google-gemini · google-admin · Feb 18, 2026
@@ -39,18 +39,22 @@ runs:
       if: "inputs.dry-run != 'true'"
       env:
         GH_TOKEN: '${{ inputs.github-token }}'
+        INPUTS_BRANCH_NAME: ${{ inputs.branch-name }}
+        INPUTS_PR_TITLE: ${{ inputs.pr-title }}
+        INPUTS_PR_BODY: ${{ inputs.pr-body }}
+        INPUTS_BASE_BRANCH: ${{ inputs.base-branch }}
       shell: 'bash'
       working-directory: '${{ inputs.working-directory }}'
       run: |
         set -e
-        if ! git ls-remote --exit-code --heads origin "${{ inputs.branch-name }}"; then
-          echo "::error::Branch '${{ inputs.branch-name }}' does not exist on the remote repository."
+        if ! git ls-remote --exit-code --heads origin "${INPUTS_BRANCH_NAME}"; then
+          echo "::error::Branch '${INPUTS_BRANCH_NAME}' does not exist on the remote repository."
           exit 1
         fi
         PR_URL=$(gh pr create \
-          --title "${{ inputs.pr-title }}" \
-          --body "${{ inputs.pr-body }}" \
-          --base "${{ inputs.base-branch }}" \
-          --head "${{ inputs.branch-name }}" \
+          --title "${INPUTS_PR_TITLE}" \
+          --body "${INPUTS_PR_BODY}" \
+          --base "${INPUTS_BASE_BRANCH}" \
+          --head "${INPUTS_BRANCH_NAME}" \
           --fill)
         gh pr merge "$PR_URL" --auto
@@ -30,16 +30,22 @@ runs:
       id: 'npm_auth_token'
       shell: 'bash'
       run: |
-        AUTH_TOKEN="${{ inputs.github-token }}"
-        PACKAGE_NAME="${{ inputs.package-name }}"
+        AUTH_TOKEN="${INPUTS_GITHUB_TOKEN}"
+        PACKAGE_NAME="${INPUTS_PACKAGE_NAME}"
         PRIVATE_REPO="@google-gemini/"
         if [[ "$PACKAGE_NAME" == "$PRIVATE_REPO"* ]]; then
-          AUTH_TOKEN="${{ inputs.github-token }}"
+          AUTH_TOKEN="${INPUTS_GITHUB_TOKEN}"
         elif [[ "$PACKAGE_NAME" == "@google/gemini-cli" ]]; then
-          AUTH_TOKEN="${{ inputs.wombat-token-cli }}"
+          AUTH_TOKEN="${INPUTS_WOMBAT_TOKEN_CLI}"
         elif [[ "$PACKAGE_NAME" == "@google/gemini-cli-core" ]]; then
-          AUTH_TOKEN="${{ inputs.wombat-token-core }}"
+          AUTH_TOKEN="${INPUTS_WOMBAT_TOKEN_CORE}"
         elif [[ "$PACKAGE_NAME" == "@google/gemini-cli-a2a-server" ]]; then
-          AUTH_TOKEN="${{ inputs.wombat-token-a2a-server }}"
+          AUTH_TOKEN="${INPUTS_WOMBAT_TOKEN_A2A_SERVER}"
         fi
         echo "auth-token=$AUTH_TOKEN" >> $GITHUB_OUTPUT
+      env:
+        INPUTS_GITHUB_TOKEN: ${{ inputs.github-token }}
+        INPUTS_PACKAGE_NAME: ${{ inputs.package-name }}
+        INPUTS_WOMBAT_TOKEN_CLI: ${{ inputs.wombat-token-cli }}
+        INPUTS_WOMBAT_TOKEN_CORE: ${{ inputs.wombat-token-core }}
+        INPUTS_WOMBAT_TOKEN_A2A_SERVER: ${{ inputs.wombat-token-a2a-server }}
@@ -90,15 +90,19 @@ runs:
       id: 'release_branch'
       shell: 'bash'
       run: |
-        BRANCH_NAME="release/${{ inputs.release-tag }}"
+        BRANCH_NAME="release/${INPUTS_RELEASE_TAG}"
         git switch -c "${BRANCH_NAME}"
         echo "BRANCH_NAME=${BRANCH_NAME}" >> "${GITHUB_OUTPUT}"
+      env:
+        INPUTS_RELEASE_TAG: ${{ inputs.release-tag }}
 
     - name: '⬆️ Update package versions'
       working-directory: '${{ inputs.working-directory }}'
       shell: 'bash'
       run: |
-        npm run release:version "${{ inputs.release-version }}"
+        npm run release:version "${INPUTS_RELEASE_VERSION}"
+      env:
+        INPUTS_RELEASE_VERSION: ${{ inputs.release-version }}
 
     - name: '💾 Commit and Conditionally Push package versions'
       working-directory: '${{ inputs.working-directory }}'
@@ -160,23 +164,30 @@ runs:
       working-directory: '${{ inputs.working-directory }}'
       env:
         NODE_AUTH_TOKEN: '${{ steps.core-token.outputs.auth-token }}'
+        INPUTS_DRY_RUN: ${{ inputs.dry-run }}
+        INPUTS_CORE_PACKAGE_NAME: ${{ inputs.core-package-name }}
       shell: 'bash'
       run: |
         npm publish \
-          --dry-run="${{ inputs.dry-run }}" \
-          --workspace="${{ inputs.core-package-name }}" \
+          --dry-run="${INPUTS_DRY_RUN}" \
+          --workspace="${INPUTS_CORE_PACKAGE_NAME}" \
           --no-tag
-        npm dist-tag rm ${{ inputs.core-package-name }} false --silent
+        npm dist-tag rm ${INPUTS_CORE_PACKAGE_NAME} false --silent
 
     - name: '🔗 Install latest core package'
       working-directory: '${{ inputs.working-directory }}'
       if: "${{ inputs.dry-run != 'true' }}"
       shell: 'bash'
       run: |
-        npm install "${{ inputs.core-package-name }}@${{ inputs.release-version }}" \
-        --workspace="${{ inputs.cli-package-name }}" \
-        --workspace="${{ inputs.a2a-package-name }}" \
+        npm install "${INPUTS_CORE_PACKAGE_NAME}@${INPUTS_RELEASE_VERSION}" \
+        --workspace="${INPUTS_CLI_PACKAGE_NAME}" \
+        --workspace="${INPUTS_A2A_PACKAGE_NAME}" \
         --save-exact
+      env:
+        INPUTS_CORE_PACKAGE_NAME: ${{ inputs.core-package-name }}
+        INPUTS_RELEASE_VERSION: ${{ inputs.release-version }}
+        INPUTS_CLI_PACKAGE_NAME: ${{ inputs.cli-package-name }}
+        INPUTS_A2A_PACKAGE_NAME: ${{ inputs.a2a-package-name }}
 
     - name: 'Get CLI Token'
       uses: './.github/actions/npm-auth-token'
@@ -192,13 +203,15 @@ runs:
       working-directory: '${{ inputs.working-directory }}'
       env:
         NODE_AUTH_TOKEN: '${{ steps.cli-token.outputs.auth-token }}'
+        INPUTS_DRY_RUN: ${{ inputs.dry-run }}
+        INPUTS_CLI_PACKAGE_NAME: ${{ inputs.cli-package-name }}
       shell: 'bash'
       run: |
         npm publish \
-          --dry-run="${{ inputs.dry-run }}" \
-          --workspace="${{ inputs.cli-package-name }}" \
+          --dry-run="${INPUTS_DRY_RUN}" \
+          --workspace="${INPUTS_CLI_PACKAGE_NAME}" \
           --no-tag
-        npm dist-tag rm ${{ inputs.cli-package-name }} false --silent
+        npm dist-tag rm ${INPUTS_CLI_PACKAGE_NAME} false --silent
 
     - name: 'Get a2a-server Token'
       uses: './.github/actions/npm-auth-token'
@@ -214,14 +227,16 @@ runs:
       working-directory: '${{ inputs.working-directory }}'
       env:
         NODE_AUTH_TOKEN: '${{ steps.a2a-token.outputs.auth-token }}'
+        INPUTS_DRY_RUN: ${{ inputs.dry-run }}
+        INPUTS_A2A_PACKAGE_NAME: ${{ inputs.a2a-package-name }}
       shell: 'bash'
       # Tag staging for initial release
       run: |
         npm publish \
-          --dry-run="${{ inputs.dry-run }}" \
-          --workspace="${{ inputs.a2a-package-name }}" \
+          --dry-run="${INPUTS_DRY_RUN}" \
+          --workspace="${INPUTS_A2A_PACKAGE_NAME}" \
           --no-tag
-        npm dist-tag rm ${{ inputs.a2a-package-name }} false --silent
+        npm dist-tag rm ${INPUTS_A2A_PACKAGE_NAME} false --silent
 
     - name: '🔬 Verify NPM release by version'
       uses: './.github/actions/verify-release'
@@ -255,13 +270,16 @@ runs:
       if: "${{ inputs.dry-run != 'true' && inputs.skip-github-release != 'true' && inputs.npm-tag != 'dev' && inputs.npm-registry-url != 'https://npm.pkg.github.com/' }}"
       env:
         GITHUB_TOKEN: '${{ inputs.github-token }}'
+        INPUTS_RELEASE_TAG: ${{ inputs.release-tag }}
+        STEPS_RELEASE_BRANCH_OUTPUTS_BRANCH_NAME: ${{ steps.release_branch.outputs.BRANCH_NAME }}
+        INPUTS_PREVIOUS_TAG: ${{ inputs.previous-tag }}
       shell: 'bash'
       run: |
-        gh release create "${{ inputs.release-tag }}" \
+        gh release create "${INPUTS_RELEASE_TAG}" \
           bundle/gemini.js \
-          --target "${{ steps.release_branch.outputs.BRANCH_NAME }}" \
-          --title "Release ${{ inputs.release-tag }}" \
-          --notes-start-tag "${{ inputs.previous-tag }}" \
+          --target "${STEPS_RELEASE_BRANCH_OUTPUTS_BRANCH_NAME}" \
+          --title "Release ${INPUTS_RELEASE_TAG}" \
+          --notes-start-tag "${INPUTS_PREVIOUS_TAG}" \
           --generate-notes \
           ${{ inputs.npm-tag != 'latest' && '--prerelease' || '' }}
 
@@ -271,5 +289,8 @@ runs:
       continue-on-error: true
       shell: 'bash'
       run: |
-        echo "Cleaning up release branch ${{ steps.release_branch.outputs.BRANCH_NAME }}..."
-        git push origin --delete "${{ steps.release_branch.outputs.BRANCH_NAME }}"
+        echo "Cleaning up release branch ${STEPS_RELEASE_BRANCH_OUTPUTS_BRANCH_NAME}..."
+        git push origin --delete "${STEPS_RELEASE_BRANCH_OUTPUTS_BRANCH_NAME}"
+
+      env:
+        STEPS_RELEASE_BRANCH_OUTPUTS_BRANCH_NAME: ${{ steps.release_branch.outputs.BRANCH_NAME }}
@@ -52,8 +52,10 @@ runs:
       id: 'branch_name'
       shell: 'bash'
       run: |
-        REF_NAME="${{ inputs.ref-name }}"
+        REF_NAME="${INPUTS_REF_NAME}"
         echo "name=${REF_NAME%/merge}" >> $GITHUB_OUTPUT
+      env:
+        INPUTS_REF_NAME: ${{ inputs.ref-name }}
     - name: 'Build and Push the Docker Image'
       uses: 'docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83' # ratchet:docker/build-push-action@v6
       with:

@@ -56,8 +56,8 @@ runs:
       id: 'image_tag'
       shell: 'bash'
       run: |-
-        SHELL_TAG_NAME="${{ inputs.github-ref-name }}"
-        FINAL_TAG="${{ inputs.github-sha }}"
+        SHELL_TAG_NAME="${INPUTS_GITHUB_REF_NAME}"
+        FINAL_TAG="${INPUTS_GITHUB_SHA}"
         if [[ "$SHELL_TAG_NAME" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?$ ]]; then
           echo "Release detected."
           FINAL_TAG="${SHELL_TAG_NAME#v}"
@@ -66,22 +66,28 @@ runs:
         fi
         echo "Determined image tag: $FINAL_TAG"
         echo "FINAL_TAG=$FINAL_TAG" >> $GITHUB_OUTPUT
+      env:
+        INPUTS_GITHUB_REF_NAME: ${{ inputs.github-ref-name }}
+        INPUTS_GITHUB_SHA: ${{ inputs.github-sha }}
     - name: 'build'
       id: 'docker_build'
       shell: 'bash'
       env:
         GEMINI_SANDBOX_IMAGE_TAG: '${{ steps.image_tag.outputs.FINAL_TAG }}'
         GEMINI_SANDBOX: 'docker'
+        STEPS_IMAGE_TAG_OUTPUTS_FINAL_TAG: ${{ steps.image_tag.outputs.FINAL_TAG }}
       run: |-
         npm run build:sandbox -- \
-          --image google/gemini-cli-sandbox:${{ steps.image_tag.outputs.FINAL_TAG }} \
+          --image google/gemini-cli-sandbox:${STEPS_IMAGE_TAG_OUTPUTS_FINAL_TAG} \
           --output-file final_image_uri.txt
         echo "uri=$(cat final_image_uri.txt)" >> $GITHUB_OUTPUT
     - name: 'publish'
       shell: 'bash'
       if: "${{ inputs.dry-run != 'true' }}"
       run: |-
-        docker push "${{ steps.docker_build.outputs.uri }}"
+        docker push "${STEPS_DOCKER_BUILD_OUTPUTS_URI}"
+      env:
+        STEPS_DOCKER_BUILD_OUTPUTS_URI: ${{ steps.docker_build.outputs.uri }}
     - name: 'Create issue on failure'
       if: |-
         ${{ failure() }}

@@ -18,5 +18,7 @@ runs:
       shell: 'bash'
       run: |-
         echo ""@google-gemini:registry=https://npm.pkg.github.com"" > ~/.npmrc
-        echo ""//npm.pkg.github.com/:_authToken=${{ inputs.github-token }}"" >> ~/.npmrc
+        echo ""//npm.pkg.github.com/:_authToken=${INPUTS_GITHUB_TOKEN}"" >> ~/.npmrc
         echo ""@google:registry=https://wombat-dressing-room.appspot.com"" >> ~/.npmrc
+      env:
+        INPUTS_GITHUB_TOKEN: ${{ inputs.github-token }}
@@ -71,10 +71,13 @@ runs:
         ${{ inputs.dry-run != 'true' }}
       env:
         NODE_AUTH_TOKEN: '${{ steps.core-token.outputs.auth-token }}'
+        INPUTS_CORE_PACKAGE_NAME: ${{ inputs.core-package-name }}
+        INPUTS_VERSION: ${{ inputs.version }}
+        INPUTS_CHANNEL: ${{ inputs.channel }}
       shell: 'bash'
       working-directory: '${{ inputs.working-directory }}'
       run: |
-        npm dist-tag add ${{ inputs.core-package-name }}@${{ inputs.version }} ${{ inputs.channel }}
+        npm dist-tag add ${INPUTS_CORE_PACKAGE_NAME}@${INPUTS_VERSION} ${INPUTS_CHANNEL}
 
     - name: 'Get cli Token'
       uses: './.github/actions/npm-auth-token'
@@ -91,10 +94,13 @@ runs:
         ${{ inputs.dry-run != 'true' }}
       env:
         NODE_AUTH_TOKEN: '${{ steps.cli-token.outputs.auth-token }}'
+        INPUTS_CLI_PACKAGE_NAME: ${{ inputs.cli-package-name }}
+        INPUTS_VERSION: ${{ inputs.version }}
+        INPUTS_CHANNEL: ${{ inputs.channel }}
       shell: 'bash'
       working-directory: '${{ inputs.working-directory }}'
       run: |
-        npm dist-tag add ${{ inputs.cli-package-name }}@${{ inputs.version }} ${{ inputs.channel }}
+        npm dist-tag add ${INPUTS_CLI_PACKAGE_NAME}@${INPUTS_VERSION} ${INPUTS_CHANNEL}
 
     - name: 'Get a2a Token'
       uses: './.github/actions/npm-auth-token'
@@ -111,15 +117,29 @@ runs:
         ${{ inputs.dry-run == 'false' }}
       env:
         NODE_AUTH_TOKEN: '${{ steps.a2a-token.outputs.auth-token }}'
+        INPUTS_A2A_PACKAGE_NAME: ${{ inputs.a2a-package-name }}
+        INPUTS_VERSION: ${{ inputs.version }}
+        INPUTS_CHANNEL: ${{ inputs.channel }}
       shell: 'bash'
       working-directory: '${{ inputs.working-directory }}'
       run: |
-        npm dist-tag add ${{ inputs.a2a-package-name }}@${{ inputs.version }} ${{ inputs.channel }}
+        npm dist-tag add ${INPUTS_A2A_PACKAGE_NAME}@${INPUTS_VERSION} ${INPUTS_CHANNEL}
 
     - name: 'Log dry run'
       if: |-
         ${{ inputs.dry-run == 'true' }}
       shell: 'bash'
       working-directory: '${{ inputs.working-directory }}'
       run: |
-        echo "Dry run: Would have added tag '${{ inputs.channel }}' to version '${{ inputs.version }}' for ${{ inputs.cli-package-name }}, ${{ inputs.core-package-name }}, and ${{ inputs.a2a-package-name }}."
+        echo "Dry run: Would have added tag '${INPUTS_CHANNEL}' to version '${INPUTS_VERSION}' for ${INPUTS_CLI_PACKAGE_NAME}, ${INPUTS_CORE_PACKAGE_NAME}, and ${INPUTS_A2A_PACKAGE_NAME}."
+
+      env:
+        INPUTS_CHANNEL: ${{ inputs.channel }}
+
+        INPUTS_VERSION: ${{ inputs.version }}
+
+        INPUTS_CLI_PACKAGE_NAME: ${{ inputs.cli-package-name }}
+
+        INPUTS_CORE_PACKAGE_NAME: ${{ inputs.core-package-name }}
+
+        INPUTS_A2A_PACKAGE_NAME: ${{ inputs.a2a-package-name }}
@@ -64,10 +64,13 @@ runs:
       working-directory: '${{ inputs.working-directory }}'
       run: |-
         gemini_version=$(gemini --version)
-        if [ "$gemini_version" != "${{ inputs.expected-version }}" ]; then
-          echo "❌ NPM Version mismatch: Got $gemini_version from ${{ inputs.npm-package }}, expected ${{ inputs.expected-version }}"
+        if [ "$gemini_version" != "${INPUTS_EXPECTED_VERSION}" ]; then
+          echo "❌ NPM Version mismatch: Got $gemini_version from ${INPUTS_NPM_PACKAGE}, expected ${INPUTS_EXPECTED_VERSION}"
           exit 1
         fi
+      env:
+        INPUTS_EXPECTED_VERSION: ${{ inputs.expected-version }}
+        INPUTS_NPM_PACKAGE: ${{ inputs.npm-package }}
 
     - name: 'Clear npm cache'
       shell: 'bash'
@@ -77,11 +80,14 @@ runs:
       shell: 'bash'
       working-directory: '${{ inputs.working-directory }}'
       run: |-
-        gemini_version=$(npx --prefer-online "${{ inputs.npm-package}}" --version)
-        if [ "$gemini_version" != "${{ inputs.expected-version }}" ]; then
-          echo "❌ NPX Run Version mismatch: Got $gemini_version from ${{ inputs.npm-package }}, expected ${{ inputs.expected-version }}"
+        gemini_version=$(npx --prefer-online "${INPUTS_NPM_PACKAGE}" --version)
+        if [ "$gemini_version" != "${INPUTS_EXPECTED_VERSION}" ]; then
+          echo "❌ NPX Run Version mismatch: Got $gemini_version from ${INPUTS_NPM_PACKAGE}, expected ${INPUTS_EXPECTED_VERSION}"
           exit 1
         fi
+      env:
+        INPUTS_NPM_PACKAGE: ${{ inputs.npm-package }}
+        INPUTS_EXPECTED_VERSION: ${{ inputs.expected-version }}
 
     - name: 'Install dependencies for integration tests'
       shell: 'bash'

@@ -53,7 +53,7 @@ jobs:
           REPO_NAME: '${{ github.event.inputs.repo_name }}'
         run: |
           mkdir -p ./pr
-          echo '${{ env.REPO_NAME }}' > ./pr/repo_name
+          echo '${REPO_NAME}' > ./pr/repo_name
       - uses: 'actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02' # ratchet:actions/upload-artifact@v4
         with:
           name: 'repo_name'
@@ -321,13 +321,17 @@ jobs:
     steps:
       - name: 'Check E2E test results'
         run: |
-          if [[ ${{ needs.e2e_linux.result }} != 'success' || \
-               ${{ needs.e2e_mac.result }} != 'success' || \
-               ${{ needs.evals.result }} != 'success' ]]; then
+          if [[ ${NEEDS_E2E_LINUX_RESULT} != 'success' || \
+               ${NEEDS_E2E_MAC_RESULT} != 'success' || \
+               ${NEEDS_EVALS_RESULT} != 'success' ]]; then
             echo "One or more E2E jobs failed."
             exit 1
           fi
           echo "All required E2E jobs passed!"
+        env:
+          NEEDS_E2E_LINUX_RESULT: ${{ needs.e2e_linux.result }}
+          NEEDS_E2E_MAC_RESULT: ${{ needs.e2e_mac.result }}
+          NEEDS_EVALS_RESULT: ${{ needs.evals.result }}
 
   set_workflow_status:
     runs-on: 'gemini-cli-ubuntu-16-core'