Refactor Github Action per b/485167538

[google-admin]

This is a http://go/LSC run by http://go/ghss to automatically refactor your Github Actions per http://b/485167538.

This is a PR to help you upgrade to the latest standards in Github Actions.

Please merge this PR to accept the changes. NOTE: if you do not accept this PR, it may be force merged by the GHSS team. See http://b/485167538 for more details.

[gemini-code-assist]

Summary of Changes

Hello @google-admin, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request systematically refactors several Github Actions to align with updated best practices for handling input variables within run steps. The core change involves transitioning from direct inputs context access within shell commands to using explicitly defined environment variables. This update aims to bolster the security posture of the workflows and improve the clarity and maintainability of the action definitions.

Highlights

• Github Actions Refactoring: All modified Github Actions have been refactored to pass input variables into the env context before being used in run scripts. This standardizes how inputs are accessed within shell commands.
• Enhanced Security and Readability: This change improves security by mitigating potential shell injection vulnerabilities and enhances the readability of action scripts by explicitly defining inputs as environment variables.

Changelog

• .github/actions/create-pull-request/action.yml
  • Updated input variable access for branch name, PR title, body, and base branch within the gh pr create command.
• .github/actions/npm-auth-token/action.yml
  • Refactored input variable usage for github-token, package-name, and various wombat-token inputs by passing them as environment variables.
• .github/actions/publish-release/action.yml
  • Modified input variable handling for release-tag and release-version in the release branch creation and package version update steps.
  • Adjusted input variable access for dry-run, core-package-name, cli-package-name, a2a-package-name, and release-version in npm publish and install steps.
  • Updated input variable usage for release-tag, release_branch.outputs.BRANCH_NAME, and previous-tag in the gh release create command.
  • Refactored input variable access for release_branch.outputs.BRANCH_NAME in the release branch cleanup step.
• .github/actions/push-docker/action.yml
  • Adjusted input variable access for ref-name when determining the branch name.
• .github/actions/push-sandbox/action.yml
  • Changed input variable usage for github-ref-name and github-sha in the image tag determination step.
  • Updated input variable access for image_tag.outputs.FINAL_TAG in the docker build command.
  • Refactored input variable usage for docker_build.outputs.uri in the docker push command.
• .github/actions/setup-npmrc/action.yml
  • Modified input variable access for github-token when configuring the .npmrc file.
• .github/actions/tag-npm-release/action.yml
  • Updated input variable usage for core-package-name, version, and channel in the npm dist-tag add command for core packages.
  • Refactored input variable access for cli-package-name, version, and channel in the npm dist-tag add command for CLI packages.
  • Adjusted input variable usage for a2a-package-name, version, and channel in the npm dist-tag add command for a2a packages and in the dry run log message.
• .github/actions/verify-release/action.yml
  • Modified input variable access for expected-version and npm-package in the version verification steps for both gemini --version and npx commands.

Ignored Files

• Ignored by pattern: .github/workflows/** (8)
  • .github/workflows/ci.yml
  • .github/workflows/deflake.yml
  • .github/workflows/e2e.yml
  • .github/workflows/eval.yml
  • .github/workflows/release-patch-3-release.yml
  • .github/workflows/release-promote.yml
  • .github/workflows/test_chained_e2e.yml
  • .github/workflows/trigger_e2e.yml

Activity

• The pull request was automatically generated by google-admin via an LSC run by GHSS.
• The purpose is to refactor Github Actions to meet updated standards as per internal bug b/485167538.
• The PR description indicates that it may be force merged if not accepted, suggesting a mandatory update.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request refactors the GitHub Actions workflows to improve security by passing inputs as environment variables instead of directly injecting them into scripts. This is a good practice. However, the refactoring is incomplete and introduces command injection vulnerabilities in several places because the environment variables are used without proper quoting in shell commands. These vulnerabilities are critical and must be fixed. I've added specific comments with suggestions on how to fix them.

[gemini-code-assist]

This automated refactoring correctly moves the input to an environment variable. However, the variable is then used unquoted in the shell command. This can lead to a command injection vulnerability if the package name contains shell metacharacters. Please quote the variable to prevent this.

        npm dist-tag rm "${INPUTS_CORE_PACKAGE_NAME}" false --silent

[gemini-code-assist]

This automated refactoring correctly moves the input to an environment variable. However, the variable is then used unquoted in the shell command. This can lead to a command injection vulnerability if the package name contains shell metacharacters. Please quote the variable to prevent this.

        npm dist-tag rm "${INPUTS_CLI_PACKAGE_NAME}" false --silent

[gemini-code-assist]

This automated refactoring correctly moves the input to an environment variable. However, the variable is then used unquoted in the shell command. This can lead to a command injection vulnerability if the package name contains shell metacharacters. Please quote the variable to prevent this.

        npm dist-tag rm "${INPUTS_A2A_PACKAGE_NAME}" false --silent

[gemini-code-assist]

This automated refactoring correctly moves inputs to environment variables. However, the variables are then used unquoted in the shell command. This can lead to a command injection vulnerability if the package name, version, or channel contain shell metacharacters. Please quote the variables to prevent this.

        npm dist-tag add "${INPUTS_CORE_PACKAGE_NAME}@${INPUTS_VERSION}" "${INPUTS_CHANNEL}"

[gemini-code-assist]

This automated refactoring correctly moves inputs to environment variables. However, the variables are then used unquoted in the shell command. This can lead to a command injection vulnerability if the package name, version, or channel contain shell metacharacters. Please quote the variables to prevent this.

        npm dist-tag add "${INPUTS_CLI_PACKAGE_NAME}@${INPUTS_VERSION}" "${INPUTS_CHANNEL}"

[gemini-code-assist]

This automated refactoring correctly moves inputs to environment variables. However, the variables are then used unquoted in the shell command. This can lead to a command injection vulnerability if the package name, version, or channel contain shell metacharacters. Please quote the variables to prevent this.

        npm dist-tag add "${INPUTS_A2A_PACKAGE_NAME}@${INPUTS_VERSION}" "${INPUTS_CHANNEL}"

[gemini-code-assist]

The image tag from the previous step is used here unquoted. While the expected values (Git SHA or release tag) are likely safe, it is a security best practice to always quote variables in shell commands to prevent unexpected behavior or vulnerabilities from special characters. Please add quotes around the image argument.

          --image "google/gemini-cli-sandbox:${STEPS_IMAGE_TAG_OUTPUTS_FINAL_TAG}" \

[github-actions]

Size Change: -2 B (0%)

Total Size: 20.5 MB

ℹ️ View Unchanged

Filename	Size	Change
./bundle/gemini.js	20.5 MB	-2 B (0%)
./bundle/sandbox-macos-permissive-closed.sb	1.03 kB	0 B
./bundle/sandbox-macos-permissive-open.sb	890 B	0 B
./bundle/sandbox-macos-permissive-proxied.sb	1.31 kB	0 B
./bundle/sandbox-macos-restrictive-closed.sb	3.29 kB	0 B
./bundle/sandbox-macos-restrictive-open.sb	3.36 kB	0 B
./bundle/sandbox-macos-restrictive-proxied.sb	3.56 kB	0 B

_{compressed-size-action}