chore: set double quotes to expand strings

Author: dreamorosi

.github/workflows/bootstrap_region.yml

@@ -69,6 +69,7 @@ jobs:
           REGION: ${{ inputs.region }}
         working-directory: build/project
         run: |
+          set -euo pipefail
           npx cdk init app --language=typescript
           AWS_REGION="$REGION" npx cdk bootstrap
 
@@ -104,4 +105,6 @@ jobs:
         env:
           BALANCE_ROLE_ARN: ${{ secrets.BALANCE_ROLE_ARN }}
           REGION: ${{ inputs.region }}
-        run: balance -read-region us-east-1 -write-region $REGION -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
+        run: |
+          set -euo pipefail
+          balance -read-region us-east-1 -write-region "$REGION" -write-role "$BALANCE_ROLE_ARN" -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false

.github/workflows/layer_balance.yml

@@ -66,11 +66,15 @@ jobs:
         if: ${{ inputs.start_at == '' }}
         env:
           REGION: ${{ inputs.region }}
-        run: balance -read-region us-east-1 -write-region $REGION -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
+        run: |
+          set -euo pipefail
+          balance -read-region us-east-1 -write-region "$REGION" -write-role "$BALANCE_ROLE_ARN" -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
       - id: run-balance-existing
         name: Run Balance (Existing Region)
         if: ${{ inputs.start_at != '' }}
         env:
           REGION: ${{ inputs.region }}
           START_AT: ${{ inputs.start_at }}
-        run: balance -read-region us-east-1 -start-at $START_AT -write-region $REGION -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
+        run: |
+          set -euo pipefail
+          balance -read-region us-east-1 -start-at "$START_AT" -write-region "$REGION" -write-role "$BALANCE_ROLE_ARN" -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false

.github/workflows/layers_partition_verify.yml

@@ -94,7 +94,8 @@ jobs:
           VERSION: ${{ inputs.version }}
         # fetch the specific layer version information from the us-east-1 commercial region
         run: |
-          aws --region us-east-1 lambda get-layer-version-by-arn --arn 'arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:$VERSION' > AWSLambdaPowertoolsTypeScriptV2.json
+          set -euo pipefail
+          aws --region us-east-1 lambda get-layer-version-by-arn --arn "arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${VERSION}" > AWSLambdaPowertoolsTypeScriptV2.json
       - name: Store Metadata
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
@@ -139,12 +140,18 @@ jobs:
           VERSION: ${{ inputs.version }}
           PARTITION_VERSION: ${{ inputs.partition_version }}
         run: |
-          echo 'partition_version=$([[ -n "$PARTITION_VERSION" ]] && echo $PARTITION_VERSION || echo $VERSION )' >> "$GITHUB_OUTPUT"
+          set -euo pipefail
+          if [ -n "${PARTITION_VERSION:-}" ]; then
+            echo "partition_version=${PARTITION_VERSION}" >> "$GITHUB_OUTPUT"
+          else
+            echo "partition_version=${VERSION}" >> "$GITHUB_OUTPUT"
+          fi
       - name: Verify Layer
         run: |
-          export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json'
+          set -euo pipefail
+          layer_output="AWSLambdaPowertoolsTypeScriptV2-${{ matrix.region }}.json"
           # Dynamic secret access is safe here - secrets are scoped per environment
-          aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn "arn:${{ needs.setup.outputs.partition }}:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ steps.partition_version.outputs.partition_version }}" > $layer_output
+          aws --region "${{ matrix.region }}" lambda get-layer-version-by-arn --arn "arn:${{ needs.setup.outputs.partition }}:lambda:${{ matrix.region }}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ steps.partition_version.outputs.partition_version }}" > "$layer_output"
           REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output)
           LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json)
           test "$REMOTE_SHA" == "$LOCAL_SHA" && echo "SHA OK: ${LOCAL_SHA}" || exit 1

.github/workflows/layers_partitions.yml

@@ -102,8 +102,9 @@ jobs:
         env:
           VERSION: ${{ inputs.version }}
         run: |
-          aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:$VERSION --query 'Content.Location' | xargs curl -L -o AWSLambdaPowertoolsTypeScriptV2.zip
-          aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:$VERSION > AWSLambdaPowertoolsTypeScriptV2.json
+          set -euo pipefail
+          aws --region us-east-1 lambda get-layer-version-by-arn --arn "arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${VERSION}" --query 'Content.Location' | xargs curl -L -o AWSLambdaPowertoolsTypeScriptV2.zip
+          aws --region us-east-1 lambda get-layer-version-by-arn --arn "arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${VERSION}" > AWSLambdaPowertoolsTypeScriptV2.json
       - name: Store Zip
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
@@ -160,17 +161,18 @@ jobs:
       - name: Create Layer
         id: create-layer
         run: |
+          set -euo pipefail
           cat AWSLambdaPowertoolsTypeScriptV2.json | jq '{"LayerName": "AWSLambdaPowertoolsTypeScriptV2", "Description": .Description, "CompatibleRuntimes": .CompatibleRuntimes, "LicenseInfo": .LicenseInfo}' > input.json
-        
-          LAYER_VERSION=$(aws --region ${{ matrix.region}} lambda publish-layer-version \
+
+          LAYER_VERSION=$(aws --region "${{ matrix.region }}" lambda publish-layer-version \
             --zip-file fileb://./AWSLambdaPowertoolsTypeScriptV2.zip \
             --cli-input-json file://./input.json \
             --query 'Version' \
             --output text)
 
           echo "LAYER_VERSION=$LAYER_VERSION" >> "$GITHUB_OUTPUT"
 
-          aws --region ${{ matrix.region}} lambda add-layer-version-permission \
+          aws --region "${{ matrix.region }}" lambda add-layer-version-permission \
             --layer-name 'AWSLambdaPowertoolsTypeScriptV2' \
             --statement-id 'PublicLayer' \
             --action lambda:GetLayerVersion \
@@ -186,9 +188,10 @@ jobs:
           LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }}
           ENVIRONMENT: ${{ inputs.environment }}
         run: |
-          export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json'
+          set -euo pipefail
+          export layer_output="AWSLambdaPowertoolsTypeScriptV2-${{ matrix.region }}.json"
           # Dynamic secret access is safe here - secrets are scoped per environment
-          aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn 'arn:${{ needs.setup.outputs.partition }}:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' > $layer_output
+          aws --region "${{ matrix.region }}" lambda get-layer-version-by-arn --arn "arn:${{ needs.setup.outputs.partition }}:lambda:${{ matrix.region }}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${LAYER_VERSION}" > "$layer_output"
           REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output)
           LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json)
           test "$REMOTE_SHA" == "$LOCAL_SHA" && echo "SHA OK: ${LOCAL_SHA}" || exit 1

.github/workflows/reusable_publish_docs.yml

@@ -64,24 +64,29 @@ jobs:
           python-version: "3.12"
       - name: Install doc generation dependencies
         run: |
+          set -euo pipefail
           pip install --require-hashes -r docs/requirements.txt
       - name: Git refresh tip (detached mode)
         # Git Detached mode (release notes) doesn't have origin
         if: ${{ inputs.detached_mode }}
         run: |
+          set -euo pipefail
           git config pull.rebase true
-          git config remote.origin.url >&- || git remote add origin https://github.com/"$ORIGIN"
+          git config remote.origin.url >&- || git remote add origin "https://github.com/$ORIGIN"
           git pull origin "$BRANCH"
         env:
           BRANCH: ${{ inputs.git_ref }}
       - name: Normalize Version Number
         env:
           VERSION: ${{ inputs.version }}
-        run: echo "VERSION=$(echo $VERSION | sed 's/v//')" >> $GITHUB_ENV
+        run: |
+          set -euo pipefail
+          echo "VERSION=$(echo "$VERSION" | sed 's/v//')" >> "$GITHUB_ENV"
       - name: Build docs website and API reference
         env:
           ALIAS: ${{ inputs.alias }}
         run: |
+          set -euo pipefail
           rm -rf site
           mkdocs build
       - name: Configure AWS credentials
@@ -101,18 +106,20 @@ jobs:
           ALIAS: ${{ inputs.alias }}
           AWS_DOCS_BUCKET: ${{ secrets.AWS_DOCS_BUCKET }}
         run: |
+          set -euo pipefail
           aws s3 sync \
             site/ \
-            s3://$AWS_DOCS_BUCKET/lambda-typescript/$VERSION/
+            "s3://$AWS_DOCS_BUCKET/lambda-typescript/$VERSION/"
       - name: Deploy Docs (Alias)
         env:
           VERSION: ${{ inputs.version }}
           ALIAS: ${{ inputs.alias }}
           AWS_DOCS_BUCKET: ${{ secrets.AWS_DOCS_BUCKET }}
         run: |
+          set -euo pipefail
           aws s3 sync \
             site/ \
-            s3://$AWS_DOCS_BUCKET/lambda-typescript/$ALIAS/
+            "s3://$AWS_DOCS_BUCKET/lambda-typescript/$ALIAS/"
       - name: Deploy Docs (Version JSON)
         env:
           VERSION: ${{ inputs.version }}
@@ -131,11 +138,12 @@ jobs:
         #      - if it's a new version number, we add it at position 0 in the array.
         #   4. Once done, we'll upload it back to S3.
         run: |
+          set -euo pipefail
           aws s3 cp \
-            s3://$AWS_DOCS_BUCKET/lambda-typescript/versions.json \
+            "s3://$AWS_DOCS_BUCKET/lambda-typescript/versions.json" \
             versions_old.json
-          jq 'del(.[].aliases[] | select(. == "$ALIAS"))' < versions_old.json > versions_proc.json
-          jq '. as $o | [{"title": "$VERSION", "version": "$VERSION", "aliases": ["$ALIAS"]}] as $n | $n | if .[0].title | test("[a-z]+") or any($o[].title == $n[0].title;.) then [($o | .[] | select(.title == $n[0].title).aliases += $n[0].aliases | . )] else $n + $o end' < versions_proc.json > versions.json
+          jq --arg ALIAS "$ALIAS" 'del(.[].aliases[] | select(. == $ALIAS))' < versions_old.json > versions_proc.json
+          jq --arg VERSION "$VERSION" --arg ALIAS "$ALIAS" '. as $o | [{"title": $VERSION, "version": $VERSION, "aliases": [$ALIAS]}] as $n | $n | if .[0].title | test("[a-z]+") or any($o[].title == $n[0].title;.) then [($o | .[] | select(.title == $n[0].title).aliases += $n[0].aliases | . )] else $n + $o end' < versions_proc.json > versions.json
           aws s3 cp \
             versions.json \
-            s3://$AWS_DOCS_BUCKET/lambda-typescript/versions.json
+            "s3://$AWS_DOCS_BUCKET/lambda-typescript/versions.json"

.github/workflows/run-e2e-tests.yml

@@ -47,7 +47,8 @@ jobs:
         env:
           PR_NUMBER: ${{ inputs.prNumber }}
         run: |
-          gh pr checkout $PR_NUMBER
+          set -euo pipefail
+          gh pr checkout "$PR_NUMBER"
       - name: Setup Node.js
         uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:

.github/workflows/update_ssm.yml

@@ -132,11 +132,11 @@ jobs:
           PREFIX: ${{ inputs.environment == 'beta' && '/aws/service/powertools/beta' || '/aws/service/powertools' }}
           PACKAGE_VERSION: ${{ inputs.package_version }}
         run: |
-          aws ssm put-parameter --name $PREFIX/typescript/generic/all/$PACKAGE_VERSION --value "arn:aws:lambda:${{ matrix.region }}:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.layer-version }}" --type String --overwrite
+          aws ssm put-parameter --name "$PREFIX/typescript/generic/all/$PACKAGE_VERSION" --value "arn:aws:lambda:${{ matrix.region }}:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.layer-version }}" --type String --overwrite
 
       - id: write-latest
         if: inputs.write_latest == true
         env:
           prefix: ${{ inputs.environment == 'beta' && '/aws/service/powertools/beta' || '/aws/service/powertools' }}
         run: |
-          aws ssm put-parameter --name ${{ env.prefix }}/typescript/generic/all/latest --value "arn:aws:lambda:${{ matrix.region }}:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.layer-version }}" --type String --overwrite
+          aws ssm put-parameter --name "${{ env.prefix }}/typescript/generic/all/latest" --value "arn:aws:lambda:${{ matrix.region }}:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.layer-version }}" --type String --overwrite