chore: sanitize CI inputs via env var #4528
Conversation
Pull Request Overview
This PR sanitizes CI workflow inputs by replacing direct GitHub Actions input references in shell commands with environment variables, improving security by preventing potential injection attacks.
- Replaces `${{ inputs.* }}` expressions in shell commands with environment variables
- Adds `env` blocks to define environment variables from workflow inputs
- Updates shell commands to reference environment variables instead of direct inputs
Reviewed Changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated no comments.
File | Description |
---|---|
.github/workflows/update_ssm.yml | Sanitizes SSM parameter names using PREFIX and PACKAGE_VERSION env vars |
.github/workflows/run-e2e-tests.yml | Sanitizes PR number input for GitHub CLI checkout command |
.github/workflows/reusable_publish_docs.yml | Sanitizes version input and replaces inline GitHub expressions in jq commands |
.github/workflows/publish_layer.yml | Sanitizes CDK context parameter using LAYER_VERSION env var |
.github/workflows/layers_partitions.yml | Sanitizes layer version inputs and environment checks |
.github/workflows/layers_partition_verify.yml | Sanitizes version and partition version inputs |
.github/workflows/layer_balance.yml | Sanitizes region and start_at inputs for balance command |
.github/workflows/bootstrap_region.yml | Sanitizes region input for CDK bootstrap and balance commands |
@sdangol you worked on the secrets access last, can you please check if Copilot's suggestions are appropriate? If not we can dismiss them together with the findings that might pop up after merging.

@dreamorosi Those are the same ones that we had discussed last time about the issue being mitigated by the use of environment specific secrets. So, the findings are a false positive.

Yes, I know, we had to revert them because the solution we came up with didn't work. I was wondering if Copilot's solution is better and might work.

The suggested solution will need some adjustments to make it work like the checking for the

Ok, thanks for checking - I remember you mentioning this in the previous iteration as well. Happy to ignore the suggestions and merge whenever you're ready to approve (tomorrow after the release is fine).
Summary
Changes
This PR updates several workflows to use environment variables to temporarily store workflow inputs, before passing them to the command and expanding them as a string. For example, `${{ input.version }}` now becomes `$VERSION`, with the variable being stored under `env`. The PR also adds double quotes in multiple places to ensure string expansion works as intended.
Issue number: closes #4529
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
Disclaimer: We value your time and bandwidth. As such, any pull requests created on non-triaged issues might not be successful.
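The reason the `env:` indirection described above closes the injection is that the Actions runner expands `${{ ... }}` expressions *textually* into the script before the shell parses it, whereas an environment variable reaches the shell only as data. The script below is an added example, not code from this PR or from the project's workflows: it models both steps with plain `sh -c` so the difference can be run locally. The input value is constructed, and the function names (`run_with_inline_expression`, `run_with_env_var`, `classify`) are this example's own.

```shell
#!/bin/sh
# Added example (not part of the PR): a local model of how a GitHub Actions
# `run:` step sees `${{ inputs.version }}` versus an `env:`-provided $VERSION.

# Constructed attacker-controlled workflow input. It closes the double quote the
# workflow author wrote, runs a command, and reopens a quote so the line still parses.
MALICIOUS_VERSION='1.0.0"; echo INJECTED; echo "'

# Model of the unsafe pattern:
#   run: echo "version=${{ inputs.version }}"
# The runner substitutes the expression into the script text, so the shell parses
# the input as code. Prints whatever the resulting script prints.
run_with_inline_expression() {
  input="$1"
  # Simulate expression substitution: the value is pasted into the script source.
  script="echo \"version=${input}\""
  sh -c "$script" 2>/dev/null
}

# Model of the hardened pattern from the PR:
#   env:
#     VERSION: ${{ inputs.version }}
#   run: echo "version=$VERSION"
# The value arrives via the process environment and is expanded inside double
# quotes, so no shell metacharacter in it is ever interpreted as syntax.
run_with_env_var() {
  VERSION="$1" sh -c 'echo "version=$VERSION"'
}

# Returns "injected" if the attacker's marker line appeared in the output,
# "safe" otherwise. Used to compare the two models on the same input.
classify() {
  if printf '%s\n' "$1" | grep -qx 'INJECTED'; then
    echo injected
  else
    echo safe
  fi
}

# Stand-alone demonstration: the first call runs the injected command, the
# second echoes the malicious string verbatim as part of a single value.
echo "inline expression: $(classify "$(run_with_inline_expression "$MALICIOUS_VERSION")")"
echo "env variable:      $(classify "$(run_with_env_var "$MALICIOUS_VERSION")")"
```

Two caveats worth keeping in mind when applying this pattern: the double quotes around `"$VERSION"` that the PR adds prevent word splitting and globbing but are not what stops the injection; the `env:` indirection is. And the protection only covers the shell. If the variable is then interpolated into another interpreter's source text (for example a jq filter built by string concatenation, which is the kind of place the `reusable_publish_docs.yml` change touches), that interpreter needs its own parameter passing, such as `jq --arg version "$VERSION"`, rather than the value pasted into the filter.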