feat(s3-deployment): add architecture property to BucketDeployment

[badmintoncryer]

Issue # (if applicable)

Closes #29996.

Reason for this change

BucketDeployment does not expose an architecture property, so users cannot use ARM_64 (Graviton) Lambda.

Description of changes

• Add optional architecture prop to BucketDeploymentProps and pass through to singleton handler
• Include architecture in singleton UUID to isolate different configs
• Add compatibleArchitectures: [X86_64, ARM_64] to AwsCliLayer
• Update README with usage example

Describe any new or updated permissions being added

N/A

Description of how you validated changes

Added both unit and integration tests.

Note on snapshot changes

Adding compatibleArchitectures to AwsCliLayer causes CompatibleArchitectures property to appear in every AWS::Lambda::LayerVersion resource generated by AwsCliLayer. Since AwsCliLayer is used across many modules (s3-deployment, eks, eks-v2, stepfunctions-tasks, codepipeline-actions, dynamodb, elasticloadbalancingv2, etc.), this results in 203 snapshot file updates (103 template.json + 100 tree.json).

The actual change per resource is minimal — only adding the metadata property:

"CompatibleArchitectures": ["x86_64", "arm64"]

This does not cause resource replacement or any runtime behavior change. CompatibleArchitectures is an informational property that CloudFormation uses only for validation.

Checklist

• My code adheres to the CONTRIBUTING GUIDE and DESIGN GUIDELINES

---

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

[aws-cdk-automation]

(This review is outdated)

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ❌️	Skipped	Failed
Security Guardian Results

Test	Result
No test annotations available

• View Security Guardian Results

[github-actions]

⚠️ Experimental Feature: This security report is currently in experimental phase. Results may include false positives and the rules are being actively refined.
This security report is NOT a review blocker. Please try merge from main to avoid findings unrelated to the PR.

---

	Tests	Passed ☑️	Skipped	Failed ❌️
Security Guardian Results with resolved templates	2520 ran	2514 passed		6 failed

Test	Result
Security Guardian Results with resolved templates
packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-commands.js.snapshot/aws-cdk-codepipeline-commands.template.json
iam-role-root-principal-needs-conditions.guard	❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-ec2-deploy-ssm-managed.js.snapshot/aws-cdk-codepipeline-ec2-deploy-ssm-managed-node.template.json
ec2-no-open-security-groups.guard	❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-ec2-deploy.js.snapshot/aws-cdk-codepipeline-ec2-deploy.template.json
ec2-no-open-security-groups.guard	❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-codepipeline-actions/test/integ.pipeline-ecr-image-scan-action.js.snapshot/codepipeline-ecr-image-scan-action.template.json
iam-role-root-principal-needs-conditions.guard	❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-eks-v2/test/integ.eks-cluster-imported.js.snapshot/aws-cdk-eks-import-cluster-test.template.json
iam-role-root-principal-needs-conditions.guard	❌ failure
packages/@aws-cdk-testing/framework-integ/test/aws-elasticloadbalancingv2/test/integ.alb-mtls.js.snapshot/alb-mtls-test-stack.template.json
ec2-no-open-security-groups.guard	❌ failure

• View Security Guardian Results with resolved templates

✅ Updated pull request passes all PRLinter validations. Dismissing previous PRLinter review.