Skip to content

fix/verify release npm ci ignore scripts#28116

Merged
rmedranollamas merged 1 commit into
google-gemini:mainfrom
rmedranollamas:fix/verify-release-npm-ci-ignore-scripts
Jun 24, 2026
Merged

fix/verify release npm ci ignore scripts#28116
rmedranollamas merged 1 commit into
google-gemini:mainfrom
rmedranollamas:fix/verify-release-npm-ci-ignore-scripts

Conversation

@rmedranollamas

@rmedranollamas rmedranollamas commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

Fixes #28115

@rmedranollamas rmedranollamas requested a review from a team as a code owner June 24, 2026 03:26
@gemini-code-assist

Copy link
Copy Markdown
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request improves the security of the verify-release workflow by ensuring that dependency installation does not trigger potentially malicious or unnecessary package scripts. By enforcing this flag, the CI environment remains isolated from side effects that could occur during the package setup phase.

Highlights

  • Security Enhancement: Added the --ignore-scripts flag to the npm ci command within the verify-release GitHub Action to prevent the execution of arbitrary post-install scripts.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@github-actions github-actions Bot added the size/xs An extra small PR label Jun 24, 2026
@github-actions

Copy link
Copy Markdown

📊 PR Size: size/XS

  • Lines changed: 2
  • Additions: +1
  • Deletions: -1
  • Files changed: 1

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the GitHub Action .github/actions/verify-release/action.yml to run npm ci with the --ignore-scripts flag when installing dependencies for integration tests. This prevents the execution of potentially unsafe lifecycle scripts during dependency installation. There are no review comments, and I have no feedback to provide.

@rmedranollamas rmedranollamas enabled auto-merge June 24, 2026 03:29
@rmedranollamas rmedranollamas added this pull request to the merge queue Jun 24, 2026
Merged via the queue into google-gemini:main with commit f8541cf Jun 24, 2026
34 checks passed
@rmedranollamas rmedranollamas deleted the fix/verify-release-npm-ci-ignore-scripts branch June 24, 2026 04:11
@rsloane82-create

rsloane82-create commented Jun 24, 2026 via email

Copy link
Copy Markdown

hotmanxp added a commit to hotmanxp/gemini-cli that referenced this pull request Jun 24, 2026
16 commits ahead of main-api-integration at sync time:
- f8541cf fix/verify release npm ci ignore scripts (google-gemini#28116)
- 6e0bd68 Add JSON output for eval inventory (google-gemini#28058)
- d3ef6ac fix(ci): use wombat dressing room fallback in nightly release to prevent ENEEDAUTH (google-gemini#28104)
- be7ba2c fix: resolve workspace publish failures and scheduler event loop starvation (google-gemini#28063)
- c22137e feat: add eval:inventory CLI command and reporting logic (google-gemini#28009)
- 6613e12 fix(ci): append trailing slash to registry url in npmrc (google-gemini#28038)
- 93844df chore(deps): pin dependencies and enforce 14-day update cooldown (google-gemini#27948)
- c427d18 fix(ci): provide fallbacks for package variables in nightly release (google-gemini#28016)
- d5e25b9 Changelog for v0.48.0-preview.0 (google-gemini#27999)
- 7ef3b4e chore(release): bump version to 0.49.0-nightly.20260617.g4d3dcdce1 (google-gemini#28003)
- 4d3dcdc Revert "fix(core-tools): resolve defensive path resolution for at-reference files" (google-gemini#27992)
- f741d03 fix(core-tools): resolve defensive path resolution for at-reference files (google-gemini#27943)
- 926f3d9 fix(config): migrate coreTools setting to tools.core (google-gemini#27947)
- 97455e5 Add static eval source analyzer (google-gemini#27631)
- 5624a3b fix(cli): handle tmux false positive background detection (google-gemini#27572)
- fbce3e5 feat(core): Support GDC air-gapped Service Identity after auth library update (google-gemini#27956)

Conflict resolution:
- packages/core/package.json: upstream pinned all dep versions (no caret)
  per 93844df (chore(deps): pin dependencies and enforce 14-day
  update cooldown). Kept fork-specific 'openai: 4.104.0' (pinned to
  match new policy) for MiniMax OpenAI-compat API integration.
- packages/vscode-ide-companion/package.json: took upstream's pinned
  versions (no fork-specific deps).
- package-lock.json: regenerated via 'npm install' after taking
  upstream's lockfile via 'git checkout --theirs'.

Verification:
- npm run build: pass
- npm run typecheck: pass (0 errors)
- npm test --workspace=@google/gemini-cli -- --run: 463 files / 6914 pass,
  4 skipped, 0 fail
- npm test --workspace=@google/gemini-cli-core -- --run: 403 files,
  7710 tests run (12 fail originally, 2 fixed via UPDATE_GOLDENS=true
  golden regen on src/services/modelConfig.golden.test.ts).
  REMAINING 10 FAILURES in memory/AGENTS.md/scoped workspace path
  validation tests are KNOWN UPSTREAM BEHAVIOR DRIFT — upstream
  commit pair (f741d03 + 4d3dcdc revert) left tests in
  intermediate state (expect deny, code allows). Tracked for
  separate fix; not blocking the merge per user direction.

Snapshot regen:
- packages/core/src/services/test-data/resolved-aliases.golden.json
- packages/core/src/services/test-data/resolved-aliases-retry.golden.json
  (regenerated via UPDATE_GOLDENS=true, see pitfall google-gemini#4 in
  autonomous-ai-agents/gemini-cli skill)
rfcclub pushed a commit to rfcclub/gemini-cli that referenced this pull request Jun 28, 2026
software-0ficial pushed a commit to software-0ficial/gemini-cli that referenced this pull request Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size/xs An extra small PR

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Nightly Release Failed for v0.49.0-nightly.20260624.g6e0bd68e4 on 2026-06-24

3 participants