aws-powertools
diff --git a/‎.github/workflows/auto-merge.yml
+4-4 b/‎.github/workflows/auto-merge.yml
+4-4
diff --git a/‎.github/workflows/build-docs.yml
+2-2 b/‎.github/workflows/build-docs.yml
+2-2
diff --git a/‎.github/workflows/build.yml
+9-4 b/‎.github/workflows/build.yml
+9-4
diff --git a/‎.github/workflows/dispatch_analytics.yml
+1-1 b/‎.github/workflows/dispatch_analytics.yml
+1-1
diff --git a/‎.github/workflows/docs.yml
+2-2 b/‎.github/workflows/docs.yml
+2-2
diff --git a/‎.github/workflows/publish.yml
+5-4 b/‎.github/workflows/publish.yml
+5-4
diff --git a/‎.github/workflows/release-drafter.yml
+1-1 b/‎.github/workflows/release-drafter.yml
+1-1
diff --git a/‎.github/workflows/release-prep.yml
+8-8 b/‎.github/workflows/release-prep.yml
+8-8
diff --git a/‎.github/workflows/run-e2e-tests.yml
+3-3 b/‎.github/workflows/run-e2e-tests.yml
+3-3
diff --git a/‎.github/workflows/secure_workflows.yml
+32 b/‎.github/workflows/secure_workflows.yml
+32
diff --git a/‎.github/workflows/spotbugs.yml
+3-3 b/‎.github/workflows/spotbugs.yml
+3-3
diff --git a/‎.gitignore
+2 b/‎.gitignore
+2
diff --git a/‎README.md
+16-2 b/‎README.md
+16-2
diff --git a/‎docs/index.md
+16-1 b/‎docs/index.md
+16-1
diff --git a/‎examples/pom.xml
+12-4 b/‎examples/pom.xml
+12-4
@@ -17,12 +17,12 @@ jobs:
     runs-on: ubuntu-latest
     if: github.event.workflow_run.event == 'pull_request' && github.event.workflow_run.conclusion == 'success' && github.actor == 'dependabot[bot]'
     steps:
-      - uses: actions/checkout@v3
-      - uses: ahmadnassri/action-workflow-run-wait@v1
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3.5.3
+      - uses: ahmadnassri/action-workflow-run-wait@2aa3d9e1a12ecaaa9908e368eaf2123bb084323e # v1.4.4
         with:
           timeout: 300000
       - name: 'Download artifact'
-        uses: actions/[email protected]
+        uses: actions/github-script@47f7cf65b5ced0830a325f705cad64f2f58dddf7 # v3.1.0
         with:
           script: |
             var artifacts = await github.actions.listWorkflowRunArtifacts({
@@ -43,7 +43,7 @@ jobs:
             fs.writeFileSync('${{github.workspace}}/pr.zip', Buffer.from(download.data));
       - run: unzip pr.zip
       - name: Create review
-        uses: actions/github-script@v3
+        uses: actions/github-script@47f7cf65b5ced0830a325f705cad64f2f58dddf7 # v3.1.0
         with:
           script: |
             var fs = require('fs');
 
@@ -22,9 +22,9 @@ jobs:
   docs:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3.5.3
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1
         with:
           python-version: "3.8"
       - name: Capture branch and tag
 
@@ -54,17 +54,22 @@ jobs:
       JAVA: ${{ matrix.java }}
       AWS_REGION: eu-west-1
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3.5.3
       - name: Setup java
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0
         with:
           distribution: 'corretto'
           java-version: ${{ matrix.java }}
           cache: 'maven'
       - name: Build with Maven
         run: mvn -B install --file pom.xml
+      - name: Build Gradle Example
+        if: ${{ matrix.java == '8' }} # Gradle example can only be built on Java 8
+        run: |
+          cd examples/powertools-examples-core-utilities/gradle
+          ./gradlew build
       - name: Upload coverage to Codecov
-        uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70 # 3.1.1
+        uses: codecov/codecov-action@d9f34f8cd5cb3b3eb79b3e4b5dae3a16df499a70 # v3.1.1
         if: ${{ matrix.java == '11' }} # publish results once
         with:
           files: ./powertools-cloudformation/target/site/jacoco/jacoco.xml,./powertools-core/target/site/jacoco/jacoco.xml,./powertools-idempotency/target/site/jacoco/jacoco.xml,./powertools-logging/target/site/jacoco/jacoco.xml,./powertools-metrics/target/site/jacoco/jacoco.xml,./powertools-parameters/target/site/jacoco/jacoco.xml,./powertools-serialization/target/site/jacoco/jacoco.xml,./powertools-sqs/target/site/jacoco/jacoco.xml,./powertools-tracing/target/site/jacoco/jacoco.xml,./powertools-validation/target/site/jacoco/jacoco.xml
@@ -78,7 +83,7 @@ jobs:
           mkdir -p ./pr
           echo ${{ github.event.number }}
           echo ${{ github.event.number }} > ./pr/NR
-      - uses: actions/upload-artifact@v2
+      - uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
         name: Upload artifact
         with:
           name: pr
 
@@ -29,7 +29,7 @@ jobs:
     environment: analytics
     steps:
       - name: Configure AWS credentials
-        uses: aws-actions/configure-aws-credentials@e1e17a757e536f70e52b5a12b2e8d1d1c60e04ef
+        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
         with:
           aws-region: eu-central-1
           role-to-assume: ${{ secrets.AWS_ANALYTICS_ROLE_ARN }}
 
@@ -16,9 +16,9 @@ jobs:
     runs-on: ubuntu-latest
     environment: Docs
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3.5.3
       - name: Set up Python
-        uses: actions/setup-python@v4
+        uses: actions/setup-python@bd6b4b6205c4dbad673328db7b31b7fab9e241c0 # v4.6.1
         with:
           python-version: "3.8"
       - name: Capture branch and tag
 
@@ -8,15 +8,16 @@ jobs:
   publish:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3.5.3
       - name: Set up Maven Central Repository
-        uses: actions/setup-java@v2
+        uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0
         with:
-          distribution: 'zulu'
+          distribution: 'corretto'
           java-version: 8
           server-id: ossrh
           server-username: MAVEN_USERNAME
           server-password: MAVEN_PASSWORD
+          # TODO: use environments https://docs.github.com/en/actions/deployment/targeting-different-environments/using-environments-for-deployment
           gpg-private-key: ${{ secrets.GPG_SIGNING_KEY }} # Value of the GPG private key to import
           gpg-passphrase: GPG_PASSPHRASE # env variable for GPG private key passphrase
       - name: Set release notes tag
@@ -30,7 +31,7 @@ jobs:
           MAVEN_PASSWORD: ${{ secrets.OSSRH_JIRA_PASSWORD }}
           GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
       - name: Close issues related to this release
-        uses: actions/github-script@v5
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410 # v6.4.1
         with:
           script: |
             const post_release = require('.github/workflows/post_release.js')
 
@@ -10,6 +10,6 @@ jobs:
   update_release_draft:
     runs-on: ubuntu-latest
     steps:
-      - uses: release-drafter/release-drafter@v5
+      - uses: release-drafter/release-drafter@569eb7ee3a85817ab916c8f8ff03a5bd96c9c83e # v5.23.0
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
@@ -10,50 +10,50 @@ jobs:
   build:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3.5.3
       - name: Get current date
         id: date
         run: echo "::set-output name=date::$(date +'%Y-%m-%d')"
       - name: Set current release version env variable
         run: |
           echo "CURRENT_VERSION=$(mvn help:evaluate -Dexpression=project.version -q -DforceStdout)" >> $GITHUB_ENV
       - name: Find and Replace ${{ env.CURRENT_VERSION }} with ${{ github.event.inputs.targetRelease }} in mkdocs.yml
-        uses: jacobtomlinson/gha-find-replace@v2
+        uses: jacobtomlinson/gha-find-replace@f485fdc3f67a6d87ae6e3d11e41f648c26d7aee3 # v2.0.0
         with:
           find: 'version: ${{ env.CURRENT_VERSION }}'
           replace: 'version: ${{ github.event.inputs.targetRelease }}'
           regex: false
           include: "mkdocs.yml"
       - name: Find and Replace ${{ env.CURRENT_VERSION }} with ${{ github.event.inputs.targetRelease }} in main pom.xml
-        uses: jacobtomlinson/gha-find-replace@v2
+        uses: jacobtomlinson/gha-find-replace@f485fdc3f67a6d87ae6e3d11e41f648c26d7aee3 # v2.0.0
         with:
           find: ${{ env.CURRENT_VERSION }}
           replace: ${{ github.event.inputs.targetRelease }}
           regex: false
           include: "pom.xml"
       - name: Find and Replace ${{ env.CURRENT_VERSION }} with ${{ github.event.inputs.targetRelease }} in modules pom.xml
-        uses: jacobtomlinson/gha-find-replace@v2
+        uses: jacobtomlinson/gha-find-replace@f485fdc3f67a6d87ae6e3d11e41f648c26d7aee3 # v2.0.0
         with:
           find: ${{ env.CURRENT_VERSION }}
           replace: ${{ github.event.inputs.targetRelease }}
           regex: false
           include: "**/*pom.xml"
       - name: Find and Replace ${{ env.CURRENT_VERSION }} with ${{ github.event.inputs.targetRelease }} in build.gradle
-        uses: jacobtomlinson/gha-find-replace@v2
+        uses: jacobtomlinson/gha-find-replace@f485fdc3f67a6d87ae6e3d11e41f648c26d7aee3 # v2.0.0
         with:
           find: ${{ env.CURRENT_VERSION }}
           replace: ${{ github.event.inputs.targetRelease }}
           regex: false
           include: "**/*build.gradle"
       - name: Find and Replace ${{ env.CURRENT_VERSION }} with ${{ github.event.inputs.targetRelease }} in README.md
-        uses: jacobtomlinson/gha-find-replace@v2
+        uses: jacobtomlinson/gha-find-replace@f485fdc3f67a6d87ae6e3d11e41f648c26d7aee3 # v2.0.0
         with:
           find: ${{ env.CURRENT_VERSION }}
           replace: ${{ github.event.inputs.targetRelease }}
           regex: false
           include: "README.md"
       - name: Create changelog placeholder for ${{ github.event.inputs.targetRelease }}
-        uses: jacobtomlinson/gha-find-replace@v2
+        uses: jacobtomlinson/gha-find-replace@f485fdc3f67a6d87ae6e3d11e41f648c26d7aee3 # v2.0.0
         with:
           find: '## [Unreleased]'
           replace: |
@@ -66,7 +66,7 @@ jobs:
           regex: false
           include: CHANGELOG.md
       - name: Create Release Pull Request
-        uses: peter-evans/create-pull-request@v3
+        uses: peter-evans/create-pull-request@18f7dc018cc2cd597073088f7c7591b9d1c02672 # v3.14.0
         with:
           commit-message: chore:prep release ${{ github.event.inputs.targetRelease }}
           token: ${{ secrets.RELEASE }}
 
@@ -41,15 +41,15 @@ jobs:
       id-token: write # needed to interact with GitHub's OIDC Token endpoint.
       contents: read
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3.5.3
       - name: Setup java
-        uses: actions/setup-java@v3
+        uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0
         with:
           distribution: 'corretto'
           java-version: ${{ matrix.java }}
           cache: maven
       - name: Setup AWS credentials
-        uses: aws-actions/configure-aws-credentials@v1.6.1
+        uses: aws-actions/configure-aws-credentials@5fd3084fc36e372ff1fff382a39b10d03659f355 # v2.2.0
         with:
           role-to-assume: ${{ secrets.AWS_ROLE_ARN_TO_ASSUME }}
           aws-region: ${{ env.AWS_DEFAULT_REGION }}
 
@@ -0,0 +1,32 @@
+name: Lockdown untrusted workflows
+
+# PROCESS
+#
+# 1. Scans for any external GitHub Action being used without version pinning (@<commit-sha> vs @v3)
+# 2. Scans for insecure practices for inline bash scripts (shellcheck)
+# 3. Fail CI and prevent PRs to be merged if any malpractice is found
+
+# USAGE
+#
+# Always triggered on new PR, PR changes and PR merge.
+
+
+on:
+  push:
+    paths:
+      - ".github/workflows/**"
+  pull_request:
+    paths:
+      - ".github/workflows/**"
+
+jobs:
+  enforce_pinned_workflows:
+    name: Harden Security
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read  # checkout code and subsequently GitHub action workflows
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3.5.3
+      - name: Ensure 3rd party workflows have SHA pinned
+        uses: zgosalvez/github-actions-ensure-sha-pinned-actions@555a30da2656b4a7cf47b107800bef097723363e # v2.1.3
@@ -23,11 +23,11 @@ jobs:
   codecheck:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9  # v3.5.3
       - name: Setup java JDK 1.8
-        uses: actions/setup-java@v2
+        uses: actions/setup-java@5ffc13f4174014e2d4d4572b3d74c3fa61aeb2c2 # v3.11.0
         with:
-          distribution: 'zulu'
+          distribution: 'corretto'
           java-version: 8
           # https://github.com/jwgmeligmeyling/spotbugs-github-action/issues/6
           # https://github.blog/2020-08-03-github-actions-improvements-for-fork-and-pull-request-workflows/
 
@@ -107,3 +107,5 @@ example/HelloWorldFunction/.gradle
 example/HelloWorldFunction/build
 /example/.gradle/
 /example/.java-version
+.gradle
+build/
@@ -132,11 +132,18 @@ Next, configure the aspectj-maven-plugin to compile-time weave (CTW) the aws-lam
 <summary><b>Gradle - Java 11+</b></summary>
 
 ```groovy
+
         plugins {
             id 'java'
-            id 'io.freefair.aspectj.post-compile-weaving' version '8.1.0'
+            id 'io.freefair.aspectj.post-compile-weaving' version '8.2.2'
         }
         
+        // the freefair aspect plugins targets gradle 8.2.1
+        // https://docs.freefair.io/gradle-plugins/8.2.2/reference/
+        wrapper {
+            gradleVersion = "8.2.1"
+        }   
+
         repositories {
             mavenCentral()
         }
@@ -145,6 +152,7 @@ Next, configure the aspectj-maven-plugin to compile-time weave (CTW) the aws-lam
             aspect 'software.amazon.lambda:powertools-logging:{{ powertools.version }}'
             aspect 'software.amazon.lambda:powertools-tracing:{{ powertools.version }}'
             aspect 'software.amazon.lambda:powertools-metrics:{{ powertools.version }}'
+            implementation "org.aspectj:aspectjrt:1.9.8.RC3"
         }
         
         sourceCompatibility = 11
@@ -161,6 +169,12 @@ Next, configure the aspectj-maven-plugin to compile-time weave (CTW) the aws-lam
             id 'io.freefair.aspectj.post-compile-weaving' version '6.6.3'
         }
         
+        // the freefair aspect plugins targets gradle 7.6.1
+        // https://docs.freefair.io/gradle-plugins/6.6.3/reference/
+        wrapper {
+            gradleVersion = "7.6.1"
+        }
+
         repositories {
             mavenCentral()
         }
@@ -178,7 +192,7 @@ Next, configure the aspectj-maven-plugin to compile-time weave (CTW) the aws-lam
 
 ## Examples
 
-See the **[examples](examples)**  directory for example projects showcasing usage of different utilities.
+See the latest release of the **[examples](https://github.com/aws-powertools/powertools-lambda-java/tree/v1.17.0/examples)** for example projects showcasing usage of different utilities.
 
 Have a demo project to contribute which showcase usage of different utilities from powertools? We are happy to accept it [here](CONTRIBUTING.md#security-issue-notifications).
 
 
@@ -211,10 +211,17 @@ Depending on your version of Java (either Java 1.8 or 11+), the configuration sl
 === "Gradle Java 11+"
 
     ```groovy
+
         plugins {
             id 'java'
-            id 'io.freefair.aspectj.post-compile-weaving' version '8.1.0'
+            id 'io.freefair.aspectj.post-compile-weaving' version '8.2.2'
         }
+
+        // the freefair aspect plugins targets gradle 8.2.1
+        // https://docs.freefair.io/gradle-plugins/8.2.2/reference/
+        wrapper {
+            gradleVersion = "8.2.1"
+        }        
         
         repositories {
             mavenCentral()
@@ -233,10 +240,18 @@ Depending on your version of Java (either Java 1.8 or 11+), the configuration sl
 === "Gradle Java 1.8"
 
     ```groovy
+
         plugins {
             id 'java'
             id 'io.freefair.aspectj.post-compile-weaving' version '6.6.3'
         }
+
+        // the freefair aspect plugins targets gradle 7.6.1
+        // https://docs.freefair.io/gradle-plugins/6.6.3/reference/
+        wrapper {
+            gradleVersion = "7.6.1"
+        }
+
         
         repositories {
             mavenCentral()
 
@@ -40,9 +40,17 @@
         <module>powertools-examples-cloudformation</module>
     </modules>
 
-    <!-- Don't deploy the examples -->
-    <properties>
-        <maven.deploy.skip>true</maven.deploy.skip>
-    </properties>
+    <build>
+        <plugins>
+            <!-- Don't deploy the examples -->
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-deploy-plugin</artifactId>
+                <configuration>
+                    <skip>true</skip>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
 
 </project>