
Commit 8b9cc1f

author
github-actions
committed
fix: prevent script injection in workflows
1 parent 846ba45 commit 8b9cc1f

5 files changed

Lines changed: 55 additions & 44 deletions


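--- a/.github/workflows/patch-release-build.yml
+++ b/.github/workflows/patch-release-build.yml
@@ -11,6 +11,8 @@ on:
 description: Comma separated list of commit shas to cherrypick
 
 env:
+VERSION: ${{ env.VERSION }}
+COMMITS: ${{ env.COMMITS }}
 AWS_DEFAULT_REGION: us-east-1
 TEST_TAG: public.ecr.aws/aws-observability/adot-autoinstrumentation-java:test-v2
 
@@ -30,9 +32,9 @@ jobs:
 name: Parse release branch name
 run: |
 # Sets the release-branch-name output to the version number with the last non-period element replaced with an 'x' and preprended with v.
-echo "release-branch-name=$(echo '${{ github.event.inputs.version }}' | sed -E 's/([^.]+)\.([^.]+)\.([^.]+)/v\1.\2.x/')" >> $GITHUB_OUTPUT
+echo "release-branch-name=$(echo '${{ env.VERSION }}' | sed -E 's/([^.]+)\.([^.]+)\.([^.]+)/v\1.\2.x/')" >> $GITHUB_OUTPUT
 # Sets the release-tag-name output to the version number with the last non-period element replace with a '0' and prepended with v
-echo "release-tag-name=$(echo '${{ github.event.inputs.version }}' | sed -E 's/([^.]+)\.([^.]+)\.([^.]+)/v\1.\2.0/')" >> $GITHUB_OUTPUT
+echo "release-tag-name=$(echo '${{ env.VERSION }}' | sed -E 's/([^.]+)\.([^.]+)\.([^.]+)/v\1.\2.0/')" >> $GITHUB_OUTPUT
 - id: checkout-release-branch
 name: Check out release branch
 # Will fail if there is no release branch yet or succeed otherwise
@@ -84,14 +86,14 @@ jobs:
 if: ${{ github.event.inputs.commits != '' }}
 run: |
 git fetch origin main
-echo ${{ github.event.inputs.commits }} | sed -n 1'p' | tr ',' '\n' | while read word; do
+echo ${{ env.COMMITS }} | sed -n 1'p' | tr ',' '\n' | while read word; do
 # Trim whitespaces and cherrypick
 echo $word | sed 's/ *$//g' | sed 's/^ *//g' | git cherry-pick --stdin
 done
 - name: Build release with Gradle
 uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 #v3.5.0
 with:
-arguments: build integrationTests -PlocalDocker=true -Prelease.version=${{ github.event.inputs.version }} --stacktrace
+arguments: build integrationTests -PlocalDocker=true -Prelease.version=${{ env.VERSION }} --stacktrace
 
 - name: Configure AWS Credentials
 uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #v5.0.0
@@ -116,30 +118,30 @@ jobs:
 uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0
 with:
 push: false
-build-args: "ADOT_JAVA_VERSION=${{ github.event.inputs.version }}"
+build-args: "ADOT_JAVA_VERSION=${{ env.VERSION }}"
 context: .
 platforms: linux/amd64
 tags: ${{ env.TEST_TAG }}
 load: true
 
 - name: Test docker image
 shell: bash
-run: .github/scripts/test-adot-javaagent-image.sh "${{ env.TEST_TAG }}" "${{ github.event.inputs.version }}"
+run: .github/scripts/test-adot-javaagent-image.sh "${{ env.TEST_TAG }}" "${{ env.VERSION }}"
 
 - name: Build and push image
 uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0
 with:
 push: true
-build-args: "ADOT_JAVA_VERSION=${{ github.event.inputs.version }}"
+build-args: "ADOT_JAVA_VERSION=${{ env.VERSION }}"
 context: .
 platforms: linux/amd64,linux/arm64
 tags: |
-public.ecr.aws/aws-observability/adot-autoinstrumentation-java:v${{ github.event.inputs.version }}
+public.ecr.aws/aws-observability/adot-autoinstrumentation-java:v${{ env.VERSION }}
 
 - name: Build and Publish release with Gradle
 uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 #v3.5.0
 with:
-arguments: build final closeAndReleaseSonatypeStagingRepository -Prelease.version=${{ github.event.inputs.version }} --stacktrace
+arguments: build final closeAndReleaseSonatypeStagingRepository -Prelease.version=${{ env.VERSION }} --stacktrace
 env:
 PUBLISH_TOKEN_USERNAME: ${{ secrets.PUBLISH_TOKEN_USERNAME }}
 PUBLISH_TOKEN_PASSWORD: ${{ secrets.PUBLISH_TOKEN_PASSWORD }}
@@ -151,9 +153,9 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
 run: |
-cp "otelagent/build/libs/aws-opentelemetry-agent-${{ github.event.inputs.version }}.jar" aws-opentelemetry-agent.jar
+cp "otelagent/build/libs/aws-opentelemetry-agent-${{ env.VERSION }}.jar" aws-opentelemetry-agent.jar
 gh release create --target "$GITHUB_REF_NAME" \
---title "Release v${{ github.event.inputs.version }}" \
+--title "Release v${{ env.VERSION }}" \
 --draft \
-"v${{ github.event.inputs.version }}" \
+"v${{ env.VERSION }}" \
 aws-opentelemetry-agent.jar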
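Review bot: The added workflow-level entries `VERSION: ${{ env.VERSION }}` and `COMMITS: ${{ env.COMMITS }}` are self-referential — nothing reads `github.event.inputs.version` or `github.event.inputs.commits` any more, and the `env` context is not available when workflow-level `env` is evaluated, so these either fail validation or resolve to empty and every later `${{ env.VERSION }}` expands to nothing. They should be `VERSION: ${{ github.event.inputs.version }}` and `COMMITS: ${{ github.event.inputs.commits }}`. Routing the input through `env` also does not remove the injection in the `run:` blocks: `${{ env.VERSION }}` in "Parse release branch name" and `${{ env.COMMITS }}` in the cherry-pick loop are still substituted into the script text before bash runs it, so those lines should read the exported shell variables instead, e.g. `echo "release-branch-name=$(echo "$VERSION" | sed -E 's/([^.]+)\.([^.]+)\.([^.]+)/v\1.\2.x/')" >> "$GITHUB_OUTPUT"` and `echo "$COMMITS" | sed -n 1'p' | tr ',' '\n' | while read word; do`. The same self-referential `env` pattern appears in the other four workflow files in this commit.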

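--- a/.github/workflows/post-release-version-bump.yml
+++ b/.github/workflows/post-release-version-bump.yml
@@ -12,6 +12,8 @@ on:
 default: 'false'
 
 env:
+VERSION: ${{ env.VERSION }}
+IS_PATCH: ${{ env.IS_PATCH }}
 AWS_DEFAULT_REGION: us-east-1
 
 permissions:
@@ -31,8 +33,8 @@ jobs:
 
 - name: Extract Major.Minor Version and setup Env variable
 run: |
-echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
-echo "MAJOR_MINOR=$(echo ${{ github.event.inputs.version }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
+echo "VERSION=${{ env.VERSION }}" >> $GITHUB_ENV
+echo "MAJOR_MINOR=$(echo ${{ env.VERSION }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
 
 - name: Get current major.minor version from main branch
 id: get_version
@@ -89,8 +91,8 @@ jobs:
 
 - name: Extract Major.Minor Version and setup Env variable
 run: |
-echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
-echo "MAJOR_MINOR=$(echo ${{ github.event.inputs.version }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
+echo "VERSION=${{ env.VERSION }}" >> $GITHUB_ENV
+echo "MAJOR_MINOR=$(echo ${{ env.VERSION }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
 
 - name: Determine release branch and checkout
 run: |
@@ -100,13 +102,13 @@ jobs:
 
 - name: Update version to next development version in main
 run: |
-DEV_VERSION="${{ github.event.inputs.version }}-SNAPSHOT"
+DEV_VERSION="${{ env.VERSION }}-SNAPSHOT"
 sed -i'' -e "s/val adotVersion = \".*\"/val adotVersion = \"${DEV_VERSION}\"/" version.gradle.kts
-VERSION="${{ github.event.inputs.version }}"
+VERSION="${{ env.VERSION }}"
 sed -i'' -e 's/adot-autoinstrumentation-java:v2.*"/adot-autoinstrumentation-java:v'$VERSION'"/' .github/workflows/daily-scan.yml
 
 # for patch releases, avoid merge conflict by manually resolving CHANGELOG with main
-if [[ "${{ github.event.inputs.is_patch }}" == "true" ]]; then
+if [[ "${{ env.IS_PATCH }}" == "true" ]]; then
 # Copy the patch release entries
 sed -n "/^## v${VERSION}/,/^## v[0-9]/p" CHANGELOG.md | sed '$d' > /tmp/patch_release_section.txt
 git fetch origin main
@@ -125,7 +127,7 @@ jobs:
 env:
 GITHUB_TOKEN: ${{ env.BOT_TOKEN_GITHUB_RW_PATOKEN }}
 run: |
-DEV_VERSION="${{ github.event.inputs.version }}-SNAPSHOT"
+DEV_VERSION="${{ env.VERSION }}-SNAPSHOT"
 gh pr create --title "Post release $VERSION: Update version to $DEV_VERSION" \
 --body "This PR prepares the main branch for the next development cycle by updating the version to $DEV_VERSION and updating the image version to be scanned to the latest released.
 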

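--- a/.github/workflows/pre-release-prepare.yml
+++ b/.github/workflows/pre-release-prepare.yml
@@ -12,6 +12,8 @@ on:
 default: 'false'
 
 env:
+VERSION: ${{ env.VERSION }}
+IS_PATCH: ${{ env.IS_PATCH }}
 AWS_DEFAULT_REGION: us-east-1
 
 permissions:
@@ -51,12 +53,12 @@ jobs:
 
 - name: Extract Major.Minor Version and setup Env variable
 run: |
-echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
-echo "MAJOR_MINOR=$(echo ${{ github.event.inputs.version }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
+echo "VERSION=${{ env.VERSION }}" >> $GITHUB_ENV
+echo "MAJOR_MINOR=$(echo ${{ env.VERSION }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
 
 - name: Create branches
 run: |
-IS_PATCH=${{ github.event.inputs.is_patch }}
+IS_PATCH=${{ env.IS_PATCH }}
 if [[ "$IS_PATCH" != "true" && "$IS_PATCH" != "false" ]]; then
 echo "Invalid input for IS_PATCH. Must be 'true' or 'false'."
 exit 1
@@ -95,7 +97,7 @@ jobs:
 git push origin "v${VERSION}_release"
 
 - name: Update CHANGELOG for release
-if: github.event.inputs.is_patch != 'true'
+if: env.IS_PATCH != 'true'
 run: |
 sed -i "s/## Unreleased/## Unreleased\n\n## v${VERSION} - $(date +%Y-%m-%d)/" CHANGELOG.md
 git add CHANGELOG.md
@@ -110,5 +112,5 @@ jobs:
 --body "This PR updates the version to ${VERSION}.
 
 By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice." \
---head v${{ github.event.inputs.version }}_release \
+--head v${{ env.VERSION }}_release \
 --base release/v${MAJOR_MINOR}.x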
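Review bot: The workflow-level `VERSION: ${{ env.VERSION }}` and `IS_PATCH: ${{ env.IS_PATCH }}` are self-referential here too, so `IS_PATCH=${{ env.IS_PATCH }}` in "Create branches" assigns an empty value and the check right below it (`"$IS_PATCH" != "true" && "$IS_PATCH" != "false"`) would fail the job on every run. With the `env` block reading `${{ github.event.inputs.is_patch }}`, `IS_PATCH` is already exported to the shell and that assignment line can simply be removed. The `gh pr create` step still splices the expression into the script; `--head "v${VERSION}_release" \` matches the `git push origin "v${VERSION}_release"` form already used earlier in the file. `if: env.IS_PATCH != 'true'` is an expression rather than shell and is fine once the env value is actually populated.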

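--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -11,6 +11,8 @@ on:
 default: 'us-east-1, us-east-2, us-west-1, us-west-2, ap-south-1, ap-northeast-3, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-northeast-1, ca-central-1, eu-central-1, eu-west-1, eu-west-2, eu-west-3, eu-north-1, sa-east-1, af-south-1, ap-east-1, ap-south-2, ap-southeast-3, ap-southeast-4, eu-central-2, eu-south-1, eu-south-2, il-central-1, me-central-1, me-south-1, ap-southeast-5, ap-southeast-7, mx-central-1, ca-west-1, cn-north-1, cn-northwest-1'
 
 env:
+VERSION: ${{ env.VERSION }}
+AWS_REGION: ${{ env.AWS_REGION }}
 AWS_PUBLIC_ECR_REGION: us-east-1
 AWS_PRIVATE_ECR_REGION: us-west-2
 TEST_TAG: public.ecr.aws/aws-observability/adot-autoinstrumentation-java:test-v2
@@ -76,13 +78,13 @@ jobs:
 - name: Build release with Gradle
 uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 #v3.5.0
 with:
-arguments: build integrationTests -PlocalDocker=true -Prelease.version=${{ github.event.inputs.version }} --stacktrace
+arguments: build integrationTests -PlocalDocker=true -Prelease.version=${{ env.VERSION }} --stacktrace
 
 - name: Upload SDK artifact
 uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 #v4.6.2
 with:
 name: ${{ env.ARTIFACT_NAME }}
-path: otelagent/build/libs/aws-opentelemetry-agent-${{ github.event.inputs.version }}.jar
+path: otelagent/build/libs/aws-opentelemetry-agent-${{ env.VERSION }}.jar
 
 build-layer:
 needs: build-sdk
@@ -93,7 +95,7 @@ jobs:
 - name: Set up regions matrix
 id: set-matrix
 env:
-AWS_REGIONS: ${{ github.event.inputs.aws_region }}
+AWS_REGIONS: ${{ env.AWS_REGION }}
 run: |
 IFS=',' read -ra REGIONS <<< "$AWS_REGIONS"
 MATRIX="["
@@ -157,7 +159,7 @@ jobs:
 - name: Build release with Gradle
 uses: gradle/gradle-build-action@a8f75513eafdebd8141bd1cd4e30fcd194af8dfa #v2
 with:
-arguments: build integrationTests -PlocalDocker=true -Prelease.version=${{ github.event.inputs.version }} --stacktrace
+arguments: build integrationTests -PlocalDocker=true -Prelease.version=${{ env.VERSION }} --stacktrace
 
 - name: Configure AWS Credentials for public ECR
 uses: aws-actions/configure-aws-credentials@a03048d87541d1d9fcf2ecf528a4a65ba9bd7838 #v5.0.0
@@ -193,33 +195,33 @@ jobs:
 uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0
 with:
 push: false
-build-args: "ADOT_JAVA_VERSION=${{ github.event.inputs.version }}"
+build-args: "ADOT_JAVA_VERSION=${{ env.VERSION }}"
 context: .
 platforms: linux/amd64
 tags: ${{ env.TEST_TAG }}
 load: true
 
 - name: Test docker image
 env:
-VERSION: ${{ github.event.inputs.version }}
+VERSION: ${{ env.VERSION }}
 shell: bash
 run: .github/scripts/test-adot-javaagent-image.sh "${{ env.TEST_TAG }}" "$VERSION"
 
 - name: Build and push image
 uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 #v6.18.0
 with:
 push: true
-build-args: "ADOT_JAVA_VERSION=${{ github.event.inputs.version }}"
+build-args: "ADOT_JAVA_VERSION=${{ env.VERSION }}"
 context: .
 platforms: linux/amd64,linux/arm64
 tags: |
-${{ env.PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}
-${{ env.PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}
+${{ env.PUBLIC_REPOSITORY }}:v${{ env.VERSION }}
+${{ env.PRIVATE_REPOSITORY }}:v${{ env.VERSION }}
 
 - name: Build and Publish release with Gradle
 uses: gradle/actions/setup-gradle@d9c87d481d55275bb5441eef3fe0e46805f9ef70 #v3.5.0
 with:
-arguments: build final closeAndReleaseSonatypeStagingRepository -Prelease.version=${{ github.event.inputs.version }} --stacktrace
+arguments: build final closeAndReleaseSonatypeStagingRepository -Prelease.version=${{ env.VERSION }} --stacktrace
 env:
 PUBLISH_TOKEN_USERNAME: ${{ secrets.PUBLISH_TOKEN_USERNAME }}
 PUBLISH_TOKEN_PASSWORD: ${{ secrets.PUBLISH_TOKEN_PASSWORD }}
@@ -403,7 +405,7 @@ jobs:
 
 - name: Rename artifacts
 env:
-VERSION: ${{ github.event.inputs.version }}
+VERSION: ${{ env.VERSION }}
 run: |
 cp "aws-opentelemetry-agent-$VERSION.jar" ${{ env.ARTIFACT_NAME }}
 cp aws-opentelemetry-java-layer.zip layer.zip
@@ -413,7 +415,7 @@ jobs:
 id: create_release
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-VERSION: ${{ github.event.inputs.version }}
+VERSION: ${{ env.VERSION }}
 run: |
 # Extract versions from dependency files
 OTEL_INSTRUMENTATION_VERSION=$(grep "val otelVersion" dependencyManagement/build.gradle.kts | sed 's/.*= "\([^"]*\)".*/\1/')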
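Review bot: The step-level `VERSION: ${{ github.event.inputs.version }}` entries in "Test docker image", "Rename artifacts" and the create_release step were already the safe pattern — the input only reached the shell as `$VERSION` — and replacing them with `VERSION: ${{ env.VERSION }}` now points them at the new workflow-level `VERSION: ${{ env.VERSION }}`, which is self-referential and never reads the input. If that top-level line is corrected to `VERSION: ${{ github.event.inputs.version }}` the three step-level overrides become no-ops and can be dropped; if it is not, `cp "aws-opentelemetry-agent-$VERSION.jar" ...` and the release creation run with an empty version. `AWS_REGION: ${{ env.AWS_REGION }}` has the same problem and should read `${{ github.event.inputs.aws_region }}`; the `AWS_REGIONS` step env and the `IFS=',' read -ra REGIONS <<< "$AWS_REGIONS"` line below it are otherwise the right shape. The `run:` block of the last hunk continues outside the lines shown.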

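--- a/.github/workflows/soak-testing.yml
+++ b/.github/workflows/soak-testing.yml
@@ -25,6 +25,9 @@ env:
 CPU_LOAD_THRESHOLD: 55
 TOTAL_MEMORY_THRESHOLD: 4294967296 # 4 GiB
 MAX_BENCHMARKS_TO_KEEP: 100
+TARGET_COMMIT_SHA: ${{ env.TARGET_COMMIT_SHA }}
+TEST_DURATION_MINUTES_INPUT: ${{ env.TEST_DURATION_MINUTES_INPUT }}
+EVENT_NAME: ${{ env.EVENT_NAME }}
 # TODO: We might be able to adapt the "Soak Tests" to be "Overhead Tests".
 # This means monitoring the Sample App's performance using high levels of TPS
 # for the Load Generator over a shorter period of testing time. For example:
@@ -52,16 +55,16 @@ jobs:
 # MARK: - GitHub Workflow Event Type Specific Values
 
 - name: Use INPUT as commit SHA
-if: ${{ github.event_name == 'workflow_dispatch' }}
+if: ${{ env.EVENT_NAME == 'workflow_dispatch' }}
 run: |
-echo "TARGET_SHA=${{ github.event.inputs.target_commit_sha }}" | tee --append $GITHUB_ENV;
+echo "TARGET_SHA=${{ env.TARGET_COMMIT_SHA }}" | tee --append $GITHUB_ENV;
 - name: Use LATEST as commit SHA
-if: ${{ github.event_name != 'workflow_dispatch' }}
+if: ${{ env.EVENT_NAME != 'workflow_dispatch' }}
 run: |
 echo "TARGET_SHA=${{ github.sha }}" | tee --append $GITHUB_ENV;
 - name: Configure Performance Test Duration
 run: |
-echo "TEST_DURATION_MINUTES=${{ github.event.inputs.test_duration_minutes || env.DEFAULT_TEST_DURATION_MINUTES }}" | tee --append $GITHUB_ENV;
+echo "TEST_DURATION_MINUTES=${{ env.TEST_DURATION_MINUTES_INPUT || env.DEFAULT_TEST_DURATION_MINUTES }}" | tee --append $GITHUB_ENV;
 - name: Clone This Repo @ ${{ env.TARGET_SHA }}
 uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 with:
@@ -224,14 +227,14 @@ jobs:
 # https://github.com/open-telemetry/opentelemetry-python/pull/1478
 # comment-always: true
 fail-on-alert: true
-auto-push: ${{ github.event_name == 'schedule' &&
+auto-push: ${{ env.EVENT_NAME == 'schedule' &&
 steps.check-already-have-performance-results.outcome == 'failure' &&
 github.ref == 'refs/heads/main' }}
 gh-pages-branch: gh-pages
 benchmark-data-dir-path: soak-tests/per-commit-overall-results
 - name: Publish Issue if failed DURING Performance Tests
 uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 # v2.9.2
-if: ${{ github.event_name == 'schedule' &&
+if: ${{ env.EVENT_NAME == 'schedule' &&
 steps.check-failure-during-performance-tests.outcome == 'failure' }}
 env:
 APP_PLATFORM: ${{ matrix.app-platform }}
@@ -242,7 +245,7 @@ jobs:
 update_existing: true
 - name: Publish Issue if failed AFTER Performance Tests
 uses: JasonEtco/create-an-issue@1b14a70e4d8dc185e5cc76d3bec9eab20257b2c5 #v2.9.2
-if: ${{ github.event_name == 'schedule' &&
+if: ${{ env.EVENT_NAME == 'schedule' &&
 steps.check-failure-after-performance-tests.outcome == 'failure' }}
 env:
 APP_PLATFORM: ${{ matrix.app-platform }}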
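Review bot: Replacing `github.event_name` with `env.EVENT_NAME` in the `if:` and `auto-push:` expressions does not address injection — `github.event_name` is set by the platform rather than by a user input, and these are expressions, not shell — and because `EVENT_NAME: ${{ env.EVENT_NAME }}` is self-referential with no `github.event_name` source, `env.EVENT_NAME == 'schedule'` appears never to be true (disabling `auto-push` and both "Publish Issue" steps) while `env.EVENT_NAME != 'workflow_dispatch'` is always true (so "Use LATEST as commit SHA" would also run on a dispatch and its later `tee --append` to `$GITHUB_ENV` would override the requested SHA). Those conditions should go back to `github.event_name`. The one value that does need the change is the dispatch SHA: set `TARGET_COMMIT_SHA: ${{ github.event.inputs.target_commit_sha }}` in `env` and read it in the step as `echo "TARGET_SHA=$TARGET_COMMIT_SHA" | tee --append $GITHUB_ENV;`, and likewise `TEST_DURATION_MINUTES_INPUT: ${{ github.event.inputs.test_duration_minutes }}` with `echo "TEST_DURATION_MINUTES=${TEST_DURATION_MINUTES_INPUT:-$DEFAULT_TEST_DURATION_MINUTES}" | tee --append $GITHUB_ENV;` so the input never appears in the script text.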
