Refactor Github Action per b/485167538 by google-admin · Pull Request #19301 · google-gemini/gemini-cli

google-admin · 2026-02-17T23:39:39Z

This is a http://go/LSC run by http://go/ghss to automatically refactor your Github Actions per http://b/485167538.

This is a PR to help you upgrade to the latest standards in Github Actions.

Please merge this PR to accept the changes. NOTE: if you do not accept this PR, it may be force merged by the GHSS team. See http://b/485167538 for more details.

gemini-code-assist · 2026-02-17T23:40:03Z

Summary of Changes

Hello @google-admin, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request systematically refactors the way input variables are handled within several GitHub Actions. The core change involves explicitly defining input values as environment variables before they are used in shell run steps, which improves the security posture and maintainability of the workflows by avoiding direct interpolation and potential shell injection issues.

Highlights

Standardized GitHub Actions Input Access: Refactored all GitHub Actions to pass input variables as environment variables to shell scripts, enhancing security and consistency by preventing direct interpolation of inputs within run blocks.
Improved Shell Script Robustness: Converted direct ${{ inputs.<input-name> }} references within run steps to use explicit environment variables (e.g., $INPUTS_BRANCH_NAME), which is a recommended practice for shell scripts in GitHub Actions.

Changelog

.github/actions/create-pull-request/action.yml
- Updated the 'Create Pull Request' step to use environment variables for branch name, PR title, PR body, and base branch inputs.
.github/actions/npm-auth-token/action.yml
- Modified the 'npm_auth_token' step to pass GitHub token, package name, and various Wombat tokens as environment variables.
.github/actions/publish-release/action.yml
- Adjusted the 'release_branch' step to use an environment variable for the release tag.
- Updated the 'Update package versions' step to use an environment variable for the release version.
- Refactored the 'Publish core package' step to use environment variables for dry-run and core package name.
- Modified the 'Install latest core package' step to use environment variables for core package name, release version, CLI package name, and A2A package name.
- Updated the 'Publish cli package' step to use environment variables for dry-run and CLI package name.
- Refactored the 'Publish a2a-server package' step to use environment variables for dry-run and A2A package name.
- Adjusted the 'Create GitHub Release' step to use environment variables for release tag, branch name output, and previous tag.
- Modified the 'Clean up release branch' step to use an environment variable for the branch name output.
.github/actions/push-docker/action.yml
- Updated the 'branch_name' step to use an environment variable for the ref-name input.
.github/actions/push-sandbox/action.yml
- Modified the 'image_tag' step to use environment variables for GitHub ref name and SHA.
- Refactored the 'build' step to use an environment variable for the final image tag output.
- Adjusted the 'publish' step to use an environment variable for the Docker build URI output.
.github/actions/setup-npmrc/action.yml
- Updated the 'setup-npmrc' step to use an environment variable for the GitHub token.
.github/actions/tag-npm-release/action.yml
- Modified the 'Tag core package' step to use environment variables for core package name, version, and channel.
- Refactored the 'Tag cli package' step to use environment variables for CLI package name, version, and channel.
- Adjusted the 'Tag a2a-server package' step to use environment variables for A2A package name, version, and channel.
- Updated the 'Log dry run' step to use environment variables for channel, version, CLI package name, core package name, and A2A package name.
.github/actions/verify-release/action.yml
- Refactored the 'Verify NPM release by version' step to use environment variables for expected version and NPM package name.
- Modified the 'Verify NPX run by version' step to use environment variables for NPM package name and expected version.

Ignored Files

Ignored by pattern: .github/workflows/** (8)
- .github/workflows/ci.yml
- .github/workflows/deflake.yml
- .github/workflows/e2e.yml
- .github/workflows/eval.yml
- .github/workflows/release-patch-3-release.yml
- .github/workflows/release-promote.yml
- .github/workflows/test_chained_e2e.yml
- .github/workflows/trigger_e2e.yml

Activity

This pull request was automatically generated by the LSC (Large Scale Change) system via GHSS (GitHub Security Scanner) to refactor GitHub Actions.
The changes are intended to upgrade existing GitHub Actions to the latest standards, as detailed in b/485167538.
The author, google-admin, has indicated that this PR may be force-merged if not accepted, highlighting its importance for compliance.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	`/gemini review`	Performs a code review for the current pull request in its current state.
Pull Request Summary	`/gemini summary`	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	`/gemini help`	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

google-cla · 2026-02-17T23:40:07Z

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

github-actions · 2026-02-17T23:43:06Z

Size Change: -2 B (0%)

Total Size: 20.5 MB

ℹ️ View Unchanged

Filename	Size	Change
`./bundle/gemini.js`	20.5 MB	-2 B (0%)
`./bundle/sandbox-macos-permissive-closed.sb`	1.03 kB	0 B
`./bundle/sandbox-macos-permissive-open.sb`	890 B	0 B
`./bundle/sandbox-macos-permissive-proxied.sb`	1.31 kB	0 B
`./bundle/sandbox-macos-restrictive-closed.sb`	3.29 kB	0 B
`./bundle/sandbox-macos-restrictive-open.sb`	3.36 kB	0 B
`./bundle/sandbox-macos-restrictive-proxied.sb`	3.56 kB	0 B

_{compressed-size-action}

gemini-code-assist

Code Review

This pull request is an automated refactoring to improve the security of your GitHub Actions by using environment variables for inputs within run scripts, which helps prevent shell injection. The changes are generally correct and follow best practices. However, I've identified several instances where shell variables are not quoted in commands. This could lead to unexpected behavior or errors if the variable values contain spaces or special characters. I've added specific suggestions to quote these variables to enhance the robustness and security of the scripts.

gemini-code-assist · 2026-02-17T23:46:23Z

      run: |
        npm publish \
-          --dry-run="${{ inputs.dry-run }}" \
-          --workspace="${{ inputs.core-package-name }}" \
+          --dry-run="${INPUTS_DRY_RUN}" \
+          --workspace="${INPUTS_CORE_PACKAGE_NAME}" \
          --no-tag
-        npm dist-tag rm ${{ inputs.core-package-name }} false --silent
+        npm dist-tag rm ${INPUTS_CORE_PACKAGE_NAME} false --silent


The ${INPUTS_CORE_PACKAGE_NAME} variable should be double-quoted in the npm dist-tag rm command. This prevents potential issues like word splitting or globbing if the package name contains spaces or other shell metacharacters. While npm package names have restrictions, quoting variables in shell scripts is a crucial best practice for robustness and security.

npm publish \ --dry-run="${INPUTS_DRY_RUN}" \ --workspace="${INPUTS_CORE_PACKAGE_NAME}" \ --no-tag npm dist-tag rm "${INPUTS_CORE_PACKAGE_NAME}" false --silent

gemini-code-assist · 2026-02-17T23:46:23Z

      run: |
        npm publish \
-          --dry-run="${{ inputs.dry-run }}" \
-          --workspace="${{ inputs.cli-package-name }}" \
+          --dry-run="${INPUTS_DRY_RUN}" \
+          --workspace="${INPUTS_CLI_PACKAGE_NAME}" \
          --no-tag
-        npm dist-tag rm ${{ inputs.cli-package-name }} false --silent
+        npm dist-tag rm ${INPUTS_CLI_PACKAGE_NAME} false --silent


The ${INPUTS_CLI_PACKAGE_NAME} variable should be double-quoted to prevent shell injection vulnerabilities and ensure the script's robustness. It's a best practice to quote all variable expansions in shell commands.

npm publish \ --dry-run="${INPUTS_DRY_RUN}" \ --workspace="${INPUTS_CLI_PACKAGE_NAME}" \ --no-tag npm dist-tag rm "${INPUTS_CLI_PACKAGE_NAME}" false --silent

gemini-code-assist · 2026-02-17T23:46:23Z

      run: |
        npm publish \
-          --dry-run="${{ inputs.dry-run }}" \
-          --workspace="${{ inputs.a2a-package-name }}" \
+          --dry-run="${INPUTS_DRY_RUN}" \
+          --workspace="${INPUTS_A2A_PACKAGE_NAME}" \
          --no-tag
-        npm dist-tag rm ${{ inputs.a2a-package-name }} false --silent
+        npm dist-tag rm ${INPUTS_A2A_PACKAGE_NAME} false --silent


For consistency and security, the ${INPUTS_A2A_PACKAGE_NAME} variable should be double-quoted. This prevents unexpected behavior if the package name contains special characters.

npm publish \ --dry-run="${INPUTS_DRY_RUN}" \ --workspace="${INPUTS_A2A_PACKAGE_NAME}" \ --no-tag npm dist-tag rm "${INPUTS_A2A_PACKAGE_NAME}" false --silent

gemini-code-assist · 2026-02-17T23:46:23Z

      working-directory: '${{ inputs.working-directory }}'
      run: |
-        npm dist-tag add ${{ inputs.core-package-name }}@${{ inputs.version }} ${{ inputs.channel }}
+        npm dist-tag add ${INPUTS_CORE_PACKAGE_NAME}@${INPUTS_VERSION} ${INPUTS_CHANNEL}


The arguments to npm dist-tag add should be quoted to prevent word splitting and globbing. This ensures the command behaves as expected even if the package name, version, or channel contain special characters.

npm dist-tag add "${INPUTS_CORE_PACKAGE_NAME}@${INPUTS_VERSION}" "${INPUTS_CHANNEL}"

gemini-code-assist · 2026-02-17T23:46:23Z

      working-directory: '${{ inputs.working-directory }}'
      run: |
-        npm dist-tag add ${{ inputs.cli-package-name }}@${{ inputs.version }} ${{ inputs.channel }}
+        npm dist-tag add ${INPUTS_CLI_PACKAGE_NAME}@${INPUTS_VERSION} ${INPUTS_CHANNEL}


For robustness and security, the arguments to npm dist-tag add should be double-quoted. This prevents unexpected behavior from shell expansion.

npm dist-tag add "${INPUTS_CLI_PACKAGE_NAME}@${INPUTS_VERSION}" "${INPUTS_CHANNEL}"

gemini-code-assist · 2026-02-17T23:46:23Z

      working-directory: '${{ inputs.working-directory }}'
      run: |
-        npm dist-tag add ${{ inputs.a2a-package-name }}@${{ inputs.version }} ${{ inputs.channel }}
+        npm dist-tag add ${INPUTS_A2A_PACKAGE_NAME}@${INPUTS_VERSION} ${INPUTS_CHANNEL}


Please quote the arguments for npm dist-tag add to prevent potential shell injection issues and improve script robustness.

npm dist-tag add "${INPUTS_A2A_PACKAGE_NAME}@${INPUTS_VERSION}" "${INPUTS_CHANNEL}"

Refactor Github Action per b/485167538

9e0ab5d

google-admin requested review from a team as code owners February 17, 2026 23:39

google-admin assigned joshualitt Feb 17, 2026

gemini-code-assist Bot reviewed Feb 17, 2026

View reviewed changes

gemini-cli Bot added the status/need-issue Pull requests that need to have an associated issue. label Feb 17, 2026

google-admin closed this Feb 18, 2026

google-admin deleted the lsc-1771371572.8860269 branch February 18, 2026 18:24

sripasg added the size/m A medium sized PR label Jun 2, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Refactor Github Action per b/485167538#19301

Refactor Github Action per b/485167538#19301
google-admin wants to merge 1 commit into
release/v0.16.0-preview.2-pr-13101from
lsc-1771371572.8860269

google-admin commented Feb 17, 2026

Uh oh!

gemini-code-assist Bot commented Feb 17, 2026

Uh oh!

google-cla Bot commented Feb 17, 2026

Uh oh!

github-actions Bot commented Feb 17, 2026

Uh oh!

gemini-code-assist Bot left a comment

Uh oh!

gemini-code-assist Bot Feb 17, 2026

Uh oh!

gemini-code-assist Bot Feb 17, 2026

Uh oh!

gemini-code-assist Bot Feb 17, 2026

Uh oh!

gemini-code-assist Bot Feb 17, 2026

Uh oh!

gemini-code-assist Bot Feb 17, 2026

Uh oh!

gemini-code-assist Bot Feb 17, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Uh oh!

Conversation

google-admin commented Feb 17, 2026

Uh oh!

gemini-code-assist Bot commented Feb 17, 2026

Summary of Changes

Highlights

Footnotes

Uh oh!

google-cla Bot commented Feb 17, 2026

Uh oh!

github-actions Bot commented Feb 17, 2026

Uh oh!

gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

Code Review

Uh oh!

gemini-code-assist Bot Feb 17, 2026

Choose a reason for hiding this comment

Uh oh!

gemini-code-assist Bot Feb 17, 2026

Choose a reason for hiding this comment

Uh oh!

gemini-code-assist Bot Feb 17, 2026

Choose a reason for hiding this comment

Uh oh!

gemini-code-assist Bot Feb 17, 2026

Choose a reason for hiding this comment

Uh oh!

gemini-code-assist Bot Feb 17, 2026

Choose a reason for hiding this comment

Uh oh!

gemini-code-assist Bot Feb 17, 2026

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants