Refactor Github Action per b/485167538

[google-admin]

This is a http://go/LSC run by http://go/ghss to automatically refactor your Github Actions per http://b/485167538.

This is a PR to help you upgrade to the latest standards in Github Actions.

Please merge this PR to accept the changes. NOTE: if you do not accept this PR, it may be force merged by the GHSS team. See http://b/485167538 for more details.

[gemini-code-assist]

Summary of Changes

Hello @google-admin, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request implements an automated refactoring across several GitHub Actions to enhance their security and adhere to the latest standards. The core modification involves transitioning from direct interpolation of action inputs within run scripts to assigning these inputs to environment variables first. This systematic update ensures that all input values are safely processed, thereby preventing potential shell injection vulnerabilities and improving the overall robustness of the CI/CD workflows.

Highlights

• Refactored GitHub Action Input Handling: All affected GitHub Actions have been updated to pass inputs as explicit environment variables to their run scripts, rather than directly interpolating them.
• Enhanced Security: This change improves the security posture of the workflows by mitigating potential shell injection vulnerabilities that can arise from direct input interpolation.
• Standardized Practices: The refactoring aligns the GitHub Actions with recommended best practices for handling sensitive or dynamic input values within shell commands.

Changelog

• .github/actions/create-pull-request/action.yml
  • Updated the gh pr create command to use environment variables for branch name, PR title, body, and base branch.
• .github/actions/npm-auth-token/action.yml
  • Modified the script to access github-token, package-name, and wombat-token inputs via environment variables.
• .github/actions/publish-release/action.yml
  • Adjusted the release_branch step to use an environment variable for the release tag.
  • Updated the Update package versions step to use an environment variable for the release version.
  • Refactored npm publish commands to use environment variables for dry-run and package names.
  • Modified npm install commands to use environment variables for package names and release versions.
  • Updated the gh release create command to use environment variables for release tag, target branch, title, and previous tag.
• .github/actions/push-docker/action.yml
  • Changed the branch_name step to use an environment variable for the ref-name input.
• .github/actions/push-sandbox/action.yml
  • Updated the image_tag step to use environment variables for github-ref-name and github-sha.
  • Modified the build step to use an environment variable for the image tag.
  • Adjusted the publish step to use an environment variable for the Docker build URI.
• .github/actions/setup-npmrc/action.yml
  • Updated the setup-npmrc step to use an environment variable for the github-token.
• .github/actions/tag-npm-release/action.yml
  • Refactored npm dist-tag add commands to use environment variables for package names, versions, and channels.
  • Updated the dry run log message to use environment variables for package names, version, and channel.
• .github/actions/verify-release/action.yml
  • Modified version verification steps to use environment variables for expected version and npm package name.

Ignored Files

• Ignored by pattern: .github/workflows/** (7)
  • .github/workflows/chained_e2e.yml
  • .github/workflows/ci.yml
  • .github/workflows/deflake.yml
  • .github/workflows/eval.yml
  • .github/workflows/release-patch-3-release.yml
  • .github/workflows/release-promote.yml
  • .github/workflows/trigger_e2e.yml

Activity

• This pull request was automatically generated by GHSS (GitHub Security Scanner) to refactor GitHub Actions.
• The changes are intended to upgrade existing GitHub Actions to the latest standards as per b/485167538.
• The PR description indicates that this pull request may be force merged by the GHSS team if not accepted.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request is an automated refactoring of GitHub Actions workflows to improve security by preventing script injection. It replaces direct context access (e.g., ${{ inputs.var }}) in run steps with environment variables. The changes are generally correct and follow best practices. However, I've identified one instance where the refactoring was incomplete, leaving a potential vulnerability. My review includes a suggestion to address this.

[gemini-code-assist]

The automated refactoring to prevent script injection missed one case. The expression ${{ inputs.npm-tag != 'latest' && '--prerelease' || '' }} still uses an input context directly within the run script. To fully mitigate the risk of script injection, this should be refactored to use an environment variable and perform the conditional logic within the shell script.

      env:
        GITHUB_TOKEN: '${{ inputs.github-token }}'
        INPUTS_RELEASE_TAG: ${{ inputs.release-tag }}
        STEPS_RELEASE_BRANCH_OUTPUTS_BRANCH_NAME: ${{ steps.release_branch.outputs.BRANCH_NAME }}
        INPUTS_PREVIOUS_TAG: ${{ inputs.previous-tag }}
        INPUTS_NPM_TAG: ${{ inputs.npm-tag }}
      shell: 'bash'
      run: |
        prerelease_arg=""
        if [[ "${INPUTS_NPM_TAG}" != 'latest' ]]; then
          prerelease_arg="--prerelease"
        fi
        gh release create "${INPUTS_RELEASE_TAG}" \
          bundle/gemini.js \
          --target "${STEPS_RELEASE_BRANCH_OUTPUTS_BRANCH_NAME}" \
          --title "Release ${INPUTS_RELEASE_TAG}" \
          --notes-start-tag "${INPUTS_PREVIOUS_TAG}" \
          --generate-notes \
          $prerelease_arg

[github-actions]

Size Change: -2 B (0%)

Total Size: 22.2 MB

ℹ️ View Unchanged

Filename	Size	Change
./bundle/gemini.js	22.2 MB	-2 B (0%)
./bundle/sandbox-macos-permissive-closed.sb	1.03 kB	0 B
./bundle/sandbox-macos-permissive-open.sb	890 B	0 B
./bundle/sandbox-macos-permissive-proxied.sb	1.31 kB	0 B
./bundle/sandbox-macos-restrictive-closed.sb	3.29 kB	0 B
./bundle/sandbox-macos-restrictive-open.sb	3.36 kB	0 B
./bundle/sandbox-macos-restrictive-proxied.sb	3.56 kB	0 B

_{compressed-size-action}