fix(ci): Use environment variables to prevent script injection in workflows#2191
Closed
sky333999 wants to merge 4 commits into
Closed
fix(ci): Use environment variables to prevent script injection in workflows#2191sky333999 wants to merge 4 commits into
sky333999 wants to merge 4 commits into
Conversation
…kflows Move user-controlled context interpolations (inputs.*, matrix.*, github.event.*, needs.*.outputs.*, steps.*.outputs.*, toJSON, contains) out of shell run: and nick-fields/retry command: blocks into step-level env: bindings, then reference them as shell variables. This mirrors the pattern established in PR aws#1971. Direct fixes across 23 workflows plus two indirect cases: - test-build-distributor.yml: job-level env: values derived from user inputs were referenced via ${{ env.X }} in run: blocks, which GitHub Actions expands at parse-time. Converted to shell-variable references ("$X"). - test-build-docker.yml: Copy msi step runs on windows-2022 (PowerShell default); use $env:VARNAME instead of bash-style $VARNAME. Also fixes three pre-existing correctness bugs surfaced during review: - test-artifacts.yml: elif if syntax error changed to valid elif [ ... ]. - test-artifacts.yml: Terraform destroy retry fallback previously branched on matrix.arrays.os but the corresponding apply steps branch on matrix.arrays.family. Aligned the destroy check to matrix.arrays.family so Windows-family cleanup cd's to terraform/ec2/win rather than falling through to the Linux path. - test-build-distributor.yml: LATEST_DEFAULT undefined var typo changed to LATEST_VERSION.
93c92d4 to
9308394
Compare
Contributor
Author
|
Superseded by #2200 — same commit, moved to a branch on this repo (aws/amazon-cloudwatch-agent) instead of a fork so CI runs have access to repo secrets and OIDC. Closing this PR; please review the new one. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description of changes
Move user-controlled context interpolations (inputs., matrix., github.event., needs..outputs., steps..outputs.*, toJSON, contains) out of shell run: and nick-fields/retry command: blocks into step-level env: bindings, then reference them as shell variables. This mirrors the pattern established in PR #1971.
Direct fixes across 23 workflows plus two indirect cases:
Also fixes two pre-existing bugs surfaced during review:
License
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
Tests
N/A
Requirements
Before commiting your code, please do the following steps.
make fmtandmake fmt-shmake lintIntegration Tests
To run integration tests against this PR, add the
ready for testinglabel.