chore(ci): Ensure docs-gen workflow are not vulnerable to injection attacks (#6100)

2025-08-12 22:12:28 -04:00 · 2025-08-12 22:12:28 -04:00 · 9912577a2b
parent 431a312d4d
commit 9912577a2b
4 changed files with 37 additions and 41 deletions
--- a/.gcp/release-docker.yaml
+++ b/.gcp/release-docker.yaml
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@ -4,8 +4,8 @@ labels: ['kind/bug', 'status/need-triage']
 body:
  - type: markdown
    attributes:
-      value: |
-        > [!IMPORTANT]  
+      value: |-
+        > [!IMPORTANT]
        > Thanks for taking the time to fill out this bug report!
        >
        > Please search **[existing issues](https://github.com/google-gemini/gemini-cli/issues)** to see if an issue already exists for the bug you encountered.
@ -30,7 +30,7 @@ body:
    attributes:
      label: Client information
      description: Please paste the full text from the `/about` command run from Gemini CLI. Also include which platform (macOS, Windows, Linux).
-      value: |
+      value: |-
        <details>

        ```console
--- a/.github/ISSUE_TEMPLATE/feature_request.yml
+++ b/.github/ISSUE_TEMPLATE/feature_request.yml
@ -4,8 +4,8 @@ labels: ['kind/enhancement', 'status/need-triage']
 body:
  - type: markdown
    attributes:
-      value: |
-        > [!IMPORTANT]  
+      value: |-
+        > [!IMPORTANT]
        > Thanks for taking the time to suggest an enhancement!
        >
        > Please search **[existing issues](https://github.com/google-gemini/gemini-cli/issues)** to see if a similar feature has already been requested.
--- a/.github/workflows/docs-page-action.yml
+++ b/.github/workflows/docs-page-action.yml
@ -1,54 +1,50 @@
-# Sample workflow for building and deploying a Jekyll site to GitHub Pages
-name: Deploy Jekyll with GitHub Pages dependencies preinstalled
+name: 'Deploy GitHub Pages'

 on:
-  # Runs on pushes targeting the default branch
  push:
    tags: 'v*'
-
-  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:

-# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
 permissions:
-  contents: read
-  pages: write
-  id-token: write
+  contents: 'read'
+  pages: 'write'
+  id-token: 'write'

-# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
-# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
+# Allow only one concurrent deployment, skipping runs queued between the run
+# in-progress and latest queued. However, do NOT cancel in-progress runs as we
+# want to allow these production deployments to complete.
 concurrency:
-  group: 'pages'
+  group: '${{ github.workflow }}'
  cancel-in-progress: false

 jobs:
  build:
-    # This 'if' condition is the key. It ensures the job only runs if the
-    # tag name does NOT contain the substring 'nightly'.
-    if: "contains(github.ref_name, 'nightly') == false"
-    # Build job
-    runs-on: ubuntu-latest
+    if: |-
+      ${{ !contains(github.ref_name, 'nightly') }}
+    runs-on: 'ubuntu-latest'
    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-      - name: Setup Pages
-        uses: actions/configure-pages@v5
-      - name: Build with Jekyll
-        uses: actions/jekyll-build-pages@v1
-        with:
-          source: ./
-          destination: ./_site
-      - name: Upload artifact
-        uses: actions/upload-pages-artifact@v3
+      - name: 'Checkout'
+        uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
+
+      - name: 'Setup Pages'
+        uses: 'actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b' # ratchet:actions/configure-pages@v5
+
+      - name: 'Build with Jekyll'
+        uses: 'actions/jekyll-build-pages@44a6e6beabd48582f863aeeb6cb2151cc1716697' # ratchet:actions/jekyll-build-pages@v1
+        with:
+          source: './'
+          destination: './_site'
+
+      - name: 'Upload artifact'
+        uses: 'actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa' # ratchet:actions/upload-pages-artifact@v3

-  # Deployment job
  deploy:
    environment:
-      name: github-pages
-      url: ${{ steps.deployment.outputs.page_url }}
-    runs-on: ubuntu-latest
-    needs: build
+      name: 'github-pages'
+      url: '${{ steps.deployment.outputs.page_url }}'
+    runs-on: 'ubuntu-latest'
+    needs: 'build'
    steps:
-      - name: Deploy to GitHub Pages
-        id: deployment
-        uses: actions/deploy-pages@v4
+      - name: 'Deploy to GitHub Pages'
+        id: 'deployment'
+        uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # ratchet:actions/deploy-pages@v4