Merge branch 'develop' into impl-prototype-async-execution-resolver

Author: leandrodamascena

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -58,7 +58,6 @@ body:
     attributes:
       label: AWS Lambda function runtime
       options:
-        - "3.8"
         - "3.9"
         - "3.10"
         - "3.11"

.github/ISSUE_TEMPLATE/static_typing.yml

@@ -25,7 +25,6 @@ body:
     attributes:
       label: AWS Lambda function runtime
       options:
-        - "3.8"
         - "3.9"
         - "3.10"
         - "3.11"

.github/workflows/bootstrap_region.yml

@@ -0,0 +1,110 @@
+name: Region Bootstrap
+
+# bootstraps new regions
+#
+# PURPOSE
+# Ensures new regions are deployable in future releases
+#
+# JOB 1 PROCESS
+#
+# 1. Installs CDK
+# 2. Bootstraps region
+#
+# JOB 2 PROCESS
+# 1. Sets up Go
+# 2. Installs the balance script
+# 3. Runs balance script to copy layers between aws regions
+
+on:
+  workflow_dispatch:
+    inputs:
+      environment:
+        type: choice
+        options:
+          - beta
+          - prod
+        description: Deployment environment
+      region:
+        type: string
+        required: true
+        description: AWS region to bootstrap (i.e. eu-west-1)
+
+run-name: Region Bootstrap ${{ inputs.region }}
+
+permissions:
+  contents: read
+
+jobs:
+  cdk:
+    name: Install CDK
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    environment: layer-${{ inputs.environment }}
+    steps:
+      - id: credentials
+        name: AWS Credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          aws-region: ${{ inputs.region }}
+          role-to-assume: ${{ secrets.REGION_IAM_ROLE }}
+          mask-aws-account-id: true
+      - id: workdir
+        name: Create Workdir
+        run: |
+          mkdir -p build/project
+      - id: cdk-install
+        name: Install CDK
+        working-directory: build
+        run: |
+          npm i aws-cdk
+      - id: cdk-project
+        name: CDK Project
+        working-directory: build/project
+        run: |
+          npx cdk init app --language=typescript
+          AWS_REGION="${{ inputs.region }}" npx cdk bootstrap
+
+  copy_layers:
+    name: Copy Layers
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    strategy:
+      matrix:
+        layer:
+          - AWSLambdaPowertoolsPythonV3-python38-arm64
+          - AWSLambdaPowertoolsPythonV3-python39-arm64
+          - AWSLambdaPowertoolsPythonV3-python310-arm64
+          - AWSLambdaPowertoolsPythonV3-python311-arm64
+          - AWSLambdaPowertoolsPythonV3-python312-arm64
+          - AWSLambdaPowertoolsPythonV3-python313-arm64
+          - AWSLambdaPowertoolsPythonV3-python38-x86_64
+          - AWSLambdaPowertoolsPythonV3-python39-x86_64
+          - AWSLambdaPowertoolsPythonV3-python310-x86_64
+          - AWSLambdaPowertoolsPythonV3-python311-x86_64
+          - AWSLambdaPowertoolsPythonV3-python312-x86_64
+          - AWSLambdaPowertoolsPythonV3-python313-x86_64
+    environment: layer-${{ inputs.environment }}
+    steps:
+      - id: credentials
+        name: AWS Credentials
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
+        with:
+          aws-region: us-east-1
+          role-to-assume: ${{ secrets.REGION_IAM_ROLE }}
+          mask-aws-account-id: true
+      - id: go-setup
+        name: Setup Go
+        uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
+      - id: go-env
+        name: Go Env
+        run: go env
+      - id: go-install-pkg
+        name: Install
+        run: go install github.com/aws-powertools/actions/layer-balancer/cmd/balance@latest
+      - id: run-balance
+        name: Run Balance
+        run: balance -read-region us-east-1 -write-region ${{ inputs.region }} -write-role ${{ secrets.BALANCE_ROLE_ARN }} -layer-name ${{ matrix.layer }} -dry-run=false

.github/workflows/dispatch_analytics.yml

@@ -43,10 +43,11 @@ jobs:
       statuses: read
     steps:
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
+        uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
         with:
           aws-region: eu-central-1
-          role-to-assume: ${{ secrets.AWS_ANALYTICS_ROLE_ARN }}
+          role-to-assume: ${{ secrets.AWS_LAYERS_ROLE_ARN }}
+          mask-aws-account-id: true
 
       - name: Invoke Lambda function
         run: |

.github/workflows/layer_govcloud.yml

@@ -1,3 +1,5 @@
+name: Layer Deployment (GovCloud)
+
 # GovCloud Layer Publish
 # ---
 # This workflow publishes a specific layer version in an AWS account based on the environment input.
@@ -32,9 +34,11 @@ on:
         type: string
         required: true
 
-name: Layer Deployment (GovCloud)
 run-name: Layer Deployment (GovCloud) - ${{ inputs.environment }}
 
+permissions:
+  contents: read
+
 jobs:
   download:
     runs-on: ubuntu-latest
@@ -44,7 +48,6 @@ jobs:
     strategy:
       matrix:
         layer:
-          - AWSLambdaPowertoolsPythonV3-python38
           - AWSLambdaPowertoolsPythonV3-python39
           - AWSLambdaPowertoolsPythonV3-python310
           - AWSLambdaPowertoolsPythonV3-python311
@@ -66,14 +69,14 @@ jobs:
           aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:017000801446:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }} --query 'Content.Location' | xargs curl -L -o ${{ matrix.layer }}_${{ matrix.arch }}.zip
           aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:017000801446:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }} > ${{ matrix.layer }}_${{ matrix.arch }}.json
       - name: Store Zip
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: ${{ matrix.layer }}_${{ matrix.arch }}.zip
           path: ${{ matrix.layer }}_${{ matrix.arch }}.zip
           retention-days: 1
           if-no-files-found: error
       - name: Store Metadata
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: ${{ matrix.layer }}_${{ matrix.arch }}.json
           path: ${{ matrix.layer }}_${{ matrix.arch }}.json
@@ -90,7 +93,6 @@ jobs:
     strategy:
       matrix:
         layer:
-          - AWSLambdaPowertoolsPythonV3-python38
           - AWSLambdaPowertoolsPythonV3-python39
           - AWSLambdaPowertoolsPythonV3-python310
           - AWSLambdaPowertoolsPythonV3-python311
@@ -159,7 +161,6 @@ jobs:
     strategy:
       matrix:
         layer:
-          - AWSLambdaPowertoolsPythonV3-python38
           - AWSLambdaPowertoolsPythonV3-python39
           - AWSLambdaPowertoolsPythonV3-python310
           - AWSLambdaPowertoolsPythonV3-python311

.github/workflows/layer_govcloud_python313.yml

@@ -1,3 +1,5 @@
+name: Layer Deployment (GovCloud) - Temporary for Python 3.13
+
 # GovCloud Layer Publish
 # ---
 # This workflow publishes a specific layer version in an AWS account based on the environment input.
@@ -32,9 +34,11 @@ on:
         type: string
         required: true
 
-name: Layer Deployment (GovCloud) - Temporary for Python 3.13
 run-name: Layer Deployment (GovCloud) - ${{ inputs.environment }}
 
+permissions:
+  contents: read
+
 jobs:
   download:
     runs-on: ubuntu-latest
@@ -61,14 +65,14 @@ jobs:
           aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:017000801446:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }} --query 'Content.Location' | xargs curl -L -o ${{ matrix.layer }}_${{ matrix.arch }}.zip
           aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:017000801446:layer:${{ matrix.layer }}-${{ matrix.arch }}:${{ inputs.version }} > ${{ matrix.layer }}_${{ matrix.arch }}.json
       - name: Store Zip
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: ${{ matrix.layer }}_${{ matrix.arch }}.zip
           path: ${{ matrix.layer }}_${{ matrix.arch }}.zip
           retention-days: 1
           if-no-files-found: error
       - name: Store Metadata
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: ${{ matrix.layer }}_${{ matrix.arch }}.json
           path: ${{ matrix.layer }}_${{ matrix.arch }}.json

.github/workflows/layer_govcloud_verify.yml

@@ -28,7 +28,6 @@ jobs:
     strategy:
       matrix:
         layer:
-          - AWSLambdaPowertoolsPythonV3-python38
           - AWSLambdaPowertoolsPythonV3-python39
           - AWSLambdaPowertoolsPythonV3-python310
           - AWSLambdaPowertoolsPythonV3-python311
@@ -59,7 +58,6 @@ jobs:
     strategy:
       matrix:
         layer:
-          - AWSLambdaPowertoolsPythonV3-python38
           - AWSLambdaPowertoolsPythonV3-python39
           - AWSLambdaPowertoolsPythonV3-python310
           - AWSLambdaPowertoolsPythonV3-python311
@@ -91,7 +89,6 @@ jobs:
     strategy:
       matrix:
         layer:
-          - AWSLambdaPowertoolsPythonV3-python38
           - AWSLambdaPowertoolsPythonV3-python39
           - AWSLambdaPowertoolsPythonV3-python310
           - AWSLambdaPowertoolsPythonV3-python311

.github/workflows/layer_rename.yml

@@ -66,14 +66,14 @@ jobs:
           aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:017000801446:layer:${{ matrix.layer }}-x86:${{ inputs.version }} --query 'Content.Location' | xargs curl -L -o ${{ matrix.layer }}_x86_64.zip
           aws --region us-east-1 lambda get-layer-version-by-arn --arn arn:aws:lambda:us-east-1:017000801446:layer:${{ matrix.layer }}-x86:${{ inputs.version }} > ${{ matrix.layer }}_x86_64.json
       - name: Store Zip
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: ${{ matrix.layer }}_x86_64.zip
           path: ${{ matrix.layer }}_x86_64.zip
           retention-days: 1
           if-no-files-found: error
       - name: Store Metadata
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: ${{ matrix.layer }}_x86_64.json
           path: ${{ matrix.layer }}_x86_64.json

.github/workflows/on_closed_issues.yml

@@ -21,7 +21,7 @@ jobs:
       permissions:
           issues: write  # comment on issues
       steps:
-          - uses: aws-actions/closed-issue-message@37548691e7cc75ba58f85c9f873f9eee43590449
+          - uses: aws-powertools/actions/.github/actions/close-issue-message@428c1934f4b22c0984ff4a39b66c2f70765bbed6
             with:
                 repo-token: "${{ secrets.GITHUB_TOKEN }}"
                 message: |

.github/workflows/ossf_scorecard.yml

@@ -35,7 +35,7 @@ jobs:
           repo_token: ${{ secrets.SCORECARD_TOKEN }}  # read-only fine-grained token to read branch protection settings
 
       - name: "Upload results"
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: SARIF file
           path: results.sarif

.github/workflows/pre-release.yml

@@ -63,8 +63,8 @@ jobs:
       # We use a pinned version of Poetry to be certain it won't modify source code before we create a hash
       - name: Install poetry
         run: |
-          pipx install git+https://github.com/python-poetry/poetry@68b88e5390720a3dd84f02940ec5200bfce39ac6 # v1.5.0
-          pipx inject poetry git+https://github.com/monim67/poetry-bumpversion@315fe3324a699fa12ec20e202eb7375d4327d1c4 # v0.3.1
+          pipx install git+https://github.com/python-poetry/poetry@bd500dd3bdfaec3de6894144c9cedb3a9358be84 # v2.0.1
+          pipx inject poetry git+https://github.com/monim67/poetry-bumpversion@348de6f247222e2953d649932426e63492e0a6bf # v0.3.3
 
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
         with:
@@ -124,7 +124,7 @@ jobs:
         run: cat pyproject.toml
 
       - name: Install poetry
-        run: pipx install git+https://github.com/python-poetry/poetry@68b88e5390720a3dd84f02940ec5200bfce39ac6 # v1.5.0
+        run: pipx install git+https://github.com/python-poetry/poetry@bd500dd3bdfaec3de6894144c9cedb3a9358be84 # v2.0.1
       - name: Set up Python
         uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
@@ -162,7 +162,7 @@ jobs:
           artifact_name: ${{ needs.seal.outputs.artifact_name }}
 
       - name: Install poetry
-        run: pipx install git+https://github.com/python-poetry/poetry@68b88e5390720a3dd84f02940ec5200bfce39ac6 # v1.5.0
+        run: pipx install git+https://github.com/python-poetry/poetry@bd500dd3bdfaec3de6894144c9cedb3a9358be84 # v2.0.1
       - name: Set up Python
         uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b # v5.3.0
         with:
@@ -232,7 +232,7 @@ jobs:
 
       - name: Upload to PyPi prod
         if: ${{ !inputs.skip_pypi }}
-        uses: pypa/gh-action-pypi-publish@15c56dba361d8335944d31a2ecd17d700fc7bcbc # v1.12.2
+        uses: pypa/gh-action-pypi-publish@67339c736fd9354cd4f8cb0b744f2b82a74b5c70 # v1.12.3
 
   # Creates a PR with the latest version we've just released
   # since our trunk is protected against any direct pushes from automation

.github/workflows/publish_v2_layer.yml

@@ -99,7 +99,7 @@ jobs:
           artifact_name: ${{ inputs.source_code_artifact_name }}
 
       - name: Install poetry
-        run: pipx install git+https://github.com/python-poetry/poetry@68b88e5390720a3dd84f02940ec5200bfce39ac6 # v1.5.0
+        run: pipx install git+https://github.com/python-poetry/poetry@bd500dd3bdfaec3de6894144c9cedb3a9358be84 # v2.0.1
       - name: Setup Node.js
         uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
         with:
@@ -124,7 +124,7 @@ jobs:
 
       - name: Set up Docker Buildx
         id: builder
-        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
+        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
         with:
           install: true
           driver: docker
@@ -146,7 +146,7 @@ jobs:
       - name: zip output
         run: zip -r cdk.out.zip cdk.out
       - name: Archive CDK artifacts
-        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
+        uses: actions/upload-artifact@6f51ac03b9356f520e9adb1b1b7802705f340c2b # v4.5.0
         with:
           name: cdk-layer-artefact
           path: layer/cdk.out.zip