Skip to content

fix: add --skip-trust to Gemini CLI command to prevent yolo override in AWF sandbox #28496

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pelikhan merged 2 commits into from
Apr 25, 2026
+11 −2
Merged

fix: add --skip-trust to Gemini CLI command to prevent yolo override in AWF sandbox #28496

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
66e4d48
Initial plan
Copilot Apr 25, 2026
95d5466
fix: add --skip-trust flag to Gemini CLI to prevent workspace trust o…
Copilot Apr 25, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions .github/workflows/smoke-gemini.lock.yml
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

8 changes: 8 additions & 0 deletions pkg/workflow/gemini_engine.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -168,6 +168,14 @@ func (e *GeminiEngine) GetExecutionSteps(workflowData *WorkflowData, logFile str
// Without this, Gemini CLI's default approval mode rejects tool calls with "Tool execution denied by policy"
geminiArgs = append(geminiArgs, "--yolo")
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot Apr 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Consider adding a comment explaining why --yolo comes before --skip-trust — the ordering might matter if Gemini CLI processes args sequentially for trust checks.


// Skip the workspace trust check so --yolo is not overridden to "default" approval mode.
// Gemini CLI v1.x checks whether the working directory is trusted and overrides --yolo
// with "default" approval mode (exit code 55) when the folder is untrusted.
// GEMINI_CLI_TRUST_WORKSPACE=true (also set in the step env) handles the same case via
// environment variable, but --skip-trust is more reliable when AWF's sandbox does not
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot Apr 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The --skip-trust flag addition is well-documented. One minor note: the comment mentions GEMINI_CLI_TRUST_WORKSPACE=true as an alternative, but it would be useful to confirm this env var is still being set in the step env block for defense-in-depth.

// forward all host environment variables into the container.
Comment on lines +171 to +176
Copy link

Copilot AI Apr 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The comment references "Gemini CLI v1.x", but this engine currently pins @google/gemini-cli to DefaultGeminiVersion = 0.39.1. To avoid confusion when troubleshooting, consider removing the version qualifier or updating it to match the actually-supported versions (and keep the wording consistent with the existing trust-related comment later in this function).

Copilot uses AI. Check for mistakes.
geminiArgs = append(geminiArgs, "--skip-trust")
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot Apr 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Good fix: using --skip-trust as a direct CLI flag is more reliable than relying on GEMINI_CLI_TRUST_WORKSPACE env var, which can be silently dropped through the AWF container's forwarding chain. This ensures the trust override works regardless of env var forwarding fidelity.


// Add streaming JSON output (JSONL format, compatible with the log parser)
geminiArgs = append(geminiArgs, "--output-format", "stream-json")

Expand Down
1 change: 1 addition & 0 deletions pkg/workflow/gemini_engine_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -156,6 +156,7 @@ func TestGeminiEngineExecution(t *testing.T) {
assert.Contains(t, stepContent, "id: agentic_execution", "Should have agentic_execution ID")
assert.Contains(t, stepContent, "gemini", "Should invoke gemini command")
assert.Contains(t, stepContent, "--yolo", "Should include --yolo flag for auto-approving tool executions")
assert.Contains(t, stepContent, "--skip-trust", "Should include --skip-trust flag to prevent workspace trust check from overriding --yolo")
Copy link
Copy Markdown
Contributor

@github-actions github-actions Bot Apr 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good test coverage for the new --skip-trust flag. The assertion message is descriptive and helpful.

assert.Contains(t, stepContent, "--output-format stream-json", "Should use streaming JSON output format")
assert.Contains(t, stepContent, `--prompt "$(cat /tmp/gh-aw/aw-prompts/prompt.txt)"`, "Should include prompt argument with correct shell quoting")
assert.Contains(t, stepContent, "/tmp/test.log", "Should include log file")
Expand Down
Loading