`` is true. Default: "failed-release"
@@ -8700,6 +8855,7 @@ class NpmPackageOptions:
         :param release_to_npm: (experimental) Automatically release to npm when new versions are introduced. Default: false
         :param release_trigger: (experimental) The release trigger to use. Default: - Continuous releases (``ReleaseTrigger.continuous()``)
         :param release_workflow: (deprecated) DEPRECATED: renamed to ``release``. Default: - true if not a subproject
+        :param release_workflow_env: (experimental) Build environment variables for release workflows. Default: {}
         :param release_workflow_name: (experimental) The name of the default release workflow. Default: "release"
         :param release_workflow_setup_steps: (experimental) A set of workflow steps to execute in order to setup the workflow container.
         :param renovatebot: (experimental) Use renovatebot to handle dependency upgrades. Default: false
@@ -8723,7 +8879,7 @@ class NpmPackageOptions:
         :param vscode: (experimental) Enable VSCode integration. Enabled by default for root projects. Disabled for non-root projects. Default: true
         :param workflow_bootstrap_steps: (experimental) Workflow steps to use in order to bootstrap this repo. Default: "yarn install --frozen-lockfile && yarn projen"
         :param workflow_container_image: (experimental) Container image to use for GitHub workflows. Default: - default image
-        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - GitHub Actions
+        :param workflow_git_identity: (experimental) The git identity to use in workflows. Default: - default GitHub Actions user
         :param workflow_node_version: (experimental) The node version used in GitHub Actions workflows. Always use this option if your GitHub Actions workflows require a specific to run. Default: - ``minNodeVersion`` if set, otherwise ``lts/*``.
         :param workflow_package_cache: (experimental) Enable Node.js package cache in GitHub workflows. Default: false
         :param workflow_runs_on: (experimental) Github Runner selection labels. Default: ["ubuntu-latest"]
@@ -8878,6 +9034,7 @@ class NpmPackageOptions:
             check_type(argname="argument npm_registry", value=npm_registry, expected_type=type_hints["npm_registry"])
             check_type(argname="argument npm_registry_url", value=npm_registry_url, expected_type=type_hints["npm_registry_url"])
             check_type(argname="argument npm_token_secret", value=npm_token_secret, expected_type=type_hints["npm_token_secret"])
+            check_type(argname="argument npm_trusted_publishing", value=npm_trusted_publishing, expected_type=type_hints["npm_trusted_publishing"])
             check_type(argname="argument outdir", value=outdir, expected_type=type_hints["outdir"])
             check_type(argname="argument package", value=package, expected_type=type_hints["package"])
             check_type(argname="argument package_manager", value=package_manager, expected_type=type_hints["package_manager"])
@@ -8910,6 +9067,7 @@ class NpmPackageOptions:
             check_type(argname="argument releasable_commits", value=releasable_commits, expected_type=type_hints["releasable_commits"])
             check_type(argname="argument release", value=release, expected_type=type_hints["release"])
             check_type(argname="argument release_branches", value=release_branches, expected_type=type_hints["release_branches"])
+            check_type(argname="argument release_environment", value=release_environment, expected_type=type_hints["release_environment"])
             check_type(argname="argument release_every_commit", value=release_every_commit, expected_type=type_hints["release_every_commit"])
             check_type(argname="argument release_failure_issue", value=release_failure_issue, expected_type=type_hints["release_failure_issue"])
             check_type(argname="argument release_failure_issue_label", value=release_failure_issue_label, expected_type=type_hints["release_failure_issue_label"])
@@ -8918,6 +9076,7 @@ class NpmPackageOptions:
             check_type(argname="argument release_to_npm", value=release_to_npm, expected_type=type_hints["release_to_npm"])
             check_type(argname="argument release_trigger", value=release_trigger, expected_type=type_hints["release_trigger"])
             check_type(argname="argument release_workflow", value=release_workflow, expected_type=type_hints["release_workflow"])
+            check_type(argname="argument release_workflow_env", value=release_workflow_env, expected_type=type_hints["release_workflow_env"])
             check_type(argname="argument release_workflow_name", value=release_workflow_name, expected_type=type_hints["release_workflow_name"])
             check_type(argname="argument release_workflow_setup_steps", value=release_workflow_setup_steps, expected_type=type_hints["release_workflow_setup_steps"])
             check_type(argname="argument renovatebot", value=renovatebot, expected_type=type_hints["renovatebot"])
@@ -9111,6 +9270,8 @@ class NpmPackageOptions:
             self._values["npm_registry_url"] = npm_registry_url
         if npm_token_secret is not None:
             self._values["npm_token_secret"] = npm_token_secret
+        if npm_trusted_publishing is not None:
+            self._values["npm_trusted_publishing"] = npm_trusted_publishing
         if outdir is not None:
             self._values["outdir"] = outdir
         if package is not None:
@@ -9175,6 +9336,8 @@ class NpmPackageOptions:
             self._values["release"] = release
         if release_branches is not None:
             self._values["release_branches"] = release_branches
+        if release_environment is not None:
+            self._values["release_environment"] = release_environment
         if release_every_commit is not None:
             self._values["release_every_commit"] = release_every_commit
         if release_failure_issue is not None:
@@ -9191,6 +9354,8 @@ class NpmPackageOptions:
             self._values["release_trigger"] = release_trigger
         if release_workflow is not None:
             self._values["release_workflow"] = release_workflow
+        if release_workflow_env is not None:
+            self._values["release_workflow_env"] = release_workflow_env
         if release_workflow_name is not None:
             self._values["release_workflow_name"] = release_workflow_name
         if release_workflow_setup_steps is not None:
@@ -9588,7 +9753,7 @@ class NpmPackageOptions:
 
     @builtins.property
     def code_cov(self) -> typing.Optional[builtins.bool]:
-        '''(experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v4 A secret is required for private repos. Configured with ``@codeCovTokenSecret``.
+        '''(experimental) Define a GitHub workflow step for sending code coverage metrics to https://codecov.io/ Uses codecov/codecov-action@v5 By default, OIDC auth is used. Alternatively a token can be provided via ``codeCovTokenSecret``.
 
         :default: false
 
@@ -9599,9 +9764,9 @@ class NpmPackageOptions:
 
     @builtins.property
     def code_cov_token_secret(self) -> typing.Optional[builtins.str]:
-        '''(experimental) Define the secret name for a specified https://codecov.io/ token A secret is required to send coverage for private repositories.
+        '''(experimental) Define the secret name for a specified https://codecov.io/ token.
 
-        :default: - if this option is not specified, only public repositories are supported
+        :default: - OIDC auth is used
 
         :stability: experimental
         '''
@@ -9840,7 +10005,7 @@ class NpmPackageOptions:
     def eslint(self) -> typing.Optional[builtins.bool]:
         '''(experimental) Setup eslint.
 
-        :default: true
+        :default: - true, unless biome is enabled
 
         :stability: experimental
         '''
@@ -10281,6 +10446,17 @@ class NpmPackageOptions:
         result = self._values.get("npm_token_secret")
         return typing.cast(typing.Optional[builtins.str], result)
 
+    @builtins.property
+    def npm_trusted_publishing(self) -> typing.Optional[builtins.bool]:
+        '''(experimental) Use trusted publishing for publishing to npmjs.com Needs to be pre-configured on npm.js to work.
+
+        :default: - false
+
+        :stability: experimental
+        '''
+        result = self._values.get("npm_trusted_publishing")
+        return typing.cast(typing.Optional[builtins.bool], result)
+
     @builtins.property
     def outdir(self) -> typing.Optional[builtins.str]:
         '''(experimental) The root directory of the project. Relative to this directory, all files are synthesized.
@@ -10684,6 +10860,23 @@ class NpmPackageOptions:
         result = self._values.get("release_branches")
         return typing.cast(typing.Optional[typing.Mapping[builtins.str, _projen_release_04054675.BranchOptions]], result)
 
+    @builtins.property
+    def release_environment(self) -> typing.Optional[builtins.str]:
+        '''(experimental) The GitHub Actions environment used for the release.
+
+        This can be used to add an explicit approval step to the release
+        or limit who can initiate a release through environment protection rules.
+
+        When multiple artifacts are released, the environment can be overwritten
+        on a per artifact basis.
+
+        :default: - no environment used, unless set at the artifact level
+
+        :stability: experimental
+        '''
+        result = self._values.get("release_environment")
+        return typing.cast(typing.Optional[builtins.str], result)
+
     @builtins.property
     def release_every_commit(self) -> typing.Optional[builtins.bool]:
         '''(deprecated) Automatically release new versions every commit to one of branches in ``releaseBranches``.
@@ -10788,6 +10981,19 @@ class NpmPackageOptions:
         result = self._values.get("release_workflow")
         return typing.cast(typing.Optional[builtins.bool], result)
 
+    @builtins.property
+    def release_workflow_env(
+        self,
+    ) -> typing.Optional[typing.Mapping[builtins.str, builtins.str]]:
+        '''(experimental) Build environment variables for release workflows.
+
+        :default: {}
+
+        :stability: experimental
+        '''
+        result = self._values.get("release_workflow_env")
+        return typing.cast(typing.Optional[typing.Mapping[builtins.str, builtins.str]], result)
+
     @builtins.property
     def release_workflow_name(self) -> typing.Optional[builtins.str]:
         '''(experimental) The name of the default release workflow.
@@ -11078,7 +11284,7 @@ class NpmPackageOptions:
     ) -> typing.Optional[_projen_github_04054675.GitIdentity]:
         '''(experimental) The git identity to use in workflows.
 
-        :default: - GitHub Actions
+        :default: - default GitHub Actions user
 
         :stability: experimental
         '''
@@ -12747,7 +12953,7 @@ def _typecheckingstub__3a6354f4c0532263f309ca59025d89b070b95588f76bd5815340cc71a
     eslint: typing.Optional[builtins.bool] = None,
     eslint_options: typing.Optional[typing.Union[_projen_javascript_04054675.EslintOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     experimental_integ_runner: typing.Optional[builtins.bool] = None,
-    feature_flags: typing.Optional[builtins.bool] = None,
+    feature_flags: typing.Optional[_projen_awscdk_04054675.ICdkFeatureFlags] = None,
     github: typing.Optional[builtins.bool] = None,
     github_options: typing.Optional[typing.Union[_projen_github_04054675.GitHubOptions, typing.Dict[builtins.str, typing.Any]]] = None,
     gitignore: typing.Optional[typing.Sequence[builtins.str]] = None,
@@ -12784,6 +12990,7 @@ def _typecheckingstub__3a6354f4c0532263f309ca59025d89b070b95588f76bd5815340cc71a
     npm_registry: typing.Optional[builtins.str] = None,
     npm_registry_url: typing.Optional[builtins.str] = None,
     npm_token_secret: typing.Optional[builtins.str] = None,
+    npm_trusted_publishing: typing.Optional[builtins.bool] = None,
     outdir: typing.Optional[builtins.str] = None,
     package: typing.Optional[builtins.bool] = None,
     package_manager: typing.Optional[_projen_javascript_04054675.NodePackageManager] = None,
@@ -12816,6 +13023,7 @@ def _typecheckingstub__3a6354f4c0532263f309ca59025d89b070b95588f76bd5815340cc71a
     releasable_commits: typing.Optional[_projen_04054675.ReleasableCommits] = None,
     release: typing.Optional[builtins.bool] = None,
     release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_projen_release_04054675.BranchOptions, typing.Dict[builtins.str, typing.Any]]]] = None,
+    release_environment: typing.Optional[builtins.str] = None,
     release_every_commit: typing.Optional[builtins.bool] = None,
     release_failure_issue: typing.Optional[builtins.bool] = None,
     release_failure_issue_label: typing.Optional[builtins.str] = None,
@@ -12824,6 +13032,7 @@ def _typecheckingstub__3a6354f4c0532263f309ca59025d89b070b95588f76bd5815340cc71a
     release_to_npm: typing.Optional[builtins.bool] = None,
     release_trigger: typing.Optional[_projen_release_04054675.ReleaseTrigger] = None,
     release_workflow: typing.Optional[builtins.bool] = None,
+    release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     release_workflow_name: typing.Optional[builtins.str] = None,
     release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_projen_github_workflows_04054675.JobStep, typing.Dict[builtins.str, typing.Any]]]] = None,
     renovatebot: typing.Optional[builtins.bool] = None,
@@ -12972,6 +13181,7 @@ def _typecheckingstub__bcc0f0f3d874afabc142961b7ca192083fcad906385166f2e47f7e739
     npm_registry: typing.Optional[builtins.str] = None,
     npm_registry_url: typing.Optional[builtins.str] = None,
     npm_token_secret: typing.Optional[builtins.str] = None,
+    npm_trusted_publishing: typing.Optional[builtins.bool] = None,
     outdir: typing.Optional[builtins.str] = None,
     package: typing.Optional[builtins.bool] = None,
     package_manager: typing.Optional[_projen_javascript_04054675.NodePackageManager] = None,
@@ -13009,6 +13219,7 @@ def _typecheckingstub__bcc0f0f3d874afabc142961b7ca192083fcad906385166f2e47f7e739
     releasable_commits: typing.Optional[_projen_04054675.ReleasableCommits] = None,
     release: typing.Optional[builtins.bool] = None,
     release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_projen_release_04054675.BranchOptions, typing.Dict[builtins.str, typing.Any]]]] = None,
+    release_environment: typing.Optional[builtins.str] = None,
     release_every_commit: typing.Optional[builtins.bool] = None,
     release_failure_issue: typing.Optional[builtins.bool] = None,
     release_failure_issue_label: typing.Optional[builtins.str] = None,
@@ -13017,6 +13228,7 @@ def _typecheckingstub__bcc0f0f3d874afabc142961b7ca192083fcad906385166f2e47f7e739
     release_to_npm: typing.Optional[builtins.bool] = None,
     release_trigger: typing.Optional[_projen_release_04054675.ReleaseTrigger] = None,
     release_workflow: typing.Optional[builtins.bool] = None,
+    release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     release_workflow_name: typing.Optional[builtins.str] = None,
     release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_projen_github_workflows_04054675.JobStep, typing.Dict[builtins.str, typing.Any]]]] = None,
     renovatebot: typing.Optional[builtins.bool] = None,
@@ -13141,6 +13353,7 @@ def _typecheckingstub__b17dce6f2f04ceb519c781a818d66bcf4fef528d5b613028b126fd373
     npm_registry: typing.Optional[builtins.str] = None,
     npm_registry_url: typing.Optional[builtins.str] = None,
     npm_token_secret: typing.Optional[builtins.str] = None,
+    npm_trusted_publishing: typing.Optional[builtins.bool] = None,
     outdir: typing.Optional[builtins.str] = None,
     package: typing.Optional[builtins.bool] = None,
     package_manager: typing.Optional[_projen_javascript_04054675.NodePackageManager] = None,
@@ -13173,6 +13386,7 @@ def _typecheckingstub__b17dce6f2f04ceb519c781a818d66bcf4fef528d5b613028b126fd373
     releasable_commits: typing.Optional[_projen_04054675.ReleasableCommits] = None,
     release: typing.Optional[builtins.bool] = None,
     release_branches: typing.Optional[typing.Mapping[builtins.str, typing.Union[_projen_release_04054675.BranchOptions, typing.Dict[builtins.str, typing.Any]]]] = None,
+    release_environment: typing.Optional[builtins.str] = None,
     release_every_commit: typing.Optional[builtins.bool] = None,
     release_failure_issue: typing.Optional[builtins.bool] = None,
     release_failure_issue_label: typing.Optional[builtins.str] = None,
@@ -13181,6 +13395,7 @@ def _typecheckingstub__b17dce6f2f04ceb519c781a818d66bcf4fef528d5b613028b126fd373
     release_to_npm: typing.Optional[builtins.bool] = None,
     release_trigger: typing.Optional[_projen_release_04054675.ReleaseTrigger] = None,
     release_workflow: typing.Optional[builtins.bool] = None,
+    release_workflow_env: typing.Optional[typing.Mapping[builtins.str, builtins.str]] = None,
     release_workflow_name: typing.Optional[builtins.str] = None,
     release_workflow_setup_steps: typing.Optional[typing.Sequence[typing.Union[_projen_github_workflows_04054675.JobStep, typing.Dict[builtins.str, typing.Any]]]] = None,
     renovatebot: typing.Optional[builtins.bool] = None,