Merge b3fe6c2880 into 9df4ea095f

Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.14.0 to 2.14.1.
- [Release notes](https://github.com/step-security/harden-runner/releases)
- [Commits](20cf305ff2...e3f713f2d8)

---
updated-dependencies:
- dependency-name: step-security/harden-runner
  dependency-version: 2.14.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

.github/workflows/dependencies.yml

@@ -13,7 +13,7 @@ jobs:
       contents: write # this is needed to push commits and branches
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
         with:
           egress-policy: audit
 

.github/workflows/installer.yml

@@ -26,7 +26,7 @@ jobs:
           - macos-latest
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
         with:
           egress-policy: audit
 
@@ -47,7 +47,7 @@ jobs:
       - test
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
         with:
           egress-policy: audit
 

.github/workflows/main.yml

@@ -24,7 +24,7 @@ jobs:
     if: github.repository == 'ohmyzsh/ohmyzsh'
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
         with:
           egress-policy: audit
 

.github/workflows/project.yml

@@ -17,7 +17,7 @@ jobs:
     if: github.repository == 'ohmyzsh/ohmyzsh'
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
         with:
           egress-policy: audit
       - name: Authenticate as @ohmyzsh

.github/workflows/scorecard.yml

@@ -36,7 +36,7 @@ jobs:
 
     steps:
       - name: Harden the runner (Audit all outbound calls)
-        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        uses: step-security/harden-runner@e3f713f2d8f53843e71c69a996d56f51aa9adfb9 # v2.14.1
         with:
           egress-policy: audit
 
@@ -60,6 +60,6 @@ jobs:
           retention-days: 5
 
       - name: "Upload to code-scanning"
-        uses: github/codeql-action/upload-sarif@19b2f06db2b6f5108140aeb04014ef02b648f789 # v4.31.11
+        uses: github/codeql-action/upload-sarif@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
         with:
           sarif_file: results.sarif

plugins/aws/aws.plugin.zsh

@@ -42,7 +42,7 @@ function asp() {
   export AWS_PROFILE=$1
   export AWS_EB_PROFILE=$1
 
-  export AWS_PROFILE_REGION=$(aws configure get region)
+  export AWS_PROFILE_REGION=$(_aws_get_profile_region "$1")
 
   _aws_update_state
 
@@ -239,9 +239,52 @@ function aws_regions() {
 }
 
 function aws_profiles() {
-  aws --no-cli-pager configure list-profiles 2> /dev/null && return
+  local config_file="${AWS_CONFIG_FILE:-$HOME/.aws/config}"
-  [[ -r "${AWS_CONFIG_FILE:-$HOME/.aws/config}" ]] || return 1
+  local credentials_file="${AWS_SHARED_CREDENTIALS_FILE:-$HOME/.aws/credentials}"
-  grep --color=never -Eo '\[.*\]' "${AWS_CONFIG_FILE:-$HOME/.aws/config}" | sed -E 's/^[[:space:]]*\[(profile)?[[:space:]]*([^[:space:]]+)\][[:space:]]*$/\2/g'
+  local profiles=()
+
+  # Parse config file: match [default], [profile name], but not [sso-session ...] etc.
+  # Pattern handles optional whitespace around brackets and profile keyword
+  if [[ -r "$config_file" ]]; then
+    profiles+=($(grep --color=never -Eo '\[.*\]' "$config_file" \
+      | sed -nE 's/^[[:space:]]*\[(profile[[:space:]]+)?([^[:space:]]+)[[:space:]]*\]$/\2/p' \
+      | grep -v '^sso-session$'))
+  fi
+
+  # Parse credentials file (profiles have [name] format, no "profile" prefix)
+  if [[ -r "$credentials_file" ]]; then
+    profiles+=($(grep --color=never -Eo '\[.*\]' "$credentials_file" \
+      | sed -nE 's/^[[:space:]]*\[([^[:space:]]+)[[:space:]]*\]$/\1/p'))
+  fi
+
+  # Return unique profiles, or fall back to AWS CLI
+  if [[ ${#profiles[@]} -gt 0 ]]; then
+    printf '%s\n' "${profiles[@]}" | sort -u
+  else
+    aws --no-cli-pager configure list-profiles 2>/dev/null
+  fi
+}
+
+# Fast region lookup by parsing config file directly, with fallback to AWS CLI
+function _aws_get_profile_region() {
+  local profile="${1:-$AWS_PROFILE}"
+  local config_file="${AWS_CONFIG_FILE:-$HOME/.aws/config}"
+  local region=""
+
+  # Try fast config file parsing first
+  if [[ -r "$config_file" ]]; then
+    region=$(awk -v profile="$profile" '
+      /^\[/ { in_profile = ($0 ~ "\\[(profile )?[ ]*"profile"[ ]*\\]") }
+      in_profile && /^[ ]*region[ ]*=/ { gsub(/^[ ]*region[ ]*=[ ]*/, ""); gsub(/[ ]*$/, ""); print; exit }
+    ' "$config_file")
+  fi
+
+  # Fallback to AWS CLI if fast method didn't find region
+  if [[ -z "$region" ]]; then
+    region=$(aws configure get region --profile "$profile" 2>/dev/null)
+  fi
+
+  echo "$region"
 }
 
 function _aws_regions() {