fix: prevent script injection in workflows

Author: github-actions

.github/workflows/patch-release-build.yml

@@ -11,6 +11,8 @@ on:
         description: Comma separated list of commit shas to cherrypick
 
 env:
+  VERSION: ${{ env.VERSION }}
+  COMMITS: ${{ env.COMMITS }}
   AWS_DEFAULT_REGION: us-east-1
   TEST_TAG: public.ecr.aws/aws-observability/adot-autoinstrumentation-java:test
 
@@ -30,9 +32,9 @@ jobs:
         name: Parse release branch name
         run: |
           # Sets the release-branch-name output to the version number with the last non-period element replaced with an 'x' and preprended with v.
-          echo "release-branch-name=$(echo '${{ github.event.inputs.version }}' | sed -E 's/([^.]+)\.([^.]+)\.([^.]+)/v\1.\2.x/')" >> $GITHUB_OUTPUT
+          echo "release-branch-name=$(echo '${{ env.VERSION }}' | sed -E 's/([^.]+)\.([^.]+)\.([^.]+)/v\1.\2.x/')" >> $GITHUB_OUTPUT
           # Sets the release-tag-name output to the version number with the last non-period element replace with a '0' and prepended with v
-          echo "release-tag-name=$(echo '${{ github.event.inputs.version }}' | sed -E 's/([^.]+)\.([^.]+)\.([^.]+)/v\1.\2.0/')" >> $GITHUB_OUTPUT
+          echo "release-tag-name=$(echo '${{ env.VERSION }}' | sed -E 's/([^.]+)\.([^.]+)\.([^.]+)/v\1.\2.0/')" >> $GITHUB_OUTPUT
       - id: checkout-release-branch
         name: Check out release branch
         # Will fail if there is no release branch yet or succeed otherwise
@@ -83,15 +85,15 @@ jobs:
         if: ${{ github.event.inputs.commits != '' }}
         run: |
           git fetch origin main
-          echo ${{ github.event.inputs.commits }} | sed -n 1'p' | tr ',' '\n' | while read word; do
+          echo ${{ env.COMMITS }} | sed -n 1'p' | tr ',' '\n' | while read word; do
               # Trim whitespaces and cherrypick
               echo $word | sed 's/ *$//g' | sed 's/^ *//g' | git cherry-pick --stdin
           done
 
       - name: Build release with Gradle
         uses: gradle/gradle-build-action@v2
         with:
-          arguments: build integrationTests -PlocalDocker=true -Prelease.version=${{ github.event.inputs.version }} --stacktrace
+          arguments: build integrationTests -PlocalDocker=true -Prelease.version=${{ env.VERSION }} --stacktrace
 
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v1
@@ -114,30 +116,30 @@ jobs:
         uses: docker/build-push-action@v4
         with:
           push: false
-          build-args: "ADOT_JAVA_VERSION=${{ github.event.inputs.version }}"
+          build-args: "ADOT_JAVA_VERSION=${{ env.VERSION }}"
           context: .
           platforms: linux/amd64
           tags: ${{ env.TEST_TAG }}
           load: true
 
       - name: Test docker image
         shell: bash
-        run: .github/scripts/test-adot-javaagent-image.sh "${{ env.TEST_TAG }}" "${{ github.event.inputs.version }}"
+        run: .github/scripts/test-adot-javaagent-image.sh "${{ env.TEST_TAG }}" "${{ env.VERSION }}"
 
       - name: Build and push image
         uses: docker/build-push-action@v4
         with:
           push: true
-          build-args: "ADOT_JAVA_VERSION=${{ github.event.inputs.version }}"
+          build-args: "ADOT_JAVA_VERSION=${{ env.VERSION }}"
           context: .
           platforms: linux/amd64,linux/arm64
           tags: |
-            public.ecr.aws/aws-observability/adot-autoinstrumentation-java:v${{ github.event.inputs.version }}
+            public.ecr.aws/aws-observability/adot-autoinstrumentation-java:v${{ env.VERSION }}
 
       - name: Build and Publish release with Gradle
         uses: gradle/gradle-build-action@v2
         with:
-          arguments: build final closeAndReleaseSonatypeStagingRepository -Prelease.version=${{ github.event.inputs.version }} --stacktrace
+          arguments: build final closeAndReleaseSonatypeStagingRepository -Prelease.version=${{ env.VERSION }} --stacktrace
         env:
           PUBLISH_USERNAME: ${{ secrets.PUBLISH_USERNAME }}
           PUBLISH_PASSWORD: ${{ secrets.PUBLISH_PASSWORD }}
@@ -151,8 +153,8 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          tag_name: v${{ github.event.inputs.version }}
-          release_name: Release v${{ github.event.inputs.version }}
+          tag_name: v${{ env.VERSION }}
+          release_name: Release v${{ env.VERSION }}
           draft: true
           prerelease: false
 
@@ -163,6 +165,6 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: otelagent/build/libs/aws-opentelemetry-agent-${{ github.event.inputs.version }}.jar
+          asset_path: otelagent/build/libs/aws-opentelemetry-agent-${{ env.VERSION }}.jar
           asset_name: aws-opentelemetry-agent.jar
           asset_content_type: application/java-archive

.github/workflows/release-build.yml

@@ -7,6 +7,8 @@ on:
         required: true
 
 env:
+  VERSION: ${{ env.VERSION }}
+  AWS_REGION: ${{ env.AWS_REGION }}
   AWS_DEFAULT_REGION: us-east-1
   TEST_TAG: public.ecr.aws/aws-observability/adot-autoinstrumentation-java:test
 
@@ -46,7 +48,7 @@ jobs:
       - name: Build release with Gradle
         uses: gradle/gradle-build-action@v2
         with:
-          arguments: build integrationTests -PlocalDocker=true -Prelease.version=${{ github.event.inputs.version }} --stacktrace
+          arguments: build integrationTests -PlocalDocker=true -Prelease.version=${{ env.VERSION }} --stacktrace
 
       - name: Configure AWS Credentials
         uses: aws-actions/configure-aws-credentials@v1
@@ -69,30 +71,30 @@ jobs:
         uses: docker/build-push-action@v4
         with:
           push: false
-          build-args: "ADOT_JAVA_VERSION=${{ github.event.inputs.version }}"
+          build-args: "ADOT_JAVA_VERSION=${{ env.VERSION }}"
           context: .
           platforms: linux/amd64
           tags: ${{ env.TEST_TAG }}
           load: true
 
       - name: Test docker image
         shell: bash
-        run: .github/scripts/test-adot-javaagent-image.sh "${{ env.TEST_TAG }}" "${{ github.event.inputs.version }}"
+        run: .github/scripts/test-adot-javaagent-image.sh "${{ env.TEST_TAG }}" "${{ env.VERSION }}"
 
       - name: Build and push image
         uses: docker/build-push-action@v4
         with:
           push: true
-          build-args: "ADOT_JAVA_VERSION=${{ github.event.inputs.version }}"
+          build-args: "ADOT_JAVA_VERSION=${{ env.VERSION }}"
           context: .
           platforms: linux/amd64,linux/arm64
           tags: |
-            public.ecr.aws/aws-observability/adot-autoinstrumentation-java:v${{ github.event.inputs.version }}
+            public.ecr.aws/aws-observability/adot-autoinstrumentation-java:v${{ env.VERSION }}
 
       - name: Build and Publish release with Gradle
         uses: gradle/gradle-build-action@v2
         with:
-          arguments: build final closeAndReleaseSonatypeStagingRepository -Prelease.version=${{ github.event.inputs.version }} --stacktrace
+          arguments: build final closeAndReleaseSonatypeStagingRepository -Prelease.version=${{ env.VERSION }} --stacktrace
         env:
           PUBLISH_USERNAME: ${{ secrets.PUBLISH_USERNAME }}
           PUBLISH_PASSWORD: ${{ secrets.PUBLISH_PASSWORD }}
@@ -106,8 +108,8 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
-          tag_name: v${{ github.event.inputs.version }}
-          release_name: Release v${{ github.event.inputs.version }}
+          tag_name: v${{ env.VERSION }}
+          release_name: Release v${{ env.VERSION }}
           draft: true
           prerelease: false
 
@@ -118,6 +120,6 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           upload_url: ${{ steps.create_release.outputs.upload_url }}
-          asset_path: otelagent/build/libs/aws-opentelemetry-agent-${{ github.event.inputs.version }}.jar
+          asset_path: otelagent/build/libs/aws-opentelemetry-agent-${{ env.VERSION }}.jar
           asset_name: aws-opentelemetry-agent.jar
           asset_content_type: application/java-archive

.github/workflows/soak-testing.yml

@@ -25,6 +25,9 @@ env:
   CPU_LOAD_THRESHOLD: 55
   TOTAL_MEMORY_THRESHOLD: 4294967296 # 4 GiB
   MAX_BENCHMARKS_TO_KEEP: 100
+  TARGET_COMMIT_SHA: ${{ env.TARGET_COMMIT_SHA }}
+  TEST_DURATION_MINUTES_INPUT: ${{ env.TEST_DURATION_MINUTES_INPUT }}
+  EVENT_NAME: ${{ env.EVENT_NAME }}
   # TODO: We might be able to adapt the "Soak Tests" to be "Overhead Tests".
   # This means monitoring the Sample App's performance using high levels of TPS
   # for the Load Generator over a shorter period of testing time. For example:
@@ -52,16 +55,16 @@ jobs:
     # MARK: - GitHub Workflow Event Type Specific Values
 
       - name: Use INPUT as commit SHA
-        if: ${{ github.event_name == 'workflow_dispatch' }}
+        if: ${{ env.EVENT_NAME == 'workflow_dispatch' }}
         run: |
-          echo "TARGET_SHA=${{ github.event.inputs.target_commit_sha }}" | tee --append $GITHUB_ENV;
+          echo "TARGET_SHA=${{ env.TARGET_COMMIT_SHA }}" | tee --append $GITHUB_ENV;
       - name: Use LATEST as commit SHA
-        if: ${{ github.event_name != 'workflow_dispatch' }}
+        if: ${{ env.EVENT_NAME != 'workflow_dispatch' }}
         run: |
           echo "TARGET_SHA=${{ github.sha }}" | tee --append $GITHUB_ENV;
       - name: Configure Performance Test Duration
         run: |
-          echo "TEST_DURATION_MINUTES=${{ github.event.inputs.test_duration_minutes || env.DEFAULT_TEST_DURATION_MINUTES }}" | tee --append $GITHUB_ENV;
+          echo "TEST_DURATION_MINUTES=${{ env.TEST_DURATION_MINUTES_INPUT || env.DEFAULT_TEST_DURATION_MINUTES }}" | tee --append $GITHUB_ENV;
       - name: Clone This Repo @ ${{ env.TARGET_SHA }}
         uses: actions/checkout@v2
         with:
@@ -224,14 +227,14 @@ jobs:
           # https://github.com/open-telemetry/opentelemetry-python/pull/1478
           # comment-always: true
           fail-on-alert: true
-          auto-push: ${{ github.event_name == 'schedule' &&
+          auto-push: ${{ env.EVENT_NAME == 'schedule' &&
             steps.check-already-have-performance-results.outcome == 'failure' &&
             github.ref == 'refs/heads/main' }}
           gh-pages-branch: gh-pages
           benchmark-data-dir-path: soak-tests/per-commit-overall-results
       - name: Publish Issue if failed DURING Performance Tests
         uses: JasonEtco/create-an-issue@v2
-        if: ${{ github.event_name == 'schedule' &&
+        if: ${{ env.EVENT_NAME == 'schedule' &&
           steps.check-failure-during-performance-tests.outcome == 'failure' }}
         env:
           APP_PLATFORM: ${{ matrix.app-platform }}
@@ -242,7 +245,7 @@ jobs:
           update_existing: true
       - name: Publish Issue if failed AFTER Performance Tests
         uses: JasonEtco/create-an-issue@v2
-        if: ${{ github.event_name == 'schedule' &&
+        if: ${{ env.EVENT_NAME == 'schedule' &&
           steps.check-failure-after-performance-tests.outcome == 'failure' }}
         env:
           APP_PLATFORM: ${{ matrix.app-platform }}