fix: prevent script injection in workflows

thpierce · thpierce · commit 46ace0fd0520 · 2026-02-10T12:04:44.000-08:00
Move github.event references to env vars to prevent script injection vulnerabilities in run steps
diff --git a/.github/workflows/post-release-version-bump.yml b/.github/workflows/post-release-version-bump.yml
@@ -12,6 +12,10 @@ on:
         default: 'false'
 
 env:
+  VERSION: ${{ env.VERSION }}
+  IS_PATCH: ${{ env.IS_PATCH }}
+
+
   AWS_DEFAULT_REGION: us-east-1
 
 permissions:
@@ -100,13 +104,13 @@ jobs:
 
       - name: Update version to next development version in main
         run: |
-          DEV_VERSION="${{ github.event.inputs.version }}.dev0"
+          DEV_VERSION="${{ env.VERSION }}.dev0"
           sed -i 's/__version__ = ".*"/__version__ = "'$DEV_VERSION'"/' aws-opentelemetry-distro/src/amazon/opentelemetry/distro/version.py
-          VERSION="${{ github.event.inputs.version }}"
+          VERSION="${{ env.VERSION }}"
           sed -i 's/python:v.*"/python:v'$VERSION'"/' .github/workflows/daily-scan.yml
           
           # for patch releases, avoid merge conflict by manually resolving CHANGELOG with main
-          if [[ "${{ github.event.inputs.is_patch }}" == "true" ]]; then
+          if [[ "${{ env.IS_PATCH }}" == "true" ]]; then
             # Copy the patch release entries
             sed -n "/^## v${VERSION}/,/^## v[0-9]/p" CHANGELOG.md | sed '$d' > /tmp/patch_release_section.txt
 
@@ -127,7 +131,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ env.BOT_TOKEN_GITHUB_RW_PATOKEN }}
         run: |
-          DEV_VERSION="${{ github.event.inputs.version }}.dev0"
+          DEV_VERSION="${{ env.VERSION }}.dev0"
           gh pr create --title "Post release $VERSION: Update version to $DEV_VERSION" \
                        --body "This PR prepares the main branch for the next development cycle by updating the version to $DEV_VERSION and updating the image version to be scanned to the latest released.
           
diff --git a/.github/workflows/pre-release-prepare.yml b/.github/workflows/pre-release-prepare.yml
@@ -12,6 +12,10 @@ on:
         default: 'false'
 
 env:
+  VERSION: ${{ env.VERSION }}
+  IS_PATCH: ${{ env.IS_PATCH }}
+
+
   AWS_DEFAULT_REGION: us-east-1
 
 permissions:
@@ -56,7 +60,7 @@ jobs:
 
       - name: Create branches
         run: |
-          IS_PATCH=${{ github.event.inputs.is_patch }}
+          IS_PATCH=${{ env.IS_PATCH }}
           if [[ "$IS_PATCH" != "true" && "$IS_PATCH" != "false" ]]; then
             echo "Invalid input for IS_PATCH. Must be 'true' or 'false'."
             exit 1
@@ -109,5 +113,5 @@ jobs:
                        --body "This PR updates the version to ${VERSION}.
           
           By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice." \
-                       --head v${{ github.event.inputs.version }}_release \
+                       --head v${{ env.VERSION }}_release \
                        --base release/v${MAJOR_MINOR}.x
diff --git a/.github/workflows/release-build.yml b/.github/workflows/release-build.yml
@@ -18,13 +18,13 @@ env:
   RELEASE_PRIVATE_REPOSITORY: 020628701572.dkr.ecr.us-west-2.amazonaws.com/adot-autoinstrumentation-python
   RELEASE_PRIVATE_REGISTRY: 020628701572.dkr.ecr.us-west-2.amazonaws.com
   PACKAGE_NAME: aws-opentelemetry-distro
-  WHEEL_ARTIFACT_NAME: aws_opentelemetry_distro-${{ github.event.inputs.version }}-py3-none-any.whl
-  SOURCE_ARTIFACT_NAME: aws_opentelemetry_distro-${{ github.event.inputs.version }}.tar.gz
+  WHEEL_ARTIFACT_NAME: aws_opentelemetry_distro-${{ env.VERSION }}-py3-none-any.whl
+  SOURCE_ARTIFACT_NAME: aws_opentelemetry_distro-${{ env.VERSION }}.tar.gz
   # Legacy list of commercial regions to deploy to. New regions should NOT be added here, and instead should be added to the `aws_region` default input to the workflow.
   LEGACY_COMMERCIAL_REGIONS: us-east-1, us-east-2, us-west-1, us-west-2, ap-south-1, ap-northeast-3, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-northeast-1, ca-central-1, eu-central-1, eu-west-1, eu-west-2, eu-west-3, eu-north-1, sa-east-1
   LAYER_NAME: AWSOpenTelemetryDistroPython
   LAYER_ARTIFACT_NAME: aws-opentelemetry-python-layer.zip
-  VERSION: ${{ github.event.inputs.version }}
+  VERSION: ${{ env.VERSION }}
 
 permissions:
   id-token: write
@@ -91,7 +91,7 @@ jobs:
       - name: Set up regions matrix
         id: set-matrix
         env:
-          AWS_REGIONS: ${{ github.event.inputs.aws_region }}
+          AWS_REGIONS: ${{ env.AWS_REGIONS }}
         run: |
           IFS=',' read -ra REGIONS <<< "$AWS_REGIONS"
           MATRIX="["
@@ -190,7 +190,7 @@ jobs:
           file: ./Dockerfile
           platforms: linux/amd64,linux/arm64
           tags: |
-            ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}
+            ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ env.VERSION }}
 
       # Publish to private ECR
       - name: Build and push private ECR image
@@ -201,7 +201,7 @@ jobs:
           file: ./Dockerfile
           platforms: linux/amd64,linux/arm64
           tags: |
-            ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}
+            ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION }}
   
   publish-layer-prod:
     runs-on: ubuntu-latest
@@ -443,7 +443,7 @@ jobs:
         id: create_release
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-          VERSION: ${{ github.event.inputs.version }}
+          VERSION: ${{ env.VERSION }}
         run: |
           # Extract all dependencies from pyproject.toml
           DEPS=$(python3 -c "
