Maintenance: update bootstrap region automation to remove pinned/aliased dependencies

[dreamorosi]

Summary

Some of the changes introduced in #3438 lowered our OpenSSF Scorecard due to both pinned dependencies and actions using the latest tag instead of a commit hash.

Specifically, the two are:

• the shared GitHub Action here
• the CDK version here

Which correspond to these two alerts:

• https://github.com/aws-powertools/powertools-lambda-typescript/security/code-scanning/77
• https://github.com/aws-powertools/powertools-lambda-typescript/security/code-scanning/76

Note that neither of them involves code that we ship to customers, this is only automation used for us to bootstrap new regions we use to deploy resources.

Why is this needed?

So we can restore our OpenSSF Scorecard score.

Which area does this relate to?

Other

Solution

The first should use a commit hash, similar to what we do here.

The second one should use the CDK version already present in the monorepo rather than install a different one.

Acknowledgment

• This request meets Powertools for AWS Lambda (TypeScript) Tenets
• Should this be considered in other Powertools for AWS Lambda languages? i.e. Python, Java, and .NET

Future readers

Please react with 👍 and your use case to help us understand customer demand.

[github-actions]

⚠️ COMMENT VISIBILITY WARNING ⚠️

This issue is now closed. Please be mindful that future comments are hard for our team to see.

If you need more assistance, please either tag a team member or open a new issue that references this one.

If you wish to keep having a conversation with other community members under this issue feel free to do so.

[dreamorosi]

Reopening because the changes fixed only one of the two. The https://github.com/aws-powertools/powertools-lambda-typescript/security/code-scanning/77 one is still open.

@sthulb could you please help me understand where is the hash missing? Please don't just dismiss it, thank you.