fix: prevent script injection in workflows

thpierce · thpierce · commit bee50ee0edad · 2026-02-09T13:12:21.000-08:00
Move github.event references to env vars to prevent script injection vulnerabilities in workflow run steps. This follows the same pattern as the main branch fix in commit 371c614.
diff --git a/.github/workflows/post_release_version_bump.yml b/.github/workflows/post_release_version_bump.yml
@@ -8,6 +8,7 @@ on:
         required: true
 
 env:
+  VERSION_INPUT: ${{ env.VERSION_INPUT }}
   AWS_DEFAULT_REGION: us-east-1
 
 permissions:
@@ -27,8 +28,8 @@ jobs:
 
       - name: Extract Major.Minor Version and setup Env variable
         run: |
-          echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
-          echo "MAJOR_MINOR=$(echo ${{ github.event.inputs.version }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
+          echo "VERSION=${{ env.VERSION_INPUT }}" >> $GITHUB_ENV
+          echo "MAJOR_MINOR=$(echo ${{ env.VERSION_INPUT }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
 
       - name: Get current major.minor version from main branch
         id: get_version
@@ -84,8 +85,8 @@ jobs:
 
       - name: Extract Major.Minor Version and setup Env variable
         run: |
-          echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
-          echo "MAJOR_MINOR=$(echo ${{ github.event.inputs.version }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
+          echo "VERSION=${{ env.VERSION_INPUT }}" >> $GITHUB_ENV
+          echo "MAJOR_MINOR=$(echo ${{ env.VERSION_INPUT }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
 
       - name: Determine release branch and checkout
         run: |
@@ -96,10 +97,10 @@ jobs:
       - name: Update version to next development version in main
         # TODO update version in daily_scan.yml
         run: |
-          DEV_VERSION="${{ github.event.inputs.version }}.dev0"
+          DEV_VERSION="${{ env.VERSION_INPUT }}.dev0"
           sed -i "s/public static string version = \".*\";/public static string version = \"${DEV_VERSION}\";/" src/AWS.Distro.OpenTelemetry.AutoInstrumentation/Version.cs
           sed -i "s/private readonly string version = \".*\";/private readonly string version = \"${DEV_VERSION}\";/" build/Build.InstallationScripts.cs
-          VERSION="${{ github.event.inputs.version }}"
+          VERSION="${{ env.VERSION_INPUT }}"
           git add src/AWS.Distro.OpenTelemetry.AutoInstrumentation/Version.cs
           git add build/Build.InstallationScripts.cs
           git commit -m "Prepare main for next development cycle: Update version to $DEV_VERSION"
@@ -109,7 +110,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ env.BOT_TOKEN_GITHUB_RW_PATOKEN }}
         run: |
-          DEV_VERSION="${{ github.event.inputs.version }}.dev0"
+          DEV_VERSION="${{ env.VERSION_INPUT }}.dev0"
           gh pr create --title "Post release $VERSION: Update version to $DEV_VERSION" \
                        --body "This PR prepares the main branch for the next development cycle by updating the version to $DEV_VERSION and updating the image version to be scanned to the latest released.
 
diff --git a/.github/workflows/pre_release_prepare.yml b/.github/workflows/pre_release_prepare.yml
@@ -13,6 +13,8 @@ on:
         default: 'false'
 
 env:
+  VERSION_INPUT: ${{ env.VERSION_INPUT }}
+  IS_PATCH_INPUT: ${{ env.IS_PATCH_INPUT }}
   AWS_DEFAULT_REGION: us-east-1
 
 permissions:
@@ -52,12 +54,12 @@ jobs:
 
       - name: Extract Major.Minor Version and setup Env variable
         run: |
-          echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
-          echo "MAJOR_MINOR=$(echo ${{ github.event.inputs.version }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
+          echo "VERSION=${{ env.VERSION_INPUT }}" >> $GITHUB_ENV
+          echo "MAJOR_MINOR=$(echo ${{ env.VERSION_INPUT }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
 
       - name: Create branches
         run: |
-          IS_PATCH=${{ github.event.inputs.is_patch }}
+          IS_PATCH=${{ env.IS_PATCH_INPUT }}
           if [[ "$IS_PATCH" != "true" && "$IS_PATCH" != "false" ]]; then
             echo "Invalid input for IS_PATCH. Must be 'true' or 'false'."
             exit 1
@@ -103,5 +105,5 @@ jobs:
                        --body "This PR updates the version to ${VERSION}.
 
           By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice." \
-                       --head v${{ github.event.inputs.version }}_release \
+                       --head v${{ env.VERSION_INPUT }}_release \
                        --base release/v${MAJOR_MINOR}.x
diff --git a/.github/workflows/release_build.yml b/.github/workflows/release_build.yml
@@ -7,6 +7,7 @@ on:
         required: true
 
 env:
+  VERSION_INPUT: ${{ env.VERSION_INPUT }}
   AWS_DEFAULT_REGION: us-east-1
   AWS_PUBLIC_ECR_REGION: us-east-1
   AWS_PRIVATE_ECR_REGION: us-west-2
@@ -89,7 +90,7 @@ jobs:
 
       - name: Upload to Private S3 Bucket
         run: |
-          PREFIX="Release_v${{github.event.inputs.version}}"
+          PREFIX="Release_v${{ env.VERSION_INPUT }}"
 
           find ./artifacts/ -name "*.zip" | while read file; do
           base=$(basename "$file")
@@ -105,32 +106,32 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
         run: |
           gh release create --target "$GITHUB_REF_NAME" \
-             --title "Release v${{ github.event.inputs.version }}" \
-             "v${{ github.event.inputs.version }}" \
-              --notes "Release Verions v${{ github.event.inputs.version }}"
+             --title "Release v${{ env.VERSION_INPUT }}" \
+             "v${{ env.VERSION_INPUT }}" \
+              --notes "Release Verions v${{ env.VERSION_INPUT }}"
 
       - name: Upload artifacts and checksum to release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
-          PREFIX="Release_v${{github.event.inputs.version}}_"
+          PREFIX="Release_v${{ env.VERSION_INPUT }}_"
 
           find ./artifacts/ -name "*.zip" | while read file; do
           base=$(basename "$file")
           cp "$file" "$base"
           shasum -a 256 $base > $base.sha256
-          gh release upload "v${{ github.event.inputs.version }}" \
+          gh release upload "v${{ env.VERSION_INPUT }}" \
             $base \
             $base.sha256 \
             --clobber
           done
           shasum -a 256 ./installationScripts/aws-otel-dotnet-install.sh | sed "s|./installationScripts/||" > aws-otel-dotnet-install.sh.sha256
           shasum -a 256 ./installationScripts/AWS.Otel.DotNet.Auto.psm1 | sed "s|./installationScripts/||" > AWS.Otel.DotNet.Auto.psm1.sha256
-          gh release upload "v${{ github.event.inputs.version }}" \
+          gh release upload "v${{ env.VERSION_INPUT }}" \
             ./installationScripts/aws-otel-dotnet-install.sh \
             aws-otel-dotnet-install.sh.sha256 \
             --clobber
-          gh release upload "v${{ github.event.inputs.version }}" \
+          gh release upload "v${{ env.VERSION_INPUT }}" \
             ./installationScripts/AWS.Otel.DotNet.Auto.psm1 \
             AWS.Otel.DotNet.Auto.psm1.sha256 \
             --clobber
@@ -234,38 +235,38 @@ jobs:
         if: runner.os == 'Linux'
         run: |
           set -e
-          docker build -t ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-amd64 -f ./Dockerfile.linux .
-          docker push ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-amd64
-          docker tag ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-amd64 ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}-amd64
-          docker push ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}-amd64
+          docker build -t ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-amd64 -f ./Dockerfile.linux .
+          docker push ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-amd64
+          docker tag ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-amd64 ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ env.VERSION_INPUT }}-amd64
+          docker push ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ env.VERSION_INPUT }}-amd64
 
       - name: Build Linux arm64 container
         if: runner.os == 'Linux'
         run: |
           set -e
           cp THIRD-PARTY-LICENSES ./arm64/THIRD-PARTY-LICENSES
           cd ./arm64
-          docker build --platform linux/arm64 -t ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-arm64 -f ../Dockerfile.linux .
-          docker push ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-arm64
-          docker tag ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-arm64 ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}-arm64
-          docker push ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}-arm64
+          docker build --platform linux/arm64 -t ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-arm64 -f ../Dockerfile.linux .
+          docker push ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-arm64
+          docker tag ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-arm64 ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ env.VERSION_INPUT }}-arm64
+          docker push ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ env.VERSION_INPUT }}-arm64
 
       - name: Build Windows container
         if: runner.os == 'Windows'
         run: |
           $osInfo = systeminfo | Select-String "OS Version"
           if ($osInfo -match "10.0.17763") {
             Echo "Build image for Windows Server 2019"
-            docker build -t ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-windows2019 -f ./Dockerfile.windows2019 .
-            docker push ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-windows2019
-            docker tag ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-windows2019 ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}-windows2019
-            docker push ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}-windows2019
+            docker build -t ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-windows2019 -f ./Dockerfile.windows2019 .
+            docker push ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-windows2019
+            docker tag ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-windows2019 ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ env.VERSION_INPUT }}-windows2019
+            docker push ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ env.VERSION_INPUT }}-windows2019
           } elseif ($osInfo -match "10.0.20348") {
             Echo "Build image for Windows Server 2022"
-            docker build -t ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-windows2022 -f ./Dockerfile.windows2022 .
-            docker push ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-windows2022
-            docker tag ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-windows2022 ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}-windows2022
-            docker push ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}-windows2022
+            docker build -t ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-windows2022 -f ./Dockerfile.windows2022 .
+            docker push ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-windows2022
+            docker tag ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-windows2022 ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ env.VERSION_INPUT }}-windows2022
+            docker push ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ env.VERSION_INPUT }}-windows2022
           } else {
               Echo "Unknown Windows Server version: $osInfo"
               exit 1
@@ -300,15 +301,15 @@ jobs:
 
       - name: Create multi-platform image and push to Amazon private ECR
         run: |
-          docker manifest create ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }} ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-amd64 ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-arm64 ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-windows2019 ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}-windows2022
-          docker manifest inspect ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}
-          docker manifest push ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}
+          docker manifest create ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }} ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-amd64 ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-arm64 ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-windows2019 ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}-windows2022
+          docker manifest inspect ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}
+          docker manifest push ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION_INPUT }}
 
       - name: Create multi-platform image and push to Amazon public ECR
         run: |
-          docker manifest create ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }} ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}-amd64 ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}-arm64 ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}-windows2019 ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}-windows2022
-          docker manifest inspect ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}
-          docker manifest push ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}
+          docker manifest create ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ env.VERSION_INPUT }} ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ env.VERSION_INPUT }}-amd64 ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ env.VERSION_INPUT }}-arm64 ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ env.VERSION_INPUT }}-windows2019 ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ env.VERSION_INPUT }}-windows2022
+          docker manifest inspect ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ env.VERSION_INPUT }}
+          docker manifest push ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ env.VERSION_INPUT }}
 
   build-release-nuget:
     runs-on: windows-latest
@@ -348,7 +349,7 @@ jobs:
         run: >
           dotnet pack
           .\src\AWS.Distro.OpenTelemetry.AutoInstrumentation
-          /p:Version=${{github.event.inputs.version}}
+          /p:Version=${{ env.VERSION_INPUT }}
           --no-build
           -c Release
           -o .\Deployment\nuget-packages
diff --git a/.github/workflows/release_lambda.yml b/.github/workflows/release_lambda.yml
@@ -12,6 +12,8 @@ on:
         default: 'us-east-1, us-east-2, us-west-1, us-west-2, ap-south-1, ap-northeast-3, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-northeast-1, ca-central-1, eu-central-1, eu-west-1, eu-west-2, eu-west-3, eu-north-1, sa-east-1, af-south-1, ap-east-1, ap-south-2, ap-southeast-3, ap-southeast-4, eu-central-2, eu-south-1, eu-south-2, il-central-1, me-central-1, me-south-1'
 
 env:
+  VERSION_INPUT: ${{ env.VERSION_INPUT }}
+  AWS_REGION_INPUT: ${{ env.AWS_REGION_INPUT }}
   COMMERCIAL_REGIONS: us-east-1, us-east-2, us-west-1, us-west-2, ap-south-1, ap-northeast-3, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-northeast-1, ca-central-1, eu-central-1, eu-west-1, eu-west-2, eu-west-3, eu-north-1, sa-east-1
   LAYER_NAME: AWSOpenTelemetryDistroDotNet
 
@@ -38,7 +40,7 @@ jobs:
       - name: Set up regions matrix
         id: set-matrix
         run: |
-          IFS=',' read -ra REGIONS <<< "${{ github.event.inputs.aws_region }}"
+          IFS=',' read -ra REGIONS <<< "${{ env.AWS_REGION_INPUT }}"
           MATRIX="["
           for region in "${REGIONS[@]}"; do
             trimmed_region=$(echo "$region" | xargs)
@@ -101,7 +103,7 @@ jobs:
               --compatible-runtimes dotnet6 dotnet8 \
               --compatible-architectures "x86_64" \
               --license-info "Apache-2.0" \
-              --description "AWS Distro of OpenTelemetry Lambda Layer for .Net Runtime v${{ github.event.inputs.version }}" \
+              --description "AWS Distro of OpenTelemetry Lambda Layer for .Net Runtime v${{ env.VERSION_INPUT }}" \
               --query 'LayerVersionArn' \
               --output text
           )
@@ -191,7 +193,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
         run: |
           gh release create --target "$GITHUB_REF_NAME" \
-             --title "Release lambda-v${{ github.event.inputs.version }}" \
+             --title "Release lambda-v${{ env.VERSION_INPUT }}" \
              --draft \
-             "lambda-v${{ github.event.inputs.version }}" \
+             "lambda-v${{ env.VERSION_INPUT }}" \
              layer.tf
diff --git a/.github/workflows/unlist_nuget.yml b/.github/workflows/unlist_nuget.yml
@@ -7,6 +7,7 @@ on:
         required: true
 
 env:
+  VERSION_INPUT: ${{ env.VERSION_INPUT }}
   AWS_SIGNING_KEY_REGION: us-west-2
 
 permissions:
@@ -35,6 +36,6 @@ jobs:
           --output text
           --query SecretString | ConvertFrom-Json
 
-          nuget delete AWS.Distro.OpenTelemetry.AutoInstrumentation ${{github.event.inputs.version}}
+          nuget delete AWS.Distro.OpenTelemetry.AutoInstrumentation ${{ env.VERSION_INPUT }}
           -Source https://api.nuget.org/v3/index.json
           -ApiKey $nugetKey.Key
