Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 2 additions & 9 deletions .github/workflows/release-patch-1-create-pr.yml
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,7 @@ jobs:
contents: 'write'
pull-requests: 'write'
actions: 'write'
workflows: 'write'
steps:
- name: 'Checkout'
uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
Expand All @@ -52,14 +53,6 @@ jobs:
- name: 'Install Script Dependencies'
run: 'npm install yargs'

- name: 'Generate GitHub App Token'
id: 'generate_token'
uses: 'actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b'
with:
app-id: '${{ secrets.APP_ID }}'
private-key: '${{ secrets.PRIVATE_KEY }}'
permission-pull-requests: 'write'
permission-contents: 'write'

- name: 'Configure Git User'
run: |-
Expand All @@ -72,7 +65,7 @@ jobs:
id: 'create_patch'
env:
GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
GH_TOKEN: '${{ steps.generate_token.outputs.token }}'
GH_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
continue-on-error: true
run: |
# Capture output and display it in logs using tee
Expand Down
8 changes: 8 additions & 0 deletions scripts/releasing/create-patch-pr.js
Original file line number Diff line number Diff line change
Expand Up @@ -98,6 +98,14 @@ async function main() {
// Workaround for workflow permission issues: create branch from HEAD then reset to tag
run(`git checkout -b ${releaseBranch}`, dryRun);
run(`git reset --hard ${latestTag}`, dryRun);

// Ensure we're using GITHUB_TOKEN (with actions:write) for pushing workflow files
const githubToken = process.env.GITHUB_TOKEN;
const repo = process.env.GITHUB_REPOSITORY || 'google-gemini/gemini-cli';
if (githubToken) {
run(`git remote set-url origin https://x-access-token:${githubToken}@github.com/${repo}.git`, dryRun);
}
Comment on lines +104 to +107

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

There are two issues in this block:

  1. Critical Security Vulnerability: The run() helper function logs the entire command to the console, which includes the raw GITHUB_TOKEN. This exposes secrets in the workflow logs.
  2. Potential for Error: The hardcoded fallback for repo to 'google-gemini/gemini-cli' is risky. If this script is run in a different repository (like a fork) without GITHUB_REPOSITORY set, it will attempt to push to the wrong upstream repository.

The suggested change addresses both problems by:

  • Calling execSync directly to avoid logging the token.
  • Logging a masked version of the command.
  • Making GITHUB_REPOSITORY a required environment variable when GITHUB_TOKEN is present, preventing pushes to an incorrect repository.
    const repo = process.env.GITHUB_REPOSITORY;
    if (githubToken) {
      if (!repo) {
        console.error(
          'Error: GITHUB_REPOSITORY env var must be set when using GITHUB_TOKEN.'
        );
        process.exit(1);
      }
      const command = `git remote set-url origin https://x-access-token:${githubToken}@github.com/${repo}.git`;
      console.log(`> git remote set-url origin https://x-access-token:***@github.com/${repo}.git`);
      if (!dryRun) {
        try {
          execSync(command, { stdio: 'pipe' });
        } catch (err) {
          console.error('Command failed: git remote set-url');
          throw err;
        }
      }
    }


run(`git push origin ${releaseBranch}`, dryRun);
} else {
console.log(`Release branch ${releaseBranch} already exists.`);
Expand Down
Loading