Refactor Github Action per b/485167538

[google-admin]

This is a http://go/LSC run by http://go/ghss to automatically refactor your Github Actions per http://b/485167538.

This is a PR to help you upgrade to the latest standards in Github Actions.

Please merge this PR to accept the changes. NOTE: if you do not accept this PR, it may be force merged by the GHSS team. See http://b/485167538 for more details.

[gemini-code-assist]

Summary of Changes

Hello @google-admin, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request systematically refactors the way input variables are handled within several GitHub Actions. The core change involves explicitly defining input values as environment variables before they are used in shell run steps, which improves the security posture and maintainability of the workflows by avoiding direct interpolation and potential shell injection issues.

Highlights

• Standardized GitHub Actions Input Access: Refactored all GitHub Actions to pass input variables as environment variables to shell scripts, enhancing security and consistency by preventing direct interpolation of inputs within run blocks.
• Improved Shell Script Robustness: Converted direct ${{ inputs.<input-name> }} references within run steps to use explicit environment variables (e.g., $INPUTS_BRANCH_NAME), which is a recommended practice for shell scripts in GitHub Actions.

Changelog

• .github/actions/create-pull-request/action.yml
  • Updated the 'Create Pull Request' step to use environment variables for branch name, PR title, PR body, and base branch inputs.
• .github/actions/npm-auth-token/action.yml
  • Modified the 'npm_auth_token' step to pass GitHub token, package name, and various Wombat tokens as environment variables.
• .github/actions/publish-release/action.yml
  • Adjusted the 'release_branch' step to use an environment variable for the release tag.
  • Updated the 'Update package versions' step to use an environment variable for the release version.
  • Refactored the 'Publish core package' step to use environment variables for dry-run and core package name.
  • Modified the 'Install latest core package' step to use environment variables for core package name, release version, CLI package name, and A2A package name.
  • Updated the 'Publish cli package' step to use environment variables for dry-run and CLI package name.
  • Refactored the 'Publish a2a-server package' step to use environment variables for dry-run and A2A package name.
  • Adjusted the 'Create GitHub Release' step to use environment variables for release tag, branch name output, and previous tag.
  • Modified the 'Clean up release branch' step to use an environment variable for the branch name output.
• .github/actions/push-docker/action.yml
  • Updated the 'branch_name' step to use an environment variable for the ref-name input.
• .github/actions/push-sandbox/action.yml
  • Modified the 'image_tag' step to use environment variables for GitHub ref name and SHA.
  • Refactored the 'build' step to use an environment variable for the final image tag output.
  • Adjusted the 'publish' step to use an environment variable for the Docker build URI output.
• .github/actions/setup-npmrc/action.yml
  • Updated the 'setup-npmrc' step to use an environment variable for the GitHub token.
• .github/actions/tag-npm-release/action.yml
  • Modified the 'Tag core package' step to use environment variables for core package name, version, and channel.
  • Refactored the 'Tag cli package' step to use environment variables for CLI package name, version, and channel.
  • Adjusted the 'Tag a2a-server package' step to use environment variables for A2A package name, version, and channel.
  • Updated the 'Log dry run' step to use environment variables for channel, version, CLI package name, core package name, and A2A package name.
• .github/actions/verify-release/action.yml
  • Refactored the 'Verify NPM release by version' step to use environment variables for expected version and NPM package name.
  • Modified the 'Verify NPX run by version' step to use environment variables for NPM package name and expected version.

Ignored Files

• Ignored by pattern: .github/workflows/** (8)
  • .github/workflows/ci.yml
  • .github/workflows/deflake.yml
  • .github/workflows/e2e.yml
  • .github/workflows/eval.yml
  • .github/workflows/release-patch-3-release.yml
  • .github/workflows/release-promote.yml
  • .github/workflows/test_chained_e2e.yml
  • .github/workflows/trigger_e2e.yml

Activity

• This pull request was automatically generated by the LSC (Large Scale Change) system via GHSS (GitHub Security Scanner) to refactor GitHub Actions.
• The changes are intended to upgrade existing GitHub Actions to the latest standards, as detailed in b/485167538.
• The author, google-admin, has indicated that this PR may be force-merged if not accepted, highlighting its importance for compliance.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[github-actions]

Size Change: -2 B (0%)

Total Size: 20.5 MB

ℹ️ View Unchanged

Filename	Size	Change
./bundle/gemini.js	20.5 MB	-2 B (0%)
./bundle/sandbox-macos-permissive-closed.sb	1.03 kB	0 B
./bundle/sandbox-macos-permissive-open.sb	890 B	0 B
./bundle/sandbox-macos-permissive-proxied.sb	1.31 kB	0 B
./bundle/sandbox-macos-restrictive-closed.sb	3.29 kB	0 B
./bundle/sandbox-macos-restrictive-open.sb	3.36 kB	0 B
./bundle/sandbox-macos-restrictive-proxied.sb	3.56 kB	0 B

_{compressed-size-action}

[gemini-code-assist]

Code Review

This pull request is an automated refactoring to improve the security of your GitHub Actions by using environment variables for inputs within run scripts, which helps prevent shell injection. The changes are generally correct and follow best practices. However, I've identified several instances where shell variables are not quoted in commands. This could lead to unexpected behavior or errors if the variable values contain spaces or special characters. I've added specific suggestions to quote these variables to enhance the robustness and security of the scripts.

[gemini-code-assist]

The ${INPUTS_CORE_PACKAGE_NAME} variable should be double-quoted in the npm dist-tag rm command. This prevents potential issues like word splitting or globbing if the package name contains spaces or other shell metacharacters. While npm package names have restrictions, quoting variables in shell scripts is a crucial best practice for robustness and security.

npm publish \
  --dry-run="${INPUTS_DRY_RUN}" \
  --workspace="${INPUTS_CORE_PACKAGE_NAME}" \
  --no-tag
npm dist-tag rm "${INPUTS_CORE_PACKAGE_NAME}" false --silent

[gemini-code-assist]

The ${INPUTS_CLI_PACKAGE_NAME} variable should be double-quoted to prevent shell injection vulnerabilities and ensure the script's robustness. It's a best practice to quote all variable expansions in shell commands.

npm publish \
  --dry-run="${INPUTS_DRY_RUN}" \
  --workspace="${INPUTS_CLI_PACKAGE_NAME}" \
  --no-tag
npm dist-tag rm "${INPUTS_CLI_PACKAGE_NAME}" false --silent

[gemini-code-assist]

For consistency and security, the ${INPUTS_A2A_PACKAGE_NAME} variable should be double-quoted. This prevents unexpected behavior if the package name contains special characters.

npm publish \
  --dry-run="${INPUTS_DRY_RUN}" \
  --workspace="${INPUTS_A2A_PACKAGE_NAME}" \
  --no-tag
npm dist-tag rm "${INPUTS_A2A_PACKAGE_NAME}" false --silent

[gemini-code-assist]

The arguments to npm dist-tag add should be quoted to prevent word splitting and globbing. This ensures the command behaves as expected even if the package name, version, or channel contain special characters.

npm dist-tag add "${INPUTS_CORE_PACKAGE_NAME}@${INPUTS_VERSION}" "${INPUTS_CHANNEL}"

[gemini-code-assist]

For robustness and security, the arguments to npm dist-tag add should be double-quoted. This prevents unexpected behavior from shell expansion.

npm dist-tag add "${INPUTS_CLI_PACKAGE_NAME}@${INPUTS_VERSION}" "${INPUTS_CHANNEL}"

[gemini-code-assist]

Please quote the arguments for npm dist-tag add to prevent potential shell injection issues and improve script robustness.

npm dist-tag add "${INPUTS_A2A_PACKAGE_NAME}@${INPUTS_VERSION}" "${INPUTS_CHANNEL}"