
Commit 77d716a

author
github-actions
committed
fix: prevent script injection in workflows
1 parent 65a80a6 commit 77d716a

3 files changed

Lines changed: 26 additions & 19 deletions


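--- a/.github/workflows/patch-release-build.yml
+++ b/.github/workflows/patch-release-build.yml
@@ -11,6 +11,8 @@ on:
 description: Comma separated list of commit shas to cherrypick
 
 env:
+VERSION: ${{ env.VERSION }}
+COMMITS: ${{ env.COMMITS }}
 AWS_DEFAULT_REGION: us-east-1
 
 permissions:
@@ -29,9 +31,9 @@ jobs:
 name: Parse release branch name
 run: |
 # Sets the release-branch-name output to the version number with the last non-period element replaced with an 'x' and preprended with v.
-echo "release-branch-name=$(echo '${{ github.event.inputs.version }}' | sed -E 's/([^.]+)\.([^.]+)\.([^.]+)/v\1.\2.x/')" >> $GITHUB_OUTPUT
+echo "release-branch-name=$(echo '${{ env.VERSION }}' | sed -E 's/([^.]+)\.([^.]+)\.([^.]+)/v\1.\2.x/')" >> $GITHUB_OUTPUT
 # Sets the release-tag-name output to the version number with the last non-period element replace with a '0' and prepended with v
-echo "release-tag-name=$(echo '${{ github.event.inputs.version }}' | sed -E 's/([^.]+)\.([^.]+)\.([^.]+)/v\1.\2.0/')" >> $GITHUB_OUTPUT
+echo "release-tag-name=$(echo '${{ env.VERSION }}' | sed -E 's/([^.]+)\.([^.]+)\.([^.]+)/v\1.\2.0/')" >> $GITHUB_OUTPUT
 - id: checkout-release-branch
 name: Check out release branch
 # Will fail if there is no release branch yet or succeed otherwise
@@ -82,20 +84,20 @@ jobs:
 if: ${{ github.event.inputs.commits != '' }}
 run: |
 git fetch origin main
-echo ${{ github.event.inputs.commits }} | sed -n 1'p' | tr ',' '\n' | while read word; do
+echo ${{ env.COMMITS }} | sed -n 1'p' | tr ',' '\n' | while read word; do
 # Trim whitespaces and cherrypick
 echo $word | sed 's/ *$//g' | sed 's/^ *//g' | git cherry-pick --stdin
 done
 
 - name: Build release with Gradle
 uses: gradle/gradle-build-action@v2
 with:
-arguments: build jib final closeAndReleaseSonatypeStagingRepository -Prelease.version=${{ github.event.inputs.version }} --stacktrace
+arguments: build jib final closeAndReleaseSonatypeStagingRepository -Prelease.version=${{ env.VERSION }} --stacktrace
 env:
 PUBLISH_USERNAME: ${{ secrets.PUBLISH_USERNAME }}
 PUBLISH_PASSWORD: ${{ secrets.PUBLISH_PASSWORD }}
 GRGIT_USER: ${{ secrets.GITHUB_TOKEN }}
-COMMIT_HASH: ${{ github.event.inputs.version }}
+COMMIT_HASH: ${{ env.VERSION }}
 GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
 GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
 
@@ -105,8 +107,8 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
-tag_name: v${{ github.event.inputs.version }}
-release_name: Release v${{ github.event.inputs.version }}
+tag_name: v${{ env.VERSION }}
+release_name: Release v${{ env.VERSION }}
 draft: true
 prerelease: false
 
@@ -117,6 +119,6 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
 upload_url: ${{ steps.create_release.outputs.upload_url }}
-asset_path: otelagent/build/libs/aws-opentelemetry-agent-${{ github.event.inputs.version }}.jar
+asset_path: otelagent/build/libs/aws-opentelemetry-agent-${{ env.VERSION }}.jar
 asset_name: aws-opentelemetry-agent.jar
 asset_content_type: application/java-archive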
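Review bot: The injection this commit is meant to close is still open in the `Parse release branch name` and cherry-pick steps — `${{ env.VERSION }}` and `${{ env.COMMITS }}` are expanded into the `run:` script text before bash executes it, so a crafted `version` or `commits` input breaks out of the quotes exactly as `${{ github.event.inputs.* }}` did; the fix is to consume the values as shell variables (`"$VERSION"`, `"$COMMITS"`). The new workflow-level `env:` entries are also self-referential: the `env` context is not available when a workflow-level `env:` block is evaluated, so `VERSION: ${{ env.VERSION }}` and `COMMITS: ${{ env.COMMITS }}` carry no value, which in turn empties `-Prelease.version=`, `COMMIT_HASH`, `tag_name`, `release_name` and `asset_path` — they should read `VERSION: ${{ github.event.inputs.version }}` and `COMMITS: ${{ github.event.inputs.commits }}`, after which the `with:`/`env:` uses of `${{ env.VERSION }}` are fine since those are action inputs, not shell text. Because `VERSION` also becomes a git tag and a Gradle property, I would guard it before use, e.g. `[[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "bad version: $VERSION"; exit 1; }`. The jobs these hunks belong to start and end outside the hunks.

```yaml
env:
  VERSION: ${{ github.event.inputs.version }}
  COMMITS: ${{ github.event.inputs.commits }}
  # … unchanged: AWS_DEFAULT_REGION …

# … unchanged: job and step headers …
      run: |
        [[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || { echo "bad version: $VERSION"; exit 1; }
        echo "release-branch-name=$(echo "$VERSION" | sed -E 's/([^.]+)\.([^.]+)\.([^.]+)/v\1.\2.x/')" >> "$GITHUB_OUTPUT"
        echo "release-tag-name=$(echo "$VERSION" | sed -E 's/([^.]+)\.([^.]+)\.([^.]+)/v\1.\2.0/')" >> "$GITHUB_OUTPUT"

# … unchanged: cherry-pick step header and git fetch …
        echo "$COMMITS" | sed -n 1'p' | tr ',' '\n' | while read word; do
```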

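--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -7,6 +7,8 @@ on:
 required: true
 
 env:
+VERSION: ${{ env.VERSION }}
+AWS_REGION: ${{ env.AWS_REGION }}
 AWS_DEFAULT_REGION: us-east-1
 
 permissions:
@@ -44,7 +46,7 @@ jobs:
 - name: Build release with Gradle
 uses: gradle/gradle-build-action@v2
 with:
-arguments: build integrationTests final closeAndReleaseSonatypeStagingRepository -Prelease.version=${{ github.event.inputs.version }} -PlocalDocker=true --stacktrace
+arguments: build integrationTests final closeAndReleaseSonatypeStagingRepository -Prelease.version=${{ env.VERSION }} -PlocalDocker=true --stacktrace
 env:
 PUBLISH_USERNAME: ${{ secrets.PUBLISH_USERNAME }}
 PUBLISH_PASSWORD: ${{ secrets.PUBLISH_PASSWORD }}
@@ -58,8 +60,8 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
-tag_name: v${{ github.event.inputs.version }}
-release_name: Release v${{ github.event.inputs.version }}
+tag_name: v${{ env.VERSION }}
+release_name: Release v${{ env.VERSION }}
 draft: true
 prerelease: false
 
@@ -70,6 +72,6 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 with:
 upload_url: ${{ steps.create_release.outputs.upload_url }}
-asset_path: otelagent/build/libs/aws-opentelemetry-agent-${{ github.event.inputs.version }}.jar
+asset_path: otelagent/build/libs/aws-opentelemetry-agent-${{ env.VERSION }}.jar
 asset_name: aws-opentelemetry-agent.jar
 asset_content_type: application/java-archive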
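Review bot: `VERSION: ${{ env.VERSION }}` and `AWS_REGION: ${{ env.AWS_REGION }}` in the new workflow-level `env:` block are self-referential — the `env` context is not available when that block is evaluated — so neither carries a value, and every downstream `${{ env.VERSION }}` (`-Prelease.version=`, `tag_name`, `release_name`, `asset_path`) becomes empty, yielding a release tagged `v` and a non-existent jar path. The intended line is `VERSION: ${{ github.event.inputs.version }}`; no input backing `AWS_REGION` is visible in this diff, so either point it at the real input or drop it (`AWS_DEFAULT_REGION: us-east-1` is already set two lines below). All uses in this file are action `with:` inputs rather than `run:` script text, so as far as I can tell routing them through `env` is hygiene rather than a script-injection fix; the untrusted `version` string still reaches Gradle's command line and the tag name, so a format check such as `[[ "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] || exit 1` in a preceding `run:` step would be worth adding. The job these hunks belong to starts outside the hunks.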

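--- a/.github/workflows/soak-testing.yml
+++ b/.github/workflows/soak-testing.yml
@@ -25,6 +25,9 @@ env:
 CPU_LOAD_THRESHOLD: 55
 TOTAL_MEMORY_THRESHOLD: 4294967296 # 4 GiB
 MAX_BENCHMARKS_TO_KEEP: 100
+TARGET_COMMIT_SHA: ${{ env.TARGET_COMMIT_SHA }}
+TEST_DURATION_MINUTES_INPUT: ${{ env.TEST_DURATION_MINUTES_INPUT }}
+EVENT_NAME: ${{ env.EVENT_NAME }}
 # TODO: We might be able to adapt the "Soak Tests" to be "Overhead Tests".
 # This means monitoring the Sample App's performance using high levels of TPS
 # for the Load Generator over a shorter period of testing time. For example:
@@ -52,16 +55,16 @@ jobs:
 # MARK: - GitHub Workflow Event Type Specific Values
 
 - name: Use INPUT as commit SHA
-if: ${{ github.event_name == 'workflow_dispatch' }}
+if: ${{ env.EVENT_NAME == 'workflow_dispatch' }}
 run: |
-echo "TARGET_SHA=${{ github.event.inputs.target_commit_sha }}" | tee --append $GITHUB_ENV;
+echo "TARGET_SHA=${{ env.TARGET_COMMIT_SHA }}" | tee --append $GITHUB_ENV;
 - name: Use LATEST as commit SHA
-if: ${{ github.event_name != 'workflow_dispatch' }}
+if: ${{ env.EVENT_NAME != 'workflow_dispatch' }}
 run: |
 echo "TARGET_SHA=${{ github.sha }}" | tee --append $GITHUB_ENV;
 - name: Configure Performance Test Duration
 run: |
-echo "TEST_DURATION_MINUTES=${{ github.event.inputs.test_duration_minutes || env.DEFAULT_TEST_DURATION_MINUTES }}" | tee --append $GITHUB_ENV;
+echo "TEST_DURATION_MINUTES=${{ env.TEST_DURATION_MINUTES_INPUT || env.DEFAULT_TEST_DURATION_MINUTES }}" | tee --append $GITHUB_ENV;
 - name: Clone This Repo @ ${{ env.TARGET_SHA }}
 uses: actions/checkout@v2
 with:
@@ -224,14 +227,14 @@ jobs:
 # https://github.com/open-telemetry/opentelemetry-python/pull/1478
 # comment-always: true
 fail-on-alert: true
-auto-push: ${{ github.event_name == 'schedule' &&
+auto-push: ${{ env.EVENT_NAME == 'schedule' &&
 steps.check-already-have-performance-results.outcome == 'failure' &&
 github.ref == 'refs/heads/main' }}
 gh-pages-branch: gh-pages
 benchmark-data-dir-path: soak-tests/per-commit-overall-results
 - name: Publish Issue if failed DURING Performance Tests
 uses: JasonEtco/create-an-issue@v2
-if: ${{ github.event_name == 'schedule' &&
+if: ${{ env.EVENT_NAME == 'schedule' &&
 steps.check-failure-during-performance-tests.outcome == 'failure' }}
 env:
 APP_PLATFORM: ${{ matrix.app-platform }}
@@ -242,7 +245,7 @@ jobs:
 update_existing: true
 - name: Publish Issue if failed AFTER Performance Tests
 uses: JasonEtco/create-an-issue@v2
-if: ${{ github.event_name == 'schedule' &&
+if: ${{ env.EVENT_NAME == 'schedule' &&
 steps.check-failure-after-performance-tests.outcome == 'failure' }}
 env:
 APP_PLATFORM: ${{ matrix.app-platform }}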
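Review bot: Swapping `github.event_name` for `env.EVENT_NAME` in the `if:` and `auto-push:` expressions is a regression, not a hardening: `EVENT_NAME: ${{ env.EVENT_NAME }}` is self-referential (the `env` context is not available in a workflow-level `env:` block) and resolves to an empty string, so `== 'workflow_dispatch'` and `== 'schedule'` are never true — the `Use INPUT as commit SHA` step is skipped, scheduled runs stop auto-pushing benchmark results and opening issues, and `Use LATEST` runs for every event. `github.event_name` is set by GitHub rather than the caller, so those four expressions should go back to `github.event_name` and the `EVENT_NAME` entry should be dropped. The injection that does exist is in the two `run:` lines, which still splice `${{ env.TARGET_COMMIT_SHA }}` and `${{ env.TEST_DURATION_MINUTES_INPUT }}` into shell text; populate those env entries from `github.event.inputs.*` and consume them as shell variables, validating the SHA since it drives the later checkout and is written to `$GITHUB_ENV` (a value containing a newline could define extra variables there). The job containing these steps starts and ends outside the hunks.

```yaml
env:
  # … unchanged: thresholds …
  TARGET_COMMIT_SHA: ${{ github.event.inputs.target_commit_sha }}
  TEST_DURATION_MINUTES_INPUT: ${{ github.event.inputs.test_duration_minutes }}

# … unchanged: job header …
      - name: Use INPUT as commit SHA
        if: ${{ github.event_name == 'workflow_dispatch' }}
        run: |
          [[ "$TARGET_COMMIT_SHA" =~ ^[0-9a-f]{7,40}$ ]] || { echo "invalid target_commit_sha"; exit 1; }
          echo "TARGET_SHA=$TARGET_COMMIT_SHA" | tee --append "$GITHUB_ENV";
      # … unchanged: Use LATEST step, with its if: back on github.event_name …
      - name: Configure Performance Test Duration
        run: |
          echo "TEST_DURATION_MINUTES=${TEST_DURATION_MINUTES_INPUT:-$DEFAULT_TEST_DURATION_MINUTES}" | tee --append "$GITHUB_ENV";
```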
