
Commit e155e72

chore: sanitize CI inputs via env var (#4528)
1 parent 4daeaad commit e155e72


8 files changed

+78
-29
lines changed


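--- a/.github/workflows/bootstrap_region.yml
+++ b/.github/workflows/bootstrap_region.yml
@@ -65,10 +65,13 @@ jobs:
 mkdir -p build/project
 - id: cdk-project
 name: CDK Project
+env:
+REGION: ${{ inputs.region }}
 working-directory: build/project
 run: |
+set -euo pipefail
 npx cdk init app --language=typescript
-AWS_REGION="${{ inputs.region }}" npx cdk bootstrap
+AWS_REGION="$REGION" npx cdk bootstrap
 
 copy_layers:
 name: Copy Layers
@@ -101,4 +104,7 @@ jobs:
 name: Run Balance
 env:
 BALANCE_ROLE_ARN: ${{ secrets.BALANCE_ROLE_ARN }}
-run: balance -read-region us-east-1 -write-region ${{ inputs.region }} -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
+REGION: ${{ inputs.region }}
+run: |
+set -euo pipefail
+balance -read-region us-east-1 -write-region "$REGION" -write-role "$BALANCE_ROLE_ARN" -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false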
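Review bot: REGION now reaches `npx cdk bootstrap` (new line 74) and `balance -write-region` (new line 110) through the environment, which closes the expression-injection path, but nothing checks that the value is shaped like an AWS region before either command runs, so a mistyped dispatch input would bootstrap or write to whatever string was supplied. A one-line check after each `set -euo pipefail` keeps the blast radius to the intended shape: `[[ "$REGION" =~ ^[a-z]{2}(-[a-z]+)+-[0-9]+$ ]] || { echo "unexpected region: $REGION" >&2; exit 1; }`. If `inputs.region` is declared with `type: choice` in the workflow header — not visible here — the check is redundant and can be skipped.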

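--- a/.github/workflows/layer_balance.yml
+++ b/.github/workflows/layer_balance.yml
@@ -64,8 +64,17 @@ jobs:
 - id: run-balance-new-region
 name: Run Balance
 if: ${{ inputs.start_at == '' }}
-run: balance -read-region us-east-1 -write-region ${{ inputs.region }} -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
+env:
+REGION: ${{ inputs.region }}
+run: |
+set -euo pipefail
+balance -read-region us-east-1 -write-region "$REGION" -write-role "$BALANCE_ROLE_ARN" -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
 - id: run-balance-existing
 name: Run Balance (Existing Region)
 if: ${{ inputs.start_at != '' }}
-run: balance -read-region us-east-1 -start-at ${{ inputs.start_at }} -write-region ${{ inputs.region }} -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
+env:
+REGION: ${{ inputs.region }}
+START_AT: ${{ inputs.start_at }}
+run: |
+set -euo pipefail
+balance -read-region us-east-1 -start-at "$START_AT" -write-region "$REGION" -write-role "$BALANCE_ROLE_ARN" -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false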

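--- a/.github/workflows/layers_partition_verify.yml
+++ b/.github/workflows/layers_partition_verify.yml
@@ -90,9 +90,12 @@ jobs:
 aws-region: us-east-1
 mask-aws-account-id: true
 - name: Output AWSLambdaPowertoolsTypeScriptV2
+env:
+VERSION: ${{ inputs.version }}
 # fetch the specific layer version information from the us-east-1 commercial region
 run: |
-aws --region us-east-1 lambda get-layer-version-by-arn --arn 'arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }}' > AWSLambdaPowertoolsTypeScriptV2.json
+set -euo pipefail
+aws --region us-east-1 lambda get-layer-version-by-arn --arn "arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${VERSION}" > AWSLambdaPowertoolsTypeScriptV2.json
 - name: Store Metadata
 uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
@@ -133,13 +136,22 @@ jobs:
 audience: ${{ needs.setup.outputs.aud }}
 - id: partition_version
 name: Partition Layer Version
+env:
+VERSION: ${{ inputs.version }}
+PARTITION_VERSION: ${{ inputs.partition_version }}
 run: |
-echo 'partition_version=$([[ -n "${{ inputs.partition_version}}" ]] && echo ${{ inputs.partition_version}} || echo ${{ inputs.version }} )' >> "$GITHUB_OUTPUT"
+set -euo pipefail
+if [ -n "${PARTITION_VERSION:-}" ]; then
+echo "partition_version=${PARTITION_VERSION}" >> "$GITHUB_OUTPUT"
+else
+echo "partition_version=${VERSION}" >> "$GITHUB_OUTPUT"
+fi
 - name: Verify Layer
 run: |
-export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json'
+set -euo pipefail
+layer_output="AWSLambdaPowertoolsTypeScriptV2-${{ matrix.region }}.json"
 # Dynamic secret access is safe here - secrets are scoped per environment
-aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn "arn:${{ needs.setup.outputs.partition }}:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ steps.partition_version.outputs.partition_version }}" > $layer_output
+aws --region "${{ matrix.region }}" lambda get-layer-version-by-arn --arn "arn:${{ needs.setup.outputs.partition }}:lambda:${{ matrix.region }}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ steps.partition_version.outputs.partition_version }}" > "$layer_output"
 REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output)
 LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json)
 test "$REMOTE_SHA" == "$LOCAL_SHA" && echo "SHA OK: ${LOCAL_SHA}" || exit 1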
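Review bot: In the Verify Layer step (new lines 152 and 154) `${{ matrix.region }}` and `${{ needs.setup.outputs.partition }}` are still expanded by the runner directly into the shell script, the pattern the rest of this commit removes; the added double quotes only prevent word splitting, not a value that itself contains a quote. If the matrix or the setup job's outputs are derived from workflow inputs — not visible in this hunk — those two values should move into the step's `env:` the same way VERSION and PARTITION_VERSION did in the step above. The three lines that follow (155-157) also leave `$layer_output` bare while line 154 quotes it; `"$layer_output"` on each keeps the step consistent. The `secrets[format(...)]` lookup is a template-time expression with no shell equivalent, so it legitimately stays as is.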

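--- a/.github/workflows/layers_partitions.yml
+++ b/.github/workflows/layers_partitions.yml
@@ -99,9 +99,12 @@ jobs:
 aws-region: us-east-1
 mask-aws-account-id: true
 - name: Grab Zip
+env:
+VERSION: ${{ inputs.version }}
 run: |
-aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }} --query 'Content.Location' | xargs curl -L -o AWSLambdaPowertoolsTypeScriptV2.zip
-aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }} > AWSLambdaPowertoolsTypeScriptV2.json
+set -euo pipefail
+aws --region us-east-1 lambda get-layer-version-by-arn --arn "arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${VERSION}" --query 'Content.Location' | xargs curl -L -o AWSLambdaPowertoolsTypeScriptV2.zip
+aws --region us-east-1 lambda get-layer-version-by-arn --arn "arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${VERSION}" > AWSLambdaPowertoolsTypeScriptV2.json
 - name: Store Zip
 uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
 with:
@@ -158,17 +161,18 @@ jobs:
 - name: Create Layer
 id: create-layer
 run: |
+set -euo pipefail
 cat AWSLambdaPowertoolsTypeScriptV2.json | jq '{"LayerName": "AWSLambdaPowertoolsTypeScriptV2", "Description": .Description, "CompatibleRuntimes": .CompatibleRuntimes, "LicenseInfo": .LicenseInfo}' > input.json
-
-LAYER_VERSION=$(aws --region ${{ matrix.region}} lambda publish-layer-version \
+
+LAYER_VERSION=$(aws --region "${{ matrix.region }}" lambda publish-layer-version \
 --zip-file fileb://./AWSLambdaPowertoolsTypeScriptV2.zip \
 --cli-input-json file://./input.json \
 --query 'Version' \
 --output text)
 
 echo "LAYER_VERSION=$LAYER_VERSION" >> "$GITHUB_OUTPUT"
 
-aws --region ${{ matrix.region}} lambda add-layer-version-permission \
+aws --region "${{ matrix.region }}" lambda add-layer-version-permission \
 --layer-name 'AWSLambdaPowertoolsTypeScriptV2' \
 --statement-id 'PublicLayer' \
 --action lambda:GetLayerVersion \
@@ -182,17 +186,19 @@ jobs:
 - name: Verify Layer
 env:
 LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }}
+ENVIRONMENT: ${{ inputs.environment }}
 run: |
-export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json'
+set -euo pipefail
+export layer_output="AWSLambdaPowertoolsTypeScriptV2-${{ matrix.region }}.json"
 # Dynamic secret access is safe here - secrets are scoped per environment
-aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn 'arn:${{ needs.setup.outputs.partition }}:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' > $layer_output
+aws --region "${{ matrix.region }}" lambda get-layer-version-by-arn --arn "arn:${{ needs.setup.outputs.partition }}:lambda:${{ matrix.region }}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${LAYER_VERSION}" > "$layer_output"
 REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output)
 LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json)
 test "$REMOTE_SHA" == "$LOCAL_SHA" && echo "SHA OK: ${LOCAL_SHA}" || exit 1
 REMOTE_DESCRIPTION=$(jq -r '.Description' $layer_output)
 LOCAL_DESCRIPTION=$(jq -r '.Description' AWSLambdaPowertoolsTypeScriptV2.json)
 test "$REMOTE_DESCRIPTION" == "$LOCAL_DESCRIPTION" && echo "Version number OK: ${LOCAL_DESCRIPTION}" || exit 1
-if [ "${{ inputs.environment }}" == "Prod" ]; then
+if [ "$ENVIRONMENT" == "Prod" ]; then
 REMOTE_LAYER_VERSION=$(jq -r '.LayerVersionArn' $layer_output | sed 's/.*://')
 LOCAL_LAYER_VERSION=$(jq -r '.LayerVersionArn' AWSLambdaPowertoolsTypeScriptV2.json | sed 's/.*://')
 test "$REMOTE_LAYER_VERSION" == "$LOCAL_LAYER_VERSION" && echo "Layer Version number OK: ${LOCAL_LAYER_VERSION}" || exit 1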
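Review bot: The Create Layer hunk (new lines 167 and 175) and the Verify Layer hunk (new lines 192 and 194) keep `${{ matrix.region }}` as a runner-side expansion inside the script, so the region is the one input-shaped value this file still does not route through `env:`; a `REGION: ${{ matrix.region }}` entry on each step and `--region "$REGION"` would complete the pattern, assuming the matrix is static or input-derived rather than secret-bearing, which this hunk does not show. In Verify Layer, `$layer_output` is quoted on line 194 but bare on 195, 198 and 202; quoting it everywhere keeps the step consistent with the change just made. `export` on line 192 is unnecessary since no child process reads `layer_output`; the partition-verify workflow drops it in the equivalent step, and this one could too.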

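--- a/.github/workflows/publish_layer.yml
+++ b/.github/workflows/publish_layer.yml
@@ -48,7 +48,9 @@ jobs:
 - name: Setup dependencies
 uses: aws-powertools/actions/.github/actions/cached-node-modules@29979bc5339bf54f76a11ac36ff67701986bb0f0
 - name: CDK build
-run: npm run cdk -w layers -- synth --context PowertoolsPackageVersion=${{ inputs.latest_published_version }} -o cdk.out
+env:
+LAYER_VERSION: ${{ inputs.latest_published_version }}
+run: npm run cdk -w layers -- synth --context PowertoolsPackageVersion=$LAYER_VERSION -o cdk.out
 - name: Zip output
 run: zip -r cdk.out.zip layers/cdk.out
 - name: Archive CDK artifacts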
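Review bot: The rewritten run line (new line 53) expands `$LAYER_VERSION` unquoted, the only place in this commit where an input-derived variable is left bare; `--context PowertoolsPackageVersion="$LAYER_VERSION"` matches the quoting applied in every other file. The variable name is also misleading: it holds `inputs.latest_published_version`, a package version, while layers_partitions.yml uses `LAYER_VERSION` for the Lambda layer version number, so `PACKAGE_VERSION` (as update_ssm.yml already names the same concept) would read accurately when grepping across workflows.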

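--- a/.github/workflows/reusable_publish_docs.yml
+++ b/.github/workflows/reusable_publish_docs.yml
@@ -64,22 +64,29 @@ jobs:
 python-version: "3.12"
 - name: Install doc generation dependencies
 run: |
+set -euo pipefail
 pip install --require-hashes -r docs/requirements.txt
 - name: Git refresh tip (detached mode)
 # Git Detached mode (release notes) doesn't have origin
 if: ${{ inputs.detached_mode }}
 run: |
+set -euo pipefail
 git config pull.rebase true
-git config remote.origin.url >&- || git remote add origin https://github.com/"$ORIGIN"
+git config remote.origin.url >&- || git remote add origin "https://github.com/$ORIGIN"
 git pull origin "$BRANCH"
 env:
 BRANCH: ${{ inputs.git_ref }}
 - name: Normalize Version Number
-run: echo "VERSION=$(echo ${{ inputs.version }} | sed 's/v//')" >> $GITHUB_ENV
+env:
+VERSION: ${{ inputs.version }}
+run: |
+set -euo pipefail
+echo "VERSION=$(echo "$VERSION" | sed 's/v//')" >> "$GITHUB_ENV"
 - name: Build docs website and API reference
 env:
 ALIAS: ${{ inputs.alias }}
 run: |
+set -euo pipefail
 rm -rf site
 mkdocs build
 - name: Configure AWS credentials
@@ -99,18 +106,20 @@ jobs:
 ALIAS: ${{ inputs.alias }}
 AWS_DOCS_BUCKET: ${{ secrets.AWS_DOCS_BUCKET }}
 run: |
+set -euo pipefail
 aws s3 sync \
 site/ \
-s3://$AWS_DOCS_BUCKET/lambda-typescript/$VERSION/
+"s3://$AWS_DOCS_BUCKET/lambda-typescript/$VERSION/"
 - name: Deploy Docs (Alias)
 env:
 VERSION: ${{ inputs.version }}
 ALIAS: ${{ inputs.alias }}
 AWS_DOCS_BUCKET: ${{ secrets.AWS_DOCS_BUCKET }}
 run: |
+set -euo pipefail
 aws s3 sync \
 site/ \
-s3://$AWS_DOCS_BUCKET/lambda-typescript/$ALIAS/
+"s3://$AWS_DOCS_BUCKET/lambda-typescript/$ALIAS/"
 - name: Deploy Docs (Version JSON)
 env:
 VERSION: ${{ inputs.version }}
@@ -129,11 +138,12 @@ jobs:
 # - if it's a new version number, we add it at position 0 in the array.
 # 4. Once done, we'll upload it back to S3.
 run: |
+set -euo pipefail
 aws s3 cp \
-s3://$AWS_DOCS_BUCKET/lambda-typescript/versions.json \
+"s3://$AWS_DOCS_BUCKET/lambda-typescript/versions.json" \
 versions_old.json
-jq 'del(.[].aliases[] | select(. == "${{ env.ALIAS }}"))' < versions_old.json > versions_proc.json
-jq '. as $o | [{"title": "${{ env.VERSION }}", "version": "${{ env.VERSION }}", "aliases": ["${{ env.ALIAS }}"] }] as $n | $n | if .[0].title | test("[a-z]+") or any($o[].title == $n[0].title;.) then [($o | .[] | select(.title == $n[0].title).aliases += $n[0].aliases | . )] else $n + $o end' < versions_proc.json > versions.json
+jq --arg ALIAS "$ALIAS" 'del(.[].aliases[] | select(. == $ALIAS))' < versions_old.json > versions_proc.json
+jq --arg VERSION "$VERSION" --arg ALIAS "$ALIAS" '. as $o | [{"title": $VERSION, "version": $VERSION, "aliases": [$ALIAS]}] as $n | $n | if .[0].title | test("[a-z]+") or any($o[].title == $n[0].title;.) then [($o | .[] | select(.title == $n[0].title).aliases += $n[0].aliases | . )] else $n + $o end' < versions_proc.json > versions.json
 aws s3 cp \
 versions.json \
-s3://$AWS_DOCS_BUCKET/lambda-typescript/versions.json
+"s3://$AWS_DOCS_BUCKET/lambda-typescript/versions.json"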

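--- a/.github/workflows/run-e2e-tests.yml
+++ b/.github/workflows/run-e2e-tests.yml
@@ -44,8 +44,11 @@ jobs:
 # we checkout the PR at that point in time
 - name: Checkout PR code
 if: ${{ inputs.prNumber != '' }}
+env:
+PR_NUMBER: ${{ inputs.prNumber }}
 run: |
-gh pr checkout ${{ inputs.prNumber }}
+set -euo pipefail
+gh pr checkout "$PR_NUMBER"
 - name: Setup Node.js
 uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
 with: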
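Review bot: `gh pr checkout "$PR_NUMBER"` (new line 51) accepts a PR URL or branch name as well as a number, and the `if:` on line 46 only tests for non-empty, so the env-var move removes expression injection but the step still checks out whatever reference the input names. A numeric check before the checkout pins the input to its intended shape: `[[ "$PR_NUMBER" =~ ^[0-9]+$ ]] || { echo "prNumber must be numeric" >&2; exit 1; }`. If `prNumber` is declared with `type: number` in the workflow's inputs — not visible in this hunk — the check is belt-and-braces but still documents the expectation in the step itself.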

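--- a/.github/workflows/update_ssm.yml
+++ b/.github/workflows/update_ssm.yml
@@ -129,13 +129,14 @@ jobs:
 mask-aws-account-id: true
 - id: write-version
 env:
-prefix: ${{ inputs.environment == 'beta' && '/aws/service/powertools/beta' || '/aws/service/powertools' }}
+PREFIX: ${{ inputs.environment == 'beta' && '/aws/service/powertools/beta' || '/aws/service/powertools' }}
+PACKAGE_VERSION: ${{ inputs.package_version }}
 run: |
-aws ssm put-parameter --name ${{ env.prefix }}/typescript/generic/all/${{ inputs.package_version }} --value "arn:aws:lambda:${{ matrix.region }}:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.layer-version }}" --type String --overwrite
+aws ssm put-parameter --name "$PREFIX/typescript/generic/all/$PACKAGE_VERSION" --value "arn:aws:lambda:${{ matrix.region }}:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.layer-version }}" --type String --overwrite
 
 - id: write-latest
 if: inputs.write_latest == true
 env:
 prefix: ${{ inputs.environment == 'beta' && '/aws/service/powertools/beta' || '/aws/service/powertools' }}
 run: |
-aws ssm put-parameter --name ${{ env.prefix }}/typescript/generic/all/latest --value "arn:aws:lambda:${{ matrix.region }}:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.layer-version }}" --type String --overwrite
+aws ssm put-parameter --name "${{ env.prefix }}/typescript/generic/all/latest" --value "arn:aws:lambda:${{ matrix.region }}:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.layer-version }}" --type String --overwrite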
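Review bot: `${{ inputs.layer-version }}` is still expanded by the runner inside both run blocks (new lines 135 and 142), so this file does not fully apply the env-var pattern the commit title describes; a `LAYER_VERSION: ${{ inputs.layer-version }}` entry in each step's `env:` and `...AWSLambdaPowertoolsTypeScriptV2:${LAYER_VERSION}"` in the ARN string would complete it, and `${{ matrix.region }}` on the same lines has the same shape if the matrix is input-derived, which this hunk does not show. The two steps also now diverge: write-version uses `PREFIX` while write-latest keeps lowercase `prefix` and `${{ env.prefix }}` inside the script; renaming it to `PREFIX` and writing `--name "$PREFIX/typescript/generic/all/latest"` keeps the steps parallel and removes the remaining runner expansion there. If `layer-version` is declared with `type: number` the injection concern is moot, but the consistency point stands.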
