aws-powertools
diff --git a/‎.devcontainer/Dockerfile‎
Lines changed: 1 addition & 1 deletion b/‎.devcontainer/Dockerfile‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/bootstrap_region.yml‎
Lines changed: 12 additions & 6 deletions b/‎.github/workflows/bootstrap_region.yml‎
Lines changed: 12 additions & 6 deletions
diff --git a/‎.github/workflows/layer_balance.yml‎
Lines changed: 13 additions & 4 deletions b/‎.github/workflows/layer_balance.yml‎
Lines changed: 13 additions & 4 deletions
diff --git a/‎.github/workflows/layers_partition_verify.yml‎
Lines changed: 18 additions & 6 deletions b/‎.github/workflows/layers_partition_verify.yml‎
Lines changed: 18 additions & 6 deletions
diff --git a/‎.github/workflows/layers_partitions.yml‎
Lines changed: 16 additions & 10 deletions b/‎.github/workflows/layers_partitions.yml‎
Lines changed: 16 additions & 10 deletions
diff --git a/‎.github/workflows/make-release.yml‎
Lines changed: 2 additions & 1 deletion b/‎.github/workflows/make-release.yml‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎.github/workflows/make-version.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/make-version.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/on_merged_pr.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/on_merged_pr.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/ossf_scorecard.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/ossf_scorecard.yml‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/post-release.yml‎
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/post-release.yml‎
Lines changed: 1 addition & 1 deletion
@@ -1,5 +1,5 @@
 # See here for image contents: https://github.com/microsoft/vscode-dev-containers/blob/v0.212.0/containers/javascript-node/.devcontainer/base.Dockerfile
-FROM mcr.microsoft.com/vscode/devcontainers/javascript-node@sha256:eac37fbeb0dd1ded8ae31a93f1f3e0defc413715e7541e2ba5a5c10079777f62
+FROM mcr.microsoft.com/vscode/devcontainers/javascript-node@sha256:9b4b7e41bc59ec3cbb0a2e06a231a067fc013f21187d0931d63db122d0a6eca6
 
 # Install fnm to manage Node.js versions
 RUN curl -fsSL https://fnm.vercel.app/install -o /tmp/install \
 
@@ -47,14 +47,14 @@ jobs:
         with:
           ref: ${{ github.sha }}
       - name: Setup Node.js
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
           node-version: "22"
       - name: Setup dependencies
         uses: aws-powertools/actions/.github/actions/cached-node-modules@29979bc5339bf54f76a11ac36ff67701986bb0f0
       - id: credentials
         name: AWS Credentials
-        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a
+        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838
         with:
           aws-region: ${{ inputs.region }}
           role-to-assume: ${{ secrets.REGION_IAM_ROLE }}
@@ -65,10 +65,13 @@ jobs:
           mkdir -p build/project
       - id: cdk-project
         name: CDK Project
+        env:
+          REGION: ${{ inputs.region }}
         working-directory: build/project
         run: |
+          set -euo pipefail
           npx cdk init app --language=typescript
-          AWS_REGION="${{ inputs.region }}" npx cdk bootstrap
+          AWS_REGION="$REGION" npx cdk bootstrap
 
   copy_layers:
     name: Copy Layers
@@ -81,14 +84,14 @@ jobs:
     steps:
       - id: credentials
         name: AWS Credentials
-        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a
+        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838
         with:
           aws-region: us-east-1
           role-to-assume: ${{ secrets.REGION_IAM_ROLE }}
           mask-aws-account-id: true
       - id: go-setup
         name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
           go-version: '>=1.23.0'
       - id: go-env
@@ -101,4 +104,7 @@ jobs:
         name: Run Balance
         env:
           BALANCE_ROLE_ARN: ${{ secrets.BALANCE_ROLE_ARN }}
-        run: balance -read-region us-east-1 -write-region ${{ inputs.region }} -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
+          REGION: ${{ inputs.region }}
+        run: |
+          set -euo pipefail
+          balance -read-region us-east-1 -write-region "$REGION" -write-role "$BALANCE_ROLE_ARN" -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
@@ -45,14 +45,14 @@ jobs:
     steps:
       - id: credentials
         name: AWS Credentials
-        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a
+        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838
         with:
           aws-region: us-east-1
           role-to-assume: ${{ secrets.REGION_IAM_ROLE }}
           mask-aws-account-id: true
       - id: go-setup
         name: Setup Go
-        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
+        uses: actions/setup-go@44694675825211faa026b3c33043df3e48a5fa00 # v6.0.0
         with:
           go-version: '>=1.23.0'
       - id: go-env
@@ -64,8 +64,17 @@ jobs:
       - id: run-balance-new-region
         name: Run Balance
         if: ${{ inputs.start_at == '' }}
-        run: balance -read-region us-east-1 -write-region ${{ inputs.region }} -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
+        env:
+          REGION: ${{ inputs.region }}
+        run: |
+          set -euo pipefail
+          balance -read-region us-east-1 -write-region "$REGION" -write-role "$BALANCE_ROLE_ARN" -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
       - id: run-balance-existing
         name: Run Balance (Existing Region)
         if: ${{ inputs.start_at != '' }}
-        run: balance -read-region us-east-1 -start-at ${{ inputs.start_at }} -write-region ${{ inputs.region }} -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
+        env:
+          REGION: ${{ inputs.region }}
+          START_AT: ${{ inputs.start_at }}
+        run: |
+          set -euo pipefail
+          balance -read-region us-east-1 -start-at "$START_AT" -write-region "$REGION" -write-role "$BALANCE_ROLE_ARN" -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
@@ -84,15 +84,18 @@ jobs:
     environment: Prod (Readonly)
     steps:
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
+        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
         with:
           role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
           aws-region: us-east-1
           mask-aws-account-id: true
       - name: Output AWSLambdaPowertoolsTypeScriptV2
+        env:
+          VERSION: ${{ inputs.version }}
         # fetch the specific layer version information from the us-east-1 commercial region
         run: |
-          aws --region us-east-1 lambda get-layer-version-by-arn --arn 'arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }}' > AWSLambdaPowertoolsTypeScriptV2.json
+          set -euo pipefail
+          aws --region us-east-1 lambda get-layer-version-by-arn --arn "arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${VERSION}" > AWSLambdaPowertoolsTypeScriptV2.json
       - name: Store Metadata
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
@@ -124,7 +127,7 @@ jobs:
         run: |
           echo 'CONVERTED_REGION=${{ matrix.region }}' | tr 'a-z\-' 'A-Z_' >> "$GITHUB_OUTPUT"
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
+        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
         with:
           # Dynamic secret access is safe here - secrets are scoped per environment
           role-to-assume: ${{ secrets[format('IAM_ROLE_{0}', steps.transform.outputs.CONVERTED_REGION)] }}
@@ -133,13 +136,22 @@ jobs:
           audience: ${{ needs.setup.outputs.aud }}
       - id: partition_version
         name: Partition Layer Version
+        env:
+          VERSION: ${{ inputs.version }}
+          PARTITION_VERSION: ${{ inputs.partition_version }}
         run: |
-          echo 'partition_version=$([[ -n "${{ inputs.partition_version}}" ]] && echo ${{ inputs.partition_version}} || echo ${{ inputs.version }} )' >> "$GITHUB_OUTPUT"
+          set -euo pipefail
+          if [ -n "${PARTITION_VERSION:-}" ]; then
+            echo "partition_version=${PARTITION_VERSION}" >> "$GITHUB_OUTPUT"
+          else
+            echo "partition_version=${VERSION}" >> "$GITHUB_OUTPUT"
+          fi
       - name: Verify Layer
         run: |
-          export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json'
+          set -euo pipefail
+          layer_output="AWSLambdaPowertoolsTypeScriptV2-${{ matrix.region }}.json"
           # Dynamic secret access is safe here - secrets are scoped per environment
-          aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn "arn:${{ needs.setup.outputs.partition }}:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ steps.partition_version.outputs.partition_version }}" > $layer_output
+          aws --region "${{ matrix.region }}" lambda get-layer-version-by-arn --arn "arn:${{ needs.setup.outputs.partition }}:lambda:${{ matrix.region }}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ steps.partition_version.outputs.partition_version }}" > "$layer_output"
           REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output)
           LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json)
           test "$REMOTE_SHA" == "$LOCAL_SHA" && echo "SHA OK: ${LOCAL_SHA}" || exit 1
 
@@ -93,15 +93,18 @@ jobs:
     environment: Prod (Readonly)
     steps:
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
+        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
         with:
           role-to-assume: ${{ secrets.AWS_IAM_ROLE }}
           aws-region: us-east-1
           mask-aws-account-id: true
       - name: Grab Zip
+        env:
+          VERSION: ${{ inputs.version }}
         run: |
-          aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }} --query 'Content.Location' | xargs curl -L -o AWSLambdaPowertoolsTypeScriptV2.zip
-          aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }} > AWSLambdaPowertoolsTypeScriptV2.json
+          set -euo pipefail
+          aws --region us-east-1 lambda get-layer-version-by-arn --arn "arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${VERSION}" --query 'Content.Location' | xargs curl -L -o AWSLambdaPowertoolsTypeScriptV2.zip
+          aws --region us-east-1 lambda get-layer-version-by-arn --arn "arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${VERSION}" > AWSLambdaPowertoolsTypeScriptV2.json
       - name: Store Zip
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
@@ -148,7 +151,7 @@ jobs:
         run: |
           echo 'CONVERTED_REGION=${{ matrix.region }}' | tr 'a-z\-' 'A-Z_' >> "$GITHUB_OUTPUT"
       - name: Configure AWS Credentials
-        uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
+        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 # v5.0.0
         with:
           # Dynamic secret access is safe here - secrets are scoped per environment
           role-to-assume: ${{ secrets[format('IAM_ROLE_{0}', steps.transform.outputs.CONVERTED_REGION)] }}
@@ -158,17 +161,18 @@ jobs:
       - name: Create Layer
         id: create-layer
         run: |
+          set -euo pipefail
           cat AWSLambdaPowertoolsTypeScriptV2.json | jq '{"LayerName": "AWSLambdaPowertoolsTypeScriptV2", "Description": .Description, "CompatibleRuntimes": .CompatibleRuntimes, "LicenseInfo": .LicenseInfo}' > input.json
-        
-          LAYER_VERSION=$(aws --region ${{ matrix.region}} lambda publish-layer-version \
+
+          LAYER_VERSION=$(aws --region "${{ matrix.region }}" lambda publish-layer-version \
             --zip-file fileb://./AWSLambdaPowertoolsTypeScriptV2.zip \
             --cli-input-json file://./input.json \
             --query 'Version' \
             --output text)
 
           echo "LAYER_VERSION=$LAYER_VERSION" >> "$GITHUB_OUTPUT"
 
-          aws --region ${{ matrix.region}} lambda add-layer-version-permission \
+          aws --region "${{ matrix.region }}" lambda add-layer-version-permission \
             --layer-name 'AWSLambdaPowertoolsTypeScriptV2' \
             --statement-id 'PublicLayer' \
             --action lambda:GetLayerVersion \
@@ -182,17 +186,19 @@ jobs:
       - name: Verify Layer
         env:
           LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }}
+          ENVIRONMENT: ${{ inputs.environment }}
         run: |
-          export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json'
+          set -euo pipefail
+          export layer_output="AWSLambdaPowertoolsTypeScriptV2-${{ matrix.region }}.json"
           # Dynamic secret access is safe here - secrets are scoped per environment
-          aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn 'arn:${{ needs.setup.outputs.partition }}:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' > $layer_output
+          aws --region "${{ matrix.region }}" lambda get-layer-version-by-arn --arn "arn:${{ needs.setup.outputs.partition }}:lambda:${{ matrix.region }}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${LAYER_VERSION}" > "$layer_output"
           REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output)
           LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json)
           test "$REMOTE_SHA" == "$LOCAL_SHA" && echo "SHA OK: ${LOCAL_SHA}" || exit 1
           REMOTE_DESCRIPTION=$(jq -r '.Description' $layer_output)
           LOCAL_DESCRIPTION=$(jq -r '.Description' AWSLambdaPowertoolsTypeScriptV2.json)
           test "$REMOTE_DESCRIPTION" == "$LOCAL_DESCRIPTION" && echo "Version number OK: ${LOCAL_DESCRIPTION}" || exit 1
-          if [ "${{ inputs.environment }}" == "Prod" ]; then
+          if [ "$ENVIRONMENT" == "Prod" ]; then
             REMOTE_LAYER_VERSION=$(jq -r '.LayerVersionArn' $layer_output | sed 's/.*://')
             LOCAL_LAYER_VERSION=$(jq -r '.LayerVersionArn' AWSLambdaPowertoolsTypeScriptV2.json | sed 's/.*://')
             test "$REMOTE_LAYER_VERSION" == "$LOCAL_LAYER_VERSION" && echo "Layer Version number OK: ${LOCAL_LAYER_VERSION}" || exit 1
 
@@ -48,10 +48,11 @@ jobs:
         with:
           ref: ${{ github.sha }}
       - name: Setup NodeJS
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
           node-version: "22"
           cache: "npm"
+          registry-url: 'https://registry.npmjs.org'
       - name: Setup auth tokens
         env:
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
 
@@ -35,7 +35,7 @@ jobs:
           ref: ${{ github.ref }}
           fetch-depth: 0 # fetch all history, commits and tags, so we can determine the next version
       - name: Setup Node.js
-        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:
           node-version: ${{ env.NODE_VERSION }}
           cache: "npm"
 
@@ -51,7 +51,7 @@ jobs:
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
       - name: "Label PR related issue for release"
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         env:
           PR_NUMBER: ${{ needs.get_pr_details.outputs.prNumber }}
           PR_BODY: ${{ needs.get_pr_details.outputs.prBody }}
 
@@ -43,6 +43,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.5
+        uses: github/codeql-action/upload-sarif@303c0aef88fc2fe5ff6d63d3b1596bfd83dfa1f9 # v3.29.5
         with:
           sarif_file: results.sarif
@@ -37,7 +37,7 @@ jobs:
           fi
           echo "RELEASE_VERSION=$RELEASE_VERSION" >> $GITHUB_ENV
       - name: Update issues related to release
-        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # v7.0.1
+        uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0
         with:
           github-token: ${{ secrets.GITHUB_TOKEN }}
           script: |