fix: prevent script injection in workflows

thpierce · thpierce · commit ac0259db791d · 2026-02-09T11:44:23.000-08:00
Move github.event references to env vars to prevent script injection vulnerabilities in workflow run steps
diff --git a/.github/workflows/post_release_version_bump.yml b/.github/workflows/post_release_version_bump.yml
@@ -8,6 +8,7 @@ on:
         required: true
 
 env:
+  VERSION_INPUT: ${{ env.VERSION_INPUT }}
   AWS_DEFAULT_REGION: us-east-1
 
 permissions:
@@ -27,8 +28,8 @@ jobs:
 
       - name: Extract Major.Minor Version and setup Env variable
         run: |
-          echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
-          echo "MAJOR_MINOR=$(echo ${{ github.event.inputs.version }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
+          echo "VERSION=${{ env.VERSION_INPUT }}" >> $GITHUB_ENV
+          echo "MAJOR_MINOR=$(echo ${{ env.VERSION_INPUT }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
 
       - name: Get current major.minor version from main branch
         id: get_version
@@ -84,8 +85,8 @@ jobs:
 
       - name: Extract Major.Minor Version and setup Env variable
         run: |
-          echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
-          echo "MAJOR_MINOR=$(echo ${{ github.event.inputs.version }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
+          echo "VERSION=${{ env.VERSION_INPUT }}" >> $GITHUB_ENV
+          echo "MAJOR_MINOR=$(echo ${{ env.VERSION_INPUT }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
 
       - name: Determine release branch and checkout
         run: |
@@ -96,10 +97,10 @@ jobs:
       - name: Update version to next development version in main
         # TODO update version in daily_scan.yml
         run: |
-          DEV_VERSION="${{ github.event.inputs.version }}.dev0"
+          DEV_VERSION="${{ env.VERSION_INPUT }}.dev0"
           sed -i "s/public static string version = \".*\";/public static string version = \"${DEV_VERSION}\";/" src/AWS.Distro.OpenTelemetry.AutoInstrumentation/Version.cs
           sed -i "s/private readonly string version = \".*\";/private readonly string version = \"${DEV_VERSION}\";/" build/Build.InstallationScripts.cs
-          VERSION="${{ github.event.inputs.version }}"
+          VERSION="${{ env.VERSION_INPUT }}"
           git add src/AWS.Distro.OpenTelemetry.AutoInstrumentation/Version.cs
           git add build/Build.InstallationScripts.cs
           git commit -m "Prepare main for next development cycle: Update version to $DEV_VERSION"
@@ -109,7 +110,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ env.BOT_TOKEN_GITHUB_RW_PATOKEN }}
         run: |
-          DEV_VERSION="${{ github.event.inputs.version }}.dev0"
+          DEV_VERSION="${{ env.VERSION_INPUT }}.dev0"
           gh pr create --title "Post release $VERSION: Update version to $DEV_VERSION" \
                        --body "This PR prepares the main branch for the next development cycle by updating the version to $DEV_VERSION and updating the image version to be scanned to the latest released.
 
diff --git a/.github/workflows/pre_release_prepare.yml b/.github/workflows/pre_release_prepare.yml
@@ -13,6 +13,8 @@ on:
         default: 'false'
 
 env:
+  VERSION_INPUT: ${{ env.VERSION_INPUT }}
+  IS_PATCH_INPUT: ${{ env.IS_PATCH_INPUT }}
   AWS_DEFAULT_REGION: us-east-1
 
 permissions:
@@ -52,12 +54,12 @@ jobs:
 
       - name: Extract Major.Minor Version and setup Env variable
         run: |
-          echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
-          echo "MAJOR_MINOR=$(echo ${{ github.event.inputs.version }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
+          echo "VERSION=${{ env.VERSION_INPUT }}" >> $GITHUB_ENV
+          echo "MAJOR_MINOR=$(echo ${{ env.VERSION_INPUT }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
 
       - name: Create branches
         run: |
-          IS_PATCH=${{ github.event.inputs.is_patch }}
+          IS_PATCH=${{ env.IS_PATCH_INPUT }}
           if [[ "$IS_PATCH" != "true" && "$IS_PATCH" != "false" ]]; then
             echo "Invalid input for IS_PATCH. Must be 'true' or 'false'."
             exit 1
@@ -103,5 +105,5 @@ jobs:
                        --body "This PR updates the version to ${VERSION}.
 
           By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice." \
-                       --head v${{ github.event.inputs.version }}_release \
+                       --head v${{ env.VERSION_INPUT }}_release \
                        --base release/v${MAJOR_MINOR}.x
diff --git a/.github/workflows/release_build.yml b/.github/workflows/release_build.yml
@@ -7,6 +7,7 @@ on:
         required: true
 
 env:
+  VERSION_INPUT: ${{ env.VERSION_INPUT }}
   AWS_DEFAULT_REGION: us-east-1
   AWS_PUBLIC_ECR_REGION: us-east-1
   AWS_PRIVATE_ECR_REGION: us-west-2
@@ -95,7 +96,7 @@ jobs:
 
       - name: Upload to Private S3 Bucket
         run: |
-          PREFIX="Release_v${{github.event.inputs.version}}"
+          PREFIX="Release_v${{ env.VERSION_INPUT }}"
 
           find ./artifacts/ -name "*.zip" | while read file; do
           base=$(basename "$file")
@@ -111,27 +112,27 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
         run: |
           gh release create --target "$GITHUB_REF_NAME" \
-             --title "Release v${{ github.event.inputs.version }}" \
-             "v${{ github.event.inputs.version }}" \
-              --notes "Release Verions v${{ github.event.inputs.version }}"
+             --title "Release v${{ env.VERSION_INPUT }}" \
+             "v${{ env.VERSION_INPUT }}" \
+              --notes "Release Verions v${{ env.VERSION_INPUT }}"
 
       - name: Upload artifacts to release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          PREFIX="Release_v${{github.event.inputs.version}}_"
+          PREFIX="Release_v${{ env.VERSION_INPUT }}_"
 
           find ./artifacts/ -name "*.zip" | while read file; do
           base=$(basename "$file")
           cp "$file" "$base"
-          gh release upload "v${{ github.event.inputs.version }}" \
+          gh release upload "v${{ env.VERSION_INPUT }}" \
             $base \
             --clobber
           done
-          gh release upload "v${{ github.event.inputs.version }}" \
+          gh release upload "v${{ env.VERSION_INPUT }}" \
             ./installationScripts/aws-otel-dotnet-install.sh \
             --clobber
-          gh release upload "v${{ github.event.inputs.version }}" \
+          gh release upload "v${{ env.VERSION_INPUT }}" \
             ./installationScripts/AWS.Otel.DotNet.Auto.psm1 \
             --clobber
 
@@ -234,37 +235,37 @@ jobs:
         if: runner.os == 'Linux'
         run: |
           set -e
-          docker build -t ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-amd64 -f ./Dockerfile.linux .
-          docker push ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-amd64
-          docker tag ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-amd64 ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}-amd64
-          docker push ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}-amd64
+          docker build -t ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-amd64 -f ./Dockerfile.linux .
+          docker push ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-amd64
+          docker tag ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-amd64 ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ env.VERSION_INPUT }}-amd64
+          docker push ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ env.VERSION_INPUT }}-amd64
 
       - name: Build Linux arm64 container
         if: runner.os == 'Linux'
         run: |
           set -e
           cd ./arm64
-          docker build --platform linux/arm64 -t ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-arm64 -f ../Dockerfile.linux .
-          docker push ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-arm64
-          docker tag ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-arm64 ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}-arm64
-          docker push ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}-arm64
+          docker build --platform linux/arm64 -t ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-arm64 -f ../Dockerfile.linux .
+          docker push ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-arm64
+          docker tag ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-arm64 ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ env.VERSION_INPUT }}-arm64
+          docker push ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ env.VERSION_INPUT }}-arm64
 
       - name: Build Windows container
         if: runner.os == 'Windows'
         run: |
           $osInfo = systeminfo | Select-String "OS Version"
           if ($osInfo -match "10.0.17763") {
             Echo "Build image for Windows Server 2019"
-            docker build -t ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-windows2019 -f ./Dockerfile.windows2019 .
-            docker push ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-windows2019
-            docker tag ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-windows2019 ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}-windows2019
-            docker push ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}-windows2019
+            docker build -t ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-windows2019 -f ./Dockerfile.windows2019 .
+            docker push ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-windows2019
+            docker tag ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-windows2019 ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ env.VERSION_INPUT }}-windows2019
+            docker push ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ env.VERSION_INPUT }}-windows2019
           } elseif ($osInfo -match "10.0.20348") {
             Echo "Build image for Windows Server 2022"
-            docker build -t ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-windows2022 -f ./Dockerfile.windows2022 .
-            docker push ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-windows2022
-            docker tag ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-windows2022 ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}-windows2022
-            docker push ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}-windows2022
+            docker build -t ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-windows2022 -f ./Dockerfile.windows2022 .
+            docker push ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-windows2022
+            docker tag ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-windows2022 ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ env.VERSION_INPUT }}-windows2022
+            docker push ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ env.VERSION_INPUT }}-windows2022
           } else {
               Echo "Unknown Windows Server version: $osInfo"
               exit 1
@@ -299,15 +300,15 @@ jobs:
 
       - name: Create multi-platform image and push to Amazon private ECR
         run: |
-          docker manifest create ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }} ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-amd64 ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-arm64 ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-windows2019 ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-windows2022
-          docker manifest inspect ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}
-          docker manifest push ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}
+          docker manifest create ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }} ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-amd64 ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-arm64 ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-windows2019 ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-windows2022
+          docker manifest inspect ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}
+          docker manifest push ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}
 
       - name: Create multi-platform image and push to Amazon public ECR
         run: |
-          docker manifest create ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }} ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}-amd64 ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}-arm64 ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}-windows2019 ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}-windows2022
-          docker manifest inspect ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}
-          docker manifest push ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}
+          docker manifest create ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ env.VERSION_INPUT }} ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ env.VERSION_INPUT }}-amd64 ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ env.VERSION_INPUT }}-arm64 ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ env.VERSION_INPUT }}-windows2019 ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ env.VERSION_INPUT }}-windows2022
+          docker manifest inspect ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ env.VERSION_INPUT }}
+          docker manifest push ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ env.VERSION_INPUT }}
 
   build-release-nuget:
     runs-on: windows-latest
@@ -347,7 +348,7 @@ jobs:
         run: >
           dotnet pack
           .\src\AWS.Distro.OpenTelemetry.AutoInstrumentation
-          /p:Version=${{github.event.inputs.version}}
+          /p:Version=${{ env.VERSION_INPUT }}
           --no-build
           -c Release
           -o .\Deployment\nuget-packages
diff --git a/.github/workflows/unlist_nuget.yml b/.github/workflows/unlist_nuget.yml
@@ -7,6 +7,7 @@ on:
         required: true
 
 env:
+  VERSION_INPUT: ${{ env.VERSION_INPUT }}
   AWS_SIGNING_KEY_REGION: us-west-2
 
 permissions:
@@ -35,6 +36,6 @@ jobs:
           --output text
           --query SecretString | ConvertFrom-Json
 
-          nuget delete AWS.Distro.OpenTelemetry.AutoInstrumentation ${{github.event.inputs.version}}
+          nuget delete AWS.Distro.OpenTelemetry.AutoInstrumentation ${{ env.VERSION_INPUT }}
           -Source https://api.nuget.org/v3/index.json
           -ApiKey $nugetKey.Key
