Refactor Github Action per b/485167538

[google-admin]

This is a http://go/LSC run by http://go/ghss to automatically refactor your Github Actions per http://b/485167538.

This is a PR to help you upgrade to the latest standards in Github Actions.

Please merge this PR to accept the changes. NOTE: if you do not accept this PR, it may be force merged by the GHSS team. See http://b/485167538 for more details.

[gemini-code-assist]

Summary of Changes

Hello @google-admin, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request systematically refactors several GitHub Actions by migrating direct input variable usage within run scripts to environment variables. This change aligns the workflows with recommended security practices and enhances the overall robustness and clarity of the action definitions.

Highlights

• Standardized Input Access: All GitHub Action run blocks have been refactored to access inputs via explicitly defined environment variables (e.g., INPUTS_BRANCH_NAME) instead of direct ${{ inputs.<input-name> }} interpolation. This improves security by preventing potential shell injection vulnerabilities and enhances readability.
• Improved Maintainability: By centralizing input access through environment variables, the action definitions become more consistent and easier to maintain, as the scope of variables is clearly defined within each step's env block.

Changelog

• .github/actions/create-pull-request/action.yml
  • Updated gh pr create command arguments to use environment variables for branch name, PR title, body, and base branch.
• .github/actions/npm-auth-token/action.yml
  • Refactored AUTH_TOKEN and PACKAGE_NAME assignments to use environment variables for github-token, package-name, and various wombat-token inputs.
• .github/actions/publish-release/action.yml
  • Modified release branch creation to use an environment variable for release-tag.
  • Updated package version update command to use an environment variable for release-version.
  • Changed npm publish and npm dist-tag rm commands to use environment variables for dry-run and package names.
  • Refactored npm install command to use environment variables for package names and release version.
  • Updated gh release create command arguments to use environment variables for release tag, target branch, title, and previous tag.
  • Modified release branch cleanup command to use an environment variable for the branch name.
• .github/actions/push-docker/action.yml
  • Updated branch name determination to use an environment variable for ref-name.
• .github/actions/push-sandbox/action.yml
  • Refactored image tag determination to use environment variables for github-ref-name and github-sha.
  • Updated npm run build:sandbox command to use an environment variable for the image tag.
  • Changed docker push command to use an environment variable for the Docker build URI.
• .github/actions/setup-npmrc/action.yml
  • Modified _authToken setup in .npmrc to use an environment variable for github-token.
• .github/actions/tag-npm-release/action.yml
  • Updated npm dist-tag add commands for core, CLI, and a2a packages to use environment variables for package names, version, and channel.
  • Refactored dry run log message to use environment variables for channel, version, and package names.
• .github/actions/verify-release/action.yml
  • Modified version verification commands to use environment variables for expected-version and npm-package.

Ignored Files

• Ignored by pattern: .github/workflows/** (8)
  • .github/workflows/ci.yml
  • .github/workflows/deflake.yml
  • .github/workflows/e2e.yml
  • .github/workflows/eval.yml
  • .github/workflows/release-patch-3-release.yml
  • .github/workflows/release-promote.yml
  • .github/workflows/test_chained_e2e.yml
  • .github/workflows/trigger_e2e.yml

Activity

• This pull request was automatically generated by an internal tool (LSC run by GHSS) to refactor GitHub Actions.
• The changes are intended to upgrade workflows to the latest standards, as detailed in b/485167538.
• The PR description indicates that it may be force merged if not accepted, suggesting an automated compliance effort.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

Size Change: -2 B (0%)

Total Size: 20.5 MB

ℹ️ View Unchanged

Filename	Size	Change
./bundle/gemini.js	20.5 MB	-2 B (0%)
./bundle/sandbox-macos-permissive-closed.sb	1.03 kB	0 B
./bundle/sandbox-macos-permissive-open.sb	890 B	0 B
./bundle/sandbox-macos-permissive-proxied.sb	1.31 kB	0 B
./bundle/sandbox-macos-restrictive-closed.sb	3.29 kB	0 B
./bundle/sandbox-macos-restrictive-open.sb	3.36 kB	0 B
./bundle/sandbox-macos-restrictive-proxied.sb	3.56 kB	0 B

_{compressed-size-action}

[gemini-code-assist]

Code Review

This pull request refactors GitHub Actions to use environment variables for inputs, a positive step towards preventing command injection. However, a critical security vulnerability remains as these environment variables are not consistently double-quoted in shell scripts, which can still lead to command injection through word-splitting and argument injection. The review identifies these locations and provides suggestions for proper quoting. Additionally, consider cleaning up the env block in .github/actions/tag-npm-release/action.yml for better code quality.

[gemini-code-assist]

The environment variable INPUTS_CORE_PACKAGE_NAME is used unquoted, which is a critical security vulnerability. If the input core-package-name contains shell metacharacters (e.g., ;, &, |), it could lead to arbitrary command execution. Always wrap environment variables in double quotes to prevent word splitting and command injection.

        npm dist-tag rm "${INPUTS_CORE_PACKAGE_NAME}" false --silent

[gemini-code-assist]

The environment variable INPUTS_CLI_PACKAGE_NAME is used unquoted, posing a security risk. If the input cli-package-name contains shell metacharacters, it could lead to arbitrary command execution. Always wrap environment variables in double quotes to prevent word splitting and command injection.

        npm dist-tag rm "${INPUTS_CLI_PACKAGE_NAME}" false --silent

[gemini-code-assist]

The environment variable INPUTS_A2A_PACKAGE_NAME is used unquoted, posing a security risk. If the input a2a-package-name contains shell metacharacters, it could lead to arbitrary command execution. Always wrap environment variables in double quotes to prevent word splitting and command injection.

        npm dist-tag rm "${INPUTS_A2A_PACKAGE_NAME}" false --silent

[gemini-code-assist]

The environment variables INPUTS_CORE_PACKAGE_NAME, INPUTS_VERSION, and INPUTS_CHANNEL are used unquoted, which is a security vulnerability. If any of these inputs contain shell metacharacters, it could lead to arbitrary command execution. Always wrap environment variables in double quotes to prevent word splitting and command injection.

        npm dist-tag add "${INPUTS_CORE_PACKAGE_NAME}@${INPUTS_VERSION}" "${INPUTS_CHANNEL}"

[gemini-code-assist]

The environment variables INPUTS_CLI_PACKAGE_NAME, INPUTS_VERSION, and INPUTS_CHANNEL are used unquoted, which is a security vulnerability. If any of these inputs contain shell metacharacters, it could lead to arbitrary command execution. Always wrap environment variables in double quotes to prevent word splitting and command injection.

        npm dist-tag add "${INPUTS_CLI_PACKAGE_NAME}@${INPUTS_VERSION}" "${INPUTS_CHANNEL}"

[gemini-code-assist]

The environment variables INPUTS_A2A_PACKAGE_NAME, INPUTS_VERSION, and INPUTS_CHANNEL are used unquoted, which is a security vulnerability. If any of these inputs contain shell metacharacters, it could lead to arbitrary command execution. Always wrap environment variables in double quotes to prevent word splitting and command injection.

        npm dist-tag add "${INPUTS_A2A_PACKAGE_NAME}@${INPUTS_VERSION}" "${INPUTS_CHANNEL}"

[gemini-code-assist]

The environment variable STEPS_IMAGE_TAG_OUTPUTS_FINAL_TAG is used unquoted in a shell command. If the tag contains shell metacharacters, it could lead to arbitrary command execution. Wrap the entire argument in double quotes.

          --image "google/gemini-cli-sandbox:${STEPS_IMAGE_TAG_OUTPUTS_FINAL_TAG}" \

[gemini-code-assist]

The env block contains unnecessary empty lines which reduce readability and deviate from standard YAML formatting patterns used elsewhere in the repository.

        INPUTS_CHANNEL: ${{ inputs.channel }}
        INPUTS_VERSION: ${{ inputs.version }}
        INPUTS_CLI_PACKAGE_NAME: ${{ inputs.cli-package-name }}
        INPUTS_CORE_PACKAGE_NAME: ${{ inputs.core-package-name }}
        INPUTS_A2A_PACKAGE_NAME: ${{ inputs.a2a-package-name }}

References

1. Adhere to existing patterns in the repository. The messy formatting with unnecessary empty lines deviates from the established coding style. ^(link)