chore: sanitize CI inputs via env var

Author: dreamorosi

.github/workflows/bootstrap_region.yml

@@ -65,10 +65,12 @@ jobs:
           mkdir -p build/project
       - id: cdk-project
         name: CDK Project
+        env:
+          REGION: ${{ inputs.region }}
         working-directory: build/project
         run: |
           npx cdk init app --language=typescript
-          AWS_REGION="${{ inputs.region }}" npx cdk bootstrap
+          AWS_REGION="$REGION" npx cdk bootstrap
 
   copy_layers:
     name: Copy Layers
@@ -101,4 +103,5 @@ jobs:
         name: Run Balance
         env:
           BALANCE_ROLE_ARN: ${{ secrets.BALANCE_ROLE_ARN }}
-        run: balance -read-region us-east-1 -write-region ${{ inputs.region }} -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
+          REGION: ${{ inputs.region }}
+        run: balance -read-region us-east-1 -write-region $REGION -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false

.github/workflows/layer_balance.yml

@@ -64,8 +64,13 @@ jobs:
       - id: run-balance-new-region
         name: Run Balance
         if: ${{ inputs.start_at == '' }}
-        run: balance -read-region us-east-1 -write-region ${{ inputs.region }} -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
+        env:
+          REGION: ${{ inputs.region }}
+        run: balance -read-region us-east-1 -write-region $REGION -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
       - id: run-balance-existing
         name: Run Balance (Existing Region)
         if: ${{ inputs.start_at != '' }}
-        run: balance -read-region us-east-1 -start-at ${{ inputs.start_at }} -write-region ${{ inputs.region }} -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
+        env:
+          REGION: ${{ inputs.region }}
+          START_AT: ${{ inputs.start_at }}
+        run: balance -read-region us-east-1 -start-at $START_AT -write-region $REGION -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false

.github/workflows/layers_partition_verify.yml

@@ -90,9 +90,11 @@ jobs:
           aws-region: us-east-1
           mask-aws-account-id: true
       - name: Output AWSLambdaPowertoolsTypeScriptV2
+        env:
+          VERSION: ${{ inputs.version }}
         # fetch the specific layer version information from the us-east-1 commercial region
         run: |
-          aws --region us-east-1 lambda get-layer-version-by-arn --arn 'arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }}' > AWSLambdaPowertoolsTypeScriptV2.json
+          aws --region us-east-1 lambda get-layer-version-by-arn --arn 'arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:$VERSION' > AWSLambdaPowertoolsTypeScriptV2.json
       - name: Store Metadata
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
@@ -133,8 +135,11 @@ jobs:
           audience: ${{ needs.setup.outputs.aud }}
       - id: partition_version
         name: Partition Layer Version
+        env:
+          VERSION: ${{ inputs.version }}
+          PARTITION_VERSION: ${{ inputs.partition_version }}
         run: |
-          echo 'partition_version=$([[ -n "${{ inputs.partition_version}}" ]] && echo ${{ inputs.partition_version}} || echo ${{ inputs.version }} )' >> "$GITHUB_OUTPUT"
+          echo 'partition_version=$([[ -n "$PARTITION_VERSION" ]] && echo $PARTITION_VERSION || echo $VERSION )' >> "$GITHUB_OUTPUT"
       - name: Verify Layer
         run: |
           export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json'

.github/workflows/layers_partitions.yml

@@ -99,9 +99,11 @@ jobs:
           aws-region: us-east-1
           mask-aws-account-id: true
       - name: Grab Zip
+        env:
+          VERSION: ${{ inputs.version }}
         run: |
-          aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }} --query 'Content.Location' | xargs curl -L -o AWSLambdaPowertoolsTypeScriptV2.zip
-          aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }} > AWSLambdaPowertoolsTypeScriptV2.json
+          aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:$VERSION --query 'Content.Location' | xargs curl -L -o AWSLambdaPowertoolsTypeScriptV2.zip
+          aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:$VERSION > AWSLambdaPowertoolsTypeScriptV2.json
       - name: Store Zip
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
@@ -182,6 +184,7 @@ jobs:
       - name: Verify Layer
         env:
           LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }}
+          ENVIRONMENT: ${{ inputs.environment }}
         run: |
           export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json'
           # Dynamic secret access is safe here - secrets are scoped per environment
@@ -192,7 +195,7 @@ jobs:
           REMOTE_DESCRIPTION=$(jq -r '.Description' $layer_output)
           LOCAL_DESCRIPTION=$(jq -r '.Description' AWSLambdaPowertoolsTypeScriptV2.json)
           test "$REMOTE_DESCRIPTION" == "$LOCAL_DESCRIPTION" && echo "Version number OK: ${LOCAL_DESCRIPTION}" || exit 1
-          if [ "${{ inputs.environment }}" == "Prod" ]; then
+          if [ "$ENVIRONMENT" == "Prod" ]; then
             REMOTE_LAYER_VERSION=$(jq -r '.LayerVersionArn' $layer_output | sed 's/.*://')
             LOCAL_LAYER_VERSION=$(jq -r '.LayerVersionArn' AWSLambdaPowertoolsTypeScriptV2.json | sed 's/.*://')
             test "$REMOTE_LAYER_VERSION" == "$LOCAL_LAYER_VERSION" && echo "Layer Version number OK: ${LOCAL_LAYER_VERSION}" || exit 1

.github/workflows/publish_layer.yml

@@ -48,7 +48,9 @@ jobs:
       - name: Setup dependencies
         uses: aws-powertools/actions/.github/actions/cached-node-modules@29979bc5339bf54f76a11ac36ff67701986bb0f0
       - name: CDK build
-        run: npm run cdk -w layers -- synth --context PowertoolsPackageVersion=${{ inputs.latest_published_version }} -o cdk.out
+        env:
+          LAYER_VERSION: ${{ inputs.latest_published_version }}
+        run: npm run cdk -w layers -- synth --context PowertoolsPackageVersion=$LAYER_VERSION -o cdk.out
       - name: Zip output
         run: zip -r cdk.out.zip layers/cdk.out
       - name: Archive CDK artifacts

.github/workflows/reusable_publish_docs.yml

@@ -75,7 +75,9 @@ jobs:
         env:
           BRANCH: ${{ inputs.git_ref }}
       - name: Normalize Version Number
-        run: echo "VERSION=$(echo ${{ inputs.version }} | sed 's/v//')" >> $GITHUB_ENV
+        env:
+          VERSION: ${{ inputs.version }}
+        run: echo "VERSION=$(echo $VERSION | sed 's/v//')" >> $GITHUB_ENV
       - name: Build docs website and API reference
         env:
           ALIAS: ${{ inputs.alias }}
@@ -132,8 +134,8 @@ jobs:
           aws s3 cp \
             s3://$AWS_DOCS_BUCKET/lambda-typescript/versions.json \
             versions_old.json
-          jq 'del(.[].aliases[] | select(. == "${{ env.ALIAS }}"))' < versions_old.json > versions_proc.json
-          jq '. as $o | [{"title": "${{ env.VERSION }}", "version": "${{ env.VERSION }}", "aliases": ["${{ env.ALIAS }}"] }] as $n | $n | if .[0].title | test("[a-z]+") or any($o[].title == $n[0].title;.) then [($o | .[] | select(.title == $n[0].title).aliases += $n[0].aliases | . )] else $n + $o end' < versions_proc.json > versions.json
+          jq 'del(.[].aliases[] | select(. == "$ALIAS"))' < versions_old.json > versions_proc.json
+          jq '. as $o | [{"title": "$VERSION", "version": "$VERSION", "aliases": ["$ALIAS"]}] as $n | $n | if .[0].title | test("[a-z]+") or any($o[].title == $n[0].title;.) then [($o | .[] | select(.title == $n[0].title).aliases += $n[0].aliases | . )] else $n + $o end' < versions_proc.json > versions.json
           aws s3 cp \
             versions.json \
             s3://$AWS_DOCS_BUCKET/lambda-typescript/versions.json

.github/workflows/run-e2e-tests.yml

@@ -44,8 +44,10 @@ jobs:
       # we checkout the PR at that point in time
       - name: Checkout PR code
         if: ${{ inputs.prNumber != '' }}
+        env:
+          PR_NUMBER: ${{ inputs.prNumber }}
         run: |
-          gh pr checkout ${{ inputs.prNumber }}
+          gh pr checkout $PR_NUMBER
       - name: Setup Node.js
         uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:

.github/workflows/update_ssm.yml

@@ -129,9 +129,10 @@ jobs:
           mask-aws-account-id: true
       - id: write-version
         env:
-          prefix: ${{ inputs.environment == 'beta' && '/aws/service/powertools/beta' || '/aws/service/powertools' }}
+          PREFIX: ${{ inputs.environment == 'beta' && '/aws/service/powertools/beta' || '/aws/service/powertools' }}
+          PACKAGE_VERSION: ${{ inputs.package_version }}
         run: |
-          aws ssm put-parameter --name ${{ env.prefix }}/typescript/generic/all/${{ inputs.package_version }} --value "arn:aws:lambda:${{ matrix.region }}:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.layer-version }}" --type String --overwrite
+          aws ssm put-parameter --name $PREFIX/typescript/generic/all/$PACKAGE_VERSION --value "arn:aws:lambda:${{ matrix.region }}:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.layer-version }}" --type String --overwrite
 
       - id: write-latest
         if: inputs.write_latest == true