add codeowners file; update token permission to read only for workflow

and validate GO_VERSION is of the correct format and length

.github/CODEOWNERS

@@ -0,0 +1,6 @@
+# https://help.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners
+
+# These owners will be the default owners for everything in
+# the repo. Unless a later match takes precedence, these accounts
+# will be requested for review when someone opens a pull request.
+* @aws/aws-ecs-agent

.github/workflows/gitsecrets.yml

@@ -2,6 +2,7 @@ name: GitSecretsScan
 
 on: [push, pull_request]
 
+permissions: read-all
 jobs:
   git-secret-check:
     name: Git Secrets Scan

.github/workflows/linux.yml

@@ -2,6 +2,7 @@ name: Linux
 
 on: [pull_request]
 
+permissions: read-all
 jobs:
   unit-tests:
     name: Linux unit tests
@@ -11,12 +12,22 @@ jobs:
         with:
           path: src/github.com/aws/amazon-ecs-agent
       - name: get GO_VERSION
+        id: get-go-version
         run:  |
           cd $GITHUB_WORKSPACE/src/github.com/aws/amazon-ecs-agent
-          echo "GO_VERSION=$(cat GO_VERSION)" >> $GITHUB_ENV
+          set -eou pipefail
+          go_version=$(cat -e GO_VERSION)
+          go_version=${go_version%?}
+          go_version_length=${#go_version}
+          go_version_re="^([0-9]+\.){1,2}([0-9]+)$"
+          if ! [[ $go_version_length -le 10 && $go_version =~ $go_version_re ]] ; then
+            echo "invalid GO version"
+            exit 1
+          fi
+          echo "::set-output name=GO_VERSION::$go_version"
       - uses: actions/setup-go@v2
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version: ${{ steps.get-go-version.outputs.GO_VERSION }}
       - uses: actions/checkout@v2
         with:
           submodules: true

.github/workflows/static.yml

@@ -2,6 +2,7 @@ name: Static Checks
 
 on: [push, pull_request]
 
+permissions: read-all
 jobs:
   static-check:
     name: Static Analysis
@@ -11,12 +12,22 @@ jobs:
         with:
           path: src/github.com/aws/amazon-ecs-agent
       - name: get GO_VERSION
+        id: get-go-version
         run:  |
           cd $GITHUB_WORKSPACE/src/github.com/aws/amazon-ecs-agent
-          echo "GO_VERSION=$(cat GO_VERSION)" >> $GITHUB_ENV
+          set -eou pipefail
+          go_version=$(cat -e GO_VERSION)
+          go_version=${go_version%?}
+          go_version_length=${#go_version}
+          go_version_re="^([0-9]+\.){1,2}([0-9]+)$"
+          if ! [[ $go_version_length -le 10 && $go_version =~ $go_version_re ]] ; then
+            echo "invalid GO version"
+            exit 1
+          fi
+          echo "::set-output name=GO_VERSION::$go_version"
       - uses: actions/setup-go@v2
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version: ${{ steps.get-go-version.outputs.GO_VERSION }}
       - uses: actions/checkout@v2
         with:
           path: src/github.com/aws/amazon-ecs-agent
@@ -37,12 +48,22 @@ jobs:
         with:
           path: src/github.com/aws/amazon-ecs-agent
       - name: get GO_VERSION
+        id: get-go-version
         run:  |
           cd $GITHUB_WORKSPACE/src/github.com/aws/amazon-ecs-agent
-          echo "GO_VERSION=$(cat GO_VERSION)" >> $GITHUB_ENV
+          set -eou pipefail
+          go_version=$(cat -e GO_VERSION)
+          go_version=${go_version%?}
+          go_version_length=${#go_version}
+          go_version_re="^([0-9]+\.){1,2}([0-9]+)$"
+          if ! [[ $go_version_length -le 10 && $go_version =~ $go_version_re ]] ; then
+            echo "invalid GO version"
+            exit 1
+          fi
+          echo "::set-output name=GO_VERSION::$go_version"
       - uses: actions/setup-go@v2
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version: ${{ steps.get-go-version.outputs.GO_VERSION }}
       - uses: actions/checkout@v2
         with:
           path: src/github.com/aws/amazon-ecs-agent
@@ -63,12 +84,22 @@ jobs:
         with:
           path: src/github.com/aws/amazon-ecs-agent
       - name: get GO_VERSION
+        id: get-go-version
         run:  |
           cd $GITHUB_WORKSPACE/src/github.com/aws/amazon-ecs-agent
-          echo "GO_VERSION=$(cat GO_VERSION)" >> $GITHUB_ENV
+          set -eou pipefail
+          go_version=$(cat -e GO_VERSION)
+          go_version=${go_version%?}
+          go_version_length=${#go_version}
+          go_version_re="^([0-9]+\.){1,2}([0-9]+)$"
+          if ! [[ $go_version_length -le 10 && $go_version =~ $go_version_re ]] ; then
+            echo "invalid GO version"
+            exit 1
+          fi
+          echo "::set-output name=GO_VERSION::$go_version"
       - uses: actions/setup-go@v2
         with:
-          go-version: ${{ env.GO_VERSION }}
+          go-version: ${{ steps.get-go-version.outputs.GO_VERSION }}
       - uses: actions/checkout@v2
         with:
           submodules: true

.github/workflows/windows.yml

@@ -2,6 +2,7 @@ name: Windows
 
 on: [pull_request]
 
+permissions: read-all
 jobs:
   windows-unit-tests:
     name: Windows unit tests
@@ -11,13 +12,21 @@ jobs:
         with:
           path: src/github.com/aws/amazon-ecs-agent
       - name: get GO_VERSION
+        id: get-go-version
         run:  |
           cd "$Env:GITHUB_WORKSPACE"
           cd "src/github.com/aws/amazon-ecs-agent"
-          echo "GO_VERSION_WINDOWS=$(type GO_VERSION_WINDOWS)" | Out-File -FilePath $Env:GITHUB_ENV -Encoding utf-8 -Append
+          $ErrorActionPreference = "Stop"
+          $go_version_win = $(type GO_VERSION_WINDOWS)
+          $go_version_re = "^\d+\.{1,2}\d+$"
+          if (-Not ($go_version_win.Length -le 10 -or $go_version_win -match $go_version_re) ) {
+            echo "invalid GO version"
+            exit 1
+          }
+          Write-Output "::set-output name=GO_VERSION_WINDOWS::$go_version_win"
       - uses: actions/setup-go@v2
         with:
-          go-version: ${{ env.GO_VERSION_WINDOWS }}
+          go-version: ${{ steps.get-go-version.outputs.GO_VERSION_WINDOWS }}
       - uses: actions/checkout@v2
         with:
           submodules: true