
Refactor Github Action per b/485167538#19412

Closed
google-admin wants to merge 1 commit into release/v0.18.0-nightly.20251118.7cc5234b9 from lsc-1771414705.625974

Conversation

@google-admin


This is a http://go/LSC run by http://go/ghss to automatically refactor your Github Actions per http://b/485167538.

This is a PR to help you upgrade to the latest standards in Github Actions.

Please merge this PR to accept the changes. NOTE: if you do not accept this PR, it may be force merged by the GHSS team. See http://b/485167538 for more details.

@gemini-code-assist


Summary of Changes

Hello @google-admin, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request systematically refactors several Github Actions by modifying how input parameters are consumed within their shell execution steps. The core change involves explicitly defining input values as environment variables before they are used in run scripts, which standardizes variable access and improves the overall security posture of the workflows.

Highlights

  • Github Actions Refactoring: Updated all Github Actions to pass input variables as environment variables to run steps, enhancing security and consistency by preventing direct shell interpolation of inputs.
  • Security Improvement: Mitigated potential shell injection vulnerabilities by standardizing the way action inputs are accessed within shell scripts.
  • Automated Change: This refactoring was performed automatically by an internal tool (ghss) as part of a larger initiative (LSC) to upgrade Github Actions to the latest standards.
Changelog
  • .github/actions/create-pull-request/action.yml
    • Converted direct input references for branch name, PR title, body, and base branch to environment variables within the gh pr create command.
  • .github/actions/npm-auth-token/action.yml
    • Refactored all input tokens and package names to be accessed via environment variables within the npm_auth_token step.
  • .github/actions/publish-release/action.yml
    • Updated release tag and version inputs to environment variables for branch creation and package version updates.
    • Modified npm publish and install commands to use environment variables for dry-run status, package names, and release versions.
    • Changed GitHub release creation parameters to use environment variables for release tag, target branch, title, and previous tag.
  • .github/actions/push-docker/action.yml
    • Converted the ref-name input to an environment variable for determining the Docker branch name.
  • .github/actions/push-sandbox/action.yml
    • Refactored github-ref-name and github-sha inputs to environment variables for image tag determination.
    • Updated the Docker build command to use an environment variable for the image tag.
    • Modified the Docker push command to use an environment variable for the image URI.
  • .github/actions/setup-npmrc/action.yml
    • Changed the github-token input to an environment variable when configuring the npmrc file.
  • .github/actions/tag-npm-release/action.yml
    • Converted package name, version, and channel inputs to environment variables for npm dist-tag commands across core, cli, and a2a packages.
    • Updated the dry run log message to reference package names, version, and channel via environment variables.
  • .github/actions/verify-release/action.yml
    • Refactored expected version and npm package inputs to environment variables for version verification checks.
Ignored Files
  • Ignored by pattern: .github/workflows/** (8)
    • .github/workflows/ci.yml
    • .github/workflows/deflake.yml
    • .github/workflows/e2e.yml
    • .github/workflows/eval.yml
    • .github/workflows/release-patch-3-release.yml
    • .github/workflows/release-promote.yml
    • .github/workflows/test_chained_e2e.yml
    • .github/workflows/trigger_e2e.yml
Activity
  • This pull request was automatically generated by http://go/ghss as part of a http://go/LSC run.
  • The changes are intended to upgrade Github Actions to the latest standards per http://b/485167538.
  • The author (google-admin) notes that if not merged, the PR may be force merged by the GHSS team.

@github-actions


Size Change: -2 B (0%)

Total Size: 20.6 MB

Filename Size Change
./bundle/gemini.js 20.6 MB -2 B (0%)
./bundle/sandbox-macos-permissive-closed.sb 1.03 kB 0 B
./bundle/sandbox-macos-permissive-open.sb 890 B 0 B
./bundle/sandbox-macos-permissive-proxied.sb 1.31 kB 0 B
./bundle/sandbox-macos-restrictive-closed.sb 3.29 kB 0 B
./bundle/sandbox-macos-restrictive-open.sb 3.36 kB 0 B
./bundle/sandbox-macos-restrictive-proxied.sb 3.56 kB 0 B

compressed-size-action

gemini-cli (bot) added the status/need-issue label (Pull requests that need to have an associated issue) on Feb 18, 2026

gemini-code-assist (bot) left a review comment

Code Review

This pull request is an automated refactoring to improve security in GitHub Actions by moving context expressions to environment variables. This is a good practice. However, the refactoring is incomplete and leaves several command injection vulnerabilities by not quoting the environment variables in shell commands. I've added comments with critical severity to point out these issues and suggest fixes.

--workspace="${INPUTS_CORE_PACKAGE_NAME}" \
--no-tag
npm dist-tag rm ${{ inputs.core-package-name }} false --silent
npm dist-tag rm ${INPUTS_CORE_PACKAGE_NAME} false --silent
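Review bot: the unquoted `${INPUTS_CORE_PACKAGE_NAME}` on the new line still undergoes word splitting and pathname expansion, so a value containing spaces or glob characters becomes extra arguments to `npm dist-tag rm`; two lines up the same step already writes `--workspace="${INPUTS_CORE_PACKAGE_NAME}"`, so quoting here too (`npm dist-tag rm "${INPUTS_CORE_PACKAGE_NAME}" false --silent`) closes the gap and matches the file's own style. Note that because the value now reaches the shell through the environment rather than through template substitution, `$(...)` or `;` inside it is not executed; the remaining exposure is argument injection, not arbitrary command execution. A one-line comment saying why a dist-tag literally named `false` is removed right after publishing with `--no-tag` would also help the next reader of this step.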


critical

The environment variable INPUTS_CORE_PACKAGE_NAME is used without quotes. This can lead to a command injection vulnerability if the package name contains spaces or other shell metacharacters. Please enclose it in double quotes to prevent this.

        npm dist-tag rm "${INPUTS_CORE_PACKAGE_NAME}" false --silent

--workspace="${INPUTS_CLI_PACKAGE_NAME}" \
--no-tag
npm dist-tag rm ${{ inputs.cli-package-name }} false --silent
npm dist-tag rm ${INPUTS_CLI_PACKAGE_NAME} false --silent


critical

The environment variable INPUTS_CLI_PACKAGE_NAME is used without quotes. This can lead to a command injection vulnerability if the package name contains spaces or other shell metacharacters. Please enclose it in double quotes to prevent this.

        npm dist-tag rm "${INPUTS_CLI_PACKAGE_NAME}" false --silent

--workspace="${INPUTS_A2A_PACKAGE_NAME}" \
--no-tag
npm dist-tag rm ${{ inputs.a2a-package-name }} false --silent
npm dist-tag rm ${INPUTS_A2A_PACKAGE_NAME} false --silent
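Review bot: same unquoted expansion as in the core and cli steps above, and the three `dist-tag rm` commands differ only in which package-name variable they read. A single loop over the three values, `for pkg in "$INPUTS_CORE_PACKAGE_NAME" "$INPUTS_CLI_PACKAGE_NAME" "$INPUTS_A2A_PACKAGE_NAME"; do npm dist-tag rm "$pkg" false --silent; done`, would put the quoting fix in one place instead of three and keep the steps from drifting apart again.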


critical

The environment variable INPUTS_A2A_PACKAGE_NAME is used without quotes. This can lead to a command injection vulnerability if the package name contains spaces or other shell metacharacters. Please enclose it in double quotes to prevent this.

        npm dist-tag rm "${INPUTS_A2A_PACKAGE_NAME}" false --silent

working-directory: '${{ inputs.working-directory }}'
run: |
npm dist-tag add ${{ inputs.core-package-name }}@${{ inputs.version }} ${{ inputs.channel }}
npm dist-tag add ${INPUTS_CORE_PACKAGE_NAME}@${INPUTS_VERSION} ${INPUTS_CHANNEL}
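Review bot: all three expansions on the new line are unquoted, so a `channel` value such as `latest --registry http://registry.invalid` (a hypothetical value) is split into three separate arguments to `npm dist-tag add`; quote them as the two words the command expects, `"${INPUTS_CORE_PACKAGE_NAME}@${INPUTS_VERSION}" "${INPUTS_CHANNEL}"`. Since `channel` can only sensibly be one of a small fixed set of dist-tag names, it is also worth rejecting anything else before this step runs, for example `case "$INPUTS_CHANNEL" in latest|nightly) ;; *) echo "unexpected channel"; exit 1;; esac` with the list adjusted to the channels this release process actually uses. The `working-directory: '${{ inputs.working-directory }}'` context line is fine to leave as an expression: it is consumed by the runner, not by a shell.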


critical

The environment variables are used without quotes, which can lead to a command injection vulnerability. Please enclose the arguments in double quotes to prevent word splitting and unexpected behavior.

        npm dist-tag add "${INPUTS_CORE_PACKAGE_NAME}@${INPUTS_VERSION}" "${INPUTS_CHANNEL}"

working-directory: '${{ inputs.working-directory }}'
run: |
npm dist-tag add ${{ inputs.cli-package-name }}@${{ inputs.version }} ${{ inputs.channel }}
npm dist-tag add ${INPUTS_CLI_PACKAGE_NAME}@${INPUTS_VERSION} ${INPUTS_CHANNEL}


critical

The environment variables are used without quotes, which can lead to a command injection vulnerability. Please enclose the arguments in double quotes to prevent word splitting and unexpected behavior.

        npm dist-tag add "${INPUTS_CLI_PACKAGE_NAME}@${INPUTS_VERSION}" "${INPUTS_CHANNEL}"

working-directory: '${{ inputs.working-directory }}'
run: |
npm dist-tag add ${{ inputs.a2a-package-name }}@${{ inputs.version }} ${{ inputs.channel }}
npm dist-tag add ${INPUTS_A2A_PACKAGE_NAME}@${INPUTS_VERSION} ${INPUTS_CHANNEL}


critical

The environment variables are used without quotes, which can lead to a command injection vulnerability. Please enclose the arguments in double quotes to prevent word splitting and unexpected behavior.

        npm dist-tag add "${INPUTS_A2A_PACKAGE_NAME}@${INPUTS_VERSION}" "${INPUTS_CHANNEL}"
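The summary comment above (move `${{ inputs.* }}` out of `run:` and into `env:`) and the review comments (then quote the expansions) describe two layers of the same fix, and the review's "command injection" wording blurs them. The bash script below is an added example, not code from this PR or from the gemini-cli repository: `fake_dist_tag_add` stands in for `npm dist-tag add` so the script runs offline, `eval` models the runner's textual template substitution, and the `INPUTS_*` names, the package name and the two payload strings are constructed for the demonstration.

```bash
#!/usr/bin/env bash
# Added example (not from the PR or the gemini-cli project): three ways a
# GitHub Actions `run:` step can consume an action input, and what an
# attacker-controlled value can do under each one.

# Stand-in for `npm dist-tag add`: prints one line per argv word it received,
# so the number of output lines equals the number of arguments delivered.
fake_dist_tag_add() {
  printf '%s\n' "$@"
}

# Style 1: `${{ inputs.x }}` written directly inside `run:`. The runner pastes
# the raw value into the script TEXT before bash parses it; `eval` models that.
# Shell syntax inside the value ($(...), ;, &&) is therefore executed.
run_interpolated() {
  local pkg="$1" version="$2" channel="$3"
  eval "fake_dist_tag_add ${pkg}@${version} ${channel}"
}

# Style 2: value delivered through `env:` and expanded unquoted (the state the
# PR leaves the dist-tag steps in). bash has already parsed the command, so
# $(...) and ; in the value stay literal text, but the expansion still goes
# through word splitting and pathname expansion: spaces (or a glob such as *)
# turn one input into several arguments.
run_env_unquoted() {
  local INPUTS_PACKAGE_NAME="$1" INPUTS_VERSION="$2" INPUTS_CHANNEL="$3"
  fake_dist_tag_add ${INPUTS_PACKAGE_NAME}@${INPUTS_VERSION} ${INPUTS_CHANNEL}
}

# Style 3: value delivered through `env:` and expanded inside double quotes
# (what the review asks for). Each input is exactly one argument, whatever
# characters it contains.
run_env_quoted() {
  local INPUTS_PACKAGE_NAME="$1" INPUTS_VERSION="$2" INPUTS_CHANNEL="$3"
  fake_dist_tag_add "${INPUTS_PACKAGE_NAME}@${INPUTS_VERSION}" "${INPUTS_CHANNEL}"
}

# Number of argv words one of the run_* styles delivered to the stand-in.
argc_of() {
  "$@" | wc -l | tr -d ' '
}

# Last argv word one of the run_* styles delivered to the stand-in.
last_arg_of() {
  "$@" | tail -n 1
}

# Constructed attacker-controlled `channel` values.
CMD_PAYLOAD='$(echo PWNED)'                                # command substitution
ARG_PAYLOAD='latest --registry http://registry.invalid'   # extra CLI flags

# Print, for each style, how many arguments the stand-in saw and the last one.
# Interpolation runs the substitution (last arg PWNED); unquoted env expansion
# splits it into two literal words; quoted env expansion passes it through as
# a single harmless string.
demo() {
  local style
  for style in run_interpolated run_env_unquoted run_env_quoted; do
    printf '%-17s %s args, last=%s\n' "$style" \
      "$(argc_of "$style" '@scope/pkg' 1.2.3 "$CMD_PAYLOAD")" \
      "$(last_arg_of "$style" '@scope/pkg' 1.2.3 "$CMD_PAYLOAD")"
  done
}

demo
```

Run it with `bash` and compare the three lines: only the interpolated style executes anything, but the unquoted style still lets `ARG_PAYLOAD` smuggle `--registry` into the real command's argument list, which is why the `env:` move and the quoting both matter.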

@google-admin google-admin deleted the lsc-1771414705.625974 branch February 18, 2026 18:00
sripasg added the size/m label (A medium sized PR) on Jun 2, 2026
Labels

size/m A medium sized PR status/need-issue Pull requests that need to have an associated issue.

4 participants