chore: sanitize CI inputs via env var

.github/workflows/bootstrap_region.yml

@@ -65,10 +65,13 @@ jobs:
           mkdir -p build/project
       - id: cdk-project
         name: CDK Project
+        env:
+          REGION: ${{ inputs.region }}
         working-directory: build/project
         run: |
+          set -euo pipefail
           npx cdk init app --language=typescript
-          AWS_REGION="${{ inputs.region }}" npx cdk bootstrap
+          AWS_REGION="$REGION" npx cdk bootstrap
 
   copy_layers:
     name: Copy Layers
@@ -101,4 +104,7 @@ jobs:
         name: Run Balance
         env:
           BALANCE_ROLE_ARN: ${{ secrets.BALANCE_ROLE_ARN }}
-        run: balance -read-region us-east-1 -write-region ${{ inputs.region }} -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
+          REGION: ${{ inputs.region }}
+        run: |
+          set -euo pipefail
+          balance -read-region us-east-1 -write-region "$REGION" -write-role "$BALANCE_ROLE_ARN" -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false

.github/workflows/layer_balance.yml

@@ -64,8 +64,17 @@ jobs:
       - id: run-balance-new-region
         name: Run Balance
         if: ${{ inputs.start_at == '' }}
-        run: balance -read-region us-east-1 -write-region ${{ inputs.region }} -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
+        env:
+          REGION: ${{ inputs.region }}
+        run: |
+          set -euo pipefail
+          balance -read-region us-east-1 -write-region "$REGION" -write-role "$BALANCE_ROLE_ARN" -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
       - id: run-balance-existing
         name: Run Balance (Existing Region)
         if: ${{ inputs.start_at != '' }}
-        run: balance -read-region us-east-1 -start-at ${{ inputs.start_at }} -write-region ${{ inputs.region }} -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
+        env:
+          REGION: ${{ inputs.region }}
+          START_AT: ${{ inputs.start_at }}
+        run: |
+          set -euo pipefail
+          balance -read-region us-east-1 -start-at "$START_AT" -write-region "$REGION" -write-role "$BALANCE_ROLE_ARN" -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false

.github/workflows/layers_partition_verify.yml

@@ -90,9 +90,12 @@
           aws-region: us-east-1
           mask-aws-account-id: true
       - name: Output AWSLambdaPowertoolsTypeScriptV2
+        env:
+          VERSION: ${{ inputs.version }}
         # fetch the specific layer version information from the us-east-1 commercial region
         run: |
-          aws --region us-east-1 lambda get-layer-version-by-arn --arn 'arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }}' > AWSLambdaPowertoolsTypeScriptV2.json
+          set -euo pipefail
+          aws --region us-east-1 lambda get-layer-version-by-arn --arn "arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${VERSION}" > AWSLambdaPowertoolsTypeScriptV2.json
       - name: Store Metadata
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
@@ -133,13 +136,22 @@
           audience: ${{ needs.setup.outputs.aud }}
       - id: partition_version
         name: Partition Layer Version
+        env:
+          VERSION: ${{ inputs.version }}
+          PARTITION_VERSION: ${{ inputs.partition_version }}
         run: |
-          echo 'partition_version=$([[ -n "${{ inputs.partition_version}}" ]] && echo ${{ inputs.partition_version}} || echo ${{ inputs.version }} )' >> "$GITHUB_OUTPUT"
+          set -euo pipefail
+          if [ -n "${PARTITION_VERSION:-}" ]; then
+            echo "partition_version=${PARTITION_VERSION}" >> "$GITHUB_OUTPUT"
+          else
+            echo "partition_version=${VERSION}" >> "$GITHUB_OUTPUT"
+          fi
       - name: Verify Layer
         run: |
-          export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json'
+          set -euo pipefail
+          layer_output="AWSLambdaPowertoolsTypeScriptV2-${{ matrix.region }}.json"
           # Dynamic secret access is safe here - secrets are scoped per environment
-          aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn "arn:${{ needs.setup.outputs.partition }}:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ steps.partition_version.outputs.partition_version }}" > $layer_output
+          aws --region "${{ matrix.region }}" lambda get-layer-version-by-arn --arn "arn:${{ needs.setup.outputs.partition }}:lambda:${{ matrix.region }}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ steps.partition_version.outputs.partition_version }}" > "$layer_output"
           REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output)
           LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json)
           test "$REMOTE_SHA" == "$LOCAL_SHA" && echo "SHA OK: ${LOCAL_SHA}" || exit 1

.github/workflows/layers_partitions.yml

@@ -99,9 +99,12 @@
           aws-region: us-east-1
           mask-aws-account-id: true
       - name: Grab Zip
+        env:
+          VERSION: ${{ inputs.version }}
         run: |
-          aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }} --query 'Content.Location' | xargs curl -L -o AWSLambdaPowertoolsTypeScriptV2.zip
-          aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.version }} > AWSLambdaPowertoolsTypeScriptV2.json
+          set -euo pipefail
+          aws --region us-east-1 lambda get-layer-version-by-arn --arn "arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${VERSION}" --query 'Content.Location' | xargs curl -L -o AWSLambdaPowertoolsTypeScriptV2.zip
+          aws --region us-east-1 lambda get-layer-version-by-arn --arn "arn:aws:lambda:us-east-1:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${VERSION}" > AWSLambdaPowertoolsTypeScriptV2.json
       - name: Store Zip
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
@@ -158,17 +161,18 @@
       - name: Create Layer
         id: create-layer
         run: |
+          set -euo pipefail
           cat AWSLambdaPowertoolsTypeScriptV2.json | jq '{"LayerName": "AWSLambdaPowertoolsTypeScriptV2", "Description": .Description, "CompatibleRuntimes": .CompatibleRuntimes, "LicenseInfo": .LicenseInfo}' > input.json
-        
-          LAYER_VERSION=$(aws --region ${{ matrix.region}} lambda publish-layer-version \
+
+          LAYER_VERSION=$(aws --region "${{ matrix.region }}" lambda publish-layer-version \
             --zip-file fileb://./AWSLambdaPowertoolsTypeScriptV2.zip \
             --cli-input-json file://./input.json \
             --query 'Version' \
             --output text)
 
           echo "LAYER_VERSION=$LAYER_VERSION" >> "$GITHUB_OUTPUT"
 
-          aws --region ${{ matrix.region}} lambda add-layer-version-permission \
+          aws --region "${{ matrix.region }}" lambda add-layer-version-permission \
             --layer-name 'AWSLambdaPowertoolsTypeScriptV2' \
             --statement-id 'PublicLayer' \
             --action lambda:GetLayerVersion \
@@ -182,17 +186,19 @@
       - name: Verify Layer
         env:
           LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }}
+          ENVIRONMENT: ${{ inputs.environment }}
         run: |
-          export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json'
+          set -euo pipefail
+          export layer_output="AWSLambdaPowertoolsTypeScriptV2-${{ matrix.region }}.json"
           # Dynamic secret access is safe here - secrets are scoped per environment
-          aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn 'arn:${{ needs.setup.outputs.partition }}:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' > $layer_output
+          aws --region "${{ matrix.region }}" lambda get-layer-version-by-arn --arn "arn:${{ needs.setup.outputs.partition }}:lambda:${{ matrix.region }}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${LAYER_VERSION}" > "$layer_output"
           REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output)
           LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json)
           test "$REMOTE_SHA" == "$LOCAL_SHA" && echo "SHA OK: ${LOCAL_SHA}" || exit 1
           REMOTE_DESCRIPTION=$(jq -r '.Description' $layer_output)
           LOCAL_DESCRIPTION=$(jq -r '.Description' AWSLambdaPowertoolsTypeScriptV2.json)
           test "$REMOTE_DESCRIPTION" == "$LOCAL_DESCRIPTION" && echo "Version number OK: ${LOCAL_DESCRIPTION}" || exit 1
-          if [ "${{ inputs.environment }}" == "Prod" ]; then
+          if [ "$ENVIRONMENT" == "Prod" ]; then
             REMOTE_LAYER_VERSION=$(jq -r '.LayerVersionArn' $layer_output | sed 's/.*://')
             LOCAL_LAYER_VERSION=$(jq -r '.LayerVersionArn' AWSLambdaPowertoolsTypeScriptV2.json | sed 's/.*://')
             test "$REMOTE_LAYER_VERSION" == "$LOCAL_LAYER_VERSION" && echo "Layer Version number OK: ${LOCAL_LAYER_VERSION}" || exit 1

.github/workflows/publish_layer.yml

@@ -48,7 +48,9 @@ jobs:
       - name: Setup dependencies
         uses: aws-powertools/actions/.github/actions/cached-node-modules@29979bc5339bf54f76a11ac36ff67701986bb0f0
       - name: CDK build
-        run: npm run cdk -w layers -- synth --context PowertoolsPackageVersion=${{ inputs.latest_published_version }} -o cdk.out
+        env:
+          LAYER_VERSION: ${{ inputs.latest_published_version }}
+        run: npm run cdk -w layers -- synth --context PowertoolsPackageVersion=$LAYER_VERSION -o cdk.out
       - name: Zip output
         run: zip -r cdk.out.zip layers/cdk.out
       - name: Archive CDK artifacts

.github/workflows/reusable_publish_docs.yml

@@ -64,22 +64,29 @@ jobs:
           python-version: "3.12"
       - name: Install doc generation dependencies
         run: |
+          set -euo pipefail
           pip install --require-hashes -r docs/requirements.txt
       - name: Git refresh tip (detached mode)
         # Git Detached mode (release notes) doesn't have origin
         if: ${{ inputs.detached_mode }}
         run: |
+          set -euo pipefail
           git config pull.rebase true
-          git config remote.origin.url >&- || git remote add origin https://github.com/"$ORIGIN"
+          git config remote.origin.url >&- || git remote add origin "https://github.com/$ORIGIN"
           git pull origin "$BRANCH"
         env:
           BRANCH: ${{ inputs.git_ref }}
       - name: Normalize Version Number
-        run: echo "VERSION=$(echo ${{ inputs.version }} | sed 's/v//')" >> $GITHUB_ENV
+        env:
+          VERSION: ${{ inputs.version }}
+        run: |
+          set -euo pipefail
+          echo "VERSION=$(echo "$VERSION" | sed 's/v//')" >> "$GITHUB_ENV"
       - name: Build docs website and API reference
         env:
           ALIAS: ${{ inputs.alias }}
         run: |
+          set -euo pipefail
           rm -rf site
           mkdocs build
       - name: Configure AWS credentials
@@ -99,18 +106,20 @@ jobs:
           ALIAS: ${{ inputs.alias }}
           AWS_DOCS_BUCKET: ${{ secrets.AWS_DOCS_BUCKET }}
         run: |
+          set -euo pipefail
           aws s3 sync \
             site/ \
-            s3://$AWS_DOCS_BUCKET/lambda-typescript/$VERSION/
+            "s3://$AWS_DOCS_BUCKET/lambda-typescript/$VERSION/"
       - name: Deploy Docs (Alias)
         env:
           VERSION: ${{ inputs.version }}
           ALIAS: ${{ inputs.alias }}
           AWS_DOCS_BUCKET: ${{ secrets.AWS_DOCS_BUCKET }}
         run: |
+          set -euo pipefail
           aws s3 sync \
             site/ \
-            s3://$AWS_DOCS_BUCKET/lambda-typescript/$ALIAS/
+            "s3://$AWS_DOCS_BUCKET/lambda-typescript/$ALIAS/"
       - name: Deploy Docs (Version JSON)
         env:
           VERSION: ${{ inputs.version }}
@@ -129,11 +138,12 @@ jobs:
         #      - if it's a new version number, we add it at position 0 in the array.
         #   4. Once done, we'll upload it back to S3.
         run: |
+          set -euo pipefail
           aws s3 cp \
-            s3://$AWS_DOCS_BUCKET/lambda-typescript/versions.json \
+            "s3://$AWS_DOCS_BUCKET/lambda-typescript/versions.json" \
             versions_old.json
-          jq 'del(.[].aliases[] | select(. == "${{ env.ALIAS }}"))' < versions_old.json > versions_proc.json
-          jq '. as $o | [{"title": "${{ env.VERSION }}", "version": "${{ env.VERSION }}", "aliases": ["${{ env.ALIAS }}"] }] as $n | $n | if .[0].title | test("[a-z]+") or any($o[].title == $n[0].title;.) then [($o | .[] | select(.title == $n[0].title).aliases += $n[0].aliases | . )] else $n + $o end' < versions_proc.json > versions.json
+          jq --arg ALIAS "$ALIAS" 'del(.[].aliases[] | select(. == $ALIAS))' < versions_old.json > versions_proc.json
+          jq --arg VERSION "$VERSION" --arg ALIAS "$ALIAS" '. as $o | [{"title": $VERSION, "version": $VERSION, "aliases": [$ALIAS]}] as $n | $n | if .[0].title | test("[a-z]+") or any($o[].title == $n[0].title;.) then [($o | .[] | select(.title == $n[0].title).aliases += $n[0].aliases | . )] else $n + $o end' < versions_proc.json > versions.json
           aws s3 cp \
             versions.json \
-            s3://$AWS_DOCS_BUCKET/lambda-typescript/versions.json
+            "s3://$AWS_DOCS_BUCKET/lambda-typescript/versions.json"

.github/workflows/run-e2e-tests.yml

@@ -44,8 +44,11 @@ jobs:
       # we checkout the PR at that point in time
       - name: Checkout PR code
         if: ${{ inputs.prNumber != '' }}
+        env:
+          PR_NUMBER: ${{ inputs.prNumber }}
         run: |
-          gh pr checkout ${{ inputs.prNumber }}
+          set -euo pipefail
+          gh pr checkout "$PR_NUMBER"
       - name: Setup Node.js
         uses: actions/setup-node@a0853c24544627f65ddf259abe73b1d18a591444 # v5.0.0
         with:

.github/workflows/update_ssm.yml

@@ -129,13 +129,14 @@ jobs:
           mask-aws-account-id: true
       - id: write-version
         env:
-          prefix: ${{ inputs.environment == 'beta' && '/aws/service/powertools/beta' || '/aws/service/powertools' }}
+          PREFIX: ${{ inputs.environment == 'beta' && '/aws/service/powertools/beta' || '/aws/service/powertools' }}
+          PACKAGE_VERSION: ${{ inputs.package_version }}
         run: |
-          aws ssm put-parameter --name ${{ env.prefix }}/typescript/generic/all/${{ inputs.package_version }} --value "arn:aws:lambda:${{ matrix.region }}:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.layer-version }}" --type String --overwrite
+          aws ssm put-parameter --name "$PREFIX/typescript/generic/all/$PACKAGE_VERSION" --value "arn:aws:lambda:${{ matrix.region }}:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.layer-version }}" --type String --overwrite
 
       - id: write-latest
         if: inputs.write_latest == true
         env:
           prefix: ${{ inputs.environment == 'beta' && '/aws/service/powertools/beta' || '/aws/service/powertools' }}
         run: |
-          aws ssm put-parameter --name ${{ env.prefix }}/typescript/generic/all/latest --value "arn:aws:lambda:${{ matrix.region }}:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.layer-version }}" --type String --overwrite
+          aws ssm put-parameter --name "${{ env.prefix }}/typescript/generic/all/latest" --value "arn:aws:lambda:${{ matrix.region }}:094274105915:layer:AWSLambdaPowertoolsTypeScriptV2:${{ inputs.layer-version }}" --type String --overwrite