Use intermediate environment variable in actions (#134)

ahsan-z-khan · web-flow · commit 2cf5b6ff2718 · 2025-08-29T08:59:45.000-07:00
diff --git a/.github/workflows/build-neuron-jax-training-dlc.yaml b/.github/workflows/build-neuron-jax-training-dlc.yaml
@@ -32,30 +32,37 @@ jobs:
 
       - name: Detect changed versions
         id: changes
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          JAX_VERSIONS: ${{ github.event.inputs.jax_versions }}
+          BASE_REF: ${{ github.base_ref }}
+          SHA: ${{ github.sha }}
         run: |
-          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-            # Use manual input versions
-            versions="${{ github.event.inputs.jax_versions }}"
+          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
+            # Use manual input versions with validation
             matrix_json="[]"
-            IFS=',' read -ra VERSION_ARRAY <<< "$versions"
+            IFS=',' read -ra VERSION_ARRAY <<< "$JAX_VERSIONS"
             for version in "${VERSION_ARRAY[@]}"; do
               version=$(echo "$version" | xargs) # trim whitespace
-              path="docker/jax/training/$version"
-              if [ -f "$path/Dockerfile.neuronx" ]; then
-                matrix_json=$(echo "$matrix_json" | jq ". + [{\"version\": \"$version\", \"path\": \"$path\"}]")
+              # Validate version format (only allow alphanumeric, dots, and hyphens)
+              if [[ "$version" =~ ^[a-zA-Z0-9.-]+$ ]]; then
+                path="docker/jax/training/$version"
+                if [ -f "$path/Dockerfile.neuronx" ]; then
+                  matrix_json=$(echo "$matrix_json" | jq --arg v "$version" --arg p "$path" '. + [{"version": $v, "path": $p}]')
+                fi
               fi
             done
           else
             # Detect changed Dockerfile paths
-            changed_paths=$(git diff --name-only origin/${{ github.base_ref }} ${{ github.sha }} \
+            changed_paths=$(git diff --name-only "origin/$BASE_REF" "$SHA" \
               | grep '^docker/jax/training/.*/Dockerfile.neuronx$' \
               | xargs -n1 dirname \
               | sort -u)
             
             matrix_json="[]"
             for path in $changed_paths; do
               version=$(basename "$path")
-              matrix_json=$(echo "$matrix_json" | jq ". + [{\"version\": \"$version\", \"path\": \"$path\"}]")
+              matrix_json=$(echo "$matrix_json" | jq --arg v "$version" --arg p "$path" '. + [{"version": $v, "path": $p}]')
             done
           fi
 
@@ -86,8 +93,10 @@ jobs:
         uses: actions/checkout@v5
 
       - name: Copy common files next to Dockerfile
+        env:
+          MATRIX_PATH: ${{ matrix.path }}
         run: |
-          cp -r docker/common/* ${{ matrix.path }}/
+          cp -r docker/common/* "$MATRIX_PATH"/
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
diff --git a/.github/workflows/build-neuron-pytorch-inference-dlc.yaml b/.github/workflows/build-neuron-pytorch-inference-dlc.yaml
@@ -32,30 +32,37 @@ jobs:
 
       - name: Detect changed versions
         id: changes
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          PYTORCH_VERSIONS: ${{ github.event.inputs.pytorch_versions }}
+          BASE_REF: ${{ github.base_ref }}
+          SHA: ${{ github.sha }}
         run: |
-          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-            # Use manual input versions
-            versions="${{ github.event.inputs.pytorch_versions }}"
+          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
+            # Use manual input versions with validation
             matrix_json="[]"
-            IFS=',' read -ra VERSION_ARRAY <<< "$versions"
+            IFS=',' read -ra VERSION_ARRAY <<< "$PYTORCH_VERSIONS"
             for version in "${VERSION_ARRAY[@]}"; do
               version=$(echo "$version" | xargs) # trim whitespace
-              path="docker/pytorch/inference/$version"
-              if [ -f "$path/Dockerfile.neuronx" ]; then
-                matrix_json=$(echo "$matrix_json" | jq ". + [{\"version\": \"$version\", \"path\": \"$path\"}]")
+              # Validate version format (only allow alphanumeric, dots, and hyphens)
+              if [[ "$version" =~ ^[a-zA-Z0-9.-]+$ ]]; then
+                path="docker/pytorch/inference/$version"
+                if [ -f "$path/Dockerfile.neuronx" ]; then
+                  matrix_json=$(echo "$matrix_json" | jq --arg v "$version" --arg p "$path" '. + [{"version": $v, "path": $p}]')
+                fi
               fi
             done
           else
             # Detect changed Dockerfile paths
-            changed_paths=$(git diff --name-only origin/${{ github.base_ref }} ${{ github.sha }} \
+            changed_paths=$(git diff --name-only "origin/$BASE_REF" "$SHA" \
               | grep '^docker/pytorch/inference/.*/Dockerfile.neuronx$' \
               | xargs -n1 dirname \
               | sort -u)
             
             matrix_json="[]"
             for path in $changed_paths; do
               version=$(basename "$path")
-              matrix_json=$(echo "$matrix_json" | jq ". + [{\"version\": \"$version\", \"path\": \"$path\"}]")
+              matrix_json=$(echo "$matrix_json" | jq --arg v "$version" --arg p "$path" '. + [{"version": $v, "path": $p}]')
             done
           fi
 
@@ -86,8 +93,10 @@ jobs:
         uses: actions/checkout@v5
 
       - name: Copy common files next to Dockerfile
+        env:
+          MATRIX_PATH: ${{ matrix.path }}
         run: |
-          cp -r docker/common/* ${{ matrix.path }}/
+          cp -r docker/common/* "$MATRIX_PATH"/
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
diff --git a/.github/workflows/build-neuron-pytorch-training-dlc.yaml b/.github/workflows/build-neuron-pytorch-training-dlc.yaml
@@ -32,30 +32,37 @@ jobs:
 
       - name: Detect changed versions
         id: changes
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          PYTORCH_VERSIONS: ${{ github.event.inputs.pytorch_versions }}
+          BASE_REF: ${{ github.base_ref }}
+          SHA: ${{ github.sha }}
         run: |
-          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-            # Use manual input versions
-            versions="${{ github.event.inputs.pytorch_versions }}"
+          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
+            # Use manual input versions with validation
             matrix_json="[]"
-            IFS=',' read -ra VERSION_ARRAY <<< "$versions"
+            IFS=',' read -ra VERSION_ARRAY <<< "$PYTORCH_VERSIONS"
             for version in "${VERSION_ARRAY[@]}"; do
               version=$(echo "$version" | xargs) # trim whitespace
-              path="docker/pytorch/training/$version"
-              if [ -f "$path/Dockerfile.neuronx" ]; then
-                matrix_json=$(echo "$matrix_json" | jq ". + [{\"version\": \"$version\", \"path\": \"$path\"}]")
+              # Validate version format (only allow alphanumeric, dots, and hyphens)
+              if [[ "$version" =~ ^[a-zA-Z0-9.-]+$ ]]; then
+                path="docker/pytorch/training/$version"
+                if [ -f "$path/Dockerfile.neuronx" ]; then
+                  matrix_json=$(echo "$matrix_json" | jq --arg v "$version" --arg p "$path" '. + [{"version": $v, "path": $p}]')
+                fi
               fi
             done
           else
             # Detect changed Dockerfile paths
-            changed_paths=$(git diff --name-only origin/${{ github.base_ref }} ${{ github.sha }} \
+            changed_paths=$(git diff --name-only "origin/$BASE_REF" "$SHA" \
               | grep '^docker/pytorch/training/.*/Dockerfile.neuronx$' \
               | xargs -n1 dirname \
               | sort -u)
             
             matrix_json="[]"
             for path in $changed_paths; do
               version=$(basename "$path")
-              matrix_json=$(echo "$matrix_json" | jq ". + [{\"version\": \"$version\", \"path\": \"$path\"}]")
+              matrix_json=$(echo "$matrix_json" | jq --arg v "$version" --arg p "$path" '. + [{"version": $v, "path": $p}]')
             done
           fi
 
@@ -86,8 +93,10 @@ jobs:
         uses: actions/checkout@v5
 
       - name: Copy common files next to Dockerfile
+        env:
+          MATRIX_PATH: ${{ matrix.path }}
         run: |
-          cp -r docker/common/* ${{ matrix.path }}/
+          cp -r docker/common/* "$MATRIX_PATH"/
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
diff --git a/.github/workflows/build-neuron-vllm-inference-dlc.yaml b/.github/workflows/build-neuron-vllm-inference-dlc.yaml
@@ -32,30 +32,37 @@ jobs:
 
       - name: Detect changed versions
         id: changes
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          VLLM_VERSIONS: ${{ github.event.inputs.vllm_versions }}
+          BASE_REF: ${{ github.base_ref }}
+          SHA: ${{ github.sha }}
         run: |
-          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-            # Use manual input versions
-            versions="${{ github.event.inputs.vllm_versions }}"
+          if [ "$EVENT_NAME" = "workflow_dispatch" ]; then
+            # Use manual input versions with validation
             matrix_json="[]"
-            IFS=',' read -ra VERSION_ARRAY <<< "$versions"
+            IFS=',' read -ra VERSION_ARRAY <<< "$VLLM_VERSIONS"
             for version in "${VERSION_ARRAY[@]}"; do
               version=$(echo "$version" | xargs) # trim whitespace
-              path="docker/vllm/inference/$version"
-              if [ -f "$path/Dockerfile.neuronx" ]; then
-                matrix_json=$(echo "$matrix_json" | jq ". + [{\"version\": \"$version\", \"path\": \"$path\"}]")
+              # Validate version format (only allow alphanumeric, dots, and hyphens)
+              if [[ "$version" =~ ^[a-zA-Z0-9.-]+$ ]]; then
+                path="docker/vllm/inference/$version"
+                if [ -f "$path/Dockerfile.neuronx" ]; then
+                  matrix_json=$(echo "$matrix_json" | jq --arg v "$version" --arg p "$path" '. + [{"version": $v, "path": $p}]')
+                fi
               fi
             done
           else
             # Detect changed Dockerfile paths
-            changed_paths=$(git diff --name-only origin/${{ github.base_ref }} ${{ github.sha }} \
+            changed_paths=$(git diff --name-only "origin/$BASE_REF" "$SHA" \
               | grep '^docker/vllm/inference/.*/Dockerfile.neuronx$' \
               | xargs -n1 dirname \
               | sort -u)
             
             matrix_json="[]"
             for path in $changed_paths; do
               version=$(basename "$path")
-              matrix_json=$(echo "$matrix_json" | jq ". + [{\"version\": \"$version\", \"path\": \"$path\"}]")
+              matrix_json=$(echo "$matrix_json" | jq --arg v "$version" --arg p "$path" '. + [{"version": $v, "path": $p}]')
             done
           fi
 
@@ -86,8 +93,10 @@ jobs:
         uses: actions/checkout@v5
 
       - name: Copy common files next to Dockerfile
+        env:
+          MATRIX_PATH: ${{ matrix.path }}
         run: |
-          cp -r docker/common/* ${{ matrix.path }}/
+          cp -r docker/common/* "$MATRIX_PATH"/
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
