
Commit 37d73c3

author
github-actions
committed
fix: prevent script injection in workflows
1 parent e45a245 commit 37d73c3

4 files changed

Lines changed: 42 additions & 33 deletions


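--- a/.github/workflows/patch-release-build.yml
+++ b/.github/workflows/patch-release-build.yml
@@ -11,6 +11,8 @@ on:
 description: Comma separated list of commit shas to cherrypick
 
 env:
+VERSION: ${{ env.VERSION }}
+COMMITS: ${{ env.COMMITS }}
 AWS_DEFAULT_REGION: us-east-1
 TEST_TAG: public.ecr.aws/aws-observability/adot-autoinstrumentation-java:test-v2
 
@@ -30,9 +32,9 @@ jobs:
 name: Parse release branch name
 run: |
 # Sets the release-branch-name output to the version number with the last non-period element replaced with an 'x' and preprended with v.
-echo "release-branch-name=$(echo '${{ github.event.inputs.version }}' | sed -E 's/([^.]+)\.([^.]+)\.([^.]+)/v\1.\2.x/')" >> $GITHUB_OUTPUT
+echo "release-branch-name=$(echo '${{ env.VERSION }}' | sed -E 's/([^.]+)\.([^.]+)\.([^.]+)/v\1.\2.x/')" >> $GITHUB_OUTPUT
 # Sets the release-tag-name output to the version number with the last non-period element replace with a '0' and prepended with v
-echo "release-tag-name=$(echo '${{ github.event.inputs.version }}' | sed -E 's/([^.]+)\.([^.]+)\.([^.]+)/v\1.\2.0/')" >> $GITHUB_OUTPUT
+echo "release-tag-name=$(echo '${{ env.VERSION }}' | sed -E 's/([^.]+)\.([^.]+)\.([^.]+)/v\1.\2.0/')" >> $GITHUB_OUTPUT
 - id: checkout-release-branch
 name: Check out release branch
 # Will fail if there is no release branch yet or succeed otherwise
@@ -84,15 +86,15 @@ jobs:
 if: ${{ github.event.inputs.commits != '' }}
 run: |
 git fetch origin main
-echo ${{ github.event.inputs.commits }} | sed -n 1'p' | tr ',' '\n' | while read word; do
+echo ${{ env.COMMITS }} | sed -n 1'p' | tr ',' '\n' | while read word; do
 # Trim whitespaces and cherrypick
 echo $word | sed 's/ *$//g' | sed 's/^ *//g' | git cherry-pick --stdin
 done
 
 - name: Build release with Gradle
 uses: gradle/gradle-build-action@v3
 with:
-arguments: build integrationTests -PlocalDocker=true -Prelease.version=${{ github.event.inputs.version }} --stacktrace
+arguments: build integrationTests -PlocalDocker=true -Prelease.version=${{ env.VERSION }} --stacktrace
 
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@v4
@@ -117,30 +119,30 @@ jobs:
 uses: docker/build-push-action@v5
 with:
 push: false
-build-args: "ADOT_JAVA_VERSION=${{ github.event.inputs.version }}"
+build-args: "ADOT_JAVA_VERSION=${{ env.VERSION }}"
 context: .
 platforms: linux/amd64
 tags: ${{ env.TEST_TAG }}
 load: true
 
 - name: Test docker image
 shell: bash
-run: .github/scripts/test-adot-javaagent-image.sh "${{ env.TEST_TAG }}" "${{ github.event.inputs.version }}"
+run: .github/scripts/test-adot-javaagent-image.sh "${{ env.TEST_TAG }}" "${{ env.VERSION }}"
 
 - name: Build and push image
 uses: docker/build-push-action@v5
 with:
 push: true
-build-args: "ADOT_JAVA_VERSION=${{ github.event.inputs.version }}"
+build-args: "ADOT_JAVA_VERSION=${{ env.VERSION }}"
 context: .
 platforms: linux/amd64,linux/arm64
 tags: |
-public.ecr.aws/aws-observability/adot-autoinstrumentation-java:v${{ github.event.inputs.version }}
+public.ecr.aws/aws-observability/adot-autoinstrumentation-java:v${{ env.VERSION }}
 
 - name: Build and Publish release with Gradle
 uses: gradle/gradle-build-action@v3
 with:
-arguments: build final closeAndReleaseSonatypeStagingRepository -Prelease.version=${{ github.event.inputs.version }} --stacktrace
+arguments: build final closeAndReleaseSonatypeStagingRepository -Prelease.version=${{ env.VERSION }} --stacktrace
 env:
 PUBLISH_TOKEN_USERNAME: ${{ secrets.PUBLISH_TOKEN_USERNAME }}
 PUBLISH_TOKEN_PASSWORD: ${{ secrets.PUBLISH_TOKEN_PASSWORD }}
@@ -152,9 +154,9 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
 run: |
-cp "otelagent/build/libs/aws-opentelemetry-agent-${{ github.event.inputs.version }}.jar" aws-opentelemetry-agent.jar
+cp "otelagent/build/libs/aws-opentelemetry-agent-${{ env.VERSION }}.jar" aws-opentelemetry-agent.jar
 gh release create --target "$GITHUB_REF_NAME" \
---title "Release v${{ github.event.inputs.version }}" \
+--title "Release v${{ env.VERSION }}" \
 --draft \
-"v${{ github.event.inputs.version }}" \
+"v${{ env.VERSION }}" \
 aws-opentelemetry-agent.jar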
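Review bot: `VERSION: ${{ env.VERSION }}` and `COMMITS: ${{ env.COMMITS }}` in the new workflow-level `env:` block are self-referential — nothing defines those variables and, per GitHub's context-availability table, the `env` context cannot be read at workflow level — so every `${{ env.VERSION }}` that replaced `github.event.inputs.version` evaluates to an empty string and the release branch/tag names, image tags, Gradle `-Prelease.version` and `gh release create` tag all go blank. The intended mapping is `VERSION: ${{ github.event.inputs.version }}` and `COMMITS: ${{ github.event.inputs.commits }}`. Even with that fixed, the `run:` steps still embed `${{ env.VERSION }}` / `${{ env.COMMITS }}` as expressions, which GitHub substitutes into the script text before bash runs it, so the injection this commit sets out to prevent is unchanged; shell steps should read the environment variable instead, e.g. `echo "release-branch-name=$(echo "$VERSION" | sed -E 's/([^.]+)\.([^.]+)\.([^.]+)/v\1.\2.x/')" >> "$GITHUB_OUTPUT"` and `echo "$COMMITS" | sed -n 1'p' | tr ',' '\n' | while read -r word; do`. The `with:`, `build-args:` and `tags:` uses are not shell interpolation and are fine once the env block is corrected; a cheap extra guard would be an early step that rejects a `version` not matching `^[0-9]+\.[0-9]+\.[0-9]+$`, since the value also becomes an image tag and a release name.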

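--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -7,6 +7,8 @@ on:
 required: true
 
 env:
+VERSION: ${{ env.VERSION }}
+AWS_REGION: ${{ env.AWS_REGION }}
 AWS_PUBLIC_ECR_REGION: us-east-1
 AWS_PRIVATE_ECR_REGION: us-west-2
 TEST_TAG: public.ecr.aws/aws-observability/adot-autoinstrumentation-java:test-v2
@@ -50,7 +52,7 @@ jobs:
 - name: Build release with Gradle
 uses: gradle/gradle-build-action@v3
 with:
-arguments: build integrationTests -PlocalDocker=true -Prelease.version=${{ github.event.inputs.version }} --stacktrace
+arguments: build integrationTests -PlocalDocker=true -Prelease.version=${{ env.VERSION }} --stacktrace
 
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@v4
@@ -86,31 +88,31 @@ jobs:
 uses: docker/build-push-action@v5
 with:
 push: false
-build-args: "ADOT_JAVA_VERSION=${{ github.event.inputs.version }}"
+build-args: "ADOT_JAVA_VERSION=${{ env.VERSION }}"
 context: .
 platforms: linux/amd64
 tags: ${{ env.TEST_TAG }}
 load: true
 
 - name: Test docker image
 shell: bash
-run: .github/scripts/test-adot-javaagent-image.sh "${{ env.TEST_TAG }}" "${{ github.event.inputs.version }}"
+run: .github/scripts/test-adot-javaagent-image.sh "${{ env.TEST_TAG }}" "${{ env.VERSION }}"
 
 - name: Build and push image
 uses: docker/build-push-action@v5
 with:
 push: true
-build-args: "ADOT_JAVA_VERSION=${{ github.event.inputs.version }}"
+build-args: "ADOT_JAVA_VERSION=${{ env.VERSION }}"
 context: .
 platforms: linux/amd64,linux/arm64
 tags: |
-${{ env.PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}
-${{ env.PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}
+${{ env.PUBLIC_REPOSITORY }}:v${{ env.VERSION }}
+${{ env.PRIVATE_REPOSITORY }}:v${{ env.VERSION }}
 
 - name: Build and Publish release with Gradle
 uses: gradle/gradle-build-action@v3
 with:
-arguments: build final closeAndReleaseSonatypeStagingRepository -Prelease.version=${{ github.event.inputs.version }} --stacktrace
+arguments: build final closeAndReleaseSonatypeStagingRepository -Prelease.version=${{ env.VERSION }} --stacktrace
 env:
 PUBLISH_TOKEN_USERNAME: ${{ secrets.PUBLISH_TOKEN_USERNAME }}
 PUBLISH_TOKEN_PASSWORD: ${{ secrets.PUBLISH_TOKEN_PASSWORD }}
@@ -122,7 +124,7 @@ jobs:
 - name: Get SHA256 checksum of release artifact
 id: get_sha256
 run: |
-cp "otelagent/build/libs/aws-opentelemetry-agent-${{ github.event.inputs.version }}.jar" ${{ env.ARTIFACT_NAME }}
+cp "otelagent/build/libs/aws-opentelemetry-agent-${{ env.VERSION }}.jar" ${{ env.ARTIFACT_NAME }}
 shasum -a 256 ${{ env.ARTIFACT_NAME }} > ${{ env.ARTIFACT_NAME }}.sha256
 
 - name: Create release
@@ -136,9 +138,9 @@ jobs:
 shasum -a 256 layer_artifact/layer.zip > layer_artifact/layer.zip.sha256
 
 gh release create --target "$GITHUB_REF_NAME" \
---title "Release v${{ github.event.inputs.version }}" \
+--title "Release v${{ env.VERSION }}" \
 --draft \
-"v${{ github.event.inputs.version }}" \
+"v${{ env.VERSION }}" \
 ${{ env.ARTIFACT_NAME }} \
 ${{ env.ARTIFACT_NAME }}.sha256 \
 layer_artifact/layer.zip \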
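Review bot: `VERSION: ${{ env.VERSION }}` and `AWS_REGION: ${{ env.AWS_REGION }}` in the workflow-level `env:` block point at variables that are never set (and the `env` context is not readable at workflow level), so `${{ env.VERSION }}` expands to empty in the Gradle arguments, the `${{ env.PUBLIC_REPOSITORY }}:v` / `${{ env.PRIVATE_REPOSITORY }}:v` image tags, the agent-jar `cp` and the `gh release create` title and tag; the value has to come from the input, `VERSION: ${{ github.event.inputs.version }}`. The `run:` lines still embed `${{ env.VERSION }}` as an expression, which is substituted into the script before bash executes it, so the injection path through the version input is not closed by this change; write `cp "otelagent/build/libs/aws-opentelemetry-agent-${VERSION}.jar" "$ARTIFACT_NAME"`, `--title "Release v${VERSION}"` and `"v${VERSION}"` so the shell reads the variable instead. No hunk in this file replaces an `aws_region` input, so `AWS_REGION` appears unused here — presumably copied over from release-lambda.yml; drop it unless the file's `inputs:` (outside these hunks) defines one.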

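--- a/.github/workflows/release-lambda.yml
+++ b/.github/workflows/release-lambda.yml
@@ -12,6 +12,8 @@ on:
 default: 'us-east-1, us-east-2, us-west-1, us-west-2, ap-south-1, ap-northeast-3, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-northeast-1, ca-central-1, eu-central-1, eu-west-1, eu-west-2, eu-west-3, eu-north-1, sa-east-1, af-south-1, ap-east-1, ap-south-2, ap-southeast-3, ap-southeast-4, eu-central-2, eu-south-1, eu-south-2, il-central-1, me-central-1, me-south-1'
 
 env:
+VERSION: ${{ env.VERSION }}
+AWS_REGION: ${{ env.AWS_REGION }}
 COMMERCIAL_REGIONS: us-east-1, us-east-2, us-west-1, us-west-2, ap-south-1, ap-northeast-3, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-northeast-1, ca-central-1, eu-central-1, eu-west-1, eu-west-2, eu-west-3, eu-north-1, sa-east-1
 LAYER_NAME: AWSOpenTelemetryDistroJava
 
@@ -28,7 +30,7 @@ jobs:
 - name: Set up regions matrix
 id: set-matrix
 run: |
-IFS=',' read -ra REGIONS <<< "${{ github.event.inputs.aws_region }}"
+IFS=',' read -ra REGIONS <<< "${{ env.AWS_REGION }}"
 MATRIX="["
 for region in "${REGIONS[@]}"; do
 trimmed_region=$(echo "$region" | xargs)
@@ -203,7 +205,7 @@ jobs:
 run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
 - name: Create Release Notes
 run: |
-echo "AWS OpenTelemetry Lambda Layer for Java version ${{ github.event.inputs.version }}-${{ steps.commit.outputs.sha_short }}" > release_notes.md
+echo "AWS OpenTelemetry Lambda Layer for Java version ${{ env.VERSION }}-${{ steps.commit.outputs.sha_short }}" > release_notes.md
 echo "" >> release_notes.md
 echo "" >> release_notes.md
 echo "See new Lambda Layer ARNs:" >> release_notes.md
@@ -217,10 +219,10 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
 run: |
 gh release create --target "$GITHUB_REF_NAME" \
---title "Release lambda-v${{ github.event.inputs.version }}-${{ steps.commit.outputs.sha_short }}" \
+--title "Release lambda-v${{ env.VERSION }}-${{ steps.commit.outputs.sha_short }}" \
 --notes-file release_notes.md \
 --draft \
-"lambda-v${{ github.event.inputs.version }}-${{ steps.commit.outputs.sha_short }}" \
+"lambda-v${{ env.VERSION }}-${{ steps.commit.outputs.sha_short }}" \
 layer_arns.tf layer.zip
 echo Removing release_notes.md ...
 rm -f release_notes.md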
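Review bot: `AWS_REGION: ${{ env.AWS_REGION }}` and `VERSION: ${{ env.VERSION }}` are self-references to variables nothing defines, so `IFS=',' read -ra REGIONS <<< "${{ env.AWS_REGION }}"` in the regions-matrix step now reads an empty string and the matrix is built from no regions, and the release-notes line and `gh release create` title/tag carry an empty version. The env block should map the inputs, `AWS_REGION: ${{ github.event.inputs.aws_region }}` and `VERSION: ${{ github.event.inputs.version }}`, and the `run:` lines should then use the shell variables — `IFS=',' read -ra REGIONS <<< "$AWS_REGION"` and `"lambda-v${VERSION}-${{ steps.commit.outputs.sha_short }}"` — because a `${{ env.X }}` expression is still spliced into the script before bash sees it, which is exactly the injection the commit title describes. The loop that computes `trimmed_region` continues past the hunk; since each value presumably ends up in a matrix and in AWS CLI calls, a `[[ "$trimmed_region" =~ ^[a-z]{2}-[a-z]+-[0-9]+$ ]] || exit 1` check before appending it to `MATRIX` would reject anything that is not a region name.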

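--- a/.github/workflows/soak-testing.yml
+++ b/.github/workflows/soak-testing.yml
@@ -25,6 +25,9 @@ env:
 CPU_LOAD_THRESHOLD: 55
 TOTAL_MEMORY_THRESHOLD: 4294967296 # 4 GiB
 MAX_BENCHMARKS_TO_KEEP: 100
+TARGET_COMMIT_SHA: ${{ env.TARGET_COMMIT_SHA }}
+TEST_DURATION_MINUTES_INPUT: ${{ env.TEST_DURATION_MINUTES_INPUT }}
+EVENT_NAME: ${{ env.EVENT_NAME }}
 # TODO: We might be able to adapt the "Soak Tests" to be "Overhead Tests".
 # This means monitoring the Sample App's performance using high levels of TPS
 # for the Load Generator over a shorter period of testing time. For example:
@@ -52,16 +55,16 @@ jobs:
 # MARK: - GitHub Workflow Event Type Specific Values
 
 - name: Use INPUT as commit SHA
-if: ${{ github.event_name == 'workflow_dispatch' }}
+if: ${{ env.EVENT_NAME == 'workflow_dispatch' }}
 run: |
-echo "TARGET_SHA=${{ github.event.inputs.target_commit_sha }}" | tee --append $GITHUB_ENV;
+echo "TARGET_SHA=${{ env.TARGET_COMMIT_SHA }}" | tee --append $GITHUB_ENV;
 - name: Use LATEST as commit SHA
-if: ${{ github.event_name != 'workflow_dispatch' }}
+if: ${{ env.EVENT_NAME != 'workflow_dispatch' }}
 run: |
 echo "TARGET_SHA=${{ github.sha }}" | tee --append $GITHUB_ENV;
 - name: Configure Performance Test Duration
 run: |
-echo "TEST_DURATION_MINUTES=${{ github.event.inputs.test_duration_minutes || env.DEFAULT_TEST_DURATION_MINUTES }}" | tee --append $GITHUB_ENV;
+echo "TEST_DURATION_MINUTES=${{ env.TEST_DURATION_MINUTES_INPUT || env.DEFAULT_TEST_DURATION_MINUTES }}" | tee --append $GITHUB_ENV;
 - name: Clone This Repo @ ${{ env.TARGET_SHA }}
 uses: actions/checkout@v4
 with:
@@ -224,14 +227,14 @@ jobs:
 # https://github.com/open-telemetry/opentelemetry-python/pull/1478
 # comment-always: true
 fail-on-alert: true
-auto-push: ${{ github.event_name == 'schedule' &&
+auto-push: ${{ env.EVENT_NAME == 'schedule' &&
 steps.check-already-have-performance-results.outcome == 'failure' &&
 github.ref == 'refs/heads/main' }}
 gh-pages-branch: gh-pages
 benchmark-data-dir-path: soak-tests/per-commit-overall-results
 - name: Publish Issue if failed DURING Performance Tests
 uses: JasonEtco/create-an-issue@v2
-if: ${{ github.event_name == 'schedule' &&
+if: ${{ env.EVENT_NAME == 'schedule' &&
 steps.check-failure-during-performance-tests.outcome == 'failure' }}
 env:
 APP_PLATFORM: ${{ matrix.app-platform }}
@@ -242,7 +245,7 @@ jobs:
 update_existing: true
 - name: Publish Issue if failed AFTER Performance Tests
 uses: JasonEtco/create-an-issue@v2
-if: ${{ github.event_name == 'schedule' &&
+if: ${{ env.EVENT_NAME == 'schedule' &&
 steps.check-failure-after-performance-tests.outcome == 'failure' }}
 env:
 APP_PLATFORM: ${{ matrix.app-platform }}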
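Review bot: `EVENT_NAME: ${{ env.EVENT_NAME }}` in the workflow-level `env:` block is a self-reference that resolves to an empty string, so every `env.EVENT_NAME == 'schedule'` condition is now false — `auto-push` and both "Publish Issue" steps never fire — and "Use LATEST as commit SHA" runs on `workflow_dispatch` as well, because `'' != 'workflow_dispatch'`. `github.event_name` is set by GitHub, not by the dispatcher, so those `if:` lines were never an injection vector and can stay as they were; the values that do need isolating are `target_commit_sha` and `test_duration_minutes`, which should be mapped as `TARGET_COMMIT_SHA: ${{ github.event.inputs.target_commit_sha }}` and `TEST_DURATION_MINUTES_INPUT: ${{ github.event.inputs.test_duration_minutes }}` rather than to themselves. The two `run:` lines still splice `${{ env.… }}` expressions into the script, so they should read the shell variables instead: `echo "TARGET_SHA=${TARGET_COMMIT_SHA}" | tee --append "$GITHUB_ENV";` and `echo "TEST_DURATION_MINUTES=${TEST_DURATION_MINUTES_INPUT:-$DEFAULT_TEST_DURATION_MINUTES}" | tee --append "$GITHUB_ENV";` (assuming `DEFAULT_TEST_DURATION_MINUTES` is defined in the env block above the hunk). Because a value containing a newline written to `$GITHUB_ENV` would define additional variables, a `[[ "$TARGET_COMMIT_SHA" =~ ^[0-9a-fA-F]{7,40}$ ]] || exit 1` guard before the echo is worth adding.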
