
Commit 262377d

committed
fix: prevent script injection in workflows
Move github.event references to env vars to prevent script injection vulnerabilities in workflow run steps
1 parent 271275b commit 262377d


6 files changed

+55
-42
lines changed


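--- a/.github/workflows/post-release-version-bump.yml
+++ b/.github/workflows/post-release-version-bump.yml
@@ -12,6 +12,8 @@ on:
 default: 'false'
 
 env:
+VERSION_INPUT: ${{ env.VERSION_INPUT }}
+IS_PATCH_INPUT: ${{ env.IS_PATCH_INPUT }}
 AWS_DEFAULT_REGION: us-east-1
 
 permissions:
@@ -31,8 +33,8 @@ jobs:
 
 - name: Extract Major.Minor Version and setup Env variable
 run: |
-echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
-echo "MAJOR_MINOR=$(echo ${{ github.event.inputs.version }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
+echo "VERSION=${{ env.VERSION_INPUT }}" >> $GITHUB_ENV
+echo "MAJOR_MINOR=$(echo ${{ env.VERSION_INPUT }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
 
 - name: Get current major.minor version from main branch
 id: get_version
@@ -88,8 +90,8 @@ jobs:
 
 - name: Extract Major.Minor Version and setup Env variable
 run: |
-echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
-echo "MAJOR_MINOR=$(echo ${{ github.event.inputs.version }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
+echo "VERSION=${{ env.VERSION_INPUT }}" >> $GITHUB_ENV
+echo "MAJOR_MINOR=$(echo ${{ env.VERSION_INPUT }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
 
 - name: Determine release branch and checkout
 run: |
@@ -99,14 +101,14 @@ jobs:
 
 - name: Update version to next development version in main
 run: |
-DEV_VERSION="${{ github.event.inputs.version }}.dev0"
+DEV_VERSION="${{ env.VERSION_INPUT }}.dev0"
 sed -i "s/public static string version = \".*\";/public static string version = \"${DEV_VERSION}\";/" src/AWS.Distro.OpenTelemetry.AutoInstrumentation/Version.cs
 sed -i "s/private readonly string version = \".*\";/private readonly string version = \"${DEV_VERSION}\";/" build/Build.InstallationScripts.cs
-VERSION="${{ github.event.inputs.version }}"
+VERSION="${{ env.VERSION_INPUT }}"
 sed -i -e 's/dotnet:v.*"/dotnet:v'$VERSION'"/' .github/workflows/daily-scan.yml
 
 # for patch releases, avoid merge conflict by manually resolving CHANGELOG with main
-if [[ "${{ github.event.inputs.is_patch }}" == "true" ]]; then
+if [[ "${{ env.IS_PATCH_INPUT }}" == "true" ]]; then
 # Copy the patch release entries
 sed -n "/^## v${VERSION}/,/^## v[0-9]/p" CHANGELOG.md | sed '$d' > /tmp/patch_release_section.txt
 git fetch origin main
@@ -126,7 +128,7 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ env.BOT_TOKEN_GITHUB_RW_PATOKEN }}
 run: |
-DEV_VERSION="${{ github.event.inputs.version }}.dev0"
+DEV_VERSION="${{ env.VERSION_INPUT }}.dev0"
 gh pr create --title "Post release $VERSION: Update version to $DEV_VERSION" \
 --body "This PR prepares the main branch for the next development cycle by updating the version to $DEV_VERSION and updating the image version to be scanned to the latest released.
 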
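Review bot: The new workflow-level entries `VERSION_INPUT: ${{ env.VERSION_INPUT }}` and `IS_PATCH_INPUT: ${{ env.IS_PATCH_INPUT }}` refer to themselves — the `env` context is not available inside a workflow-level `env:` block, so GitHub will either reject the file ("Unrecognized named-value: 'env'") or expand them to empty strings, and the `version`/`is_patch` inputs never reach the steps. Nor is the injection closed: `echo "VERSION=${{ env.VERSION_INPUT }}"`, `DEV_VERSION="${{ env.VERSION_INPUT }}.dev0"` and `if [[ "${{ env.IS_PATCH_INPUT }}" == "true" ]]` are still template-expanded into the script text before bash runs it, which is exactly the pattern the commit message says it is removing. The safe shape is to evaluate the event expression once, in `env:`, and then read it as a shell variable inside `run:`; the rewritten lines below show that for this file (the same substitution applies to the second "Extract Major.Minor" step and the two `DEV_VERSION` lines). Because the value also lands in `sed` patterns and in the `gh pr create` title, a format check such as `[[ "$VERSION_INPUT" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "invalid version"; exit 1; }` at the start of the first step would be a cheap extra guard.
```yaml
env:
  VERSION_INPUT: ${{ github.event.inputs.version }}
  IS_PATCH_INPUT: ${{ github.event.inputs.is_patch }}
  # … unchanged: AWS_DEFAULT_REGION …

      # … unchanged: job and checkout steps …
      - name: Extract Major.Minor Version and setup Env variable
        run: |
          echo "VERSION=$VERSION_INPUT" >> "$GITHUB_ENV"
          echo "MAJOR_MINOR=$(echo "$VERSION_INPUT" | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> "$GITHUB_ENV"
      # … unchanged: later steps; in them
      #   DEV_VERSION="${VERSION_INPUT}.dev0"
      #   VERSION="$VERSION_INPUT"
      #   if [[ "$IS_PATCH_INPUT" == "true" ]]; then
```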

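--- a/.github/workflows/pr-build.yml
+++ b/.github/workflows/pr-build.yml
@@ -15,6 +15,11 @@ permissions:
 contents: read
 id-token: write
 
+env:
+USER: ${{ env.USER }}
+LABELS: ${{ env.LABELS }}
+NUMBER: ${{ env.NUMBER }}
+
 jobs:
 static-code-checks:
 runs-on: ubuntu-latest
@@ -27,18 +32,18 @@ jobs:
 if: always()
 run: |
 # Check if PR is from workflows bot or dependabot
-if [[ "${{ github.event.pull_request.user.login }}" == "aws-application-signals-bot" ]]; then
+if [[ "${{ env.USER }}" == "aws-application-signals-bot" ]]; then
 echo "Skipping check: PR from aws-application-signals-bot"
 exit 0
 fi
 
-if [[ "${{ github.event.pull_request.user.login }}" == "dependabot[bot]" ]]; then
+if [[ "${{ env.USER }}" == "dependabot[bot]" ]]; then
 echo "Skipping check: PR from dependabot"
 exit 0
 fi
 
 # Check for skip changelog label
-if echo '${{ toJSON(github.event.pull_request.labels.*.name) }}' | jq -r '.[]' | grep -q "skip changelog"; then
+if echo '${{ env.LABELS }}' | jq -r '.[]' | grep -q "skip changelog"; then
 echo "Skipping check: skip changelog label found"
 exit 0
 fi
@@ -205,13 +210,13 @@ jobs:
 if: runner.os == 'Linux'
 uses: ./.github/actions/build-and-scan-image
 with:
-image-name: adot-autoinstrumentation-dotnet:pr-${{ github.event.number }}
+image-name: adot-autoinstrumentation-dotnet:pr-${{ env.NUMBER }}
 
 - name: Build and scan Windows image
 if: runner.os == 'Windows'
 uses: ./.github/actions/build-and-scan-image
 with:
-image-name: adot-autoinstrumentation-dotnet:pr-${{ github.event.number }}-windows2022
+image-name: adot-autoinstrumentation-dotnet:pr-${{ env.NUMBER }}-windows2022
 
 contract-test:
 runs-on: ubuntu-latest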
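Review bot: `USER: ${{ env.USER }}`, `LABELS: ${{ env.LABELS }}` and `NUMBER: ${{ env.NUMBER }}` are self-references — the `env` context is not available in a workflow-level `env:` block — so these either fail validation or come out empty, which means the two `if [[ "${{ env.USER }}" == … ]]` skips can never fire and the image tags collapse to `…:pr-` and `…:pr--windows2022`. The `run:` step also still interpolates the expressions into the script text, so the injection the commit targets is not removed: a label containing a `'` breaks out of `echo '${{ env.LABELS }}'` and the rest of the label runs as shell (how exploitable that is depends on whether the trigger is `pull_request` or `pull_request_target`, which is outside this hunk). Populate the variables from the event in `env:` and read them as shell variables in the script, as in the lines below; the `with: image-name:` uses of `${{ env.NUMBER }}` are fine once `NUMBER` is actually set, because `with:` is not a shell context. `USER` is also a name the runner environment typically already defines, so a more specific name such as `PR_AUTHOR` avoids overriding it for every step of the workflow.
```yaml
env:
  PR_AUTHOR: ${{ github.event.pull_request.user.login }}
  LABELS: ${{ toJSON(github.event.pull_request.labels.*.name) }}
  NUMBER: ${{ github.event.number }}

        # … unchanged: step name / if: always() …
        run: |
          # Check if PR is from workflows bot or dependabot
          if [[ "$PR_AUTHOR" == "aws-application-signals-bot" ]]; then
          # … unchanged: echo / exit 0 / fi …
          if [[ "$PR_AUTHOR" == "dependabot[bot]" ]]; then
          # … unchanged: echo / exit 0 / fi …
          # Check for skip changelog label
          if printf '%s' "$LABELS" | jq -r '.[]' | grep -q "skip changelog"; then
```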

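--- a/.github/workflows/pre-release-prepare.yml
+++ b/.github/workflows/pre-release-prepare.yml
@@ -13,6 +13,8 @@ on:
 default: 'false'
 
 env:
+VERSION_INPUT: ${{ env.VERSION_INPUT }}
+IS_PATCH_INPUT: ${{ env.IS_PATCH_INPUT }}
 AWS_DEFAULT_REGION: us-east-1
 
 permissions:
@@ -52,12 +54,12 @@ jobs:
 
 - name: Extract Major.Minor Version and setup Env variable
 run: |
-echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
-echo "MAJOR_MINOR=$(echo ${{ github.event.inputs.version }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
+echo "VERSION=${{ env.VERSION_INPUT }}" >> $GITHUB_ENV
+echo "MAJOR_MINOR=$(echo ${{ env.VERSION_INPUT }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
 
 - name: Create branches
 run: |
-IS_PATCH=${{ github.event.inputs.is_patch }}
+IS_PATCH=${{ env.IS_PATCH_INPUT }}
 if [[ "$IS_PATCH" != "true" && "$IS_PATCH" != "false" ]]; then
 echo "Invalid input for IS_PATCH. Must be 'true' or 'false'."
 exit 1
@@ -110,5 +112,5 @@ jobs:
 --body "This PR updates the version to ${VERSION}.
 
 By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice." \
---head v${{ github.event.inputs.version }}_release \
+--head v${{ env.VERSION_INPUT }}_release \
 --base release/v${MAJOR_MINOR}.x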
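Review bot: `VERSION_INPUT: ${{ env.VERSION_INPUT }}` and `IS_PATCH_INPUT: ${{ env.IS_PATCH_INPUT }}` at workflow level are self-references — the `env` context cannot be used in a workflow-level `env:` block — so the "Create branches" step will see an empty `IS_PATCH` and exit 1 (or the file will fail validation), and `--head v${{ env.VERSION_INPUT }}_release` would target a branch named `v_release`. The `run:` lines also still expand the expression into the script text, and `IS_PATCH=${{ env.IS_PATCH_INPUT }}` is unquoted, so any injected text executes before the `true`/`false` check on the following line can reject it. The fix is `VERSION_INPUT: ${{ github.event.inputs.version }}` and `IS_PATCH_INPUT: ${{ github.event.inputs.is_patch }}` in `env:`, then `IS_PATCH="$IS_PATCH_INPUT"` and `--head "v${VERSION_INPUT}_release"` in the steps, with the two `echo "VERSION=…"` lines reading `$VERSION_INPUT` the same way. The `gh pr create` invocation in the last hunk begins outside the hunk.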

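--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -11,6 +11,8 @@ on:
 default: 'us-east-1, us-east-2, us-west-1, us-west-2, ap-south-1, ap-northeast-3, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-northeast-1, ca-central-1, eu-central-1, eu-west-1, eu-west-2, eu-west-3, eu-north-1, sa-east-1, af-south-1, ap-east-1, ap-south-2, ap-southeast-3, ap-southeast-4, eu-central-2, eu-south-1, eu-south-2, il-central-1, me-central-1, me-south-1, ap-southeast-5, ap-southeast-7, mx-central-1, ca-west-1, cn-north-1, cn-northwest-1'
 
 env:
+VERSION_INPUT: ${{ env.VERSION_INPUT }}
+AWS_REGION_INPUT: ${{ env.AWS_REGION_INPUT }}
 AWS_DEFAULT_REGION: us-east-1
 AWS_PUBLIC_ECR_REGION: us-east-1
 AWS_PRIVATE_ECR_REGION: us-west-2
@@ -77,7 +79,7 @@ jobs:
 
 - name: Pack nugets
 env:
-VERSION: ${{ github.event.inputs.version }}
+VERSION: ${{ env.VERSION_INPUT }}
 run: >
 dotnet pack
 .\src\AWS.Distro.OpenTelemetry.AutoInstrumentation
@@ -156,18 +158,18 @@ jobs:
 if: runner.os == 'Linux'
 uses: ./.github/actions/build-and-scan-image
 with:
-image-name: ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}
+image-name: ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}
 
 - name: Build and scan Windows image
 if: runner.os == 'Windows'
 uses: ./.github/actions/build-and-scan-image
 with:
-image-name: ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-windows2022
+image-name: ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-windows2022
 
 - name: Push Linux x64 Image
 if: runner.os == 'Linux'
 env:
-VERSION: ${{ github.event.inputs.version }}
+VERSION: ${{ env.VERSION_INPUT }}
 run: |
 set -e
 docker push ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v$VERSION-amd64
@@ -177,7 +179,7 @@ jobs:
 - name: Build Linux arm64 container
 if: runner.os == 'Linux'
 env:
-VERSION: ${{ github.event.inputs.version }}
+VERSION: ${{ env.VERSION_INPUT }}
 run: |
 set -e
 docker push ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v$VERSION-arm64
@@ -187,7 +189,7 @@ jobs:
 - name: Build Windows container
 if: runner.os == 'Windows'
 env:
-VERSION: ${{ github.event.inputs.version }}
+VERSION: ${{ env.VERSION_INPUT }}
 run: |
 $osInfo = systeminfo | Select-String "OS Version"
 if ($osInfo -match "10.0.20348") {
@@ -229,15 +231,15 @@ jobs:
 
 - name: Create multi-platform image and push to Amazon private ECR
 env:
-VERSION: ${{ github.event.inputs.version }}
+VERSION: ${{ env.VERSION_INPUT }}
 run: |
 docker manifest create ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v$VERSION ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v$VERSION-amd64 ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v$VERSION-arm64 ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v$VERSION-windows2022
 docker manifest inspect ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v$VERSION
 docker manifest push ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v$VERSION
 
 - name: Create multi-platform image and push to Amazon public ECR
 env:
-VERSION: ${{ github.event.inputs.version }}
+VERSION: ${{ env.VERSION_INPUT }}
 run: |
 docker manifest create ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v$VERSION ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v$VERSION-amd64 ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v$VERSION-arm64 ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v$VERSION-windows2022
 docker manifest inspect ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v$VERSION
@@ -252,7 +254,7 @@ jobs:
 - name: Set up regions matrix
 id: set-matrix
 env:
-AWS_REGIONS: ${{ github.event.inputs.aws_region }}
+AWS_REGIONS: ${{ env.AWS_REGION_INPUT }}
 run: |
 IFS=',' read -ra REGIONS <<< "$AWS_REGIONS"
 MATRIX="["
@@ -308,7 +310,7 @@ jobs:
 name: aws-distro-opentelemetry-dotnet-instrumentation-linux-glibc-x64.zip
 - name: publish
 env:
-VERSION: ${{ github.event.inputs.version }}
+VERSION: ${{ env.VERSION_INPUT }}
 run: |
 aws s3 mb s3://${{ env.BUCKET_NAME }}
 aws s3 cp aws-distro-opentelemetry-dotnet-instrumentation-linux-glibc-x64.zip s3://${{ env.BUCKET_NAME }}
@@ -477,7 +479,7 @@ jobs:
 
 - name: Upload to Private S3 Bucket
 env:
-VERSION: ${{ github.event.inputs.version }}
+VERSION: ${{ env.VERSION_INPUT }}
 run: |
 PREFIX="Release_v$VERSION"
 
@@ -493,7 +495,7 @@ jobs:
 id: create_release
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
-VERSION: ${{ github.event.inputs.version }}
+VERSION: ${{ env.VERSION_INPUT }}
 run: |
 # Extract version from Build.cs
 OTEL_INSTRUMENTATION_VERSION=$(grep "OpenTelemetryAutoInstrumentationDefaultVersion = " build/Build.cs | sed 's/.*= "\(.*\)";/\1/' | sed 's/^v//')
@@ -545,7 +547,7 @@ jobs:
 - name: Upload artifacts and checksum to release
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-VERSION: ${{ github.event.inputs.version }}
+VERSION: ${{ env.VERSION_INPUT }}
 run: |
 find ./artifacts/ -name "*.zip" | while read file; do
 base=$(basename "$file")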
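Review bot: These hunks regress steps that were already in the safe form — `VERSION: ${{ github.event.inputs.version }}` in a step-level `env:` with `$VERSION` read inside `run:` is precisely the pattern that keeps the input out of the script text — and point them at the new workflow-level `VERSION_INPUT: ${{ env.VERSION_INPUT }}`, which is a self-reference because the `env` context is not available in a workflow-level `env:` block. If GitHub accepts the file at all, `VERSION` and `AWS_REGIONS` will be empty: the push steps would publish `…:v-amd64`, `…:v-arm64` and a manifest named `…:v` to both the private and public ECR repositories, `PREFIX="Release_v$VERSION"` becomes `Release_v`, and the regions matrix is built from an empty list. Either revert these step-level `env:` lines to `github.event.inputs.version`, or make the top-level entries `VERSION_INPUT: ${{ github.event.inputs.version }}` and `AWS_REGION_INPUT: ${{ github.event.inputs.aws_region }}`; the `with: image-name:` uses and the `run:` bodies that already read `$VERSION` then need no further change. Given how many published artifacts this value names, a guard like `[[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "invalid version"; exit 1; }` (adjusted to whatever version grammar the project actually uses) in the first step would turn a bad input into a fast failure before anything is pushed.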

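--- a/.github/workflows/release-udp-exporter.yml
+++ b/.github/workflows/release-udp-exporter.yml
@@ -13,6 +13,7 @@ permissions:
 contents: write
 
 env:
+VERSION_INPUT: ${{ env.VERSION_INPUT }}
 AWS_SIGNING_KEY_REGION: us-west-2
 
 jobs:
@@ -62,7 +63,7 @@ jobs:
 run: >
 dotnet pack
 .\exporters\AWS.Distro.OpenTelemetry.Exporter.Xray.Udp
-/p:Version=${{github.event.inputs.version}}
+/p:Version=${{ env.VERSION_INPUT }}
 --no-build
 -c Release
 -o .\Deployment\nuget-packages
@@ -95,18 +96,18 @@ jobs:
 - name: Create Release Notes
 run: |
 @"
-# AWS Distro for OpenTelemetry X-Ray UDP Exporter v${{ github.event.inputs.version }}
+# AWS Distro for OpenTelemetry X-Ray UDP Exporter v${{ env.VERSION_INPUT }}
 
 ## Overview
 This release contains the AWS Distro for OpenTelemetry X-Ray UDP Exporter for .NET.
 
 ## Package Information
 - Package Name: AWS.Distro.OpenTelemetry.Exporter.Xray.Udp
-- Version: ${{ github.event.inputs.version }}
+- Version: ${{ env.VERSION_INPUT }}
 
 ## NuGet Package
 The package is available on NuGet.org:
-https://www.nuget.org/packages/AWS.Distro.OpenTelemetry.Exporter.Xray.Udp/${{ github.event.inputs.version }}
+https://www.nuget.org/packages/AWS.Distro.OpenTelemetry.Exporter.Xray.Udp/${{ env.VERSION_INPUT }}
 
 ## Release Notes
 - This exporter allows you to send OpenTelemetry traces to the AWS X-Ray daemon over UDP
@@ -116,25 +117,25 @@ jobs:
 run: |
 New-Item -Path .\Deployment\release-assets -ItemType Directory -Force
 Copy-Item -Path .\Deployment\nuget-packages\* -Destination .\Deployment\release-assets\
-Compress-Archive -Path .\Deployment\release-assets\* -DestinationPath .\udp-exporter-${{ github.event.inputs.version }}.zip
+Compress-Archive -Path .\Deployment\release-assets\* -DestinationPath .\udp-exporter-${{ env.VERSION_INPUT }}.zip
 
 - name: Create SHA256 hash for release package
 run: |
 # Create SHA256 hash file
-$hash = Get-FileHash -Path .\udp-exporter-${{ github.event.inputs.version }}.zip -Algorithm SHA256
-$hash.Hash | Out-File -FilePath .\udp-exporter-${{ github.event.inputs.version }}.zip.sha256 -Encoding utf8
+$hash = Get-FileHash -Path .\udp-exporter-${{ env.VERSION_INPUT }}.zip -Algorithm SHA256
+$hash.Hash | Out-File -FilePath .\udp-exporter-${{ env.VERSION_INPUT }}.zip.sha256 -Encoding utf8
 
 - name: Create GH release (draft)
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 run: |
 gh release create `
 --target "$env:GITHUB_REF_NAME" `
---title "Release ADOT X-Ray UDP Exporter v${{ github.event.inputs.version }}" `
+--title "Release ADOT X-Ray UDP Exporter v${{ env.VERSION_INPUT }}" `
 --notes-file release_notes.md `
 --draft `
-"Exporter.Xray.Udp-${{ github.event.inputs.version }}" `
-.\udp-exporter-${{ github.event.inputs.version }}.zip
-.\udp-exporter-${{ github.event.inputs.version }}.zip.sha256
+"Exporter.Xray.Udp-${{ env.VERSION_INPUT }}" `
+.\udp-exporter-${{ env.VERSION_INPUT }}.zip
+.\udp-exporter-${{ env.VERSION_INPUT }}.zip.sha256
 
 Remove-Item -Path release_notes.md -Force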
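Review bot: `VERSION_INPUT: ${{ env.VERSION_INPUT }}` is a self-reference (the `env` context is not available in a workflow-level `env:` block), and every `run:` step in this section still splices `${{ env.VERSION_INPUT }}` into the PowerShell script text — inside the `@" … "@` release-notes here-string, the `Compress-Archive`/`Get-FileHash`/`Out-File` paths and the `gh release create` arguments — so an input containing `"` or `$(…)` is still executed by pwsh exactly as before. These steps are PowerShell, so the variable form is `$env:VERSION_INPUT` (written `${env:VERSION_INPUT}` where a `.zip` suffix follows), and the double-quoted here-string expands it as well; the rewritten lines below show the pattern, and `/p:Version=${{ env.VERSION_INPUT }}` in the `dotnet pack` hunk can become `/p:Version=$env:VERSION_INPUT` the same way. Separately, in the `gh release create` hunk the `.\udp-exporter-….zip` line ends without the trailing backtick that the surrounding lines carry, so `.\udp-exporter-….zip.sha256` on the next line reads as a separate statement rather than the last argument — worth confirming that is not just a rendering artifact.
```yaml
env:
  VERSION_INPUT: ${{ github.event.inputs.version }}
  # … unchanged: AWS_SIGNING_KEY_REGION …

      # … unchanged: Create Release Notes step; in the here-string use
      #   # AWS Distro for OpenTelemetry X-Ray UDP Exporter v$env:VERSION_INPUT
      #   - Version: $env:VERSION_INPUT
      #   https://www.nuget.org/packages/AWS.Distro.OpenTelemetry.Exporter.Xray.Udp/$env:VERSION_INPUT
      # … unchanged: New-Item / Copy-Item …
          Compress-Archive -Path .\Deployment\release-assets\* -DestinationPath ".\udp-exporter-${env:VERSION_INPUT}.zip"
      # … unchanged: Create SHA256 hash step header …
          $hash = Get-FileHash -Path ".\udp-exporter-${env:VERSION_INPUT}.zip" -Algorithm SHA256
          $hash.Hash | Out-File -FilePath ".\udp-exporter-${env:VERSION_INPUT}.zip.sha256" -Encoding utf8
      # … unchanged: gh release create `  / --target …
            --title "Release ADOT X-Ray UDP Exporter v$env:VERSION_INPUT" `
      # … unchanged: --notes-file / --draft …
            "Exporter.Xray.Udp-$env:VERSION_INPUT" `
            ".\udp-exporter-${env:VERSION_INPUT}.zip" `
            ".\udp-exporter-${env:VERSION_INPUT}.zip.sha256"
```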

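--- a/.github/workflows/unlist-nuget.yml
+++ b/.github/workflows/unlist-nuget.yml
@@ -7,6 +7,7 @@ on:
 required: true
 
 env:
+VERSION_INPUT: ${{ env.VERSION_INPUT }}
 AWS_SIGNING_KEY_REGION: us-west-2
 
 permissions:
@@ -35,6 +36,6 @@ jobs:
 --output text
 --query SecretString | ConvertFrom-Json
 
-nuget delete AWS.Distro.OpenTelemetry.AutoInstrumentation ${{github.event.inputs.version}}
+nuget delete AWS.Distro.OpenTelemetry.AutoInstrumentation ${{ env.VERSION_INPUT }}
 -Source https://api.nuget.org/v3/index.json
 -ApiKey $nugetKey.Key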