
Refactor Github Action per b/485167538#19297

Closed
google-admin wants to merge 1 commit into release/v0.23.0-preview.6 from lsc-1771371260.144281

Conversation

@google-admin

Contributor

This is a http://go/LSC run by http://go/ghss to automatically refactor your Github Actions per http://b/485167538.

This is a PR to help you upgrade to the latest standards in Github Actions.

Please merge this PR to accept the changes. NOTE: if you do not accept this PR, it may be force merged by the GHSS team. See http://b/485167538 for more details.

@gemini-code-assist

Contributor

Summary of Changes

Hello @google-admin, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request implements a significant refactoring across several GitHub Actions to improve their security posture and adhere to updated best practices. The core change involves modifying how action inputs are consumed within shell scripts, transitioning from direct interpolation to the use of explicitly defined environment variables. This update mitigates potential shell injection risks and standardizes input handling across the affected workflows, ensuring a more robust and secure CI/CD pipeline.

Highlights

  • GitHub Actions Refactoring: All modified GitHub Actions (create-pull-request, npm-auth-token, publish-release, push-docker, push-sandbox, setup-npmrc, tag-npm-release, verify-release) have been refactored to pass input variables to environment variables before use within run steps. This enhances security by preventing shell injection vulnerabilities.
  • Standardized Input Handling: The change standardizes how inputs are accessed within shell scripts in GitHub Actions, moving from direct ${{ inputs.<input-name> }} interpolation to using intermediate environment variables like ${INPUTS_BRANCH_NAME}.
  • Automated Update: This pull request is an automated refactoring initiated by the GHSS team to align with the latest GitHub Actions standards, as detailed in b/485167538.
Changelog
  • .github/actions/create-pull-request/action.yml
    • Migrated direct input access to environment variables for branch-name, pr-title, pr-body, and base-branch.
    • Modified gh pr create command to use the new environment variables.
  • .github/actions/npm-auth-token/action.yml
    • Converted direct input references to environment variables for github-token, package-name, and various wombat-token inputs.
    • Adjusted run script to consume these new environment variables.
  • .github/actions/publish-release/action.yml
    • Updated release_branch step to use an environment variable for release-tag.
    • Modified Update package versions step to use an environment variable for release-version.
    • Converted npm publish commands to use environment variables for dry-run and package names.
    • Adjusted npm install command to use environment variables for package names and versions.
    • Refactored gh release create command to use environment variables for release details.
    • Updated release branch cleanup to use an environment variable for the branch name.
  • .github/actions/push-docker/action.yml
    • Migrated ref-name input to an environment variable in the branch_name step.
  • .github/actions/push-sandbox/action.yml
    • Converted github-ref-name and github-sha inputs to environment variables in the image_tag step.
    • Updated build step to use an environment variable for the FINAL_TAG output.
    • Modified publish step to use an environment variable for the Docker build URI output.
  • .github/actions/setup-npmrc/action.yml
    • Migrated github-token input to an environment variable for setting up .npmrc.
  • .github/actions/tag-npm-release/action.yml
    • Converted core-package-name, version, and channel inputs to environment variables for core package dist-tag.
    • Updated CLI package dist-tag to use environment variables for cli-package-name, version, and channel.
    • Refactored a2a package dist-tag and dry run logging to use environment variables for package names, version, and channel.
  • .github/actions/verify-release/action.yml
    • Migrated expected-version and npm-package inputs to environment variables for NPM version verification.
    • Updated NPX run version verification to use environment variables for npm-package and expected-version.
Ignored Files
  • Ignored by pattern: .github/workflows/** (7)
    • .github/workflows/chained_e2e.yml
    • .github/workflows/ci.yml
    • .github/workflows/deflake.yml
    • .github/workflows/eval.yml
    • .github/workflows/release-patch-3-release.yml
    • .github/workflows/release-promote.yml
    • .github/workflows/trigger_e2e.yml
Activity
  • The pull request was automatically generated by google-admin as part of an LSC run by GHSS.
  • The changes are a refactoring effort to upgrade GitHub Actions to the latest standards, as per b/485167538.
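The mechanism behind the refactoring summarised above, shown as an added illustration that is not part of this PR or of the repository's own actions: GitHub expands `${{ ... }}` expressions textually into a step's script before the shell ever parses it, so a `run:` body that embeds `${{ inputs.branch-name }}` directly is a script-injection sink, whereas a value bound through `env:` reaches the shell as a variable that is expanded as data and never re-parsed. The script simulates both patterns against a constructed malicious branch name; the `render_inline`, `run_inline`, `run_env` and `was_injected` helpers and the `MALICIOUS_BRANCH` value are invented for the demonstration.

```bash
#!/usr/bin/env bash
# Added demonstration (not from the PR): why `${{ inputs.x }}` inside a `run:`
# body is a script-injection sink and why routing the value through `env:` is not.
#
# Vulnerable pattern (what the PR removes):
#   - run: echo "Creating PR from ${{ inputs.branch-name }}"
#
# Hardened pattern (what the PR introduces):
#   - env:
#       INPUTS_BRANCH_NAME: ${{ inputs.branch-name }}
#     run: echo "Creating PR from ${INPUTS_BRANCH_NAME}"
set -u

# Constructed attacker-controlled input, e.g. a branch name chosen by a fork.
# The arithmetic marker only becomes "INJECTED-42" if a shell evaluates it,
# which lets us tell real command execution apart from a harmless literal echo.
MALICIOUS_BRANCH='feature"; echo "INJECTED-$((20+22))"; echo "'

# Simulates the runner: the ${{ }} expression is pasted into the script source
# as raw text before bash is invoked. (Hypothetical helper for this demo.)
render_inline() {
  printf 'echo "Creating PR from %s"\n' "$1"
}

# Vulnerable: the rendered text is handed to bash, so a double quote inside
# the input closes the string and everything after it runs as a command.
run_inline() {
  bash -c "$(render_inline "$1")"
}

# Hardened: the value never enters the script text. It is bound as an
# environment variable and bash expands it as a single string.
run_env() {
  INPUTS_BRANCH_NAME="$1" bash -c 'echo "Creating PR from ${INPUTS_BRANCH_NAME}"'
}

# Returns 0 if the injected marker was actually executed, 1 otherwise.
was_injected() {
  case "$1" in
    *INJECTED-42*) return 0 ;;
    *) return 1 ;;
  esac
}

echo "--- inline interpolation (vulnerable) ---"
run_inline "$MALICIOUS_BRANCH"
echo "--- env variable (hardened) ---"
run_env "$MALICIOUS_BRANCH"
```

Running it prints the injected marker only under the inline pattern; under the `env:` pattern the whole malicious string is echoed back verbatim as one argument. The same reasoning applies to `${{ steps.<id>.outputs.<name> }}` and `${{ github.event.* }}` values, which is why the PR also moves step outputs into `STEPS_*` variables.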

@google-cla

google-cla Bot commented Feb 17, 2026


Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@github-actions


Size Change: -2 B (0%)

Total Size: 22 MB

Filename Size Change
./bundle/gemini.js 22 MB -2 B (0%)
./bundle/sandbox-macos-permissive-closed.sb 1.03 kB 0 B
./bundle/sandbox-macos-permissive-open.sb 890 B 0 B
./bundle/sandbox-macos-permissive-proxied.sb 1.31 kB 0 B
./bundle/sandbox-macos-restrictive-closed.sb 3.29 kB 0 B
./bundle/sandbox-macos-restrictive-open.sb 3.36 kB 0 B
./bundle/sandbox-macos-restrictive-proxied.sb 3.56 kB 0 B

compressed-size-action

@gemini-code-assist gemini-code-assist Bot left a comment

Contributor

Code Review

This pull request is an automated refactoring to improve the security of your GitHub Actions by using environment variables for inputs within run steps. This is a great improvement as it prevents potential script injection vulnerabilities. The changes are applied consistently across most of the action files.

I've found one place where the refactoring is incomplete and an inline expression is still used. I've left a specific comment with a suggestion to complete the refactoring for that step.

Comment on lines +278 to 284
gh release create "${INPUTS_RELEASE_TAG}" \
bundle/gemini.js \
--target "${{ steps.release_branch.outputs.BRANCH_NAME }}" \
--title "Release ${{ inputs.release-tag }}" \
--notes-start-tag "${{ inputs.previous-tag }}" \
--target "${STEPS_RELEASE_BRANCH_OUTPUTS_BRANCH_NAME}" \
--title "Release ${INPUTS_RELEASE_TAG}" \
--notes-start-tag "${INPUTS_PREVIOUS_TAG}" \
--generate-notes \
${{ inputs.npm-tag != 'latest' && '--prerelease' || '' }}
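Review bot: the one `${{ }}` expression left in this `run:` block, `${{ inputs.npm-tag != 'latest' && '--prerelease' || '' }}` on the last line, can only ever expand to the constant `--prerelease` or to an empty string, so unlike the `${{ inputs.release-tag }}` and `${{ inputs.previous-tag }}` interpolations replaced above it, the raw input value never reaches the script text and it is not itself an injection sink; moving the branch into the shell (binding `inputs.npm-tag` through `env:` and testing it there) is still right for consistency with the rest of the refactor, but it is a hygiene fix rather than a security one. Note also that the rendered hunk shows the old `--target`, `--title` and `--notes-start-tag` lines and their `${STEPS_RELEASE_BRANCH_OUTPUTS_BRANCH_NAME}` / `${INPUTS_RELEASE_TAG}` / `${INPUTS_PREVIOUS_TAG}` replacements without +/- markers, so `--target` appears twice; only the env-variable forms survive in the new file.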

Contributor

Severity: high

While most of the action has been refactored to use environment variables, this run step still contains an inline expression: ${{ inputs.npm-tag != 'latest' && '--prerelease' || '' }}. To be consistent with the refactoring and improve security and readability, this logic should be moved into the shell script itself.

To apply the suggestion, please also add INPUTS_NPM_TAG: ${{ inputs.npm-tag }} to the env block for this step.

        PRERELEASE_FLAG=""
        if [[ "${INPUTS_NPM_TAG}" != 'latest' ]]; then
          PRERELEASE_FLAG="--prerelease"
        fi
        gh release create "${INPUTS_RELEASE_TAG}" \
          bundle/gemini.js \
          --target "${STEPS_RELEASE_BRANCH_OUTPUTS_BRANCH_NAME}" \
          --title "Release ${INPUTS_RELEASE_TAG}" \
          --notes-start-tag "${INPUTS_PREVIOUS_TAG}" \
          --generate-notes \
          $PRERELEASE_FLAG

@gemini-cli gemini-cli Bot added the status/need-issue Pull requests that need to have an associated issue. label Feb 17, 2026
@google-admin google-admin deleted the lsc-1771371260.144281 branch February 18, 2026 18:24
@sripasg sripasg added the size/m A medium sized PR label Jun 2, 2026

Labels

size/m A medium sized PR status/need-issue Pull requests that need to have an associated issue.


4 participants