Refactor Github Action per b/485167538

[google-admin]

This is a http://go/LSC run by http://go/ghss to automatically refactor your Github Actions per http://b/485167538.

This is a PR to help you upgrade to the latest standards in Github Actions.

Please merge this PR to accept the changes. NOTE: if you do not accept this PR, it may be force merged by the GHSS team. See http://b/485167538 for more details.

[gemini-code-assist]

Summary of Changes

Hello @google-admin, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refactors several GitHub Actions to align with updated standards, specifically addressing an internal bug (b/485167538). The core change involves explicitly passing input variables to run steps via environment variables, enhancing security and maintainability of the workflows. This is an automated refactor initiated by the GHSS team.

Highlights

• GitHub Actions Refactoring: All modified GitHub Actions (create-pull-request, npm-auth-token, publish-release, push-docker, push-sandbox, setup-npmrc, tag-npm-release, verify-release) have been updated to align with updated standards.
• Environment Variable Usage: Input variables and step outputs are now consistently passed to run steps using explicit env blocks, rather than direct interpolation within the run script.
• Security and Maintainability: This change improves the robustness and security of the GitHub Actions by ensuring variables are correctly scoped and handled, preventing potential shell injection issues and making the scripts easier to debug.

Changelog

• .github/actions/create-pull-request/action.yml
  • Updated gh pr create command to use environment variables for branch name, PR title, body, and base branch.
• .github/actions/npm-auth-token/action.yml
  • Modified the script to retrieve github-token, package-name, and wombat-token inputs from environment variables.
• .github/actions/publish-release/action.yml
  • Adjusted the release_branch step to use an environment variable for release-tag.
  • Updated the Update package versions step to use an environment variable for release-version.
  • Refactored npm publish and npm install commands to consume dry-run, core-package-name, release-version, cli-package-name, and a2a-package-name from environment variables.
  • Modified gh release create command to use environment variables for release-tag, release_branch output, and previous-tag.
  • Updated the cleanup step to use an environment variable for the release_branch output.
• .github/actions/push-docker/action.yml
  • Changed the branch_name step to use an environment variable for ref-name.
• .github/actions/push-sandbox/action.yml
  • Updated the image_tag step to use environment variables for github-ref-name and github-sha.
  • Modified the build step to use an environment variable for image_tag output.
  • Refactored the publish step to use an environment variable for docker_build output.
• .github/actions/setup-npmrc/action.yml
  • Updated the npmrc configuration to use an environment variable for github-token.
• .github/actions/tag-npm-release/action.yml
  • Modified npm dist-tag add commands and the dry run log message to use environment variables for package names, version, and channel.
• .github/actions/verify-release/action.yml
  • Updated version verification commands to use environment variables for expected-version and npm-package.

Ignored Files

• Ignored by pattern: .github/workflows/** (7)
  • .github/workflows/chained_e2e.yml
  • .github/workflows/ci.yml
  • .github/workflows/deflake.yml
  • .github/workflows/eval.yml
  • .github/workflows/release-patch-3-release.yml
  • .github/workflows/release-promote.yml
  • .github/workflows/trigger_e2e.yml

Activity

• Automated refactor initiated by the GHSS team.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

Size Change: -2 B (0%)

Total Size: 22.2 MB

ℹ️ View Unchanged

Filename	Size	Change
./bundle/gemini.js	22.2 MB	-2 B (0%)
./bundle/sandbox-macos-permissive-closed.sb	1.03 kB	0 B
./bundle/sandbox-macos-permissive-open.sb	890 B	0 B
./bundle/sandbox-macos-permissive-proxied.sb	1.31 kB	0 B
./bundle/sandbox-macos-restrictive-closed.sb	3.29 kB	0 B
./bundle/sandbox-macos-restrictive-open.sb	3.36 kB	0 B
./bundle/sandbox-macos-restrictive-proxied.sb	3.56 kB	0 B

_{compressed-size-action}

[gemini-code-assist]

Code Review

This pull request aims to improve the security of GitHub Actions by using environment variables for inputs in run scripts, which is a good step towards preventing shell injection vulnerabilities. However, a security audit has identified multiple high-severity command injection vulnerabilities. While the migration to environment variables is a correct security practice, the implementation is flawed as it fails to properly quote these variables when used in shell commands. This oversight can still lead to arbitrary command execution if an attacker controls the action's inputs. I've left specific comments with suggestions to add the necessary quotes to fully mitigate these issues.

[gemini-code-assist]

A high-severity command injection vulnerability exists here. The INPUTS_CORE_PACKAGE_NAME environment variable is used unquoted in the run script, allowing an attacker to inject malicious shell commands if they control the core-package-name input. Enclose the variable in double quotes to prevent this.

        npm dist-tag rm "${INPUTS_CORE_PACKAGE_NAME}" false --silent

[gemini-code-assist]

A high-severity command injection vulnerability exists here. The INPUTS_CLI_PACKAGE_NAME environment variable is used unquoted in the run script, allowing an attacker to inject malicious shell commands if they control the cli-package-name input. Enclose the variable in double quotes to prevent this.

        npm dist-tag rm "${INPUTS_CLI_PACKAGE_NAME}" false --silent

[gemini-code-assist]

A high-severity command injection vulnerability exists here. The INPUTS_A2A_PACKAGE_NAME environment variable is used unquoted in the run script, allowing an attacker to inject malicious shell commands if they control the a2a-package-name input. Enclose the variable in double quotes to prevent this.

        npm dist-tag rm "${INPUTS_A2A_PACKAGE_NAME}" false --silent

[gemini-code-assist]

A high-severity command injection vulnerability exists here. Environment variables are used unquoted in the run script, allowing an attacker to inject malicious shell commands if they control these input values. Enclose the variables in double quotes to ensure they are treated as single strings and prevent this.

        npm dist-tag add "${INPUTS_CORE_PACKAGE_NAME}@${INPUTS_VERSION}" "${INPUTS_CHANNEL}"

[gemini-code-assist]

A high-severity command injection vulnerability exists here. Environment variables are used unquoted in the run script, allowing an attacker to inject malicious shell commands if they control these input values. Enclose the variables in double quotes to ensure they are treated as single strings and prevent this.

        npm dist-tag add "${INPUTS_CLI_PACKAGE_NAME}@${INPUTS_VERSION}" "${INPUTS_CHANNEL}"

[gemini-code-assist]

A high-severity command injection vulnerability exists here. Environment variables are used unquoted in the run script, allowing an attacker to inject malicious shell commands if they control these input values. Enclose the variables in double quotes to ensure they are treated as single strings and prevent this.

        npm dist-tag add "${INPUTS_A2A_PACKAGE_NAME}@${INPUTS_VERSION}" "${INPUTS_CHANNEL}"

[gemini-code-assist]

The variables in this echo command are unquoted, which is a security risk that can lead to command injection if a variable contains shell metacharacters like $(...). Using printf with format specifiers is the recommended, safer way to print dynamic values in shell scripts.

        printf 'Dry run: Would have added tag '\''%s'\'' to version '\''%s'\'' for %s, %s, and %s.\n' "${INPUTS_CHANNEL}" "${INPUTS_VERSION}" "${INPUTS_CLI_PACKAGE_NAME}" "${INPUTS_CORE_PACKAGE_NAME}" "${INPUTS_A2A_PACKAGE_NAME}"