jcarr
/
gemini-cli
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

chore(ci): Ensure ci workflows is consistent and not vulnerable to injection attacks (#6109)

This commit is contained in:
Seth Vargo 2025-08-12 22:56:49 -04:00 committed by GitHub
parent b655d8f062
commit 214800cfc6
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 95 additions and 75 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

170
.github/workflows/ci.yml vendored
View File

@ -1,14 +1,20 @@
# .github/workflows/ci.yml
name: Gemini CLI CI
name: 'Gemini CLI CI'
on:
push:
branches: [main, release]
branches:
- 'main'
- 'release'
pull_request:
branches: [main, release]
branches:
- 'main'
- 'release'
merge_group:
concurrency:
group: '${{ github.workflow }}-${{ github.head_ref || github.ref }}'
cancel-in-progress: ${{ github.ref != 'refs/heads/main' && !startsWith(github.ref, 'refs/heads/release/') }}
jobs:
lint:
name: Lint
@ -51,112 +57,126 @@ jobs:
run: npm run typecheck
test:
name: Test
runs-on: ${{ matrix.os }}
needs: lint
name: 'Test'
runs-on: '${{ matrix.os }}'
needs: 'lint'
permissions:
contents: read
checks: write
pull-requests: write
contents: 'read'
checks: 'write'
pull-requests: 'write'
strategy:
fail-fast: false # So we can see all test failures
matrix:
os: [ubuntu-latest, windows-latest, macos-latest]
node-version: [20.x, 22.x, 24.x]
os:
- 'macos-latest'
- 'ubuntu-latest'
- 'windows-latest'
node-version:
- '20.x'
- '22.x'
- '24.x'
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: 'Checkout'
uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
- name: Set up Node.js ${{ matrix.node-version }}
uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
- name: 'Set up Node.js ${{ matrix.node-version }}'
uses: 'actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020' # ratchet:actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
node-version: '${{ matrix.node-version }}'
cache: 'npm'
- name: Build project
run: npm run build
- name: 'Build project'
run: |-
npm run build
- name: Install dependencies for testing
run: npm ci # Install fresh dependencies using the downloaded package-lock.json
- name: 'Install dependencies for testing'
run: |-
npm ci
- name: Run tests and generate reports
run: npm run test:ci
- name: 'Run tests and generate reports'
env:
NO_COLOR: true
run: 'npm run test:ci'
- name: Publish Test Report (for non-forks)
if: always() && (github.event.pull_request.head.repo.full_name == github.repository)
uses: dorny/test-reporter@dc3a92680fcc15842eef52e8c4606ea7ce6bd3f3 # v2
- name: 'Publish Test Report (for non-forks)'
if: |-
${{ always() && (github.event.pull_request.head.repo.full_name == github.repository) }}
uses: 'dorny/test-reporter@dc3a92680fcc15842eef52e8c4606ea7ce6bd3f3' # ratchet:dorny/test-reporter@v2
with:
name: Test Results (Node ${{ matrix.node-version }})
path: packages/*/junit.xml
reporter: java-junit
name: 'Test Results (Node ${{ matrix.node-version }})'
path: 'packages/*/junit.xml'
reporter: 'java-junit'
fail-on-error: 'false'
- name: Upload Test Results Artifact (for forks)
if: always() && (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository)
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
- name: 'Upload Test Results Artifact (for forks)'
if: |-
${{ always() && (github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository) }}
uses: 'actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02' # ratchet:actions/upload-artifact@v4
with:
name: test-results-fork-${{ matrix.node-version }}-${{ matrix.os }}
path: packages/*/junit.xml
name: 'test-results-fork-${{ matrix.node-version }}-${{ matrix.os }}'
path: 'packages/*/junit.xml'
- name: Upload coverage reports
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
if: always()
- name: 'Upload coverage reports'
if: |-
${{ always() }}
uses: 'actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02' # ratchet:actions/upload-artifact@v4
with:
name: coverage-reports-${{ matrix.node-version }}-${{ matrix.os }}
path: packages/*/coverage
name: 'coverage-reports-${{ matrix.node-version }}-${{ matrix.os }}'
path: 'packages/*/coverage'
post_coverage_comment:
name: Post Coverage Comment
runs-on: ubuntu-latest
needs: test
if: always() && github.event_name == 'pull_request' && (github.event.pull_request.head.repo.full_name == github.repository)
name: 'Post Coverage Comment'
runs-on: 'ubuntu-latest'
needs: 'test'
if: |-
${{ always() && github.event_name == 'pull_request' && (github.event.pull_request.head.repo.full_name == github.repository) }}
continue-on-error: true
permissions:
contents: read # For checkout
pull-requests: write # For commenting
contents: 'read' # For checkout
pull-requests: 'write' # For commenting
strategy:
matrix:
# Reduce noise by only posting the comment once
os: [ubuntu-latest]
node-version: [22.x]
os:
- 'ubuntu-latest'
node-version:
- '22.x'
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: 'Checkout'
uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
- name: Download coverage reports artifact
uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
- name: 'Download coverage reports artifact'
uses: 'actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0' # ratchet:actions/download-artifact@v5
with:
name: coverage-reports-${{ matrix.node-version }}-${{ matrix.os }}
path: coverage_artifact # Download to a specific directory
name: 'coverage-reports-${{ matrix.node-version }}-${{ matrix.os }}'
path: 'coverage_artifact' # Download to a specific directory
- name: Post Coverage Comment using Composite Action
uses: ./.github/actions/post-coverage-comment # Path to the composite action directory
- name: 'Post Coverage Comment using Composite Action'
uses: './.github/actions/post-coverage-comment' # Path to the composite action directory
with:
cli_json_file: coverage_artifact/cli/coverage/coverage-summary.json
core_json_file: coverage_artifact/core/coverage/coverage-summary.json
cli_full_text_summary_file: coverage_artifact/cli/coverage/full-text-summary.txt
core_full_text_summary_file: coverage_artifact/core/coverage/full-text-summary.txt
node_version: ${{ matrix.node-version }}
os: ${{ matrix.os }}
github_token: ${{ secrets.GITHUB_TOKEN }}
cli_json_file: 'coverage_artifact/cli/coverage/coverage-summary.json'
core_json_file: 'coverage_artifact/core/coverage/coverage-summary.json'
cli_full_text_summary_file: 'coverage_artifact/cli/coverage/full-text-summary.txt'
core_full_text_summary_file: 'coverage_artifact/core/coverage/full-text-summary.txt'
node_version: '${{ matrix.node-version }}'
os: '${{ matrix.os }}'
github_token: '${{ secrets.GITHUB_TOKEN }}'
codeql:
name: CodeQL
runs-on: ubuntu-latest
name: 'CodeQL'
runs-on: 'ubuntu-latest'
permissions:
actions: read
contents: read
security-events: write
actions: 'read'
contents: 'read'
security-events: 'write'
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: 'Checkout'
uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
- name: Initialize CodeQL
uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # v3
- name: 'Initialize CodeQL'
uses: 'github/codeql-action/init@df559355d593797519d70b90fc8edd5db049e7a2' # ratchet:github/codeql-action/init@v3
with:
languages: javascript
languages: 'javascript'
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # v3
- name: 'Perform CodeQL Analysis'
uses: 'github/codeql-action/analyze@df559355d593797519d70b90fc8edd5db049e7a2' # ratchet:github/codeql-action/analyze@v3