fix: prevent script injection in workflows #341

Closed
thpierce wants to merge 1 commit into release/v1.3.x from fix/prevent-script-injection-release-v1.3.x-cherrypick

thpierce commented Feb 9, 2026

Fixes https://t.corp.amazon.com/V1559008677

Cherry-picked from main (371c614) with conflict resolution.

Additional changes beyond cherry-pick:

  • Resolved merge conflicts in workflow files
  • Fixed github.event usage in all affected workflows
  • Added env variables for workflow_dispatch inputs

Move github.event references to env vars to prevent script injection vulnerabilities in workflow run steps.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
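
The change the description summarizes (moving github.event references out of run steps and into env vars), shown as an added example that is not code from this PR or its repository: a constructed workflow containing both forms, and a small line-based scanner (the name `find_injections` is hypothetical) that flags `${{ github.event.* }}` only where it is expanded inside a `run:` script. It assumes conventional block-style YAML and is not a full YAML parser.

```python
import re

# Constructed sample workflow (not taken from the PR). An expression inside
# run: is pasted into the script text before the shell starts, so its value
# is parsed as shell code; a value passed through env: reaches the shell as data.
SAMPLE = """\
on:
  workflow_dispatch:
    inputs:
      version: {required: true}
jobs:
  release:
    runs-on: ubuntu-latest
    steps:
      - name: unsafe, expression is pasted into the script text
        run: |
          echo "Releasing ${{ github.event.inputs.version }}"
      - name: safe, value arrives as an environment variable
        env:
          VERSION: ${{ github.event.inputs.version }}
        run: |
          echo "Releasing $VERSION"
      - run: echo "${{ github.event.pull_request.title }}"
"""

# A ${{ }} expression that expands github.event data.
EXPR = re.compile(r"\$\{\{[^}]*?(github\.event\.[\w.\-]+)[^}]*\}\}")
# A run: key, optionally the first key of a list item ("- run:").
RUN = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

def find_injections(text):
    """Return (line_no, context) for github.event data expanded inside run: scripts."""
    findings, run_col = [], None  # run_col: column of the run: key while inside its block
    for no, line in enumerate(text.splitlines(), 1):
        if run_col is not None:
            indent = len(line) - len(line.lstrip())
            if line.strip() and indent <= run_col:
                run_col = None  # block scalar ended; re-examine this line below
            else:
                findings += [(no, m.group(1)) for m in EXPR.finditer(line)]
                continue
        m = RUN.match(line)
        if m:
            prefix, rest = m.groups()
            if rest.startswith(("|", ">")):
                run_col = len(prefix)  # script body is on the following lines
            else:
                findings += [(no, e.group(1)) for e in EXPR.finditer(rest)]
    return findings

if __name__ == "__main__":
    for no, ctx in find_injections(SAMPLE):
        print(f"line {no}: {ctx} is expanded inside run:; pass it via env: instead")
```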

Cherry-picked from main with additional fixes for older workflow files
thpierce requested a review from a team as a code owner February 9, 2026 20:54
thpierce added the "skip changelog" label (doesn't need a CHANGELOG entry) Feb 9, 2026

thpierce commented Feb 9, 2026

Closing to redo

thpierce closed this Feb 9, 2026
thpierce deleted the fix/prevent-script-injection-release-v1.3.x-cherrypick branch February 9, 2026 21:00