Follow Security Guide to update YAML files. (#1925)

* Follow Security Guide to update YAML files. * Update checkout version to v4
aws · Nov 22, 2024 · fe616de · fe616de
1 parent fa50223
commit fe616de
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 21 deletions.
diff --git a/.github/workflows/tag-and-zip.yml b/.github/workflows/tag-and-zip.yml
@@ -16,22 +16,27 @@ jobs:
     runs-on: ubuntu-20.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           ref: ${{ github.event.inputs.commit_id }}
       - name: Configure git identity
         run: |
             git config --global user.name "Release Workflow"
       - name: Tag Commit and Push to remote
+        env:
+          VERSION_NUMBER: ${{ github.event.inputs.version_number }}
         run: |
-          git tag ${{ github.event.inputs.version_number }} -a -m "AWS IoT Device SDK for Embedded C version ${{ github.event.inputs.version_number }}"
+          git tag "$VERSION_NUMBER" -a -m "AWS IoT Device SDK for Embedded C version $VERSION_NUMBER"
           git push origin --tags
       - name: Verify tag on remote
+        env:
+          VERSION_NUMBER: ${{ github.event.inputs.version_number }}
+          COMMIT_ID: ${{ github.event.inputs.commit_id }}
         run: |
-          git tag -d ${{ github.event.inputs.version_number }}
+          git tag -d "$VERSION_NUMBER"
           git remote update
-          git checkout tags/${{ github.event.inputs.version_number }}
-          git diff ${{ github.event.inputs.commit_id }} tags/${{ github.event.inputs.version_number }}
+          git checkout tags/"$VERSION_NUMBER"
+          git diff "$COMMIT_ID" tags/"$VERSION_NUMBER"
   create-zip:
     needs: tag-commit
     name: Create ZIP and verify package for release asset.
@@ -40,7 +45,7 @@ jobs:
       - name: Install ZIP tools
         run: sudo apt-get install zip unzip
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           ref: ${{ github.event.inputs.commit_id }}
           path: aws-iot-device-sdk-embedded-C
@@ -54,18 +59,22 @@ jobs:
           zip -r aws-iot-device-sdk-embedded-C-${{ github.event.inputs.version_number }}.zip aws-iot-device-sdk-embedded-C -x "*.git*"
           ls ./
       - name: Validate created ZIP
+        env:
+          VERSION_NUMBER: ${{ github.event.inputs.version_number }}
         run: |
           mkdir zip-check
-          mv aws-iot-device-sdk-embedded-C-${{ github.event.inputs.version_number }}.zip zip-check
+          mv aws-iot-device-sdk-embedded-C-"$VERSION_NUMBER".zip zip-check
           cd zip-check
-          unzip aws-iot-device-sdk-embedded-C-${{ github.event.inputs.version_number }}.zip -d aws-iot-device-sdk-embedded-C-${{ github.event.inputs.version_number }}
-          ls aws-iot-device-sdk-embedded-C-${{ github.event.inputs.version_number }}
-          diff -r -x "*.git*" aws-iot-device-sdk-embedded-C-${{ github.event.inputs.version_number }}/aws-iot-device-sdk-embedded-C/ ../aws-iot-device-sdk-embedded-C/
+          unzip aws-iot-device-sdk-embedded-C-"$VERSION_NUMBER".zip -d aws-iot-device-sdk-embedded-C-"$VERSION_NUMBER"
+          ls aws-iot-device-sdk-embedded-C-"$VERSION_NUMBER"
+          diff -r -x "*.git*" aws-iot-device-sdk-embedded-C-"$VERSION_NUMBER"/aws-iot-device-sdk-embedded-C/ ../aws-iot-device-sdk-embedded-C/
           cd ../
       - name : Build Check Demos
+        env:
+          VERSION_NUMBER: ${{ github.event.inputs.version_number }}
         run: |
           sudo apt-get install -y libmosquitto-dev
-          cd zip-check/aws-iot-device-sdk-embedded-C-${{ github.event.inputs.version_number }}/aws-iot-device-sdk-embedded-C/
+          cd zip-check/aws-iot-device-sdk-embedded-C-"$VERSION_NUMBER"/aws-iot-device-sdk-embedded-C/
           cmake -S . -B build/ \
           -G "Unix Makefiles" \
           -DBUILD_DEMOS=1 \
@@ -89,8 +98,10 @@ jobs:
           make -C build/ help | grep demo | tr -d '. ' | xargs make -C build/ -j8
           make -C demos/jobs/jobs_demo_mosquitto -j8
       - name : Build Check Tests
+        env:
+          VERSION_NUMBER: ${{ github.event.inputs.version_number }}
         run: |
-          cd zip-check/aws-iot-device-sdk-embedded-C-${{ github.event.inputs.version_number }}/aws-iot-device-sdk-embedded-C/
+          cd zip-check/aws-iot-device-sdk-embedded-C-"$VERSION_NUMBER"/aws-iot-device-sdk-embedded-C/
           rm -rf ./build
           cmake -S . -B build/ \
           -G "Unix Makefiles" \
@@ -105,8 +116,10 @@ jobs:
           -DCLIENT_IDENTIFIER="ci-identifier"
           make -C build/ all -j8
       - name: Run Unit Tests
+        env:
+          VERSION_NUMBER: ${{ github.event.inputs.version_number }}
         run: |
-          cd zip-check/aws-iot-device-sdk-embedded-C-${{ github.event.inputs.version_number }}/aws-iot-device-sdk-embedded-C/build/
+          cd zip-check/aws-iot-device-sdk-embedded-C-"$VERSION_NUMBER"/aws-iot-device-sdk-embedded-C/build/
           ctest -E system --output-on-failure
           cd ..
       - name: Create artifact of ZIP

diff --git a/.github/workflows/update-submodules.yml b/.github/workflows/update-submodules.yml
@@ -25,8 +25,10 @@ jobs:
         run: |
           git config --global user.name "Submodule Updater"
       - name: Update the submodules
+        env:
+          ALLOWED: ${{ github.event.inputs.allowed }}
         run: |
-          libs=$(find libraries/standard libraries/aws -maxdepth 1 -mindepth 1 | grep "${{ github.event.inputs.allowed }}")
+          libs=$(find libraries/standard libraries/aws -maxdepth 1 -mindepth 1 | grep "$ALLOWED")
           git submodule update --remote $libs
       - name: Commit changes and Push to remote
         run: |
@@ -38,5 +40,6 @@ jobs:
       - name: Raise a Pull-Request
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          BRANCH: ${{ github.event.inputs.branch }}
         run: |
-          gh pr create --base ${{ github.event.inputs.branch }} --title 'Update library submodules to the latest' --body 'Update library submodules to the latest'
+          gh pr create --base "$BRANCH" --title 'Update library submodules to the latest' --body 'Update library submodules to the latest'
diff --git a/.github/workflows/version-updater.yml b/.github/workflows/version-updater.yml
@@ -19,26 +19,35 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
         with:
           ref: ${{ github.event.inputs.branch }}
       - name: Configure git identity
         run: |
           git config --global user.name "Version Updater"
       - name: Update source files with new version
+        env:
+          OLD_VERSION_NUMBER: ${{ github.event.inputs.old_version_number }}
+          NEW_VERSION_NUMBER: ${{ github.event.inputs.new_version_number }}
         run: |
-          grep -ilr ${{ github.event.inputs.old_version_number }} . | grep -Ev ".git|CHANGELOG.md|README.md|CONTRIBUTING.md" |  xargs sed -i s/${{ github.event.inputs.old_version_number }}/${{ github.event.inputs.new_version_number }}/g
+          grep -ilr "$OLD_VERSION_NUMBER" . | grep -Ev ".git|CHANGELOG.md|README.md|CONTRIBUTING.md" |  xargs sed -i s/"$OLD_VERSION_NUMBER"/"$NEW_VERSION_NUMBER"/g
       - name: Commit changes and Push to remote
+        env:
+          OLD_VERSION_NUMBER: ${{ github.event.inputs.old_version_number }}
+          NEW_VERSION_NUMBER: ${{ github.event.inputs.new_version_number }}
         run: |
-          git checkout -b updater-job/update-to-${{ github.event.inputs.new_version_number }}
-          git commit -am 'Update versioning in file from ${{ github.event.inputs.old_version_number }} to ${{ github.event.inputs.new_version_number }}'
-          git push --set-upstream origin updater-job/update-to-${{ github.event.inputs.new_version_number }}
+          git checkout -b updater-job/update-to-"$NEW_VERSION_NUMBER"
+          git commit -am "Update versioning in file from "$OLD_VERSION_NUMBER" to $NEW_VERSION_NUMBER"
+          git push --set-upstream origin updater-job/update-to-"$NEW_VERSION_NUMBER"
       - name: Raise a Pull-Request
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          OLD_VERSION_NUMBER: ${{ github.event.inputs.old_version_number }}
+          NEW_VERSION_NUMBER: ${{ github.event.inputs.new_version_number }}
+          BRANCH: ${{ github.event.inputs.branch }}
         run: |
           sudo apt-key adv --keyserver keyserver.ubuntu.com --recv-key 23F3D4EA75716059
           sudo apt-add-repository https://cli.github.com/packages
           sudo apt update
           sudo apt-get install gh
-          gh pr create --base ${{ github.event.inputs.branch }} --title 'Update source file versioning to ${{ github.event.inputs.new_version_number }}' --body 'Updater-Job: PR to update versioning in source files from ${{ github.event.inputs.old_version_numver }} to ${{ github.event.inputs.new_version_number }}'
+          gh pr create --base "$BRANCH" --title "Update source file versioning to $NEW_VERSION_NUMBER" --body "Updater-Job: PR to update versioning in source files from $OLD_VERSION_NUMBER to $NEW_VERSION_NUMBER"