Refactor Github Action per b/485167538#19358
Conversation
Summary of ChangesHello @google-admin, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request systematically refactors the way input variables are handled across multiple GitHub Actions. The change involves migrating direct input variable access within shell Highlights
Changelog
Ignored Files
Activity
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
|
Size Change: -2 B (0%) Total Size: 20.4 MB ℹ️ View Unchanged
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request refactors several GitHub Actions to use environment variables instead of direct input interpolation in shell scripts, which is a significant step towards mitigating shell injection vulnerabilities. However, a critical vulnerability remains: several shell commands use these new environment variables without double quotes. This exposes the scripts to word splitting and potential command injection if input values contain shell metacharacters. It is essential to wrap these variables in double quotes to ensure the security fix is robust and fully prevent command injection.
| --workspace="${INPUTS_CORE_PACKAGE_NAME}" \ | ||
| --no-tag | ||
| npm dist-tag rm ${{ inputs.core-package-name }} false --silent | ||
| npm dist-tag rm ${INPUTS_CORE_PACKAGE_NAME} false --silent |
There was a problem hiding this comment.
The environment variable INPUTS_CORE_PACKAGE_NAME is used unquoted. This creates a command injection vulnerability if the core-package-name input contains shell metacharacters, as it's subject to word splitting. Always double-quote environment variables in shell commands to prevent this.
npm dist-tag rm "${INPUTS_CORE_PACKAGE_NAME}" false --silent| --workspace="${INPUTS_CLI_PACKAGE_NAME}" \ | ||
| --no-tag | ||
| npm dist-tag rm ${{ inputs.cli-package-name }} false --silent | ||
| npm dist-tag rm ${INPUTS_CLI_PACKAGE_NAME} false --silent |
There was a problem hiding this comment.
The environment variable INPUTS_CLI_PACKAGE_NAME is used unquoted. This creates a command injection vulnerability if the cli-package-name input contains shell metacharacters, as it's subject to word splitting. Always double-quote environment variables in shell commands to prevent this.
npm dist-tag rm "${INPUTS_CLI_PACKAGE_NAME}" false --silent| --workspace="${INPUTS_A2A_PACKAGE_NAME}" \ | ||
| --no-tag | ||
| npm dist-tag rm ${{ inputs.a2a-package-name }} false --silent | ||
| npm dist-tag rm ${INPUTS_A2A_PACKAGE_NAME} false --silent |
There was a problem hiding this comment.
The environment variable INPUTS_A2A_PACKAGE_NAME is used unquoted. This creates a command injection vulnerability if the a2a-package-name input contains shell metacharacters, as it's subject to word splitting. Always double-quote environment variables in shell commands to prevent this.
npm dist-tag rm "${INPUTS_A2A_PACKAGE_NAME}" false --silent| run: |- | ||
| echo ""@google-gemini:registry=https://npm.pkg.github.com"" > ~/.npmrc | ||
| echo ""//npm.pkg.github.com/:_authToken=${{ inputs.github-token }}"" >> ~/.npmrc | ||
| echo ""//npm.pkg.github.com/:_authToken=${INPUTS_GITHUB_TOKEN}"" >> ~/.npmrc |
There was a problem hiding this comment.
The environment variable INPUTS_GITHUB_TOKEN is used unquoted. Although it appears within "", in bash these are interpreted as empty strings, leaving the variable expansion vulnerable. This creates a command injection risk if the token contains shell metacharacters. Ensure the variable itself is double-quoted.
echo "//npm.pkg.github.com/:_authToken=${INPUTS_GITHUB_TOKEN}" >> ~/.npmrc| working-directory: '${{ inputs.working-directory }}' | ||
| run: | | ||
| npm dist-tag add ${{ inputs.core-package-name }}@${{ inputs.version }} ${{ inputs.channel }} | ||
| npm dist-tag add ${INPUTS_CORE_PACKAGE_NAME}@${INPUTS_VERSION} ${INPUTS_CHANNEL} |
There was a problem hiding this comment.
The environment variables INPUTS_CORE_PACKAGE_NAME, INPUTS_VERSION, and INPUTS_CHANNEL are used unquoted. This creates a command injection vulnerability if any of these inputs contain shell metacharacters, as they are subject to word splitting. Always double-quote environment variables in shell commands.
npm dist-tag add "${INPUTS_CORE_PACKAGE_NAME}@${INPUTS_VERSION}" "${INPUTS_CHANNEL}"| working-directory: '${{ inputs.working-directory }}' | ||
| run: | | ||
| npm dist-tag add ${{ inputs.cli-package-name }}@${{ inputs.version }} ${{ inputs.channel }} | ||
| npm dist-tag add ${INPUTS_CLI_PACKAGE_NAME}@${INPUTS_VERSION} ${INPUTS_CHANNEL} |
There was a problem hiding this comment.
The environment variables INPUTS_CLI_PACKAGE_NAME, INPUTS_VERSION, and INPUTS_CHANNEL are used unquoted. This creates a command injection vulnerability if any of these inputs contain shell metacharacters, as they are subject to word splitting. Always double-quote environment variables in shell commands.
npm dist-tag add "${INPUTS_CLI_PACKAGE_NAME}@${INPUTS_VERSION}" "${INPUTS_CHANNEL}"| working-directory: '${{ inputs.working-directory }}' | ||
| run: | | ||
| npm dist-tag add ${{ inputs.a2a-package-name }}@${{ inputs.version }} ${{ inputs.channel }} | ||
| npm dist-tag add ${INPUTS_A2A_PACKAGE_NAME}@${INPUTS_VERSION} ${INPUTS_CHANNEL} |
There was a problem hiding this comment.
The environment variables INPUTS_A2A_PACKAGE_NAME, INPUTS_VERSION, and INPUTS_CHANNEL are used unquoted. This creates a command injection vulnerability if any of these inputs contain shell metacharacters, as they are subject to word splitting. Always double-quote environment variables in shell commands.
npm dist-tag add "${INPUTS_A2A_PACKAGE_NAME}@${INPUTS_VERSION}" "${INPUTS_CHANNEL}"| run: |- | ||
| npm run build:sandbox -- \ | ||
| --image google/gemini-cli-sandbox:${{ steps.image_tag.outputs.FINAL_TAG }} \ | ||
| --image google/gemini-cli-sandbox:${STEPS_IMAGE_TAG_OUTPUTS_FINAL_TAG} \ |
There was a problem hiding this comment.
The image tag variable should be quoted to ensure the shell handles the string correctly, especially since it originates from a git reference.
--image "google/gemini-cli-sandbox:${STEPS_IMAGE_TAG_OUTPUTS_FINAL_TAG}" \
gemini-cli
Bot
added
the
status/need-issue
4 participants
This is a http://go/LSC run by http://go/ghss to automatically refactor your Github Actions per http://b/485167538.
This is a PR to help you upgrade to the latest standards in Github Actions.
Please merge this PR to accept the changes. NOTE: if you do not accept this PR, it may be force merged by the GHSS team. See http://b/485167538 for more details.