feat(test): add integration test suite for CloudFormation template validation

[VirtueMe]

Summary

Adds an integration test suite that deploys real CloudFormation stacks to LocalStack on every PR. This catches a class of bugs that unit tests cannot — circular resource dependencies, invalid ARN references, and misconfigured IAM policies that only manifest when CloudFormation evaluates the full dependency graph.

Fixtures

9 fixtures covering all supported plugin features:

Fixture	Features
basic-state-machine	Standard workflow, Lambda invoke, tags
express-workflow	type: EXPRESS, loggingConfig, tracingConfig
activities	Step Functions activities
cloudwatch-alarms	CloudWatch alarms (5 metrics, SNS topics)
notifications	SNS + SQS execution event notification targets
schedule	Rate-based EventBridge rule + EventBridge Scheduler
cloudwatch-event	EventBridge event pattern rule
api-gateway	HTTP endpoint → Step Functions direct integration
no-output	noOutput: true (suppresses state machine ARN outputs)

Implementation notes

• All fixtures share fixtures/package.json — CI requires only two npm install calls
• fixtures/base.yml holds shared provider, plugins, package, and custom config; each fixture only declares what is unique to it
• package.excludeDevDependencies: false is set in base.yml to prevent Serverless Framework v3 from scanning ~25k node_modules files before packaging, which would exhaust the JS heap
• LocalStack runs in Docker via docker compose; the workflow waits for cloudformation, s3, and stepfunctions to be available before deploying

Status

All CI checks green. Currently validates that all fixtures deploy successfully. CloudFormation template assertion (validating specific generated resources) is out of scope for this PR and tracked separately.

Known broken issues (intentionally not covered)

• Circular dependency calling intrinsic function #470 — circular dependency with !Ref lambda resource
• Using notifications overwrites exisiting resouce permissions. #275 — notifications overwrite existing SNS/SQS policy instead of merging
• Wrong policy state machine generation for lambda arn #302 — wrong IAM policy for Lambda ARN with Fn::Sub

[pkg-pr-new]

Open in StackBlitz

npm i https://pkg.pr.new/serverless-operations/serverless-step-functions@745

commit: 67de367

[zirkelc]

This is really nice!

[VirtueMe]

Note on the dependency changes in this PR

peerDependencies removed

The peerDependency on serverless has been dropped entirely. It was never necessary: this is a Serverless Framework plugin, so the framework is always present in the host project by definition — npm does not need to be told to require it. The practical effect is that users will no longer see spurious peer conflict warnings when their installed framework version drifts from the declared range.

serverless → osls in devDependencies

serverless is replaced with osls (oss-serverless) for two reasons:

1. Node 22 compatibility — the commercial serverless v3 package does not support Node 22. Since chore: drop Node 20 support, bump minimum to Node 22 #737 bumped the minimum to Node 22, osls is a requirement to keep the dev toolchain working.
2. Open-source licensing — the commercial package moved toward a paid/freemium model. oss-serverless is the community-maintained open-source fork of v3, a drop-in compatible replacement with no licensing concerns in CI.

@osls/compose added to dependencies

Used by the Serverless Compose orchestration (serverless-compose.js) to deploy all fixtures in a single command.