
Commit 5d06891

committed
fix: prevent script injection in workflows
Cherry-picked from main with additional fixes for older workflow files
1 parent d18baa8 commit 5d06891


6 files changed

+783
-43
lines changed


.github/workflows/post_release_version_bump.yml

Lines changed: 25 additions & 7 deletions
@@ -9,6 +9,8 @@ on:
99

1010
env:
1111
AWS_DEFAULT_REGION: us-east-1
12+
VERSION_INPUT: ${{ env.VERSION_INPUT }}
13+
IS_PATCH_INPUT: ${{ github.event.inputs.is_patch }}
1214

1315
permissions:
1416
id-token: write
@@ -27,8 +29,8 @@ jobs:
2729

2830
- name: Extract Major.Minor Version and setup Env variable
2931
run: |
30-
echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
31-
echo "MAJOR_MINOR=$(echo ${{ github.event.inputs.version }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
32+
echo "VERSION=${{ env.VERSION_INPUT }}" >> $GITHUB_ENV
33+
echo "MAJOR_MINOR=$(echo ${{ env.VERSION_INPUT }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
3234
3335
- name: Get current major.minor version from main branch
3436
id: get_version
@@ -84,8 +86,8 @@ jobs:
8486
8587
- name: Extract Major.Minor Version and setup Env variable
8688
run: |
87-
echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
88-
echo "MAJOR_MINOR=$(echo ${{ github.event.inputs.version }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
89+
echo "VERSION=${{ env.VERSION_INPUT }}" >> $GITHUB_ENV
90+
echo "MAJOR_MINOR=$(echo ${{ env.VERSION_INPUT }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
8991
9092
- name: Determine release branch and checkout
9193
run: |
@@ -96,10 +98,26 @@ jobs:
9698
- name: Update version to next development version in main
9799
# TODO update version in daily_scan.yml
98100
run: |
99-
DEV_VERSION="${{ github.event.inputs.version }}.dev0"
101+
DEV_VERSION="${{ env.VERSION_INPUT }}.dev0"
100102
sed -i "s/public static string version = \".*\";/public static string version = \"${DEV_VERSION}\";/" src/AWS.Distro.OpenTelemetry.AutoInstrumentation/Version.cs
101103
sed -i "s/private readonly string version = \".*\";/private readonly string version = \"${DEV_VERSION}\";/" build/Build.InstallationScripts.cs
102-
VERSION="${{ github.event.inputs.version }}"
104+
<<<<<<< HEAD:.github/workflows/post_release_version_bump.yml
105+
VERSION="${{ env.VERSION_INPUT }}"
106+
=======
107+
VERSION="${{ env.VERSION_INPUT }}"
108+
sed -i -e 's/dotnet:v.*"/dotnet:v'$VERSION'"/' .github/workflows/daily-scan.yml
109+
110+
# for patch releases, avoid merge conflict by manually resolving CHANGELOG with main
111+
if [[ "${{ env.IS_PATCH_INPUT }}" == "true" ]]; then
112+
# Copy the patch release entries
113+
sed -n "/^## v${VERSION}/,/^## v[0-9]/p" CHANGELOG.md | sed '$d' > /tmp/patch_release_section.txt
114+
git fetch origin main
115+
git show origin/main:CHANGELOG.md > CHANGELOG.md
116+
# Insert the patch release entries after Unreleased
117+
awk -i inplace '/^## v[0-9]/ && !inserted { system("cat /tmp/patch_release_section.txt"); inserted=1 } {print}' CHANGELOG.md
118+
fi
119+
120+
>>>>>>> 371c614 (fix: prevent script injection in workflows (#318)):.github/workflows/post-release-version-bump.yml
103121
git add src/AWS.Distro.OpenTelemetry.AutoInstrumentation/Version.cs
104122
git add build/Build.InstallationScripts.cs
105123
git commit -m "Prepare main for next development cycle: Update version to $DEV_VERSION"
@@ -109,7 +127,7 @@ jobs:
109127
env:
110128
GITHUB_TOKEN: ${{ env.BOT_TOKEN_GITHUB_RW_PATOKEN }}
111129
run: |
112-
DEV_VERSION="${{ github.event.inputs.version }}.dev0"
130+
DEV_VERSION="${{ env.VERSION_INPUT }}.dev0"
113131
gh pr create --title "Post release $VERSION: Update version to $DEV_VERSION" \
114132
--body "This PR prepares the main branch for the next development cycle by updating the version to $DEV_VERSION and updating the image version to be scanned to the latest released.
115133
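Review bot: The `run:` block in the hunk at new lines 98–123 still carries unresolved merge-conflict markers (`<<<<<<< HEAD:...`, `=======`, `>>>>>>> 371c614 ...`) between the two `VERSION="${{ env.VERSION_INPUT }}"` assignments, so bash will try to execute them as commands and the step fails before `Version.cs` is touched; keep one assignment and drop the three marker lines. In the first hunk, `VERSION_INPUT: ${{ env.VERSION_INPUT }}` reads the env context from inside the workflow-level `env:` block that defines it, where that context is not available, so the value is presumably empty or rejected at workflow validation; the adjacent `IS_PATCH_INPUT` line shows the intended form, `VERSION_INPUT: ${{ github.event.inputs.version }}`. Moving the input into `env` only removes the injection if steps read it as a shell variable, but every changed `run:` line here still expands `${{ env.VERSION_INPUT }}` into the script text, which is the same untrusted interpolation the commit sets out to prevent. Reference the exported variable instead, e.g. `echo "VERSION=$VERSION_INPUT" >> "$GITHUB_ENV"` and `DEV_VERSION="${VERSION_INPUT}.dev0"`; the same pattern recurs throughout the pre_release_prepare.yml section below.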

.github/workflows/pre_release_prepare.yml

Lines changed: 6 additions & 4 deletions
@@ -14,6 +14,8 @@ on:
1414

1515
env:
1616
AWS_DEFAULT_REGION: us-east-1
17+
VERSION_INPUT: ${{ env.VERSION_INPUT }}
18+
IS_PATCH_INPUT: ${{ env.IS_PATCH_INPUT }}
1719

1820
permissions:
1921
contents: write
@@ -52,12 +54,12 @@ jobs:
5254
5355
- name: Extract Major.Minor Version and setup Env variable
5456
run: |
55-
echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
56-
echo "MAJOR_MINOR=$(echo ${{ github.event.inputs.version }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
57+
echo "VERSION=${{ env.VERSION_INPUT }}" >> $GITHUB_ENV
58+
echo "MAJOR_MINOR=$(echo ${{ env.VERSION_INPUT }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
5759
5860
- name: Create branches
5961
run: |
60-
IS_PATCH=${{ github.event.inputs.is_patch }}
62+
IS_PATCH=${{ env.IS_PATCH_INPUT }}
6163
if [[ "$IS_PATCH" != "true" && "$IS_PATCH" != "false" ]]; then
6264
echo "Invalid input for IS_PATCH. Must be 'true' or 'false'."
6365
exit 1
@@ -103,5 +105,5 @@ jobs:
103105
--body "This PR updates the version to ${VERSION}.
104106
105107
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice." \
106-
--head v${{ github.event.inputs.version }}_release \
108+
--head v${{ env.VERSION_INPUT }}_release \
107109
--base release/v${MAJOR_MINOR}.x
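Review bot: Both new workflow-level values, `VERSION_INPUT: ${{ env.VERSION_INPUT }}` and `IS_PATCH_INPUT: ${{ env.IS_PATCH_INPUT }}`, reference the env context from inside the `env:` block that defines them, where that context is not available, so both are presumably empty or rejected at validation and the `IS_PATCH` allow-list check at old line 61 would fail every run; they should read `${{ github.event.inputs.version }}` and `${{ github.event.inputs.is_patch }}`, the values the removed lines used directly. That check (`"$IS_PATCH" != "true" && "$IS_PATCH" != "false"`) is a good guard, but it runs only after `IS_PATCH=${{ env.IS_PATCH_INPUT }}` has already been interpolated into the script text, so it cannot stop an injected value; `IS_PATCH="$IS_PATCH_INPUT"` keeps the check and closes the gap. The same applies to `--head v${{ env.VERSION_INPUT }}_release` in the `gh pr create` call, which should become `--head "v${VERSION_INPUT}_release"`. The `gh pr create` step in the last hunk begins outside the hunk.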
