Skip to content

feat(patch): improve visibility of patch process#9774

Closed
skeshive wants to merge 4 commits into
mainfrom
patch-process
Closed

feat(patch): improve visibility of patch process#9774
skeshive wants to merge 4 commits into
mainfrom
patch-process

Conversation

@skeshive

Copy link
Copy Markdown
Contributor

This commit enhances the patch creation process by providing more explicit information at each stage.

  • The GitHub Actions comment on the original PR now includes the base and new versions.
  • The created patch PR has a more descriptive title and body, including the base and new versions.
  • The hotfix branch name now includes both the base and new versions for clearer identification.

Linked issues / bugs

#9245

This commit enhances the patch creation process by providing more explicit information at each stage.

- The GitHub Actions comment on the original PR now includes the base and new versions.
- The created patch PR has a more descriptive title and body, including the base and new versions.
- The hotfix branch name now includes both the base and new versions for clearer identification.
@skeshive skeshive requested review from a team as code owners September 25, 2025 19:53
@gemini-code-assist

Copy link
Copy Markdown
Contributor

Summary of Changes

Hello @skeshive, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly improves the visibility and clarity of the automated patch creation process. By embedding more version-specific information into various stages, such as GitHub Actions outputs, hotfix branch names, and the titles and bodies of generated pull requests, it becomes much easier to track and understand the context of each patch release. Additionally, the GitHub Actions comment posted on the original PR now includes these detailed version insights, ensuring all stakeholders have immediate access to critical patch information.

Highlights

  • Enhanced GitHub Actions Output: The create-patch-pr.js script now exposes base_version and new_version to GitHub Actions outputs, making these versions available for subsequent workflow steps.
  • Improved Hotfix Branch Naming: Hotfix branch names now include both the base and new versions, providing clearer identification and context for the patch.
  • More Descriptive Patch PR Titles and Bodies: The titles and bodies of automatically created patch pull requests are now more informative, explicitly stating the base and new versions involved in the patch.
  • Detailed GitHub Comments: The patch-create-comment.js script now includes the base and new versions in the GitHub Actions comment posted on the original PR, offering more comprehensive patch details.
Ignored Files
  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/release-patch-1-create-pr.yml
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request improves the visibility of the patch creation process by including base and new version information in branch names, PR titles, and comments. The changes are logical and well-implemented. I've found one area for improvement regarding version string consistency, which will enhance maintainability and prevent potential issues in downstream scripts.

Comment thread scripts/releasing/create-patch-pr.js
@github-actions

github-actions Bot commented Sep 25, 2025

Copy link
Copy Markdown

Size Change: -2 B (0%)

Total Size: 17.4 MB

ℹ️ View Unchanged
Filename Size Change
./bundle/gemini.js 17.4 MB -2 B (0%)
./bundle/sandbox-macos-permissive-closed.sb 1.03 kB 0 B
./bundle/sandbox-macos-permissive-open.sb 830 B 0 B
./bundle/sandbox-macos-permissive-proxied.sb 1.31 kB 0 B
./bundle/sandbox-macos-restrictive-closed.sb 3.29 kB 0 B
./bundle/sandbox-macos-restrictive-open.sb 3.36 kB 0 B
./bundle/sandbox-macos-restrictive-proxied.sb 3.56 kB 0 B

compressed-size-action

@skeshive skeshive marked this pull request as draft September 25, 2025 20:35
@skeshive

Copy link
Copy Markdown
Contributor Author

/gemini review

@skeshive skeshive marked this pull request as ready for review September 26, 2025 15:09
@skeshive skeshive marked this pull request as draft September 26, 2025 15:09

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request improves the visibility of the patch process by including base and new version information in branch names, PR titles, and comments. The changes are well-aligned with the goal. However, I've identified a critical security vulnerability in how outputs are written for GitHub Actions, which could lead to command injection. Please address this issue.

Comment on lines +52 to +53
appendFileSync(process.env.GITHUB_OUTPUT, `base_version=${latestTag}\n`);
appendFileSync(process.env.GITHUB_OUTPUT, `new_version=${nextVersion}\n`);

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

critical

There is a potential command injection vulnerability here. The latestTag and nextVersion variables are written to the file specified by process.env.GITHUB_OUTPUT without sanitization. If either of these variables contains a newline character, it could allow an attacker to inject additional outputs into the GitHub Actions workflow.

For example, if latestTag is v1.2.3\nmalicious_output=foo, the following would be written to the output file:

base_version=v1.2.3
malicious_output=foo

This would set an unexpected output malicious_output with value foo, which could be exploited in subsequent steps.

According to GitHub Actions documentation, multiline strings are not supported for outputs written to GITHUB_OUTPUT. You should sanitize the values to remove any newline characters before writing them.

Suggested change
appendFileSync(process.env.GITHUB_OUTPUT, `base_version=${latestTag}\n`);
appendFileSync(process.env.GITHUB_OUTPUT, `new_version=${nextVersion}\n`);
appendFileSync(process.env.GITHUB_OUTPUT, `base_version=${latestTag.replace(/\r|\n/g, '')}\n`);
appendFileSync(process.env.GITHUB_OUTPUT, `new_version=${nextVersion.replace(/\r|\n/g, '')}\n`);

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mattKorwel Could you advise if this is actually a threat? IIUC these scripts run within Github's action runner?

@mattKorwel mattKorwel mentioned this pull request Sep 29, 2025
5 tasks
@skeshive skeshive closed this Sep 29, 2025
@jacob314 jacob314 deleted the patch-process branch February 19, 2026 07:14
@sripasg sripasg added the size/s A small PR label Jun 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

size/s A small PR

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants