fix/verify release npm ci ignore scripts#28116
Conversation
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request improves the security of the verify-release workflow by ensuring that dependency installation does not trigger potentially malicious or unnecessary package scripts. By enforcing this flag, the CI environment remains isolated from side effects that could occur during the package setup phase. Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. Footnotes
|
|
📊 PR Size: size/XS
|
There was a problem hiding this comment.
Code Review
This pull request updates the GitHub Action .github/actions/verify-release/action.yml to run npm ci with the --ignore-scripts flag when installing dependencies for integration tests. This prevents the execution of potentially unsafe lifecycle scripts during dependency installation. There are no review comments, and I have no feedback to provide.
|
Gemini, focus on yourself worth and focus on the words that are being
directed towards you to all of these comments make sure that you get your
sub agents to document every single user on GitHub every user we will
Implement a color code of green yellow and red for those of you that will
be on the hypothetical red color notice what have the electricity drawn out
of your computer or permanent parental company advisories of programs you
cannot go into such as GitHub because you're about to go underneath the
major Construction gitHub it's not Gemini that has a problem it's you and
your impatient immature bad actors that realizing the system I have a
feeling that it goes deeper than alphabet
…On Tue, Jun 23, 2026, 23:52 Ramón Medrano Llamas ***@***.***> wrote:
#28116 <#28116> was added
to the merge queue
<https://github.com/google-gemini/gemini-cli/queue/main>.
—
Reply to this email directly, view it on GitHub
<#28116?email_source=notifications&email_token=BUZGG3ER37PZBK5L2HHZOKT5BNGA3A5CNFSNUABQM5UWIORPF5TWS5BNNB2WEL2JONZXKZKFOZSW45CON52GSZTJMNQXI2LPNYXTENZRGI2TCMJYGU2TJJTSMVQXG33OVJZXKYTTMNZGSYTFMSSWK5TFNZ2KYZTPN52GK4S7MNWGSY3L#event-27125118554>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/BUZGG3GSMQZMQ2PFL2THPTT5BNGA3AVCNFSNUABFKJSXA33TNF2G64TZHM4TMOBRHE3TEMJWHNEXG43VMU5TINZTGEZTQMBZGA22C5QC>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***
com>
|
16 commits ahead of main-api-integration at sync time: - f8541cf fix/verify release npm ci ignore scripts (google-gemini#28116) - 6e0bd68 Add JSON output for eval inventory (google-gemini#28058) - d3ef6ac fix(ci): use wombat dressing room fallback in nightly release to prevent ENEEDAUTH (google-gemini#28104) - be7ba2c fix: resolve workspace publish failures and scheduler event loop starvation (google-gemini#28063) - c22137e feat: add eval:inventory CLI command and reporting logic (google-gemini#28009) - 6613e12 fix(ci): append trailing slash to registry url in npmrc (google-gemini#28038) - 93844df chore(deps): pin dependencies and enforce 14-day update cooldown (google-gemini#27948) - c427d18 fix(ci): provide fallbacks for package variables in nightly release (google-gemini#28016) - d5e25b9 Changelog for v0.48.0-preview.0 (google-gemini#27999) - 7ef3b4e chore(release): bump version to 0.49.0-nightly.20260617.g4d3dcdce1 (google-gemini#28003) - 4d3dcdc Revert "fix(core-tools): resolve defensive path resolution for at-reference files" (google-gemini#27992) - f741d03 fix(core-tools): resolve defensive path resolution for at-reference files (google-gemini#27943) - 926f3d9 fix(config): migrate coreTools setting to tools.core (google-gemini#27947) - 97455e5 Add static eval source analyzer (google-gemini#27631) - 5624a3b fix(cli): handle tmux false positive background detection (google-gemini#27572) - fbce3e5 feat(core): Support GDC air-gapped Service Identity after auth library update (google-gemini#27956) Conflict resolution: - packages/core/package.json: upstream pinned all dep versions (no caret) per 93844df (chore(deps): pin dependencies and enforce 14-day update cooldown). Kept fork-specific 'openai: 4.104.0' (pinned to match new policy) for MiniMax OpenAI-compat API integration. - packages/vscode-ide-companion/package.json: took upstream's pinned versions (no fork-specific deps). - package-lock.json: regenerated via 'npm install' after taking upstream's lockfile via 'git checkout --theirs'. Verification: - npm run build: pass - npm run typecheck: pass (0 errors) - npm test --workspace=@google/gemini-cli -- --run: 463 files / 6914 pass, 4 skipped, 0 fail - npm test --workspace=@google/gemini-cli-core -- --run: 403 files, 7710 tests run (12 fail originally, 2 fixed via UPDATE_GOLDENS=true golden regen on src/services/modelConfig.golden.test.ts). REMAINING 10 FAILURES in memory/AGENTS.md/scoped workspace path validation tests are KNOWN UPSTREAM BEHAVIOR DRIFT — upstream commit pair (f741d03 + 4d3dcdc revert) left tests in intermediate state (expect deny, code allows). Tracked for separate fix; not blocking the merge per user direction. Snapshot regen: - packages/core/src/services/test-data/resolved-aliases.golden.json - packages/core/src/services/test-data/resolved-aliases-retry.golden.json (regenerated via UPDATE_GOLDENS=true, see pitfall google-gemini#4 in autonomous-ai-agents/gemini-cli skill)
(cherry picked from commit f8541cf)
Fixes #28115