fix: prevent script injection in workflows

Cherry-picked from main with additional fixes for older workflow files

Author: thpierce

.github/workflows/post-release-version-bump.yml

@@ -0,0 +1,149 @@
+name: Post Release - Prepare Main for Next Development Cycle
+
+on:
+  workflow_dispatch:
+    inputs:
+      version:
+        description: 'Version number (e.g., 1.0.1)'
+        required: true
+      is_patch:
+        description: 'Is this a patch? (true or false)'
+        required: true
+        default: 'false'
+
+env:
+  AWS_DEFAULT_REGION: us-east-1
+  VERSION_INPUT: ${{ env.VERSION_INPUT }}
+  IS_PATCH_INPUT: ${{ env.IS_PATCH_INPUT }}
+
+permissions:
+  id-token: write
+  contents: write
+  pull-requests: write
+
+jobs:
+  check-version:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout main
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
+        with:
+          ref: main
+          fetch-depth: 0
+
+      - name: Extract Major.Minor Version and setup Env variable
+        run: |
+          echo "VERSION=${{ env.VERSION_INPUT }}" >> $GITHUB_ENV
+          echo "MAJOR_MINOR=$(echo ${{ env.VERSION_INPUT }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
+
+      - name: Get current major.minor version from main branch
+        id: get_version
+        run: |
+          CURRENT_VERSION=$(grep 'public static string version' src/AWS.Distro.OpenTelemetry.AutoInstrumentation/Version.cs | sed -E 's/    public static string version = "([0-9]+\.[0-9]+)\.[0-9]+.*";/\1/')
+          echo "CURRENT_MAJOR_MINOR_VERSION=$CURRENT_VERSION" >> $GITHUB_ENV
+
+      - name: Set major and minor for current version
+        run: |
+          echo "CURRENT_MAJOR=$(echo $CURRENT_MAJOR_MINOR_VERSION | cut -d. -f1)" >> $GITHUB_ENV
+          echo "CURRENT_MINOR=$(echo $CURRENT_MAJOR_MINOR_VERSION | cut -d. -f2)" >> $GITHUB_ENV
+
+      - name: Set major and minor for input version
+        run: |
+          echo "INPUT_MAJOR=$(echo $MAJOR_MINOR | cut -d. -f1)" >> $GITHUB_ENV
+          echo "INPUT_MINOR=$(echo $MAJOR_MINOR | cut -d. -f2)" >> $GITHUB_ENV
+
+      - name: Compare major.minor version and skip if behind
+        run: |
+          if [ "$CURRENT_MAJOR" -gt "$INPUT_MAJOR" ] || { [ "$CURRENT_MAJOR" -eq "$INPUT_MAJOR" ] && [ "$CURRENT_MINOR" -gt "$INPUT_MINOR" ]; }; then
+            echo "Input version is behind main's current major.minor version, don't need to update major version"
+            exit 1
+          fi
+
+  prepare-main:
+    runs-on: ubuntu-latest
+    needs: check-version
+    steps:
+      - name: Configure AWS credentials for BOT secrets
+        uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #v5.0.0
+        with:
+          role-to-assume: ${{ secrets.AWS_ROLE_ARN_SECRETS_MANAGER }}
+          aws-region: ${{ env.AWS_DEFAULT_REGION }}
+
+      - name: Get Bot secrets
+        uses: aws-actions/aws-secretsmanager-get-secrets@a9a7eb4e2f2871d30dc5b892576fde60a2ecc802 #v2.0.10
+        id: bot_secrets
+        with:
+          secret-ids: |
+            BOT_TOKEN ,${{ secrets.BOT_TOKEN_SECRET_ARN }}
+          parse-json-secrets: true
+
+      - name: Setup Git
+        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 #v5.0.0
+        with:
+          fetch-depth: 0
+          token: ${{ env.BOT_TOKEN_GITHUB_RW_PATOKEN }}
+
+      - name: Configure Git
+        run: |
+          git config user.name "github-actions"
+          git config user.email "github-actions@github.com"
+
+      - name: Extract Major.Minor Version and setup Env variable
+        run: |
+          echo "VERSION=${{ env.VERSION_INPUT }}" >> $GITHUB_ENV
+          echo "MAJOR_MINOR=$(echo ${{ env.VERSION_INPUT }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
+
+      - name: Determine release branch and checkout
+        run: |
+          RELEASE_BRANCH="release/v${MAJOR_MINOR}.x"
+          git fetch origin $RELEASE_BRANCH
+          git checkout -b "prepare-main-for-next-dev-cycle-${VERSION}" origin/$RELEASE_BRANCH
+
+      - name: Update version to next development version in main
+        run: |
+          DEV_VERSION="${{ env.VERSION_INPUT }}.dev0"
+          sed -i "s/public static string version = \".*\";/public static string version = \"${DEV_VERSION}\";/" src/AWS.Distro.OpenTelemetry.AutoInstrumentation/Version.cs
+          sed -i "s/private readonly string version = \".*\";/private readonly string version = \"${DEV_VERSION}\";/" build/Build.InstallationScripts.cs
+          VERSION="${{ env.VERSION_INPUT }}"
+          sed -i -e 's/dotnet:v.*"/dotnet:v'$VERSION'"/' .github/workflows/daily-scan.yml
+
+          # for patch releases, avoid merge conflict by manually resolving CHANGELOG with main
+          if [[ "${{ env.IS_PATCH_INPUT }}" == "true" ]]; then
+            # Copy the patch release entries
+            sed -n "/^## v${VERSION}/,/^## v[0-9]/p" CHANGELOG.md | sed '$d' > /tmp/patch_release_section.txt
+            git fetch origin main
+            git show origin/main:CHANGELOG.md > CHANGELOG.md
+            # Insert the patch release entries after Unreleased
+            awk -i inplace '/^## v[0-9]/ && !inserted { system("cat /tmp/patch_release_section.txt"); inserted=1 } {print}' CHANGELOG.md
+          fi
+
+          git add src/AWS.Distro.OpenTelemetry.AutoInstrumentation/Version.cs
+          git add build/Build.InstallationScripts.cs
+          git add .github/workflows/daily-scan.yml
+          git add CHANGELOG.md
+          git commit -m "Prepare main for next development cycle: Update version to $DEV_VERSION"
+          git push --set-upstream origin "prepare-main-for-next-dev-cycle-${VERSION}"
+
+      - name: Create Pull Request to main
+        env:
+          GITHUB_TOKEN: ${{ env.BOT_TOKEN_GITHUB_RW_PATOKEN }}
+        run: |
+          DEV_VERSION="${{ env.VERSION_INPUT }}.dev0"
+          gh pr create --title "Post release $VERSION: Update version to $DEV_VERSION" \
+                       --body "This PR prepares the main branch for the next development cycle by updating the version to $DEV_VERSION and updating the image version to be scanned to the latest released.
+
+          This PR should only be merge when release for version v$VERSION is success.
+
+          By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice." \
+                       --head prepare-main-for-next-dev-cycle-${VERSION} \
+                       --base main
+
+      - name: Force our CHANGELOG to override merge conflicts
+        run: |
+          git merge origin/main || true
+          git checkout --ours CHANGELOG.md
+          git add CHANGELOG.md
+          if ! git diff --quiet --cached; then
+            git commit -m "Force our CHANGELOG to override merge conflicts"
+            git push origin "prepare-main-for-next-dev-cycle-${VERSION}"
+          fi

.github/workflows/pre_release_prepare.yml

@@ -14,8 +14,13 @@ on:
 
 env:
   AWS_DEFAULT_REGION: us-east-1
+<<<<<<< HEAD:.github/workflows/pre_release_prepare.yml
   VERSION: ${{ inputs.version }}
   IS_PATCH: ${{ inputs.is_patch }}
+=======
+  VERSION_INPUT: ${{ env.VERSION_INPUT }}
+  IS_PATCH_INPUT: ${{ env.IS_PATCH_INPUT }}
+>>>>>>> 371c614 (fix: prevent script injection in workflows (#318)):.github/workflows/pre-release-prepare.yml
 
 permissions:
   contents: write
@@ -54,12 +59,21 @@ jobs:
 
       - name: Extract Major.Minor Version and setup Env variable
         run: |
+<<<<<<< HEAD:.github/workflows/pre_release_prepare.yml
           echo "VERSION=${{ env.VERSION }}" >> $GITHUB_ENV
           echo "MAJOR_MINOR=$(echo ${{ env.VERSION }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
 
       - name: Create branches
         run: |
           IS_PATCH=${{ env.IS_PATCH }}
+=======
+          echo "VERSION=${{ env.VERSION_INPUT }}" >> $GITHUB_ENV
+          echo "MAJOR_MINOR=$(echo ${{ env.VERSION_INPUT }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
+
+      - name: Create branches
+        run: |
+          IS_PATCH=${{ env.IS_PATCH_INPUT }}
+>>>>>>> 371c614 (fix: prevent script injection in workflows (#318)):.github/workflows/pre-release-prepare.yml
           if [[ "$IS_PATCH" != "true" && "$IS_PATCH" != "false" ]]; then
             echo "Invalid input for IS_PATCH. Must be 'true' or 'false'."
             exit 1
@@ -105,5 +119,9 @@ jobs:
                        --body "This PR updates the version to ${VERSION}.
           
           By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice." \
+<<<<<<< HEAD:.github/workflows/pre_release_prepare.yml
                        --head v${{ env.VERSION }}_release \
+=======
+                       --head v${{ env.VERSION_INPUT }}_release \
+>>>>>>> 371c614 (fix: prevent script injection in workflows (#318)):.github/workflows/pre-release-prepare.yml
                        --base release/v${MAJOR_MINOR}.x