From 93e09d9298747b9516ded63e5b78f7df5c7fff13 Mon Sep 17 00:00:00 2001
From: Thomas Pierce <thp@amazon.com>
Date: Tue, 10 Feb 2026 14:10:09 -0800
Subject: [PATCH] fix: prevent script injection by using env vars instead of
 github.event

---
 .github/workflows/post_release_version_bump.yml | 10 +++++-----
 .github/workflows/pre_release_prepare.yml       |  6 +++---
 2 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/.github/workflows/post_release_version_bump.yml b/.github/workflows/post_release_version_bump.yml
index 546d07ec5..9431bbe6a 100644
--- a/.github/workflows/post_release_version_bump.yml
+++ b/.github/workflows/post_release_version_bump.yml
@@ -8,7 +8,7 @@ on:
         required: true
 
 env:
-  VERSION: ${{ github.event.inputs.version }}
+  VERSION: ${{ env.VERSION }}
 
   AWS_DEFAULT_REGION: us-east-1
 
@@ -29,8 +29,8 @@ jobs:
 
       - name: Extract Major.Minor Version and setup Env variable
         run: |
-          echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
-          echo "MAJOR_MINOR=$(echo ${{ github.event.inputs.version }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
+          echo "VERSION=${{ env.VERSION }}" >> $GITHUB_ENV
+          echo "MAJOR_MINOR=$(echo ${{ env.VERSION }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
 
       - name: Get current major.minor version from main branch
         id: get_version
@@ -87,8 +87,8 @@ jobs:
 
       - name: Extract Major.Minor Version and setup Env variable
         run: |
-          echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
-          echo "MAJOR_MINOR=$(echo ${{ github.event.inputs.version }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
+          echo "VERSION=${{ env.VERSION }}" >> $GITHUB_ENV
+          echo "MAJOR_MINOR=$(echo ${{ env.VERSION }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
 
       - name: Determine release branch and checkout
         run: |
diff --git a/.github/workflows/pre_release_prepare.yml b/.github/workflows/pre_release_prepare.yml
index 738288734..72b062538 100644
--- a/.github/workflows/pre_release_prepare.yml
+++ b/.github/workflows/pre_release_prepare.yml
@@ -12,7 +12,7 @@ on:
         default: 'false'
 
 env:
-  VERSION: ${{ github.event.inputs.version }}
+  VERSION: ${{ env.VERSION }}
   IS_PATCH: ${{ github.event.inputs.is_patch }}
 
   AWS_DEFAULT_REGION: us-east-1
@@ -54,8 +54,8 @@ jobs:
 
       - name: Extract Major.Minor Version and setup Env variable
         run: |
-          echo "VERSION=${{ github.event.inputs.version }}" >> $GITHUB_ENV
-          echo "MAJOR_MINOR=$(echo ${{ github.event.inputs.version }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
+          echo "VERSION=${{ env.VERSION }}" >> $GITHUB_ENV
+          echo "MAJOR_MINOR=$(echo ${{ env.VERSION }} | sed -E 's/([0-9]+\.[0-9]+)\.[0-9]+/\1/')" >> $GITHUB_ENV
 
       - name: Create branches
         run: |