[git-tool] do not use GITHUB_TOKEN

[bukepo]

This commit stops using GITHUB_TOKEN in git-tool for better security.

Depends-On: openthread/ot-nrf528xx#989

[gemini-code-assist]

Summary of Changes

Hello @bukepo, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly improves the security posture of the git-tool script by removing its direct reliance on the GITHUB_TOKEN for fetching pull request information. The change refactors the script to receive necessary PR body content externally, enhancing security and simplifying the internal logic.

Highlights

• Security Enhancement: Eliminated the direct use of GITHUB_TOKEN within the script/git-tool by removing the get_pr_body function, which previously fetched PR details using the token.
• Refactoring: Updated the apply_dependencies function to consume the PR body from the PR_BODY environment variable (or similar input) instead of fetching it internally.
• Code Simplification: Removed calls to the now-defunct get_pr_body function from try_update and try_clone, streamlining the script's logic.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in issue comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request improves security by removing the usage of GITHUB_TOKEN within the git-tool script, instead relying on a PR_BODY environment variable. The change is straightforward and effectively decouples the script from requiring direct GitHub API access.

My review identified a significant pre-existing bug in the grep pattern used to find dependent PRs. This bug would prevent the script's primary functionality from working correctly with URL-based Depends-On: declarations. I've provided a suggestion to fix this on the modified line to ensure the script functions as expected.

[github-actions]

Merging #11730 into main

name	branch	text	data	bss	total
ot-cli-ftd	6e1a6ff	478440	860	66540	545840
	46788fa	478456	860	66540	545856
	+/-	+16	+0	+0	+16
ot-ncp-ftd	6e1a6ff	444300	764	61784	506848
	46788fa	444316	764	61784	506864
	+/-	+16	+0	+0	+16
ot-cli-mtd	6e1a6ff	371408	764	51004	423176
	46788fa	371424	764	51004	423192
	+/-	+16	+0	+0	+16
ot-ncp-mtd	6e1a6ff	352524	764	46272	399560
	46788fa	352540	764	46272	399576
	+/-	+16	+0	+0	+16
ot-cli-ftd-br	6e1a6ff	575912	868	134052	710832
	46788fa	575912	868	134052	710832
	+/-	+0	+0	+0	+0
ot-rcp	6e1a6ff	63120	568	20804	84492
	46788fa	63136	568	20804	84508
	+/-	+16	+0	+0	+16

Library files

name	branch	text	data	bss	total
libopenthread-ftd.a	6e1a6ff	245690	95	40318	286103
	46788fa	245690	95	40318	286103
	+/-	+0	+0	+0	+0
libopenthread-cli-ftd.a	6e1a6ff	60743	0	8083	68826
	46788fa	60743	0	8083	68826
	+/-	+0	+0	+0	+0
libopenthread-ncp-ftd.a	6e1a6ff	33257	0	5948	39205
	46788fa	33257	0	5948	39205
	+/-	+0	+0	+0	+0
libopenthread-mtd.a	6e1a6ff	164231	0	24806	189037
	46788fa	164231	0	24806	189037
	+/-	+0	+0	+0	+0
libopenthread-cli-mtd.a	6e1a6ff	41134	0	8059	49193
	46788fa	41134	0	8059	49193
	+/-	+0	+0	+0	+0
libopenthread-ncp-mtd.a	6e1a6ff	25785	0	5948	31733
	46788fa	25785	0	5948	31733
	+/-	+0	+0	+0	+0
libopenthread-ftd-br.a	6e1a6ff	346945	100	107798	454843
	46788fa	346945	100	107798	454843
	+/-	+0	+0	+0	+0
libopenthread-cli-ftd-br.a	6e1a6ff	75982	0	8115	84097
	46788fa	75982	0	8115	84097
	+/-	+0	+0	+0	+0
libopenthread-rcp.a	6e1a6ff	9932	0	5060	14992
	46788fa	9932	0	5060	14992
	+/-	+0	+0	+0	+0
libopenthread-radio.a	6e1a6ff	19383	0	238	19621
	46788fa	19383	0	238	19621
	+/-	+0	+0	+0	+0

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 75.12%. Comparing base (6e1a6ff) to head (46788fa).
Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #11730      +/-   ##
==========================================
- Coverage   75.29%   75.12%   -0.18%     
==========================================
  Files         644      644              
  Lines      100136    95863    -4273     
==========================================
- Hits        75400    72013    -3387     
+ Misses      24736    23850     -886     

see 346 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Pull Request Overview

This PR removes the use of GITHUB_TOKEN in the git-tool script by passing the pull request body via a new PR_BODY environment variable, and updates all CI workflows to set PR_BODY instead of exporting GITHUB_TOKEN.

• script/git-tool no longer fetches the PR body via the GitHub API and has removed the get_pr_body function; it now reads dependencies directly from PR_BODY.
• All GitHub Actions workflow files are updated to inject PR_BODY: "${{ github.event.pull_request.body }}" and no longer expose GITHUB_TOKEN to the script.

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
script/git-tool	Removed get_pr_body, updated apply_dependencies to use PR_BODY
.github/workflows/toranj.yml	Replaced GITHUB_TOKEN with PR_BODY env
.github/workflows/simulation-1.1.yml	Replaced GITHUB_TOKEN with PR_BODY env
.github/workflows/posix.yml	Replaced GITHUB_TOKEN with PR_BODY env
.github/workflows/otns.yml	Replaced GITHUB_TOKEN with PR_BODY env
.github/workflows/otbr.yml	Replaced GITHUB_TOKEN with PR_BODY env
.github/workflows/build.yml	Replaced GITHUB_TOKEN with PR_BODY env

Comments suppressed due to low confidence (2)

script/git-tool:50

• Consider adding a comment or usage note explaining that PR_BODY must be set in the environment for dependency resolution to work, or provide a fallback/error when PR_BODY is empty.

    done < <(grep -E "^Depends-On: *${project_name}" <<<"${PR_BODY:-}" || true)

.github/workflows/toranj.yml:75

• [nitpick] This env block is repeated across multiple workflows; consider defining PR_BODY at a higher level (e.g., top-level env) or using a reusable workflow to reduce duplication.

        PR_BODY: "${{ github.event.pull_request.body }}"