fix: prevent script injection in workflows

thpierce · thpierce · commit 60d174f78e8f · 2026-02-09T13:12:40.000-08:00
Move github.event references to env vars to prevent script injection vulnerabilities in workflow run steps. This follows the same pattern as the main branch fix in commit 371c614.
diff --git a/.github/workflows/post-release-version-bump.yml b/.github/workflows/post-release-version-bump.yml
@@ -12,6 +12,8 @@ on:
         default: 'false'
 
 env:
+  VERSION_INPUT: ${{ env.VERSION_INPUT }}
+  IS_PATCH_INPUT: ${{ env.IS_PATCH_INPUT }}
   AWS_DEFAULT_REGION: us-east-1
 
 permissions:
@@ -31,8 +33,8 @@ jobs:
 
       - name: Extract Major.Minor Version and setup Env variable
         run: |
-          echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
-          echo "MAJOR_MINOR=$(echo ${{ github.event.inputs.version }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
+          echo "VERSION=${{ env.VERSION_INPUT }}" >> $GITHUB_ENV
+          echo "MAJOR_MINOR=$(echo ${{ env.VERSION_INPUT }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
 
       - name: Get current major.minor version from main branch
         id: get_version
@@ -88,8 +90,8 @@ jobs:
 
       - name: Extract Major.Minor Version and setup Env variable
         run: |
-          echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
-          echo "MAJOR_MINOR=$(echo ${{ github.event.inputs.version }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
+          echo "VERSION=${{ env.VERSION_INPUT }}" >> $GITHUB_ENV
+          echo "MAJOR_MINOR=$(echo ${{ env.VERSION_INPUT }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
 
       - name: Determine release branch and checkout
         run: |
@@ -99,14 +101,14 @@ jobs:
 
       - name: Update version to next development version in main
         run: |
-          DEV_VERSION="${{ github.event.inputs.version }}.dev0"
+          DEV_VERSION="${{ env.VERSION_INPUT }}.dev0"
           sed -i "s/public static string version = \".*\";/public static string version = \"${DEV_VERSION}\";/" src/AWS.Distro.OpenTelemetry.AutoInstrumentation/Version.cs
           sed -i "s/private readonly string version = \".*\";/private readonly string version = \"${DEV_VERSION}\";/" build/Build.InstallationScripts.cs
-          VERSION="${{ github.event.inputs.version }}"
+          VERSION="${{ env.VERSION_INPUT }}"
           sed -i -e 's/dotnet:v.*"/dotnet:v'$VERSION'"/' .github/workflows/daily-scan.yml
 
           # for patch releases, avoid merge conflict by manually resolving CHANGELOG with main
-          if [[ "${{ github.event.inputs.is_patch }}" == "true" ]]; then
+          if [[ "${{ env.IS_PATCH_INPUT }}" == "true" ]]; then
             # Copy the patch release entries
             sed -n "/^## v${VERSION}/,/^## v[0-9]/p" CHANGELOG.md | sed '$d' > /tmp/patch_release_section.txt
             git fetch origin main
@@ -126,7 +128,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ env.BOT_TOKEN_GITHUB_RW_PATOKEN }}
         run: |
-          DEV_VERSION="${{ github.event.inputs.version }}.dev0"
+          DEV_VERSION="${{ env.VERSION_INPUT }}.dev0"
           gh pr create --title "Post release $VERSION: Update version to $DEV_VERSION" \
                        --body "This PR prepares the main branch for the next development cycle by updating the version to $DEV_VERSION and updating the image version to be scanned to the latest released.
 
diff --git a/.github/workflows/pre-release-prepare.yml b/.github/workflows/pre-release-prepare.yml
@@ -13,6 +13,8 @@ on:
         default: 'false'
 
 env:
+  VERSION_INPUT: ${{ env.VERSION_INPUT }}
+  IS_PATCH_INPUT: ${{ env.IS_PATCH_INPUT }}
   AWS_DEFAULT_REGION: us-east-1
 
 permissions:
@@ -52,12 +54,12 @@ jobs:
 
       - name: Extract Major.Minor Version and setup Env variable
         run: |
-          echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
-          echo "MAJOR_MINOR=$(echo ${{ github.event.inputs.version }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
+          echo "VERSION=${{ env.VERSION_INPUT }}" >> $GITHUB_ENV
+          echo "MAJOR_MINOR=$(echo ${{ env.VERSION_INPUT }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
 
       - name: Create branches
         run: |
-          IS_PATCH=${{ github.event.inputs.is_patch }}
+          IS_PATCH=${{ env.IS_PATCH_INPUT }}
           if [[ "$IS_PATCH" != "true" && "$IS_PATCH" != "false" ]]; then
             echo "Invalid input for IS_PATCH. Must be 'true' or 'false'."
             exit 1
@@ -110,5 +112,5 @@ jobs:
                        --body "This PR updates the version to ${VERSION}.
 
           By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice." \
-                       --head v${{ github.event.inputs.version }}_release \
+                       --head v${{ env.VERSION_INPUT }}_release \
                        --base release/v${MAJOR_MINOR}.x
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
@@ -11,6 +11,8 @@ on:
         default: 'us-east-1, us-east-2, us-west-1, us-west-2, ap-south-1, ap-northeast-3, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-northeast-1, ca-central-1, eu-central-1, eu-west-1, eu-west-2, eu-west-3, eu-north-1, sa-east-1, af-south-1, ap-east-1, ap-south-2, ap-southeast-3, ap-southeast-4, eu-central-2, eu-south-1, eu-south-2, il-central-1, me-central-1, me-south-1, ap-southeast-5, ap-southeast-7, mx-central-1, ca-west-1, cn-north-1, cn-northwest-1'
 
 env:
+  VERSION_INPUT: ${{ env.VERSION_INPUT }}
+  AWS_REGION_INPUT: ${{ env.AWS_REGION_INPUT }}
   AWS_DEFAULT_REGION: us-east-1
   AWS_PUBLIC_ECR_REGION: us-east-1
   AWS_PRIVATE_ECR_REGION: us-west-2
@@ -77,7 +79,7 @@ jobs:
           
       - name: Pack nugets
         env:
-          VERSION: ${{ github.event.inputs.version }}
+          VERSION: ${{ env.VERSION_INPUT }}
         run: >
           dotnet pack
           .\src\AWS.Distro.OpenTelemetry.AutoInstrumentation
@@ -155,18 +157,18 @@ jobs:
         if: runner.os == 'Linux'
         uses: ./.github/actions/build-and-scan-image
         with:
-          image-name: ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}
+          image-name: ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}
 
       - name: Build and scan Windows image
         if: runner.os == 'Windows'
         uses: ./.github/actions/build-and-scan-image
         with:
-          image-name: ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-windows2022
+          image-name: ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-windows2022
 
       - name: Push Linux x64 Image
         if: runner.os == 'Linux'
         env:
-          VERSION: ${{ github.event.inputs.version }}
+          VERSION: ${{ env.VERSION_INPUT }}
         run: |
           set -e
           docker push ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v$VERSION-amd64
@@ -176,7 +178,7 @@ jobs:
       - name: Push Linux arm64 Image
         if: runner.os == 'Linux'
         env:
-          VERSION: ${{ github.event.inputs.version }}
+          VERSION: ${{ env.VERSION_INPUT }}
         run: |
           set -e
           docker push ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v$VERSION-arm64
@@ -186,7 +188,7 @@ jobs:
       - name: Push Windows Images
         if: runner.os == 'Windows'
         env:
-          VERSION: ${{ github.event.inputs.version }}
+          VERSION: ${{ env.VERSION_INPUT }}
         run: |
           $osInfo = systeminfo | Select-String "OS Version"
           if ($osInfo -match "10.0.20348") {
@@ -228,15 +230,15 @@ jobs:
 
       - name: Create multi-platform image and push to Amazon private ECR
         env:
-          VERSION: ${{ github.event.inputs.version }}
+          VERSION: ${{ env.VERSION_INPUT }}
         run: |
           docker manifest create ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v$VERSION ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v$VERSION-amd64 ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v$VERSION-arm64 ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v$VERSION-windows2022
           docker manifest inspect ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v$VERSION
           docker manifest push ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v$VERSION
 
       - name: Create multi-platform image and push to Amazon public ECR
         env:
-          VERSION: ${{ github.event.inputs.version }}
+          VERSION: ${{ env.VERSION_INPUT }}
         run: |
           docker manifest create ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v$VERSION ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v$VERSION-amd64 ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v$VERSION-arm64 ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v$VERSION-windows2022
           docker manifest inspect ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v$VERSION
@@ -251,7 +253,7 @@ jobs:
       - name: Set up regions matrix
         id: set-matrix
         env:
-          AWS_REGIONS: ${{ github.event.inputs.aws_region }}
+          AWS_REGIONS: ${{ env.AWS_REGION_INPUT }}
         run: |
           IFS=',' read -ra REGIONS <<< "$AWS_REGIONS"
           MATRIX="["
@@ -307,7 +309,7 @@ jobs:
           name: aws-distro-opentelemetry-dotnet-instrumentation-linux-glibc-x64.zip
       - name: publish
         env:
-          VERSION: ${{ github.event.inputs.version }}
+          VERSION: ${{ env.VERSION_INPUT }}
         run: |
           aws s3 mb s3://${{ env.BUCKET_NAME }}
           aws s3 cp aws-distro-opentelemetry-dotnet-instrumentation-linux-glibc-x64.zip s3://${{ env.BUCKET_NAME }}
@@ -476,7 +478,7 @@ jobs:
 
       - name: Upload to Private S3 Bucket
         env:
-          VERSION: ${{ github.event.inputs.version }}
+          VERSION: ${{ env.VERSION_INPUT }}
         run: |
           PREFIX="Release_v$VERSION"
 
@@ -492,7 +494,7 @@ jobs:
         id: create_release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
-          VERSION: ${{ github.event.inputs.version }}
+          VERSION: ${{ env.VERSION_INPUT }}
         run: |
           # Extract version from Build.cs
           OTEL_INSTRUMENTATION_VERSION=$(grep "OpenTelemetryAutoInstrumentationDefaultVersion = " build/Build.cs | sed 's/.*= "\(.*\)";/\1/' | sed 's/^v//')
@@ -544,7 +546,7 @@ jobs:
       - name: Upload artifacts and checksum to release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          VERSION: ${{ github.event.inputs.version }}
+          VERSION: ${{ env.VERSION_INPUT }}
         run: |
           find ./artifacts/ -name "*.zip" | while read file; do
           base=$(basename "$file")
diff --git a/.github/workflows/release-udp-exporter.yml b/.github/workflows/release-udp-exporter.yml
@@ -13,6 +13,7 @@ permissions:
   contents: write
 
 env:
+  VERSION_INPUT: ${{ env.VERSION_INPUT }}
   AWS_SIGNING_KEY_REGION: us-west-2
 
 jobs:
@@ -62,7 +63,7 @@ jobs:
         run: >
           dotnet pack
           .\exporters\AWS.Distro.OpenTelemetry.Exporter.Xray.Udp
-          /p:Version=${{github.event.inputs.version}}
+          /p:Version=${{ env.VERSION_INPUT }}
           --no-build
           -c Release
           -o .\Deployment\nuget-packages
@@ -95,18 +96,18 @@ jobs:
       - name: Create Release Notes
         run: |
           @"
-          # AWS Distro for OpenTelemetry X-Ray UDP Exporter v${{ github.event.inputs.version }}
+          # AWS Distro for OpenTelemetry X-Ray UDP Exporter v${{ env.VERSION_INPUT }}
 
           ## Overview
           This release contains the AWS Distro for OpenTelemetry X-Ray UDP Exporter for .NET.
 
           ## Package Information
           - Package Name: AWS.Distro.OpenTelemetry.Exporter.Xray.Udp
-          - Version: ${{ github.event.inputs.version }}
+          - Version: ${{ env.VERSION_INPUT }}
 
           ## NuGet Package
           The package is available on NuGet.org:
-          https://www.nuget.org/packages/AWS.Distro.OpenTelemetry.Exporter.Xray.Udp/${{ github.event.inputs.version }}
+          https://www.nuget.org/packages/AWS.Distro.OpenTelemetry.Exporter.Xray.Udp/${{ env.VERSION_INPUT }}
 
           ## Release Notes
           - This exporter allows you to send OpenTelemetry traces to the AWS X-Ray daemon over UDP
@@ -116,25 +117,25 @@ jobs:
         run: |
           New-Item -Path .\Deployment\release-assets -ItemType Directory -Force
           Copy-Item -Path .\Deployment\nuget-packages\* -Destination .\Deployment\release-assets\
-          Compress-Archive -Path .\Deployment\release-assets\* -DestinationPath .\udp-exporter-${{ github.event.inputs.version }}.zip
+          Compress-Archive -Path .\Deployment\release-assets\* -DestinationPath .\udp-exporter-${{ env.VERSION_INPUT }}.zip
 
       - name: Create SHA256 hash for release package
         run: |
           # Create SHA256 hash file
-          $hash = Get-FileHash -Path .\udp-exporter-${{ github.event.inputs.version }}.zip -Algorithm SHA256
-          $hash.Hash | Out-File -FilePath .\udp-exporter-${{ github.event.inputs.version }}.zip.sha256 -Encoding utf8
+          $hash = Get-FileHash -Path .\udp-exporter-${{ env.VERSION_INPUT }}.zip -Algorithm SHA256
+          $hash.Hash | Out-File -FilePath .\udp-exporter-${{ env.VERSION_INPUT }}.zip.sha256 -Encoding utf8
 
       - name: Create GH release (draft)
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           gh release create `
             --target "$env:GITHUB_REF_NAME" `
-            --title "Release ADOT X-Ray UDP Exporter v${{ github.event.inputs.version }}" `
+            --title "Release ADOT X-Ray UDP Exporter v${{ env.VERSION_INPUT }}" `
             --notes-file release_notes.md `
             --draft `
-            "Exporter.Xray.Udp-${{ github.event.inputs.version }}" `
-            .\udp-exporter-${{ github.event.inputs.version }}.zip
-            .\udp-exporter-${{ github.event.inputs.version }}.zip.sha256
+            "Exporter.Xray.Udp-${{ env.VERSION_INPUT }}" `
+            .\udp-exporter-${{ env.VERSION_INPUT }}.zip
+            .\udp-exporter-${{ env.VERSION_INPUT }}.zip.sha256
 
           Remove-Item -Path release_notes.md -Force
diff --git a/.github/workflows/unlist-nuget.yml b/.github/workflows/unlist-nuget.yml
@@ -7,6 +7,7 @@ on:
         required: true
 
 env:
+  VERSION_INPUT: ${{ env.VERSION_INPUT }}
   AWS_SIGNING_KEY_REGION: us-west-2
 
 permissions:
@@ -35,6 +36,6 @@ jobs:
           --output text
           --query SecretString | ConvertFrom-Json
 
-          nuget delete AWS.Distro.OpenTelemetry.AutoInstrumentation ${{github.event.inputs.version}}
+          nuget delete AWS.Distro.OpenTelemetry.AutoInstrumentation ${{ env.VERSION_INPUT }}
           -Source https://api.nuget.org/v3/index.json
           -ApiKey $nugetKey.Key
