Refactor Github Action per b/485167538

[google-admin]

This is a http://go/LSC run by http://go/ghss to automatically refactor your Github Actions per http://b/485167538.

This is a PR to help you upgrade to the latest standards in Github Actions.

Please merge this PR to accept the changes. NOTE: if you do not accept this PR, it may be force merged by the GHSS team. See http://b/485167538 for more details.

[gemini-code-assist]

Summary of Changes

Hello @google-admin, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request standardizes and improves the security posture of several GitHub Actions by refactoring how input variables are accessed within shell scripts. Instead of directly interpolating inputs into run commands, the actions now explicitly define these inputs as environment variables, which are then referenced within the scripts. This change aligns with best practices for GitHub Actions, making the workflows more robust and less susceptible to injection vulnerabilities.

Highlights

• Security Refactoring: Refactored GitHub Actions to enhance security by explicitly mapping input variables to environment variables before use in shell scripts.
• Action: create-pull-request: Updated the create-pull-request action to pass PR title, body, base branch, and head branch inputs via environment variables.
• Action: publish-release: Modified the publish-release action to use environment variables for release tag, version, dry-run status, npm tag, and previous tag in various steps.
• Action: push-docker: Adjusted the push-docker action to utilize an environment variable for the reference name input.

Changelog

• .github/actions/create-pull-request/action.yml
  • Introduced INPUTS_PR_TITLE, INPUTS_PR_BODY, INPUTS_BASE_BRANCH, and INPUTS_BRANCH_NAME as environment variables.
  • Modified the gh pr create command to reference these new environment variables instead of direct inputs.
• .github/actions/publish-release/action.yml
  • Added INPUTS_RELEASE_TAG as an environment variable and updated its usage in the release_branch step.
  • Introduced INPUTS_RELEASE_VERSION as an environment variable and updated its usage in the Update package versions step.
  • Mapped inputs.dry-run and inputs.npm-tag to INPUTS_DRY_RUN and INPUTS_NPM_TAG environment variables for npm publish commands.
  • Updated npm install to use INPUTS_RELEASE_VERSION.
  • Mapped inputs.release-tag, steps.release_branch.outputs.BRANCH_NAME, and inputs.previous-tag to environment variables for the gh release create command.
• .github/actions/push-docker/action.yml
  • Added INPUTS_REF_NAME as an environment variable and updated its usage in the branch_name step.

Ignored Files

• Ignored by pattern: .github/workflows/** (7)
  • .github/workflows/eval.yml
  • .github/workflows/gemini-automated-issue-triage.yml
  • .github/workflows/release-change-tags.yml
  • .github/workflows/release-manual.yml
  • .github/workflows/release-patch-1-create-pr.yml
  • .github/workflows/release-patch-3-release.yml
  • .github/workflows/release-promote.yml

Activity

• This pull request was automatically generated by ghss as part of a larger effort to refactor GitHub Actions.
• It is intended to upgrade existing workflows to the latest standards, as detailed in b/485167538.
• The PR author, google-admin, indicates that it may be force-merged if not accepted.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request contains automated refactoring to enhance the security of GitHub Actions. The changes correctly replace direct context access in run scripts with environment variables, which is a best practice to prevent script injection vulnerabilities. I've reviewed the modifications across all action files, and they are implemented correctly and improve the overall security posture of the CI/CD pipeline. The changes are approved.