
Commit acb2c8e

committed
fix: prevent script injection by using env vars instead of github.event
1 parent 288c207 commit acb2c8e

4 files changed

Lines changed: 14 additions & 11 deletions


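--- a/.github/workflows/post-release-version-bump.yml
+++ b/.github/workflows/post-release-version-bump.yml
@@ -28,8 +28,8 @@ jobs:
 
 - name: Extract Major.Minor Version and setup Env variable
 run: |
-echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
-echo "MAJOR_MINOR=$(echo ${{ github.event.inputs.version }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
+echo "VERSION=${{ env.VERSION }}" >> $GITHUB_ENV
+echo "MAJOR_MINOR=$(echo ${{ env.VERSION }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
 
 - name: Get current major.minor version from main branch
 id: get_version
@@ -86,8 +86,8 @@ jobs:
 
 - name: Extract Major.Minor Version and setup Env variable
 run: |
-echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
-echo "MAJOR_MINOR=$(echo ${{ github.event.inputs.version }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
+echo "VERSION=${{ env.VERSION }}" >> $GITHUB_ENV
+echo "MAJOR_MINOR=$(echo ${{ env.VERSION }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
 
 - name: Determine release branch and checkout
 run: |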
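Review bot: `${{ env.VERSION }}` inside a `run:` script is still expanded by the expression engine into the script text before bash sees it, so the injection this commit sets out to close is relocated rather than removed; the shell should read the value from its environment instead, as `"$VERSION"`. The same pattern is in both hunks of this file and in the matching hunks of pre-release-prepare.yml and pr-build.yml. Once the value comes from the environment, the first line of each step, `echo "VERSION=${{ env.VERSION }}" >> $GITHUB_ENV`, only writes the variable back to itself and can go, leaving `echo "MAJOR_MINOR=$(echo "$VERSION" | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV`. Neither hunk shows where `env.VERSION` is now defined, and this file's four additions are all visible here, so unless a workflow-level `VERSION:` already exists the step is reading an empty value — worth confirming.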

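--- a/.github/workflows/pr-build.yml
+++ b/.github/workflows/pr-build.yml
@@ -9,6 +9,10 @@ permissions:
 id-token: write
 contents: read
 
+env:
+USER: ${{ github.event.pull_request.user.login }}
+LABELS: ${{ toJSON(github.event.pull_request.labels.*.name) }}
+
 jobs:
 static-code-checks:
 runs-on: ubuntu-latest
@@ -21,18 +25,18 @@ jobs:
 if: always()
 run: |
 # Check if PR is from workflows bot or dependabot
-if [[ "${{ github.event.pull_request.user.login }}" == "aws-application-signals-bot" ]]; then
+if [[ "${{ env.USER }}" == "aws-application-signals-bot" ]]; then
 echo "Skipping check: PR from aws-application-signals-bot"
 exit 0
 fi
 
-if [[ "${{ github.event.pull_request.user.login }}" == "dependabot[bot]" ]]; then
+if [[ "${{ env.USER }}" == "dependabot[bot]" ]]; then
 echo "Skipping check: PR from dependabot"
 exit 0
 fi
 
 # Check for skip changelog label
-if echo '${{ toJSON(github.event.pull_request.labels.*.name) }}' | jq -r '.[]' | grep -q "skip changelog"; then
+if echo '${{ env.LABELS }}' | jq -r '.[]' | grep -q "skip changelog"; then
 echo "Skipping check: skip changelog label found"
 exit 0
 fi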
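Review bot: The new workflow-level `USER` key shadows the runner's own `USER` environment variable for every step in this workflow, and in the second hunk `${{ env.USER }}` and `${{ env.LABELS }}` are still expression-expanded into the script text, so the event-payload values still reach bash as code rather than data; `echo '${{ env.LABELS }}'` in particular relies on no label name ever containing a single quote. Renaming the keys and reading them from the environment, as below, addresses both. The step holding the second hunk starts above it — only its `if: always()` line is visible and its `- name:` is outside the hunk.
```yaml
env:
  PR_AUTHOR: ${{ github.event.pull_request.user.login }}
  PR_LABELS: ${{ toJSON(github.event.pull_request.labels.*.name) }}

# … unchanged: jobs / static-code-checks down to the run: step …
          if [[ "$PR_AUTHOR" == "aws-application-signals-bot" ]]; then
          # … unchanged: echo / exit 0 / fi …
          if [[ "$PR_AUTHOR" == "dependabot[bot]" ]]; then
          # … unchanged: echo / exit 0 / fi …
          if printf '%s' "$PR_LABELS" | jq -r '.[]' | grep -q "skip changelog"; then
```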

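--- a/.github/workflows/pre-release-prepare.yml
+++ b/.github/workflows/pre-release-prepare.yml
@@ -53,8 +53,8 @@ jobs:
 
 - name: Extract Major.Minor Version and setup Env variable
 run: |
-echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
-echo "MAJOR_MINOR=$(echo ${{ github.event.inputs.version }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
+echo "VERSION=${{ env.VERSION }}" >> $GITHUB_ENV
+echo "MAJOR_MINOR=$(echo ${{ env.VERSION }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
 
 - name: Create branches
 run: |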

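--- a/.github/workflows/release-build.yml
+++ b/.github/workflows/release-build.yml
@@ -20,7 +20,7 @@ env:
 RELEASE_PRIVATE_REPOSITORY: 020628701572.dkr.ecr.us-west-2.amazonaws.com/adot-autoinstrumentation-python
 RELEASE_PRIVATE_REGISTRY: 020628701572.dkr.ecr.us-west-2.amazonaws.com
 PACKAGE_NAME: aws-opentelemetry-distro
-ARTIFACT_NAME: aws_opentelemetry_distro-${{ github.event.inputs.version }}-py3-none-any.whl
+ARTIFACT_NAME: aws_opentelemetry_distro-${{ env.VERSION }}-py3-none-any.whl
 # Legacy list of commercial regions to deploy to. New regions should NOT be added here, and instead should be added to the `aws_region` default input to the workflow.
 LEGACY_COMMERCIAL_REGIONS: us-east-1, us-east-2, us-west-1, us-west-2, ap-south-1, ap-northeast-3, ap-northeast-2, ap-southeast-1, ap-southeast-2, ap-northeast-1, ca-central-1, eu-central-1, eu-west-1, eu-west-2, eu-west-3, eu-north-1, sa-east-1
 LAYER_NAME: AWSOpenTelemetryDistroPython
@@ -382,7 +382,6 @@ jobs:
 id: create_release
 env:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
-VERSION: ${{ github.event.inputs.version }}
 run: |
 # Extract all dependencies from pyproject.toml
 DEPS=$(python3 -c "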
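Review bot: `${{ env.VERSION }}` in `ARTIFACT_NAME` sits in an `env:` block whose neighbours (ECR registry, package name, region list) read as workflow-level, and the `env` context is not available to workflow-level or job-level `env` values — only to step-level ones — so if that reading is right the expression resolves to an empty string and the artifact name becomes `aws_opentelemetry_distro--py3-none-any.whl`. An env value is not a `run:` script, so the original `ARTIFACT_NAME: aws_opentelemetry_distro-${{ github.event.inputs.version }}-py3-none-any.whl` was not an injection vector and can stay as it was, or use `${{ inputs.version }}`, which is available at that level. In the second hunk, dropping `VERSION:` from the create_release step's `env:` leaves any `$VERSION` use in that script dependent on a definition that is not in this diff; the script body continues past the hunk, so that should be checked alongside.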
