fix: security gemini-cli SHA-pin + LICENSE rename + gitignore complete#204
Conversation
|
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request significantly expands the .gitignore file to cover various environments, logs, and build outputs, and adds an MIT License file. Feedback highlights a discrepancy where expected security updates to gemini-cli.yml are missing from the commit. Furthermore, the addition of the MIT License while the original GPL license file remains creates a legal ambiguity that needs to be addressed by removing the old license or clarifying the change.
| # Local Netlify folder | ||
| .netlify | ||
| E | ||
| # Dependencies |
There was a problem hiding this comment.
Le titre et la description de la pull request indiquent une mise à jour de sécurité (SHA-pinning) pour le fichier gemini-cli.yml, mais ce fichier n'apparaît pas dans les modifications de cette PR. Veuillez vérifier si vous avez oublié d'inclure ce fichier dans votre commit.
| @@ -0,0 +1,21 @@ | |||
| MIT License | |||
There was a problem hiding this comment.
La description indique que license.txt est renommé en LICENSE. Cependant, le fichier license.txt (sous licence GPL) est toujours présent dans le dépôt, alors que ce nouveau fichier LICENSE introduit une licence MIT. Cette situation crée une ambiguïté juridique. Il est recommandé de supprimer l'ancien fichier et de confirmer que le changement de licence est intentionnel.
There was a problem hiding this comment.
Pull request overview
This PR aims to improve repo hygiene and supply-chain security by SHA-pinning the Gemini CLI GitHub Action, standardizing the repository license filename for GitHub detection, and expanding .gitignore to cover common local/build artifacts.
Changes:
- Pin
google-github-actions/run-gemini-clito a specific commit SHA in thegemini-cliworkflow. - Add a top-level
LICENSEfile with MIT text. - Expand
.gitignoreto ignore common dependency, OS, editor, log, env, and build output files.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
LICENSE |
Adds MIT license text under the conventional LICENSE filename. |
.gitignore |
Replaces the minimal ignore list with a more complete set of common ignores. |
.github/workflows/gemini-cli.yml |
Replaces the action tag with a commit SHA to harden against supply-chain changes. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| MIT License | ||
|
|
||
| Copyright (c) 2024 DavidKRK | ||
|
|
|
@copilot je réponds quoi ? Current change ? Incoming ou both ? |
Agent-Logs-Url: https://github.com/DavidKRK/DavidKRK.github.io/sessions/183e8474-1e57-4919-ae94-ccbf1db9c803 Co-authored-by: DavidKRK <136035295+DavidKRK@users.noreply.github.com>
It's neither — no merge conflict here. The issue was simply that |
@copilot
|
Choose Incoming (gh-pages). Both versions use the same SHA pin (the security fix is preserved either way), but the incoming comment |
Sécurité + docs standards :
✅ gemini-cli.yml : SHA-pin run-gemini-cli@v0.1.10 → @06123c6a203eb7a964ce3be7c48479cc66059f23
✅ license.txt → LICENSE (reconnu par GitHub)
✅ .gitignore complété (node_modules/, .DS_Store, etc.)
Ready to merge.