From 285bfc207e279e712c61b2200cfcac5d3b705e6f Mon Sep 17 00:00:00 2001 From: Andrea Amorosi Date: Mon, 22 Sep 2025 16:38:28 +0200 Subject: [PATCH 1/2] chore: sanitize CI inputs via env var --- .github/workflows/bootstrap_region.yml | 7 +++++-- .github/workflows/layer_balance.yml | 9 +++++++-- .github/workflows/layers_partition_verify.yml | 9 +++++++-- .github/workflows/layers_partitions.yml | 9 ++++++--- .github/workflows/publish_layer.yml | 4 +++- .github/workflows/reusable_publish_docs.yml | 8 +++++--- .github/workflows/run-e2e-tests.yml | 4 +++- .github/workflows/update_ssm.yml | 5 +++-- 8 files changed, 39 insertions(+), 16 deletions(-) diff --git a/.github/workflows/bootstrap_region.yml b/.github/workflows/bootstrap_region.yml index f9ab180956..229a67eaac 100644 --- a/.github/workflows/bootstrap_region.yml +++ b/.github/workflows/bootstrap_region.yml @@ -65,10 +65,12 @@ jobs: mkdir -p build/project - id: cdk-project name: CDK Project + env: + REGION: ${{ inputs.region }} working-directory: build/project run: | npx cdk init app --language=typescript - AWS_REGION="${{ inputs.region }}" npx cdk bootstrap + AWS_REGION="$REGION" npx cdk bootstrap copy_layers: name: Copy Layers @@ -101,4 +103,5 @@ jobs: name: Run Balance env: BALANCE_ROLE_ARN: ${{ secrets.BALANCE_ROLE_ARN }} - run: balance -read-region us-east-1 -write-region ${{ inputs.region }} -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false + REGION: ${{ inputs.region }} + run: balance -read-region us-east-1 -write-region $REGION -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false diff --git a/.github/workflows/layer_balance.yml b/.github/workflows/layer_balance.yml index 1e6c6a7e89..965ba7c7e5 100644 --- a/.github/workflows/layer_balance.yml +++ b/.github/workflows/layer_balance.yml 
@@ -64,8 +64,13 @@ jobs: - id: run-balance-new-region name: Run Balance if: ${{ inputs.start_at == '' }} - run: balance -read-region us-east-1 -write-region ${{ inputs.region }} -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false + env: + REGION: ${{ inputs.region }} + run: balance -read-region us-east-1 -write-region $REGION -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false - id: run-balance-existing name: Run Balance (Existing Region) if: ${{ inputs.start_at != '' }} - run: balance -read-region us-east-1 -start-at ${{ inputs.start_at }} -write-region ${{ inputs.region }} -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false + env: + REGION: ${{ inputs.region }} + START_AT: ${{ inputs.start_at }} + run: balance -read-region us-east-1 -start-at $START_AT -write-region $REGION -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false diff --git a/.github/workflows/layers_partition_verify.yml b/.github/workflows/layers_partition_verify.yml index 7370d375f7..d20d31f72a 100644 --- a/.github/workflows/layers_partition_verify.yml +++ b/.github/workflows/layers_partition_verify.yml @@ -90,9 +90,11 @@ jobs: aws-region: us-east-1 mask-aws-account-id: true - name: Output AWSLambdaPowertoolsTypeScriptV2 + env: + VERSION: ${{ inputs.version }} # fetch the specific layer version information from the us-east-1 commercial region run: | - aws --region us-east-1 lambda get-layer-version-by-arn --arn 'arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }}' > AWSLambdaPowertoolsTypeScriptV2.json + aws --region us-east-1 lambda get-layer-version-by-arn --arn 'arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:$VERSION' > AWSLambdaPowertoolsTypeScriptV2.json - name: Store Metadata uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: 
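Review bot: In `layers_partition_verify.yml` the new `--arn '...AWSLambdaPowertoolsTypeScriptV2:$VERSION'` keeps the single quotes of the old line, so bash passes the literal text `$VERSION` instead of the layer version. The same happens in the `partition_version` step of this file, where the single-quoted `echo 'partition_version=$([[ -n "$PARTITION_VERSION" ]] ...'` writes the unexpanded text to `$GITHUB_OUTPUT`. It also happens in the two `jq` filters of `reusable_publish_docs.yml`, where `"$ALIAS"` and `"$VERSION"` inside a single-quoted jq program are plain jq strings. PATCH 2/2 on this page corrects all three, but this commit on its own leaves those steps broken; squashing the two commits would keep every revision in history runnable.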
@@ -133,8 +135,11 @@ jobs: audience: ${{ needs.setup.outputs.aud }} - id: partition_version name: Partition Layer Version + env: + VERSION: ${{ inputs.version }} + PARTITION_VERSION: ${{ inputs.partition_version }} run: | - echo 'partition_version=$([[ -n "${{ inputs.partition_version}}" ]] && echo ${{ inputs.partition_version}} || echo ${{ inputs.version }} )' >> "$GITHUB_OUTPUT" + echo 'partition_version=$([[ -n "$PARTITION_VERSION" ]] && echo $PARTITION_VERSION || echo $VERSION )' >> "$GITHUB_OUTPUT" - name: Verify Layer run: | export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json' diff --git a/.github/workflows/layers_partitions.yml b/.github/workflows/layers_partitions.yml index 211e05ad13..6886b91068 100644 --- a/.github/workflows/layers_partitions.yml +++ b/.github/workflows/layers_partitions.yml @@ -99,9 +99,11 @@ jobs: aws-region: us-east-1 mask-aws-account-id: true - name: Grab Zip + env: + VERSION: ${{ inputs.version }} run: | - aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }} --query 'Content.Location' | xargs curl -L -o AWSLambdaPowertoolsTypeScriptV2.zip - aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }} > AWSLambdaPowertoolsTypeScriptV2.json + aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:$VERSION --query 'Content.Location' | xargs curl -L -o AWSLambdaPowertoolsTypeScriptV2.zip + aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:$VERSION > AWSLambdaPowertoolsTypeScriptV2.json - name: Store Zip uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: 
@@ -182,6 +184,7 @@ jobs: - name: Verify Layer env: LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }} + ENVIRONMENT: ${{ inputs.environment }} run: | export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json' # Dynamic secret access is safe here - secrets are scoped per environment @@ -192,7 +195,7 @@ jobs: REMOTE_DESCRIPTION=$(jq -r '.Description' $layer_output) LOCAL_DESCRIPTION=$(jq -r '.Description' AWSLambdaPowertoolsTypeScriptV2.json) test "$REMOTE_DESCRIPTION" == "$LOCAL_DESCRIPTION" && echo "Version number OK: ${LOCAL_DESCRIPTION}" || exit 1 - if [ "${{ inputs.environment }}" == "Prod" ]; then + if [ "$ENVIRONMENT" == "Prod" ]; then REMOTE_LAYER_VERSION=$(jq -r '.LayerVersionArn' $layer_output | sed 's/.*://') LOCAL_LAYER_VERSION=$(jq -r '.LayerVersionArn' AWSLambdaPowertoolsTypeScriptV2.json | sed 's/.*://') test "$REMOTE_LAYER_VERSION" == "$LOCAL_LAYER_VERSION" && echo "Layer Version number OK: ${LOCAL_LAYER_VERSION}" || exit 1 diff --git a/.github/workflows/publish_layer.yml b/.github/workflows/publish_layer.yml index 9f7bb569b3..35f4763a27 100644 --- a/.github/workflows/publish_layer.yml +++ b/.github/workflows/publish_layer.yml @@ -48,7 +48,9 @@ jobs: - name: Setup dependencies uses: aws-powertools/actions/.github/actions/cached-node-modules@29979bc5339bf54f76a11ac36ff67701986bb0f0 - name: CDK build - run: npm run cdk -w layers -- synth --context PowertoolsPackageVersion=${{ inputs.latest_published_version }} -o cdk.out + env: + LAYER_VERSION: ${{ inputs.latest_published_version }} + run: npm run cdk -w layers -- synth --context PowertoolsPackageVersion=$LAYER_VERSION -o cdk.out - name: Zip output run: zip -r cdk.out.zip layers/cdk.out - name: Archive CDK artifacts diff --git a/.github/workflows/reusable_publish_docs.yml b/.github/workflows/reusable_publish_docs.yml index 708175c164..0c64ecc3cf 100644 --- a/.github/workflows/reusable_publish_docs.yml +++ b/.github/workflows/reusable_publish_docs.yml 
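Review bot: The `CDK build` step in `publish_layer.yml` expands `$LAYER_VERSION` unquoted, so a value containing whitespace or glob characters is split into extra arguments to `cdk synth`. PATCH 2/2 does not list this file in its diffstat, so unlike the other steps it stays unquoted at the end of the series. Suggest `run: npm run cdk -w layers -- synth --context "PowertoolsPackageVersion=$LAYER_VERSION" -o cdk.out`.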
@@ -75,7 +75,9 @@ jobs: env: BRANCH: ${{ inputs.git_ref }} - name: Normalize Version Number - run: echo "VERSION=$(echo ${{ inputs.version }} | sed 's/v//')" >> $GITHUB_ENV + env: + VERSION: ${{ inputs.version }} + run: echo "VERSION=$(echo $VERSION | sed 's/v//')" >> $GITHUB_ENV - name: Build docs website and API reference env: ALIAS: ${{ inputs.alias }} @@ -132,8 +134,8 @@ jobs: aws s3 cp \ s3://$AWS_DOCS_BUCKET/lambda-typescript/versions.json \ versions_old.json - jq 'del(.[].aliases[] | select(. == "${{ env.ALIAS }}"))' < versions_old.json > versions_proc.json - jq '. as $o | [{"title": "${{ env.VERSION }}", "version": "${{ env.VERSION }}", "aliases": ["${{ env.ALIAS }}"] }] as $n | $n | if .[0].title | test("[a-z]+") or any($o[].title == $n[0].title;.) then [($o | .[] | select(.title == $n[0].title).aliases += $n[0].aliases | . )] else $n + $o end' < versions_proc.json > versions.json + jq 'del(.[].aliases[] | select(. == "$ALIAS"))' < versions_old.json > versions_proc.json + jq '. as $o | [{"title": "$VERSION", "version": "$VERSION", "aliases": ["$ALIAS"]}] as $n | $n | if .[0].title | test("[a-z]+") or any($o[].title == $n[0].title;.) then [($o | .[] | select(.title == $n[0].title).aliases += $n[0].aliases | . )] else $n + $o end' < versions_proc.json > versions.json aws s3 cp \ versions.json \ s3://$AWS_DOCS_BUCKET/lambda-typescript/versions.json diff --git a/.github/workflows/run-e2e-tests.yml b/.github/workflows/run-e2e-tests.yml index 2a5c1f7f7b..bb6cd98340 100644 --- a/.github/workflows/run-e2e-tests.yml +++ b/.github/workflows/run-e2e-tests.yml @@ -44,8 +44,10 @@ jobs: # we checkout the PR at that point in time - name: Checkout PR code if: ${{ inputs.prNumber != '' }} + env: + PR_NUMBER: ${{ inputs.prNumber }} run: | - gh pr checkout ${{ inputs.prNumber }} + gh pr checkout $PR_NUMBER - name: Setup Node.js uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: 
diff --git a/.github/workflows/update_ssm.yml b/.github/workflows/update_ssm.yml index ae7282b15e..823c3e7e7f 100644 --- a/.github/workflows/update_ssm.yml +++ b/.github/workflows/update_ssm.yml @@ -129,9 +129,10 @@ jobs: mask-aws-account-id: true - id: write-version env: - prefix: ${{ inputs.environment == 'beta' && '/aws/service/powertools/beta' || '/aws/service/powertools' }} + PREFIX: ${{ inputs.environment == 'beta' && '/aws/service/powertools/beta' || '/aws/service/powertools' }} + PACKAGE_VERSION: ${{ inputs.package_version }} run: | - aws ssm put-parameter --name ${{ env.prefix }}/typescript/generic/all/${{ inputs.package_version }} --value "arn:aws:lambda:${{ matrix.region }}:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.layer-version }}" --type String --overwrite + aws ssm put-parameter --name $PREFIX/typescript/generic/all/$PACKAGE_VERSION --value "arn:aws:lambda:${{ matrix.region }}:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.layer-version }}" --type String --overwrite - id: write-latest if: inputs.write_latest == true From 08ba14378d8842545f92284d5ef1e7f78a26f157 Mon Sep 17 00:00:00 2001 From: Andrea Amorosi Date: Mon, 22 Sep 2025 17:11:09 +0200 Subject: [PATCH 2/2] chore: set double quotes to expand strings --- .github/workflows/bootstrap_region.yml | 5 +++- .github/workflows/layer_balance.yml | 8 +++++-- .github/workflows/layers_partition_verify.yml | 15 ++++++++---- .github/workflows/layers_partitions.yml | 17 +++++++------ .github/workflows/reusable_publish_docs.yml | 24 ++++++++++++------- .github/workflows/run-e2e-tests.yml | 3 ++- .github/workflows/update_ssm.yml | 4 ++-- 7 files changed, 51 insertions(+), 25 deletions(-) diff --git a/.github/workflows/bootstrap_region.yml b/.github/workflows/bootstrap_region.yml index 229a67eaac..b0f879148f 100644 --- a/.github/workflows/bootstrap_region.yml +++ b/.github/workflows/bootstrap_region.yml 
@@ -69,6 +69,7 @@ jobs: REGION: ${{ inputs.region }} working-directory: build/project run: | + set -euo pipefail npx cdk init app --language=typescript AWS_REGION="$REGION" npx cdk bootstrap @@ -104,4 +105,6 @@ jobs: env: BALANCE_ROLE_ARN: ${{ secrets.BALANCE_ROLE_ARN }} REGION: ${{ inputs.region }} - run: balance -read-region us-east-1 -write-region $REGION -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false + run: | + set -euo pipefail + balance -read-region us-east-1 -write-region "$REGION" -write-role "$BALANCE_ROLE_ARN" -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false diff --git a/.github/workflows/layer_balance.yml b/.github/workflows/layer_balance.yml index 965ba7c7e5..06804a4b87 100644 --- a/.github/workflows/layer_balance.yml +++ b/.github/workflows/layer_balance.yml @@ -66,11 +66,15 @@ jobs: if: ${{ inputs.start_at == '' }} env: REGION: ${{ inputs.region }} - run: balance -read-region us-east-1 -write-region $REGION -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false + run: | + set -euo pipefail + balance -read-region us-east-1 -write-region "$REGION" -write-role "$BALANCE_ROLE_ARN" -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false - id: run-balance-existing name: Run Balance (Existing Region) if: ${{ inputs.start_at != '' }} env: REGION: ${{ inputs.region }} START_AT: ${{ inputs.start_at }} - run: balance -read-region us-east-1 -start-at $START_AT -write-region $REGION -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false + run: | + set -euo pipefail + balance -read-region us-east-1 -start-at "$START_AT" -write-region "$REGION" -write-role "$BALANCE_ROLE_ARN" -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false diff --git a/.github/workflows/layers_partition_verify.yml b/.github/workflows/layers_partition_verify.yml index d20d31f72a..82eddb210e 100644 --- a/.github/workflows/layers_partition_verify.yml 
+++ b/.github/workflows/layers_partition_verify.yml @@ -94,7 +94,8 @@ jobs: VERSION: ${{ inputs.version }} # fetch the specific layer version information from the us-east-1 commercial region run: | - aws --region us-east-1 lambda get-layer-version-by-arn --arn 'arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:$VERSION' > AWSLambdaPowertoolsTypeScriptV2.json + set -euo pipefail + aws --region us-east-1 lambda get-layer-version-by-arn --arn "arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${VERSION}" > AWSLambdaPowertoolsTypeScriptV2.json - name: Store Metadata uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: 
@@ -139,12 +140,18 @@ jobs: VERSION: ${{ inputs.version }} PARTITION_VERSION: ${{ inputs.partition_version }} run: | - echo 'partition_version=$([[ -n "$PARTITION_VERSION" ]] && echo $PARTITION_VERSION || echo $VERSION )' >> "$GITHUB_OUTPUT" + set -euo pipefail + if [ -n "${PARTITION_VERSION:-}" ]; then + echo "partition_version=${PARTITION_VERSION}" >> "$GITHUB_OUTPUT" + else + echo "partition_version=${VERSION}" >> "$GITHUB_OUTPUT" + fi - name: Verify Layer run: | - export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json' + set -euo pipefail + layer_output="AWSLambdaPowertoolsTypeScriptV2-${{ matrix.region }}.json" # Dynamic secret access is safe here - secrets are scoped per environment - aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn "arn:${{ needs.setup.outputs.partition }}:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ steps.partition_version.outputs.partition_version }}" > $layer_output + aws --region "${{ matrix.region }}" lambda get-layer-version-by-arn --arn "arn:${{ needs.setup.outputs.partition }}:lambda:${{ matrix.region }}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ steps.partition_version.outputs.partition_version }}" > "$layer_output" REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output) LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json) test "$REMOTE_SHA" == "$LOCAL_SHA" && echo "SHA OK: ${LOCAL_SHA}" || exit 1 diff --git a/.github/workflows/layers_partitions.yml b/.github/workflows/layers_partitions.yml index 6886b91068..246771a50b 100644 --- a/.github/workflows/layers_partitions.yml +++ b/.github/workflows/layers_partitions.yml 
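Review bot: The `Verify Layer` step still pastes `${{ steps.partition_version.outputs.partition_version }}` into the script text, and after this hunk that output is a direct copy of `inputs.partition_version` or `inputs.version`. The expression is substituted before bash runs and lands inside a double-quoted string, so shell metacharacters in either input are still interpreted there, which is the case this series set out to close. Pass the value through the environment instead: give the step an `env:` entry `PARTITION_VERSION: ${{ steps.partition_version.outputs.partition_version }}` and end the ARN with `:${PARTITION_VERSION}"`. The `jq -r ... $layer_output` context lines also leave `$layer_output` unquoted, and the step continues past the end of the hunk.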
@@ -102,8 +102,9 @@ jobs: env: VERSION: ${{ inputs.version }} run: | - aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:$VERSION --query 'Content.Location' | xargs curl -L -o AWSLambdaPowertoolsTypeScriptV2.zip - aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:$VERSION > AWSLambdaPowertoolsTypeScriptV2.json + set -euo pipefail + aws --region us-east-1 lambda get-layer-version-by-arn --arn "arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${VERSION}" --query 'Content.Location' | xargs curl -L -o AWSLambdaPowertoolsTypeScriptV2.zip + aws --region us-east-1 lambda get-layer-version-by-arn --arn "arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${VERSION}" > AWSLambdaPowertoolsTypeScriptV2.json - name: Store Zip uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 with: @@ -160,9 +161,10 @@ jobs: - name: Create Layer id: create-layer run: | + set -euo pipefail cat AWSLambdaPowertoolsTypeScriptV2.json | jq '{"LayerName": "AWSLambdaPowertoolsTypeScriptV2", "Description": .Description, "CompatibleRuntimes": .CompatibleRuntimes, "LicenseInfo": .LicenseInfo}' > input.json - - LAYER_VERSION=$(aws --region ${{ matrix.region}} lambda publish-layer-version \ + + LAYER_VERSION=$(aws --region "${{ matrix.region }}" lambda publish-layer-version \ --zip-file fileb://./AWSLambdaPowertoolsTypeScriptV2.zip \ --cli-input-json file://./input.json \ --query 'Version' \ @@ -170,7 +172,7 @@ jobs: echo "LAYER_VERSION=$LAYER_VERSION" >> "$GITHUB_OUTPUT" - aws --region ${{ matrix.region}} lambda add-layer-version-permission \ + aws --region "${{ matrix.region }}" lambda add-layer-version-permission \ --layer-name 'AWSLambdaPowertoolsTypeScriptV2' \ --statement-id 'PublicLayer' \ --action lambda:GetLayerVersion \ 
@@ -186,9 +188,10 @@ jobs: LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }} ENVIRONMENT: ${{ inputs.environment }} run: | - export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json' + set -euo pipefail + export layer_output="AWSLambdaPowertoolsTypeScriptV2-${{ matrix.region }}.json" # Dynamic secret access is safe here - secrets are scoped per environment - aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn 'arn:${{ needs.setup.outputs.partition }}:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' > $layer_output + aws --region "${{ matrix.region }}" lambda get-layer-version-by-arn --arn "arn:${{ needs.setup.outputs.partition }}:lambda:${{ matrix.region }}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${LAYER_VERSION}" > "$layer_output" REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output) LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json) test "$REMOTE_SHA" == "$LOCAL_SHA" && echo "SHA OK: ${LOCAL_SHA}" || exit 1 diff --git a/.github/workflows/reusable_publish_docs.yml b/.github/workflows/reusable_publish_docs.yml index 0c64ecc3cf..b2f67a70bd 100644 --- a/.github/workflows/reusable_publish_docs.yml +++ b/.github/workflows/reusable_publish_docs.yml 
@@ -64,24 +64,29 @@ jobs: python-version: "3.12" - name: Install doc generation dependencies run: | + set -euo pipefail pip install --require-hashes -r docs/requirements.txt - name: Git refresh tip (detached mode) # Git Detached mode (release notes) doesn't have origin if: ${{ inputs.detached_mode }} run: | + set -euo pipefail git config pull.rebase true - git config remote.origin.url >&- || git remote add origin https://github.com/"$ORIGIN" + git config remote.origin.url >&- || git remote add origin "https://github.com/$ORIGIN" git pull origin "$BRANCH" env: BRANCH: ${{ inputs.git_ref }} - name: Normalize Version Number env: VERSION: ${{ inputs.version }} - run: echo "VERSION=$(echo $VERSION | sed 's/v//')" >> $GITHUB_ENV + run: | + set -euo pipefail + echo "VERSION=$(echo "$VERSION" | sed 's/v//')" >> "$GITHUB_ENV" - name: Build docs website and API reference env: ALIAS: ${{ inputs.alias }} run: | + set -euo pipefail rm -rf site mkdocs build - name: Configure AWS credentials @@ -101,18 +106,20 @@ jobs: ALIAS: ${{ inputs.alias }} AWS_DOCS_BUCKET: ${{ secrets.AWS_DOCS_BUCKET }} run: | + set -euo pipefail aws s3 sync \ site/ \ - s3://$AWS_DOCS_BUCKET/lambda-typescript/$VERSION/ + "s3://$AWS_DOCS_BUCKET/lambda-typescript/$VERSION/" - name: Deploy Docs (Alias) env: VERSION: ${{ inputs.version }} ALIAS: ${{ inputs.alias }} AWS_DOCS_BUCKET: ${{ secrets.AWS_DOCS_BUCKET }} run: | + set -euo pipefail aws s3 sync \ site/ \ - s3://$AWS_DOCS_BUCKET/lambda-typescript/$ALIAS/ + "s3://$AWS_DOCS_BUCKET/lambda-typescript/$ALIAS/" - name: Deploy Docs (Version JSON) env: VERSION: ${{ inputs.version }} 
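Review bot: `Normalize Version Number` writes a caller-supplied value into `$GITHUB_ENV`, and with `echo "$VERSION"` now quoted, a newline in `inputs.version` reaches that file intact, so one input could define additional environment variables for every later step. Rejecting unexpected characters before the write closes this, for example `[[ "$VERSION" =~ ^[A-Za-z0-9._-]+$ ]] || exit 1` (the allowed set is an assumption; adjust it to the version strings the docs build actually receives). Separately, `sed 's/v//'` removes the first `v` anywhere in the string rather than only a leading one; `sed 's/^v//'` appears to be what the step name intends.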
@@ -131,11 +138,12 @@ jobs: # - if it's a new version number, we add it at position 0 in the array. # 4. Once done, we'll upload it back to S3. run: | + set -euo pipefail aws s3 cp \ - s3://$AWS_DOCS_BUCKET/lambda-typescript/versions.json \ + "s3://$AWS_DOCS_BUCKET/lambda-typescript/versions.json" \ versions_old.json - jq 'del(.[].aliases[] | select(. == "$ALIAS"))' < versions_old.json > versions_proc.json - jq '. as $o | [{"title": "$VERSION", "version": "$VERSION", "aliases": ["$ALIAS"]}] as $n | $n | if .[0].title | test("[a-z]+") or any($o[].title == $n[0].title;.) then [($o | .[] | select(.title == $n[0].title).aliases += $n[0].aliases | . )] else $n + $o end' < versions_proc.json > versions.json + jq --arg ALIAS "$ALIAS" 'del(.[].aliases[] | select(. == $ALIAS))' < versions_old.json > versions_proc.json + jq --arg VERSION "$VERSION" --arg ALIAS "$ALIAS" '. as $o | [{"title": $VERSION, "version": $VERSION, "aliases": [$ALIAS]}] as $n | $n | if .[0].title | test("[a-z]+") or any($o[].title == $n[0].title;.) then [($o | .[] | select(.title == $n[0].title).aliases += $n[0].aliases | . )] else $n + $o end' < versions_proc.json > versions.json aws s3 cp \ versions.json \ - s3://$AWS_DOCS_BUCKET/lambda-typescript/versions.json + "s3://$AWS_DOCS_BUCKET/lambda-typescript/versions.json" diff --git a/.github/workflows/run-e2e-tests.yml b/.github/workflows/run-e2e-tests.yml index bb6cd98340..6d28f1f807 100644 --- a/.github/workflows/run-e2e-tests.yml +++ b/.github/workflows/run-e2e-tests.yml @@ -47,7 +47,8 @@ jobs: env: PR_NUMBER: ${{ inputs.prNumber }} run: | - gh pr checkout $PR_NUMBER + set -euo pipefail + gh pr checkout "$PR_NUMBER" - name: Setup Node.js uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0 with: diff --git a/.github/workflows/update_ssm.yml b/.github/workflows/update_ssm.yml index 823c3e7e7f..157fa6ac55 100644 --- a/.github/workflows/update_ssm.yml +++ b/.github/workflows/update_ssm.yml 
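Review bot: In `run-e2e-tests.yml`, quoting `"$PR_NUMBER"` prevents word splitting, but the value is still free-form: `gh pr checkout` also accepts a URL or a branch name, and a value beginning with `-` is parsed as an option. If the input is meant to be a pull-request number only, check it before use, e.g. `[[ "$PR_NUMBER" =~ ^[0-9]+$ ]] || { echo "prNumber must be numeric" >&2; exit 1; }`.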
@@ -132,11 +132,11 @@ jobs: PREFIX: ${{ inputs.environment == 'beta' && '/aws/service/powertools/beta' || '/aws/service/powertools' }} PACKAGE_VERSION: ${{ inputs.package_version }} run: | - aws ssm put-parameter --name $PREFIX/typescript/generic/all/$PACKAGE_VERSION --value "arn:aws:lambda:${{ matrix.region }}:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.layer-version }}" --type String --overwrite + aws ssm put-parameter --name "$PREFIX/typescript/generic/all/$PACKAGE_VERSION" --value "arn:aws:lambda:${{ matrix.region }}:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.layer-version }}" --type String --overwrite - id: write-latest if: inputs.write_latest == true env: prefix: ${{ inputs.environment == 'beta' && '/aws/service/powertools/beta' || '/aws/service/powertools' }} run: | - aws ssm put-parameter --name ${{ env.prefix }}/typescript/generic/all/latest --value "arn:aws:lambda:${{ matrix.region }}:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.layer-version }}" --type String --overwrite + aws ssm put-parameter --name "${{ env.prefix }}/typescript/generic/all/latest" --value "arn:aws:lambda:${{ matrix.region }}:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.layer-version }}" --type String --overwrite
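Review bot: Both `aws ssm put-parameter` commands still embed `${{ inputs.layer-version }}` directly in the `--value` string, so that input is substituted into the script text before bash runs and is not covered by the env-var change made for `package_version`. Add `LAYER_VERSION: ${{ inputs.layer-version }}` to each step's `env:` and end the ARN with `:${LAYER_VERSION}"`. The `write-latest` step also keeps the lowercase `prefix` and `${{ env.prefix }}` while `write-version` moved to `$PREFIX`; using `"$PREFIX/typescript/generic/all/latest"` there would make the two steps agree. Neither step receives the `set -euo pipefail` line that this patch adds to the other workflows.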