fix: prevent script injection in workflows

Move github.event references to env vars to prevent script injection vulnerabilities in run steps

Author: thpierce

.github/workflows/post_release_version_bump.yml

@@ -7,9 +7,13 @@ on:
         description: 'Version number (e.g., 1.0.1)'
         required: true
 
+  VERSION: ${{ env.VERSION }}
+
 env:
   AWS_DEFAULT_REGION: us-east-1
 
+  VERSION: ${{ env.VERSION }}
+
 permissions:
   id-token: write
   contents: write
@@ -27,8 +31,8 @@ jobs:
 
       - name: Extract Major.Minor Version and setup Env variable
         run: |
-          echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
-          echo "MAJOR_MINOR=$(echo ${{ github.event.inputs.version }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
+          echo "VERSION=${{ env.VERSION }}" >> $GITHUB_ENV
+          echo "MAJOR_MINOR=$(echo ${{ env.VERSION }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
 
       - name: Get current major.minor version from main branch
         id: get_version
@@ -85,8 +89,8 @@ jobs:
 
       - name: Extract Major.Minor Version and setup Env variable
         run: |
-          echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
-          echo "MAJOR_MINOR=$(echo ${{ github.event.inputs.version }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
+          echo "VERSION=${{ env.VERSION }}" >> $GITHUB_ENV
+          echo "MAJOR_MINOR=$(echo ${{ env.VERSION }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
 
       - name: Determine release branch and checkout
         run: |
@@ -96,9 +100,9 @@ jobs:
 
       - name: Update version to next development version in main
         run: |
-          DEV_VERSION="${{ github.event.inputs.version }}.dev0"
+          DEV_VERSION="${{ env.VERSION }}.dev0"
           sed -i 's/__version__ = ".*"/__version__ = "'$DEV_VERSION'"/' aws-opentelemetry-distro/src/amazon/opentelemetry/distro/version.py
-          VERSION="${{ github.event.inputs.version }}"
+          VERSION="${{ env.VERSION }}"
           sed -i 's/python:v.*"/python:v'$VERSION'"/' .github/workflows/daily_scan.yml
           git add aws-opentelemetry-distro/src/amazon/opentelemetry/distro/version.py
           git add .github/workflows/daily_scan.yml
@@ -109,7 +113,7 @@ jobs:
         env:
           GITHUB_TOKEN: ${{ env.BOT_TOKEN_GITHUB_RW_PATOKEN }}
         run: |
-          DEV_VERSION="${{ github.event.inputs.version }}.dev0"
+          DEV_VERSION="${{ env.VERSION }}.dev0"
           gh pr create --title "Post release $VERSION: Update version to $DEV_VERSION" \
                        --body "This PR prepares the main branch for the next development cycle by updating the version to $DEV_VERSION and updating the image version to be scanned to the latest released.
           

.github/workflows/pre_release_prepare.yml

@@ -11,9 +11,17 @@ on:
         required: true
         default: 'false'
 
+  VERSION: ${{ env.VERSION }}
+
+  IS_PATCH: ${{ env.IS_PATCH }}
+
 env:
   AWS_DEFAULT_REGION: us-east-1
 
+  VERSION: ${{ env.VERSION }}
+
+  IS_PATCH: ${{ env.IS_PATCH }}
+
 permissions:
   contents: write
   pull-requests: write
@@ -51,12 +59,12 @@ jobs:
 
       - name: Extract Major.Minor Version and setup Env variable
         run: |
-          echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
-          echo "MAJOR_MINOR=$(echo ${{ github.event.inputs.version }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
+          echo "VERSION=${{ env.VERSION }}" >> $GITHUB_ENV
+          echo "MAJOR_MINOR=$(echo ${{ env.VERSION }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
 
       - name: Create branches
         run: |
-          IS_PATCH=${{ github.event.inputs.is_patch }}
+          IS_PATCH=${{ env.IS_PATCH }}
           if [[ "$IS_PATCH" != "true" && "$IS_PATCH" != "false" ]]; then
             echo "Invalid input for IS_PATCH. Must be 'true' or 'false'."
             exit 1
@@ -102,5 +110,5 @@ jobs:
                        --body "This PR updates the version to ${VERSION}.
           
           By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice." \
-                       --head v${{ github.event.inputs.version }}_release \
+                       --head v${{ env.VERSION }}_release \
                        --base release/v${MAJOR_MINOR}.x

.github/workflows/release-lambda.yml

@@ -11,10 +11,18 @@ on:
         required: true
         default: 'us-east-1, us-east-2, us-west-1, us-west-2, ap-south-1, ap-northeast-3, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-northeast-1, ca-central-1, eu-central-1, eu-west-1, eu-west-2, eu-west-3, eu-north-1, sa-east-1, af-south-1, ap-east-1, ap-south-2, ap-southeast-3, ap-southeast-4, eu-central-2, eu-south-1, eu-south-2, il-central-1, me-central-1, me-south-1, ap-southeast-5, ap-southeast-7, mx-central-1, ca-west-1, cn-north-1, cn-northwest-1'
 
+  VERSION: ${{ env.VERSION }}
+
+  AWS_REGIONS: ${{ env.AWS_REGIONS }}
+
 env:
   COMMERCIAL_REGIONS: us-east-1, us-east-2, us-west-1, us-west-2, ap-south-1, ap-northeast-3, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-northeast-1, ca-central-1, eu-central-1, eu-west-1, eu-west-2, eu-west-3, eu-north-1, sa-east-1, ap-southeast-5, ap-southeast-7, mx-central-1, ca-west-1, cn-north-1, cn-northwest-1
   LAYER_NAME: AWSOpenTelemetryDistroPython
 
+  VERSION: ${{ env.VERSION }}
+
+  AWS_REGIONS: ${{ env.AWS_REGIONS }}
+
 permissions:
   id-token: write
   contents: write
@@ -29,7 +37,7 @@ jobs:
       - name: Set up regions matrix
         id: set-matrix
         run: |
-          IFS=',' read -ra REGIONS <<< "${{ github.event.inputs.aws_region }}"
+          IFS=',' read -ra REGIONS <<< "${{ env.AWS_REGIONS }}"
           MATRIX="["
           for region in "${REGIONS[@]}"; do
             trimmed_region=$(echo "$region" | xargs)
@@ -205,7 +213,7 @@ jobs:
         run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
       - name: Create Release Notes
         run: |
-          echo "AWS OpenTelemetry Lambda Layer for Python version ${{ github.event.inputs.version }}-${{ steps.commit.outputs.sha_short }}" > release_notes.md
+          echo "AWS OpenTelemetry Lambda Layer for Python version ${{ env.VERSION }}-${{ steps.commit.outputs.sha_short }}" > release_notes.md
           echo "" >> release_notes.md
           echo "" >> release_notes.md
           echo "See new Lambda Layer ARNs:" >> release_notes.md
@@ -219,10 +227,10 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token
         run: |
           gh release create --target "$GITHUB_REF_NAME" \
-             --title "Release lambda-v${{ github.event.inputs.version }}-${{ steps.commit.outputs.sha_short }}" \
+             --title "Release lambda-v${{ env.VERSION }}-${{ steps.commit.outputs.sha_short }}" \
              --notes-file release_notes.md  \
              --draft \
-             "lambda-v${{ github.event.inputs.version }}-${{ steps.commit.outputs.sha_short }}" \
+             "lambda-v${{ env.VERSION }}-${{ steps.commit.outputs.sha_short }}" \
              layer_arns.tf layer.zip
           echo Removing release_notes.md ...
           rm -f release_notes.md

.github/workflows/release_build.yml

@@ -6,6 +6,8 @@ on:
         description: The version to tag the release with, e.g., 1.2.0
         required: true
 
+  VERSION: ${{ env.VERSION }}
+
 env:
   AWS_DEFAULT_REGION: us-east-1
   AWS_PUBLIC_ECR_REGION: us-east-1
@@ -14,7 +16,9 @@ env:
   RELEASE_PRIVATE_REPOSITORY: 020628701572.dkr.ecr.us-west-2.amazonaws.com/adot-autoinstrumentation-python
   RELEASE_PRIVATE_REGISTRY: 020628701572.dkr.ecr.us-west-2.amazonaws.com
   PACKAGE_NAME: aws-opentelemetry-distro
-  ARTIFACT_NAME: aws_opentelemetry_distro-${{ github.event.inputs.version }}-py3-none-any.whl
+  ARTIFACT_NAME: aws_opentelemetry_distro-${{ env.VERSION }}-py3-none-any.whl
+
+  VERSION: ${{ env.VERSION }}
 
 permissions:
   id-token: write
@@ -108,7 +112,7 @@ jobs:
           file: ./Dockerfile
           platforms: linux/amd64,linux/arm64
           tags: |
-            ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ github.event.inputs.version }}
+            ${{ env.RELEASE_PUBLIC_REPOSITORY }}:v${{ env.VERSION }}
 
       # Publish to private ECR
       - name: Build and push private ECR image
@@ -119,7 +123,7 @@ jobs:
           file: ./Dockerfile
           platforms: linux/amd64,linux/arm64
           tags: |
-            ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ github.event.inputs.version }}
+            ${{ env.RELEASE_PRIVATE_REPOSITORY }}:v${{ env.VERSION }}
 
       - name: Get SHA256 checksum of wheel file
         id: get_sha256
@@ -139,9 +143,9 @@ jobs:
           shasum -a 256 layer_artifact/layer.zip > layer_artifact/layer.zip.sha256
 
           gh release create --target "$GITHUB_REF_NAME" \
-             --title "Release v${{ github.event.inputs.version }}" \
+             --title "Release v${{ env.VERSION }}" \
              --draft \
-             "v${{ github.event.inputs.version }}" \
+             "v${{ env.VERSION }}" \
              dist/${{ env.ARTIFACT_NAME }} \
              ${{ env.ARTIFACT_NAME }}.sha256 \
              layer_artifact/layer.zip \