Add static check for github.event.inputs in run steps (#1295)

thpierce · web-flow · commit 2244f92c8ef9 · 2026-01-22T22:35:05.000-08:00
See aws-observability/aws-otel-js-instrumentation#339 By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.
diff --git a/.github/workflows/pr-build.yml b/.github/workflows/pr-build.yml
@@ -12,6 +12,8 @@ on:
       - "release/v*"
 env:
   TEST_TAG: public.ecr.aws/aws-observability/adot-autoinstrumentation-java:test-v2
+  USER: ${{ github.event.pull_request.user.login }}
+  LABELS: ${{ toJSON(github.event.pull_request.labels.*.name) }}
 
 jobs:
   static-code-checks:
@@ -25,18 +27,18 @@ jobs:
         if: always()
         run: |
           # Check if PR is from workflows bot or dependabot
-          if [[ "${{ github.event.pull_request.user.login }}" == "aws-application-signals-bot" ]]; then
+          if [[ "${{ env.USER }}" == "aws-application-signals-bot" ]]; then
             echo "Skipping check: PR from aws-application-signals-bot"
             exit 0
           fi
           
-          if [[ "${{ github.event.pull_request.user.login }}" == "dependabot[bot]" ]]; then
+          if [[ "${{ env.USER }}" == "dependabot[bot]" ]]; then
             echo "Skipping check: PR from dependabot"
             exit 0
           fi
           
           # Check for skip changelog label
-          if echo '${{ toJSON(github.event.pull_request.labels.*.name) }}' | jq -r '.[]' | grep -q "skip changelog"; then
+          if echo '${{ env.LABELS }}' | jq -r '.[]' | grep -q "skip changelog"; then
             echo "Skipping check: skip changelog label found"
             exit 0
           fi
@@ -69,6 +71,31 @@ jobs:
           
           echo "No versioned actions found in changed files"
 
+      - name: Check for github.event in run steps
+        if: always()
+        run: |
+          # Get changed GitHub workflow/action files
+          CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}..HEAD | grep -E "^\.github/(workflows|actions)/.*\.ya?ml$" || true)
+          
+          if [ -n "$CHANGED_FILES" ]; then
+            VIOLATIONS=""
+            for file in $CHANGED_FILES; do
+              # Extract all 'run' step values excluding this validation step
+              RUN_STEPS=$(yq eval '.. | select(has("run") and has("name") and .name != "Check for github.event in run steps") | .run' "$file" 2>/dev/null || echo "")
+              if echo "$RUN_STEPS" | grep -q "github\.event\."; then
+                VIOLATIONS="$VIOLATIONS$file: Contains github.event.* in run step\n"
+              fi
+            done
+            
+            if [ -n "$VIOLATIONS" ]; then
+              echo -e "Found github.event.* usage in run steps. This can lead to script injection vulnerabilities:"
+              echo -e "$VIOLATIONS"
+              exit 1
+            fi
+          fi
+          
+          echo "No github.event.inputs usage found in run steps"
+
   testpatch:
     name: Test patches applied to dependencies
     runs-on: aws-otel-java-instrumentation_ubuntu-latest_32-core
@@ -100,7 +127,7 @@ jobs:
 
   build:
     name: Build on ${{ matrix.os }}
-    runs-on: ${{ matrix.os }}
+    runs-on: ${{ matrix.os }}      
     strategy:
       matrix:
         os:
