feat(cli): make ecr images immutable when created from cdk bootstrap (#19937)

As CDK creates images always with different name/tag, it can be ensured that those are not changed at the repository side.

Changes default functionality without offering immutability setting

[`AWS::ECR::Repository.ImageTagMutability`](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ecr-repository.html#cfn-ecr-repository-imagetagmutability)

Fixes #18376

----

### All Submissions:

* [x] Have you followed the guidelines in our [Contributing guide?](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md)

### Adding new Unconventional Dependencies:

* [ ] This PR adds new unconventional dependencies following the process described [here](https://github.com/aws/aws-cdk/blob/master/CONTRIBUTING.md/#adding-new-unconventional-dependencies)

### New Features

* [x] Have you added the new feature to an [integration test](https://github.com/aws/aws-cdk/blob/master/INTEGRATION_TESTS.md)?
	* [x] Did you use `yarn integ` to deploy the infrastructure and generate the snapshot (i.e. `yarn integ` without `--dry-run`)?

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: Hi-Fi

packages/aws-cdk/README.md

@@ -510,10 +510,11 @@ $ cdk destroy --app='node bin/main.js' MyStackName
 
 ### `cdk bootstrap`
 
-Deploys a `CDKToolkit` CloudFormation stack into the specified environment(s), that provides an S3 bucket that
-`cdk deploy` will use to store synthesized templates and the related assets, before triggering a CloudFormation stack
-update. The name of the deployed stack can be configured using the `--toolkit-stack-name` argument. The S3 Bucket
-Public Access Block Configuration can be configured using the `--public-access-block-configuration` argument.
+Deploys a `CDKToolkit` CloudFormation stack into the specified environment(s), that provides an S3 bucket 
+and ECR reposity that `cdk deploy` will use to store synthesized templates and the related assets, before 
+triggering a CloudFormation stack update. The name of the deployed stack can be configured using the 
+`--toolkit-stack-name` argument. The S3 Bucket Public Access Block Configuration can be configured using 
+the `--public-access-block-configuration` argument. ECR uses immutable tags for images.
 
 ```console
 $ # Deploys to all environments

packages/aws-cdk/lib/api/bootstrap/bootstrap-template.yaml

@@ -202,6 +202,7 @@ Resources:
   ContainerAssetsRepository:
     Type: AWS::ECR::Repository
     Properties:
+      ImageTagMutability: IMMUTABLE
       ImageScanningConfiguration:
         ScanOnPush: true
       RepositoryName:
@@ -509,7 +510,7 @@ Resources:
       Type: String
       Name:
         Fn::Sub: '/cdk-bootstrap/${Qualifier}/version'
-      Value: '12'
+      Value: '13'
 Outputs:
   BucketName:
     Description: The name of the S3 bucket owned by the CDK toolkit stack

packages/aws-cdk/package.json

@@ -13,7 +13,7 @@
     "lint": "cdk-lint",
     "pkglint": "pkglint -f",
     "test": "cdk-test",
-    "integ": "jest --testMatch '**/?(*.)+(integ-test).js'",
+    "integ": "jest --testMatch '**/?(*.)+(integtest).js'",
     "package": "cdk-package",
     "build+test+package": "yarn build+test && yarn package",
     "build+test": "yarn build && yarn test",

packages/aws-cdk/test/integ/cli/bootstrapping.integtest.ts

@@ -252,3 +252,27 @@ integTest('can deploy modern-synthesized stack even if bootstrap stack name is u
     ],
   });
 }));
+
+integTest('create ECR with tag IMMUTABILITY to set on', withDefaultFixture(async (fixture) => {
+  const bootstrapStackName = fixture.bootstrapStackName;
+
+  await fixture.cdkBootstrapModern({
+    verbose: true,
+    toolkitStackName: bootstrapStackName,
+  });
+
+  const response = await fixture.aws.cloudFormation('describeStackResources', {
+    StackName: bootstrapStackName,
+  });
+  const ecrResource = response.StackResources?.find(resource => resource.LogicalResourceId === 'ContainerAssetsRepository');
+  expect(ecrResource).toBeDefined();
+
+  const ecrResponse = await fixture.aws.ecr('describeRepositories', {
+    repositoryNames: [
+      // This is set, as otherwise we don't end up here
+      ecrResource?.PhysicalResourceId ?? '',
+    ],
+  });
+
+  expect(ecrResponse.repositories?.[0].imageTagMutability).toEqual('IMMUTABLE');
+}));