chore(ci): Ensure docs-gen workflow are not vulnerable to injection attacks (#6100)

This commit is contained in:
Seth Vargo 2025-08-12 22:12:28 -04:00 committed by GitHub
parent 431a312d4d
commit 9912577a2b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 37 additions and 41 deletions


@ -4,8 +4,8 @@ labels: ['kind/bug', 'status/need-triage']
body:
- type: markdown
attributes:
value: |
> [!IMPORTANT]
value: |-
> [!IMPORTANT]
> Thanks for taking the time to fill out this bug report!
>
> Please search **[existing issues](https://github.com/google-gemini/gemini-cli/issues)** to see if an issue already exists for the bug you encountered.
@ -30,7 +30,7 @@ body:
attributes:
label: Client information
description: Please paste the full text from the `/about` command run from Gemini CLI. Also include which platform (macOS, Windows, Linux).
value: |
value: |-
<details>
```console


@ -4,8 +4,8 @@ labels: ['kind/enhancement', 'status/need-triage']
body:
- type: markdown
attributes:
value: |
> [!IMPORTANT]
value: |-
> [!IMPORTANT]
> Thanks for taking the time to suggest an enhancement!
>
> Please search **[existing issues](https://github.com/google-gemini/gemini-cli/issues)** to see if a similar feature has already been requested.


@ -1,54 +1,50 @@
# Sample workflow for building and deploying a Jekyll site to GitHub Pages
name: Deploy Jekyll with GitHub Pages dependencies preinstalled
name: 'Deploy GitHub Pages'
on:
# Runs on pushes targeting the default branch
push:
tags: 'v*'
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
permissions:
contents: read
pages: write
id-token: write
contents: 'read'
pages: 'write'
id-token: 'write'
# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
# Allow only one concurrent deployment, skipping runs queued between the run
# in-progress and latest queued. However, do NOT cancel in-progress runs as we
# want to allow these production deployments to complete.
concurrency:
group: 'pages'
group: '${{ github.workflow }}'
cancel-in-progress: false
jobs:
build:
# This 'if' condition is the key. It ensures the job only runs if the
# tag name does NOT contain the substring 'nightly'.
if: "contains(github.ref_name, 'nightly') == false"
# Build job
runs-on: ubuntu-latest
if: |-
${{ !contains(github.ref_name, 'nightly') }}
runs-on: 'ubuntu-latest'
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Pages
uses: actions/configure-pages@v5
- name: Build with Jekyll
uses: actions/jekyll-build-pages@v1
with:
source: ./
destination: ./_site
- name: Upload artifact
uses: actions/upload-pages-artifact@v3
- name: 'Checkout'
uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
- name: 'Setup Pages'
uses: 'actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b' # ratchet:actions/configure-pages@v5
- name: 'Build with Jekyll'
uses: 'actions/jekyll-build-pages@44a6e6beabd48582f863aeeb6cb2151cc1716697' # ratchet:actions/jekyll-build-pages@v1
with:
source: './'
destination: './_site'
- name: 'Upload artifact'
uses: 'actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa' # ratchet:actions/upload-pages-artifact@v3
# Deployment job
deploy:
environment:
name: github-pages
url: ${{ steps.deployment.outputs.page_url }}
runs-on: ubuntu-latest
needs: build
name: 'github-pages'
url: '${{ steps.deployment.outputs.page_url }}'
runs-on: 'ubuntu-latest'
needs: 'build'
steps:
- name: Deploy to GitHub Pages
id: deployment
uses: actions/deploy-pages@v4
- name: 'Deploy to GitHub Pages'
id: 'deployment'
uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # ratchet:actions/deploy-pages@v4
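Review bot: The workflow-level `permissions:` block (now `contents: 'read'`, `pages: 'write'`, `id-token: 'write'`) hands the Pages and OIDC write scopes to the `build` job as well, although as far as the visible steps show only `deploy` needs them; for least privilege keep `contents: 'read'` at the top level and move `pages: 'write'` and `id-token: 'write'` into a `permissions:` key under the `deploy` job, after confirming that `actions/configure-pages` in `build` does not require `pages: write` for your setup. That way the third-party actions the `build` job pins and runs never execute with an OIDC-capable token. On a smaller point, the final step's `uses: actions/deploy-pages@d6db…` is the only unquoted `uses:` value in the rewritten file; `uses: 'actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e' # ratchet:actions/deploy-pages@v4` keeps it consistent with the other pinned steps. The page header reports four changed files but only three are shown, so this hunk may be cut off at the end and the points above rest on the visible lines only.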