fix: prevent script injection in workflows (release/v0.3.x) (#618)

Move github.event references to env vars to prevent script injection
vulnerabilities in run steps.

This change follows the same pattern as the main branch fix.

By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice.

Author: thpierce

.github/workflows/post_release_version_bump.yml

@@ -8,6 +8,8 @@ on:
         required: true
 
 env:
+  VERSION: ${{ github.event.inputs.version }}
+
   AWS_DEFAULT_REGION: us-east-1
 
 permissions:
@@ -96,9 +98,9 @@ jobs:
 
       - name: Update version to next development version in main
         run: |
-          DEV_VERSION="${{ github.event.inputs.version }}.dev0"
+          DEV_VERSION="${{ env.VERSION }}.dev0"
           sed -i 's/__version__ = ".*"/__version__ = "'$DEV_VERSION'"/' aws-opentelemetry-distro/src/amazon/opentelemetry/distro/version.py
-          VERSION="${{ github.event.inputs.version }}"
+          VERSION="${{ env.VERSION }}"
           sed -i 's/python:v.*"/python:v'$VERSION'"/' .github/workflows/daily_scan.yml
           git add aws-opentelemetry-distro/src/amazon/opentelemetry/distro/version.py
           git add .github/workflows/daily_scan.yml
@@ -109,7 +111,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ env.BOT_TOKEN_GITHUB_RW_PATOKEN }}
         run: |
-          DEV_VERSION="${{ github.event.inputs.version }}.dev0"
+          DEV_VERSION="${{ env.VERSION }}.dev0"
           gh pr create --title "Post release $VERSION: Update version to $DEV_VERSION" \
                        --body "This PR prepares the main branch for the next development cycle by updating the version to $DEV_VERSION and updating the image version to be scanned to the latest released.
           

.github/workflows/pre_release_prepare.yml

@@ -12,6 +12,9 @@ on:
         default: 'false'
 
 env:
+  VERSION: ${{ github.event.inputs.version }}
+  IS_PATCH: ${{ github.event.inputs.is_patch }}
+
   AWS_DEFAULT_REGION: us-east-1
 
 permissions:
@@ -56,7 +59,7 @@ jobs:
 
       - name: Create branches
         run: |
-          IS_PATCH=${{ github.event.inputs.is_patch }}
+          IS_PATCH=${{ env.IS_PATCH }}
           if [[ "$IS_PATCH" != "true" && "$IS_PATCH" != "false" ]]; then
             echo "Invalid input for IS_PATCH. Must be 'true' or 'false'."
             exit 1
@@ -102,5 +105,5 @@ jobs:
                        --body "This PR updates the version to ${VERSION}.
           
           By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice." \
-                       --head v${{ github.event.inputs.version }}_release \
+                       --head v${{ env.VERSION }}_release \
                        --base release/v${MAJOR_MINOR}.x

.github/workflows/release_build.yml

@@ -7,6 +7,7 @@ on:
         required: true
 
 env:
+  VERSION: ${{ github.event.inputs.version }}
   AWS_DEFAULT_REGION: us-east-1
   AWS_PUBLIC_ECR_REGION: us-east-1
   AWS_PRIVATE_ECR_REGION: us-west-2
@@ -88,15 +89,15 @@ jobs:
           TWINE_USERNAME: '__token__'
           TWINE_PASSWORD: ${{ env.TEST_PYPI_TOKEN_API_TOKEN }}
         run: |
-          twine upload --repository testpypi --skip-existing --verbose dist/aws_opentelemetry_distro-${{ github.event.inputs.version }}-py3-none-any.whl
+          twine upload --repository testpypi --skip-existing --verbose dist/aws_opentelemetry_distro-${{ env.VERSION }}-py3-none-any.whl
 
       # Publish to prod PyPI
       - name: Publish to PyPI
         env:
           TWINE_USERNAME: '__token__'
           TWINE_PASSWORD: ${{ env.PROD_PYPI_TOKEN_API_TOKEN }}
         run: |
-          twine upload --skip-existing --verbose dist/aws_opentelemetry_distro-${{ github.event.inputs.version }}-py3-none-any.whl
+          twine upload --skip-existing --verbose dist/aws_opentelemetry_distro-${{ env.VERSION }}-py3-none-any.whl
 
       # Publish to public ECR
       - name: Build and push public ECR image
@@ -107,7 +108,7 @@ jobs:
           file: ./Dockerfile
           platforms: linux/amd64,linux/arm64
           tags: |
-            ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}
+            ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ env.VERSION }}
 
       # Publish to private ECR
       - name: Build and push private ECR image
@@ -118,7 +119,7 @@ jobs:
           file: ./Dockerfile
           platforms: linux/amd64,linux/arm64
           tags: |
-            ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}
+            ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION }}
 
       # Publish to GitHub releases
       - name: Create GH release
@@ -127,7 +128,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
         run: |
           gh release create --target "$GITHUB_REF_NAME" \
-             --title "Release v${{ github.event.inputs.version }}" \
+             --title "Release v${{ env.VERSION }}" \
              --draft \
-             "v${{ github.event.inputs.version }}" \
-             dist/aws_opentelemetry_distro-${{ github.event.inputs.version }}-py3-none-any.whl
+             "v${{ env.VERSION }}" \
+             dist/aws_opentelemetry_distro-${{ env.VERSION }}-py3-none-any.whl