ericbn
diff --git a/‎.github/workflows/layer_govcloud.yml
Lines changed: 4 additions & 4 deletions b/‎.github/workflows/layer_govcloud.yml
Lines changed: 4 additions & 4 deletions
diff --git a/‎.github/workflows/layer_govcloud_python313.yml
Lines changed: 4 additions & 4 deletions b/‎.github/workflows/layer_govcloud_python313.yml
Lines changed: 4 additions & 4 deletions
diff --git a/‎.github/workflows/pre-release.yml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/pre-release.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/publish_v2_layer.yml
Lines changed: 4 additions & 4 deletions b/‎.github/workflows/publish_v2_layer.yml
Lines changed: 4 additions & 4 deletions
diff --git a/‎.github/workflows/publish_v3_layer.yml
Lines changed: 44 additions & 35 deletions b/‎.github/workflows/publish_v3_layer.yml
Lines changed: 44 additions & 35 deletions
diff --git a/‎.github/workflows/quality_check.yml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/quality_check.yml
Lines changed: 1 addition & 1 deletion
diff --git a/‎.github/workflows/quality_code_cdk_constructor.yml
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/quality_code_cdk_constructor.yml
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/release-v3.yml
Lines changed: 6 additions & 0 deletions b/‎.github/workflows/release-v3.yml
Lines changed: 6 additions & 0 deletions
diff --git a/‎.github/workflows/reusable_deploy_v2_layer_stack.yml
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/reusable_deploy_v2_layer_stack.yml
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/reusable_deploy_v2_sar.yml
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/reusable_deploy_v2_sar.yml
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/reusable_deploy_v3_layer_stack.yml
Lines changed: 2 additions & 2 deletions b/‎.github/workflows/reusable_deploy_v3_layer_stack.yml
Lines changed: 2 additions & 2 deletions
diff --git a/‎.github/workflows/reusable_deploy_v3_sar.yml
Lines changed: 13 additions & 15 deletions b/‎.github/workflows/reusable_deploy_v3_sar.yml
Lines changed: 13 additions & 15 deletions
diff --git a/‎.github/workflows/run-e2e-tests.yml
Lines changed: 1 addition & 1 deletion b/‎.github/workflows/run-e2e-tests.yml
Lines changed: 1 addition & 1 deletion
@@ -104,11 +104,11 @@ jobs:
     environment: GovCloud ${{ inputs.environment }} (East)
     steps:
       - name: Download Zip
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
         with:
           name: ${{ matrix.layer }}_${{ matrix.arch }}.zip
       - name: Download Metadata
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
         with:
           name: ${{ matrix.layer }}_${{ matrix.arch }}.json
       - name: Verify Layer Signature
@@ -173,11 +173,11 @@ jobs:
       name: GovCloud ${{ inputs.environment }} (West)
     steps:
       - name: Download Zip
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
         with:
           name: ${{ matrix.layer }}_${{ matrix.arch }}.zip
       - name: Download Metadata
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
         with:
           name: ${{ matrix.layer }}_${{ matrix.arch }}.json
       - name: Verify Layer Signature
 
@@ -96,11 +96,11 @@ jobs:
     environment: GovCloud ${{ inputs.environment }} (East)
     steps:
       - name: Download Zip
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
         with:
           name: ${{ matrix.layer }}_${{ matrix.arch }}.zip
       - name: Download Metadata
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
         with:
           name: ${{ matrix.layer }}_${{ matrix.arch }}.json
       - name: Verify Layer Signature
@@ -161,11 +161,11 @@ jobs:
       name: GovCloud ${{ inputs.environment }} (West)
     steps:
       - name: Download Zip
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
         with:
           name: ${{ matrix.layer }}_${{ matrix.arch }}.zip
       - name: Download Metadata
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
         with:
           name: ${{ matrix.layer }}_${{ matrix.arch }}.json
       - name: Verify Layer Signature
 
@@ -255,7 +255,7 @@ jobs:
           artifact_name: ${{ needs.seal.outputs.artifact_name }}
 
       - name: Download provenance
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
         with:
           name: ${{needs.provenance.outputs.provenance-name}}
 
 
@@ -101,7 +101,7 @@ jobs:
       - name: Install poetry
         run: pipx install git+https://github.com/python-poetry/poetry@bd500dd3bdfaec3de6894144c9cedb3a9358be84 # v2.0.1
       - name: Setup Node.js
-        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
         with:
           node-version: "16.12"
       - name: Setup python
@@ -117,14 +117,14 @@ jobs:
           pip install --require-hashes -r requirements.txt
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v2.0.0
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v2.0.0
         with:
           platforms: arm64
         # NOTE: we need QEMU to build Layer against a different architecture (e.g., ARM)
 
       - name: Set up Docker Buildx
         id: builder
-        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
         with:
           install: true
           driver: docker
@@ -258,7 +258,7 @@ jobs:
           artifact_name: ${{ inputs.source_code_artifact_name }}
 
       - name: Download CDK layer artifacts
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
         with:
           path: cdk-layer-stack
           pattern: cdk-layer-stack-*  # merge all Layer artifacts created per region earlier (reusable_deploy_v2_layer_stack.yml; step "Save Layer ARN artifact")
 
@@ -49,6 +49,11 @@ on:
         default: false
         type: boolean
         required: false
+      skip_lambda_layer:
+        description: "Skip publishing Lambda Layers as it can publish duplicated versions of the same layer. Useful for semi-failed releases"
+        type: boolean
+        required: false
+
   workflow_call:
     inputs:
       latest_published_version:
@@ -72,6 +77,11 @@ on:
         description: "Sealed source code integrity hash"
         type: string
         required: true
+      skip_lambda_layer:
+        description: "Skip publishing Lambda Layers as it can publish duplicated versions of the same layer. Useful for semi-failed releases"
+        default: false
+        type: boolean
+        required: false
 
 permissions:
   contents: read
@@ -113,7 +123,7 @@ jobs:
           pipx install git+https://github.com/python-poetry/poetry@bd500dd3bdfaec3de6894144c9cedb3a9358be84 # v2.0.1
           pipx inject poetry git+https://github.com/python-poetry/poetry-plugin-export@8c83d26603ca94f2e203bfded7b6d7f530960e06 # v1.8.0
       - name: Setup Node.js
-        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
         with:
           node-version: "18.20.4"
       - name: Setup python
@@ -129,14 +139,14 @@ jobs:
           pip install --require-hashes -r requirements.txt
 
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v2.0.0
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v2.0.0
         with:
           platforms: arm64
         # NOTE: we need QEMU to build Layer against a different architecture (e.g., ARM)
 
       - name: Set up Docker Buildx
         id: builder
-        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
         with:
           install: true
           driver: docker
@@ -180,6 +190,7 @@ jobs:
       source_code_integrity_hash: ${{ inputs.source_code_integrity_hash }}
 
   prod:
+    if: ${{ !inputs.skip_lambda_layer }}
     needs: beta
     # lower privilege propagated from parent workflow (release-v3.yml)
     permissions:
@@ -195,41 +206,39 @@ jobs:
       source_code_artifact_name: ${{ inputs.source_code_artifact_name }}
       source_code_integrity_hash: ${{ inputs.source_code_integrity_hash }}
 
-  # UNCOMMENT sar-beta JOB
-  #sar-beta:
-  #  needs: beta  # canaries run on Layer Beta env
-  #  permissions:
+  sar-beta:
+    needs: beta  # canaries run on Layer Beta env
+    permissions:
       # lower privilege propagated from parent workflow (release.yml)
-  #    id-token: write
-  #    contents: read
-  #    pull-requests: none
-  #    pages: none
-  #  uses: ./.github/workflows/reusable_deploy_v3_sar.yml
-  #  secrets: inherit
-  #  with:
-  #    stage: "BETA"
-  #    environment: "layer-beta"
-  #    package-version: ${{ inputs.latest_published_version }}
-  #    source_code_artifact_name: ${{ inputs.source_code_artifact_name }}
-  #    source_code_integrity_hash: ${{ inputs.source_code_integrity_hash }}
+      id-token: write
+      contents: read
+      pull-requests: none
+      pages: none
+    uses: ./.github/workflows/reusable_deploy_v3_sar.yml
+    secrets: inherit
+    with:
+      stage: "BETA"
+      environment: "layer-beta"
+      package-version: ${{ inputs.latest_published_version }}
+      source_code_artifact_name: ${{ inputs.source_code_artifact_name }}
+      source_code_integrity_hash: ${{ inputs.source_code_integrity_hash }}
 
-  # UNCOMMENT sar-prod JOB
-  #sar-prod:
-  #  needs: sar-beta
-  #  permissions:
+  sar-prod:
+    needs: sar-beta
+    permissions:
       # lower privilege propagated from parent workflow (release.yml)
-  #    id-token: write
-  #    contents: read
-  #    pull-requests: none
-  #    pages: none
-  #  uses: ./.github/workflows/reusable_deploy_v3_sar.yml
-  #  secrets: inherit
-  #  with:
-  #    stage: "PROD"
-  #    environment: "layer-prod"
-  #    package-version: ${{ inputs.latest_published_version }}
-  #    source_code_artifact_name: ${{ inputs.source_code_artifact_name }}
-  #    source_code_integrity_hash: ${{ inputs.source_code_integrity_hash }}
+      id-token: write
+      contents: read
+      pull-requests: none
+      pages: none
+    uses: ./.github/workflows/reusable_deploy_v3_sar.yml
+    secrets: inherit
+    with:
+      stage: "PROD"
+      environment: "layer-prod"
+      package-version: ${{ inputs.latest_published_version }}
+      source_code_artifact_name: ${{ inputs.source_code_artifact_name }}
+      source_code_integrity_hash: ${{ inputs.source_code_integrity_hash }}
 
 
   # Updating the documentation with the latest Layer ARNs is a two-phase process
 
@@ -76,7 +76,7 @@ jobs:
       - name: Complexity baseline
         run: make complexity-baseline
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@13ce06bfc6bbe3ecf90edbbf1bc32fe5978ca1d3 # 5.3.1
+        uses: codecov/codecov-action@0565863a31f2c772f9f0395002a31e3f06189574 # 5.4.0
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           file: ./coverage.xml
 
@@ -51,13 +51,13 @@ jobs:
           python-version: ${{ matrix.python-version }}
           cache: "poetry"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@4574d27a4764455b42196d70a065bc6853246a25 # v2.0.0
+        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v2.0.0
         with:
           platforms: arm64
         # NOTE: we need QEMU to build Layer against a different architecture (e.g., ARM)
       - name: Set up Docker Buildx
         id: builder
-        uses: docker/setup-buildx-action@f7ce87c1d6bead3e36075b2ce75da1f6cc28aaca # v3.9.0
+        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
         with:
           install: true
           driver: docker
 
@@ -48,6 +48,11 @@ on:
         default: false
         type: boolean
         required: false
+      skip_lambda_layer:
+        description: "Skip publishing Lambda Layers as it can publish duplicated versions of the same layer. Useful for semi-failed releases"
+        default: false
+        type: boolean
+        required: false
       skip_code_quality:
         description: "Skip tests, linting, and baseline. Only use if release fail for reasons beyond our control and you need a quick release."
         default: false
@@ -350,6 +355,7 @@ jobs:
       pre_release: ${{ inputs.pre_release }}
       source_code_artifact_name: ${{ needs.seal.outputs.artifact_name }}
       source_code_integrity_hash: ${{ needs.seal.outputs.integrity_hash }}
+      skip_lambda_layer: ${{ inputs.skip_lambda_layer }}
 
   post_release:
     needs: [seal, release, publish_layer]
 
@@ -159,7 +159,7 @@ jobs:
           role-to-assume: ${{ secrets.AWS_LAYERS_ROLE_ARN }}
           mask-aws-account-id: true
       - name: Setup Node.js
-        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
         with:
           node-version: "16.12"
       - name: Setup python
@@ -181,7 +181,7 @@ jobs:
       - name: install deps
         run: poetry install
       - name: Download artifact
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
         with:
           name: ${{ inputs.artefact-name }}
           path: layer
 
@@ -113,11 +113,11 @@ jobs:
           mask-aws-account-id: true
 
       - name: Setup Node.js
-        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
         with:
           node-version: ${{ env.NODE_VERSION }}
       - name: Download artifact
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
         with:
           name: ${{ inputs.artefact-name }}
       - name: Unzip artefact
 
@@ -167,7 +167,7 @@ jobs:
           role-to-assume: ${{ secrets.AWS_LAYERS_ROLE_ARN }}
           mask-aws-account-id: true
       - name: Setup Node.js
-        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
         with:
           node-version: "18.20.4"
       - name: Setup python
@@ -189,7 +189,7 @@ jobs:
       - name: install deps
         run: poetry install
       - name: Download artifact
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
         with:
           name: cdk-layer-artifact-py${{ matrix.python-version }}
           path: layer_v3
 
@@ -106,14 +106,14 @@ jobs:
           aws-session-token: ${{ env.AWS_SESSION_TOKEN }}
           role-duration-seconds: 1200
           aws-region: ${{ env.AWS_REGION }}
-          role-to-assume: ${{ secrets.AWS_SAR_V2_ROLE_ARN }}
+          role-to-assume: ${{ secrets.AWS_SAR_V3_ROLE_ARN }}
           mask-aws-account-id: true
       - name: Setup Node.js
-        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
         with:
           node-version: ${{ env.NODE_VERSION }}
       - name: Download artifact
-        uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8
+        uses: actions/download-artifact@cc203385981b70ca67e1cc392babf9cc229d5806 # v4.1.9
         with:
           name: cdk-layer-artifact-py${{ matrix.python-version }}
       - name: Unzip artefact
@@ -127,25 +127,22 @@ jobs:
           if [[ "${{ inputs.stage }}" == "BETA" ]]; then
             SAR_NAME="test-${SAR_NAME}"
           fi
-          ARCH_NAME=$(echo ${{ matrix.architecture }} | tr -d '_')
+          ARCH_NAME=$(echo ${{ matrix.architecture }} | tr '_' '-')
           SAR_NAME="${SAR_NAME}-python${{env.PYTHON_VERSION}}-${ARCH_NAME}"
           echo SAR_NAME="${SAR_NAME}" >> "$GITHUB_ENV"
-      - name: Normalize semantic version
-        id: semantic-version # v2.0.0a0 -> v2.0.0-a0
-        env:
-          VERSION: ${{ inputs.package-version }}
-        run: |
-          # VERSION="${VERSION/a/-a}"
-          VERSION="3.0.0"
-          echo "VERSION=${VERSION}" >> "$GITHUB_OUTPUT"
       - name: Prepare SAR App
-        env:
-          VERSION: ${{ steps.semantic-version.outputs.VERSION }}
         run: |
           # From the generated LayerStack cdk.out artifact, find the layer asset path for the correct architecture.
           # We'll use this as the source directory of our SAR. This way we are re-using the same layer asset for our SAR.
           PYTHON_VERSION=$(echo ${{ matrix.python-version }} | tr -d '.')
-          asset=$(jq -jc '.Resources[] | select(.Properties.CompatibleArchitectures == ["${{ matrix.architecture }}"]) | .Metadata."aws:asset:path"' "cdk.out/LayerV3Stack-python${PYTHON_VERSION}.template.json")
+          asset_cdk=$(jq -jc '.Resources[] | select(.Properties.CompatibleArchitectures == ["${{ matrix.architecture }}"]) | .Metadata."aws:asset:path"' "cdk.out/LayerV3Stack-python${PYTHON_VERSION}.template.json")
+
+          echo "Normalizing the asset variable"
+          asset=$(echo $asset_cdk | sed -E 's/^(asset\.[^.]+).*\1/\1/')
+
+          VERSION=$(echo ${{ inputs.package-version }} | sed 's/^v//')
+          echo $asset
+          echo $VERSION
 
           # fill in the SAR SAM template
           sed \
@@ -165,6 +162,7 @@ jobs:
 
           # Package the SAR to our SAR S3 bucket, and publish it
           sam package --template-file template.yml --output-template-file packaged.yml --s3-bucket ${{ secrets.AWS_SAR_S3_BUCKET_V3 }}
+          cat packaged.yml
           sam publish --template packaged.yml --region "$AWS_REGION"
       - name: Deploy BETA canary
         if: ${{ inputs.stage == 'BETA' }}
 
@@ -62,7 +62,7 @@ jobs:
           architecture: "x64"
           cache: "poetry"
       - name: Setup Node.js
-        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
+        uses: actions/setup-node@cdca7365b2dadb8aad0a33bc7601856ffabcc48e # v4.3.0
         with:
           node-version: "20.10.0"
       - name: Install CDK CLI