Merge branch 'main' into event-handler/response-resolver-logic

Author: dreamorosi

.github/scripts/update_layer_arn.sh

@@ -8,7 +8,7 @@
 # see .github/workflows/publish_layer.yml
 
 
-# Get the new version number from the first command-line argument
+# Get the new layer version from the first command-line argument
 new_version=$1
 if [ -z "$new_version" ]; then
     echo "Usage: $0 <new_version>"

.github/workflows/bootstrap_region.yml

@@ -99,4 +99,6 @@ jobs:
         run: go install github.com/aws-powertools/actions/layer-balancer/cmd/balance@29979bc5339bf54f76a11ac36ff67701986bb0f0
       - id: run-balance
         name: Run Balance
-        run: balance -read-region us-east-1 -write-region ${{ inputs.region }} -write-role ${{ secrets.BALANCE_ROLE_ARN }} -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
+        env:
+          BALANCE_ROLE_ARN: ${{ secrets.BALANCE_ROLE_ARN }}
+        run: balance -read-region us-east-1 -write-region ${{ inputs.region }} -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false

.github/workflows/dependency-review.yml

@@ -19,4 +19,4 @@ jobs:
       - name: 'Checkout Repository'
         uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: 'Dependency Review'
-        uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1
+        uses: actions/dependency-review-action@bc41886e18ea39df68b1b1245f4184881938e050 # v4.7.2

.github/workflows/dispatch_analytics.yml

@@ -40,6 +40,8 @@ jobs:
       contents: read
       id-token: write
     environment: layer-${{ inputs.environment }}
+    env:
+      BALANCE_ROLE_ARN: ${{ secrets.BALANCE_ROLE_ARN }}
     steps:
       - id: credentials
         name: AWS Credentials
@@ -62,8 +64,8 @@ jobs:
       - id: run-balance-new-region
         name: Run Balance
         if: ${{ inputs.start_at == '' }}
-        run: balance -read-region us-east-1 -write-region ${{ inputs.region }} -write-role ${{ secrets.BALANCE_ROLE_ARN }} -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
+        run: balance -read-region us-east-1 -write-region ${{ inputs.region }} -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
       - id: run-balance-existing
         name: Run Balance (Existing Region)
         if: ${{ inputs.start_at != '' }}
-        run: balance -read-region us-east-1 -start-at ${{ inputs.start_at }} -write-region ${{ inputs.region }} -write-role ${{ secrets.BALANCE_ROLE_ARN }} -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false
+        run: balance -read-region us-east-1 -start-at ${{ inputs.start_at }} -write-region ${{ inputs.region }} -write-role $BALANCE_ROLE_ARN -layer-name AWSLambdaPowertoolsTypeScriptV2 -dry-run=false

.github/workflows/layer_balance.yml

@@ -1,6 +1,14 @@
 # Partition Layer Verification
 # ---
 # This workflow queries the Partition layer info in production only
+#
+# CodeQL Security Note:
+# This workflow uses dynamic secret access via secrets[format(...)] which triggers
+# an "Excessive Secrets Exposure" alert. However, this is safe because:
+# - Secrets are scoped per environment (China/GovCloud Gamma/Prod)
+# - Each job only accesses secrets for its specific partition and region
+# - No global secrets array containing mixed credentials (API keys, PEM files, etc.)
+# - The secrets object is already minimally scoped to the environment being used
 
 on:
   workflow_dispatch:
@@ -102,7 +110,7 @@ jobs:
     permissions:
       id-token: write
       contents: read
-    # Environment should interperlate as "GovCloud Prod" or "China Beta"
+    # Environment should interpolate as "GovCloud Prod" or "China Beta"
     environment: ${{ inputs.partition }} ${{ inputs.environment }}
     strategy:
       matrix:
@@ -118,6 +126,7 @@ jobs:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
         with:
+          # Dynamic secret access is safe here - secrets are scoped per environment
           role-to-assume: ${{ secrets[format('IAM_ROLE_{0}', steps.transform.outputs.CONVERTED_REGION)] }}
           aws-region: ${{ matrix.region}}
           mask-aws-account-id: true
@@ -129,6 +138,7 @@ jobs:
       - name: Verify Layer
         run: |
           export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json'
+          # Dynamic secret access is safe here - secrets are scoped per environment
           aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn "arn:${{ needs.setup.outputs.partition }}:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ steps.partition_version.outputs.partition_version }}" > $layer_output
           REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output)
           LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json)

.github/workflows/layers_partition_verify.yml

@@ -15,6 +15,14 @@
 # 1. After the `make-release` workflow finishes and the PR for the documentation update gets created, trigger this workflow manually via `workflow_dispatch` with environment, version, and partition inputs for each Gamma and Prod environment in the China and GovCloud partitions
 # 2. Monitor deployment progress and verify successful layer publication across all target regions
 # 3. Once this workflow is completed, the PR for the documentation update can me merged
+#
+# CodeQL Security Note:
+# This workflow uses dynamic secret access via secrets[format(...)] which triggers
+# an "Excessive Secrets Exposure" alert. However, this is safe because:
+# - Secrets are scoped per environment (China/GovCloud Gamma/Prod)
+# - Each job only accesses secrets for its specific partition and region
+# - No global secrets array containing mixed credentials (API keys, PEM files, etc.)
+# - The secrets object is already minimally scoped to the environment being used
 
 on:
   workflow_dispatch:
@@ -142,6 +150,7 @@ jobs:
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@7474bc4690e29a8392af63c5b98e7449536d5c3a # v4.3.1
         with:
+          # Dynamic secret access is safe here - secrets are scoped per environment
           role-to-assume: ${{ secrets[format('IAM_ROLE_{0}', steps.transform.outputs.CONVERTED_REGION)] }}
           aws-region: ${{ matrix.region}}
           mask-aws-account-id: true
@@ -175,6 +184,7 @@ jobs:
           LAYER_VERSION: ${{ steps.create-layer.outputs.LAYER_VERSION }}
         run: |
           export layer_output='AWSLambdaPowertoolsTypeScriptV2-${{matrix.region}}.json'
+          # Dynamic secret access is safe here - secrets are scoped per environment
           aws --region ${{ matrix.region}} lambda get-layer-version-by-arn --arn 'arn:${{ needs.setup.outputs.partition }}:lambda:${{ matrix.region}}:${{ secrets[format('AWS_ACCOUNT_{0}', steps.transform.outputs.CONVERTED_REGION)] }}:layer:AWSLambdaPowertoolsTypeScriptV2:${{ env.LAYER_VERSION }}' > $layer_output
           REMOTE_SHA=$(jq -r '.Content.CodeSha256' $layer_output)
           LOCAL_SHA=$(jq -r '.Content.CodeSha256' AWSLambdaPowertoolsTypeScriptV2.json)

.github/workflows/layers_partitions.yml

@@ -17,13 +17,7 @@ name: Make Release
 # 4. Merge the PR created by the `publish_layer` workflow to update the documentation
 # 5. Update draft release notes with the latest changes and publish the release on GitHub
 
-on:
-  workflow_dispatch:
-    inputs:
-      layer_documentation_version:
-        description: "Lambda layer version to be updated in our documentation. e.g. if the current layer number is 3, this value must be 4."
-        type: string
-        required: true
+on: workflow_dispatch
 
 permissions:
   contents: read
@@ -59,8 +53,10 @@ jobs:
           node-version: "22"
           cache: "npm"
       - name: Setup auth tokens
+        env:
+          NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
         run: |
-          npm set "//registry.npmjs.org/:_authToken=${{ secrets.NPM_TOKEN }}"
+          npm set "//registry.npmjs.org/:_authToken=$NPM_TOKEN"
       - name: Setup dependencies
         uses: aws-powertools/actions/.github/actions/cached-node-modules@29979bc5339bf54f76a11ac36ff67701986bb0f0
       - name: Publish to npm
@@ -97,13 +93,15 @@ jobs:
   # publish_layer -> reusable_deploy_layer_stack -> reusable_update_layer_arn_docs
   publish_layer:
     needs: publish-npm
-    secrets: inherit
+    secrets:
+      AWS_LAYERS_BETA_ROLE_ARN: ${{ secrets.AWS_LAYERS_BETA_ROLE_ARN }}
+      AWS_LAYERS_PROD_ROLE_ARN: ${{ secrets.AWS_LAYERS_PROD_ROLE_ARN }}
+      TOKEN_GITHUB: ${{ secrets.GITHUB_TOKEN }}
     permissions:
       id-token: write
       contents: write
       pages: write
       pull-requests: write
     uses: ./.github/workflows/publish_layer.yml
     with:
-      latest_published_version: ${{ needs.publish-npm.outputs.RELEASE_VERSION }}
-      layer_documentation_version: ${{ inputs.layer_documentation_version }}
+      latest_published_version: ${{ needs.publish-npm.outputs.RELEASE_VERSION }}

.github/workflows/make-release.yml

@@ -16,7 +16,9 @@ jobs:
     permissions:
       id-token: write  # trade JWT token for AWS credentials in AWS Docs account
       contents: read  # read from this repo to publish docs
-    secrets: inherit
+    secrets:
+      AWS_DOCS_ROLE_ARN: ${{ secrets.AWS_DOCS_ROLE_ARN }}
+      AWS_DOCS_BUCKET: ${{ secrets.AWS_DOCS_BUCKET }}
     uses: ./.github/workflows/reusable_publish_docs.yml
     with:
       version: main

.github/workflows/on_doc_merge.yml

@@ -43,6 +43,6 @@ jobs:
 
       # Upload the results to GitHub's code scanning dashboard.
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@96f518a34f7a870018057716cc4d7a5c014bd61c # v3.29.5
+        uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.5
         with:
           sarif_file: results.sarif