chore(ci): Ensure action and community workflows are consistent and not vulnerable to injection attacks (#6107)
This commit is contained in:
parent
0e8bbfb8ba
commit
b6da98e8e9
|
@ -27,79 +27,88 @@ inputs:
|
|||
runs:
|
||||
using: 'composite'
|
||||
steps:
|
||||
- name: Prepare Coverage Comment
|
||||
id: prep_coverage_comment
|
||||
shell: bash
|
||||
run: |
|
||||
cli_json_file="${{ inputs.cli_json_file }}"
|
||||
core_json_file="${{ inputs.core_json_file }}"
|
||||
cli_full_text_summary_file="${{ inputs.cli_full_text_summary_file }}"
|
||||
core_full_text_summary_file="${{ inputs.core_full_text_summary_file }}"
|
||||
comment_file="coverage-comment.md"
|
||||
|
||||
- name: 'Prepare Coverage Comment'
|
||||
id: 'prep_coverage_comment'
|
||||
shell: 'bash'
|
||||
env:
|
||||
CLI_JSON_FILE: '${{ inputs.cli_json_file }}'
|
||||
CORE_JSON_FILE: '${{ inputs.core_json_file }}'
|
||||
CLI_FULL_TEXT_SUMMARY_FILE: '${{ inputs.cli_full_text_summary_file }}'
|
||||
CORE_FULL_TEXT_SUMMARY_FILE: '${{ inputs.core_full_text_summary_file }}'
|
||||
COMMENT_FILE: 'coverage-comment.md'
|
||||
NODE_VERSION: '${{ inputs.node_version }}'
|
||||
OS: '${{ inputs.os }}'
|
||||
run: |-
|
||||
# Extract percentages using jq for the main table
|
||||
if [ -f "$cli_json_file" ]; then
|
||||
cli_lines_pct=$(jq -r '.total.lines.pct' "$cli_json_file")
|
||||
cli_statements_pct=$(jq -r '.total.statements.pct' "$cli_json_file")
|
||||
cli_functions_pct=$(jq -r '.total.functions.pct' "$cli_json_file")
|
||||
cli_branches_pct=$(jq -r '.total.branches.pct' "$cli_json_file")
|
||||
if [ -f "${CLI_JSON_FILE}" ]; then
|
||||
cli_lines_pct="$(jq -r '.total.lines.pct' "${CLI_JSON_FILE}")"
|
||||
cli_statements_pct="$(jq -r '.total.statements.pct' "${CLI_JSON_FILE}")"
|
||||
cli_functions_pct="$(jq -r '.total.functions.pct' "${CLI_JSON_FILE}")"
|
||||
cli_branches_pct="$(jq -r '.total.branches.pct' "${CLI_JSON_FILE}")"
|
||||
else
|
||||
cli_lines_pct="N/A"; cli_statements_pct="N/A"; cli_functions_pct="N/A"; cli_branches_pct="N/A"
|
||||
echo "CLI coverage-summary.json not found at: $cli_json_file" >&2 # Error to stderr
|
||||
cli_lines_pct="N/A"
|
||||
cli_statements_pct="N/A"
|
||||
cli_functions_pct="N/A"
|
||||
cli_branches_pct="N/A"
|
||||
echo "CLI coverage-summary.json not found at: ${CLI_JSON_FILE}" >&2 # Error to stderr
|
||||
fi
|
||||
|
||||
if [ -f "$core_json_file" ]; then
|
||||
core_lines_pct=$(jq -r '.total.lines.pct' "$core_json_file")
|
||||
core_statements_pct=$(jq -r '.total.statements.pct' "$core_json_file")
|
||||
core_functions_pct=$(jq -r '.total.functions.pct' "$core_json_file")
|
||||
core_branches_pct=$(jq -r '.total.branches.pct' "$core_json_file")
|
||||
if [ -f "${CORE_JSON_FILE}" ]; then
|
||||
core_lines_pct="$(jq -r '.total.lines.pct' "${CORE_JSON_FILE}")"
|
||||
core_statements_pct="$(jq -r '.total.statements.pct' "${CORE_JSON_FILE}")"
|
||||
core_functions_pct="$(jq -r '.total.functions.pct' "${CORE_JSON_FILE}")"
|
||||
core_branches_pct="$(jq -r '.total.branches.pct' "${CORE_JSON_FILE}")"
|
||||
else
|
||||
core_lines_pct="N/A"; core_statements_pct="N/A"; core_functions_pct="N/A"; core_branches_pct="N/A"
|
||||
echo "Core coverage-summary.json not found at: $core_json_file" >&2 # Error to stderr
|
||||
core_lines_pct="N/A"
|
||||
core_statements_pct="N/A"
|
||||
core_functions_pct="N/A"
|
||||
core_branches_pct="N/A"
|
||||
echo "Core coverage-summary.json not found at: ${CORE_JSON_FILE}" >&2 # Error to stderr
|
||||
fi
|
||||
|
||||
echo "## Code Coverage Summary" > "$comment_file"
|
||||
echo "" >> "$comment_file"
|
||||
echo "| Package | Lines | Statements | Functions | Branches |" >> "$comment_file"
|
||||
echo "|---|---|---|---|---|" >> "$comment_file"
|
||||
echo "| CLI | ${cli_lines_pct}% | ${cli_statements_pct}% | ${cli_functions_pct}% | ${cli_branches_pct}% |" >> "$comment_file"
|
||||
echo "| Core | ${core_lines_pct}% | ${core_statements_pct}% | ${core_functions_pct}% | ${core_branches_pct}% |" >> "$comment_file"
|
||||
echo "" >> "$comment_file"
|
||||
echo "## Code Coverage Summary" > "${COMMENT_FILE}"
|
||||
echo "" >> "${COMMENT_FILE}"
|
||||
echo "| Package | Lines | Statements | Functions | Branches |" >> "${COMMENT_FILE}"
|
||||
echo "|---|---|---|---|---|" >> "${COMMENT_FILE}"
|
||||
echo "| CLI | ${cli_lines_pct}% | ${cli_statements_pct}% | ${cli_functions_pct}% | ${cli_branches_pct}% |" >> "${COMMENT_FILE}"
|
||||
echo "| Core | ${core_lines_pct}% | ${core_statements_pct}% | ${core_functions_pct}% | ${core_branches_pct}% |" >> "${COMMENT_FILE}"
|
||||
echo "" >> "${COMMENT_FILE}"
|
||||
|
||||
# CLI Package - Collapsible Section (with full text summary from file)
|
||||
echo "<details>" >> "$comment_file"
|
||||
echo "<summary>CLI Package - Full Text Report</summary>" >> "$comment_file"
|
||||
echo "" >> "$comment_file"
|
||||
echo '```text' >> "$comment_file"
|
||||
if [ -f "$cli_full_text_summary_file" ]; then
|
||||
cat "$cli_full_text_summary_file" >> "$comment_file"
|
||||
echo "<details>" >> "${COMMENT_FILE}"
|
||||
echo "<summary>CLI Package - Full Text Report</summary>" >> "${COMMENT_FILE}"
|
||||
echo "" >> "${COMMENT_FILE}"
|
||||
echo '```text' >> "${COMMENT_FILE}"
|
||||
if [ -f "${CLI_FULL_TEXT_SUMMARY_FILE}" ]; then
|
||||
cat "${CLI_FULL_TEXT_SUMMARY_FILE}" >> "${COMMENT_FILE}"
|
||||
else
|
||||
echo "CLI full-text-summary.txt not found at: $cli_full_text_summary_file" >> "$comment_file"
|
||||
echo "CLI full-text-summary.txt not found at: ${CLI_FULL_TEXT_SUMMARY_FILE}" >> "${COMMENT_FILE}"
|
||||
fi
|
||||
echo '```' >> "$comment_file"
|
||||
echo "</details>" >> "$comment_file"
|
||||
echo "" >> "$comment_file"
|
||||
echo '```' >> "${COMMENT_FILE}"
|
||||
echo "</details>" >> "${COMMENT_FILE}"
|
||||
echo "" >> "${COMMENT_FILE}"
|
||||
|
||||
# Core Package - Collapsible Section (with full text summary from file)
|
||||
echo "<details>" >> "$comment_file"
|
||||
echo "<summary>Core Package - Full Text Report</summary>" >> "$comment_file"
|
||||
echo "" >> "$comment_file"
|
||||
echo '```text' >> "$comment_file"
|
||||
if [ -f "$core_full_text_summary_file" ]; then
|
||||
cat "$core_full_text_summary_file" >> "$comment_file"
|
||||
echo "<details>" >> "${COMMENT_FILE}"
|
||||
echo "<summary>Core Package - Full Text Report</summary>" >> "${COMMENT_FILE}"
|
||||
echo "" >> "${COMMENT_FILE}"
|
||||
echo '```text' >> "${COMMENT_FILE}"
|
||||
if [ -f "${CORE_FULL_TEXT_SUMMARY_FILE}" ]; then
|
||||
cat "${CORE_FULL_TEXT_SUMMARY_FILE}" >> "${COMMENT_FILE}"
|
||||
else
|
||||
echo "Core full-text-summary.txt not found at: $core_full_text_summary_file" >> "$comment_file"
|
||||
echo "Core full-text-summary.txt not found at: ${CORE_FULL_TEXT_SUMMARY_FILE}" >> "${COMMENT_FILE}"
|
||||
fi
|
||||
echo '```' >> "$comment_file"
|
||||
echo "</details>" >> "$comment_file"
|
||||
echo "" >> "$comment_file"
|
||||
echo '```' >> "${COMMENT_FILE}"
|
||||
echo "</details>" >> "${COMMENT_FILE}"
|
||||
echo "" >> "${COMMENT_FILE}"
|
||||
|
||||
echo "_For detailed HTML reports, please see the 'coverage-reports-${{ inputs.node_version }}-${{ inputs.os }}' artifact from the main CI run._" >> "$comment_file"
|
||||
echo "_For detailed HTML reports, please see the 'coverage-reports-${NODE_VERSION}-${OS}' artifact from the main CI run._" >> "${COMMENT_FILE}"
|
||||
|
||||
- name: Post Coverage Comment
|
||||
uses: thollander/actions-comment-pull-request@v3
|
||||
if: always()
|
||||
- name: 'Post Coverage Comment'
|
||||
uses: 'thollander/actions-comment-pull-request@65f9e5c9a1f2cd378bd74b2e057c9736982a8e74' # ratchet:thollander/actions-comment-pull-request@v3
|
||||
if: |-
|
||||
${{ always() }}
|
||||
with:
|
||||
file-path: coverage-comment.md # Use the generated file directly
|
||||
comment-tag: code-coverage-summary
|
||||
github-token: ${{ inputs.github_token }}
|
||||
file-path: 'coverage-comment.md' # Use the generated file directly
|
||||
comment-tag: 'code-coverage-summary'
|
||||
github-token: '${{ inputs.github_token }}'
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
name: Generate Weekly Community Report 📊
|
||||
name: 'Generate Weekly Community Report 📊'
|
||||
|
||||
on:
|
||||
schedule:
|
||||
|
@ -12,56 +12,57 @@ on:
|
|||
|
||||
jobs:
|
||||
generate-report:
|
||||
name: Generate Report 📝
|
||||
if: ${{ github.repository == 'google-gemini/gemini-cli' }}
|
||||
runs-on: ubuntu-latest
|
||||
name: 'Generate Report 📝'
|
||||
if: |-
|
||||
${{ github.repository == 'google-gemini/gemini-cli' }}
|
||||
runs-on: 'ubuntu-latest'
|
||||
permissions:
|
||||
issues: write
|
||||
pull-requests: read
|
||||
discussions: read
|
||||
contents: read
|
||||
id-token: write
|
||||
issues: 'write'
|
||||
pull-requests: 'read'
|
||||
discussions: 'read'
|
||||
contents: 'read'
|
||||
id-token: 'write'
|
||||
|
||||
steps:
|
||||
- name: Generate GitHub App Token 🔑
|
||||
id: generate_token
|
||||
uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2
|
||||
- name: 'Generate GitHub App Token 🔑'
|
||||
id: 'generate_token'
|
||||
uses: 'actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b' # ratchet:actions/create-github-app-token@v2
|
||||
with:
|
||||
app-id: ${{ secrets.APP_ID }}
|
||||
private-key: ${{ secrets.PRIVATE_KEY }}
|
||||
app-id: '${{ secrets.APP_ID }}'
|
||||
private-key: '${{ secrets.PRIVATE_KEY }}'
|
||||
|
||||
- name: Generate Report 📜
|
||||
id: report
|
||||
- name: 'Generate Report 📜'
|
||||
id: 'report'
|
||||
env:
|
||||
GH_TOKEN: ${{ steps.generate_token.outputs.token }}
|
||||
REPO: ${{ github.repository }}
|
||||
DAYS: ${{ github.event.inputs.days || '7' }}
|
||||
run: |
|
||||
GH_TOKEN: '${{ steps.generate_token.outputs.token }}'
|
||||
REPO: '${{ github.repository }}'
|
||||
DAYS: '${{ github.event.inputs.days || 7 }}'
|
||||
run: |-
|
||||
set -e
|
||||
|
||||
START_DATE=$(date -u -d "$DAYS days ago" +'%Y-%m-%d')
|
||||
END_DATE=$(date -u +'%Y-%m-%d')
|
||||
echo "⏳ Generating report for contributions from $START_DATE to $END_DATE..."
|
||||
START_DATE="$(date -u -d "$DAYS days ago" +'%Y-%m-%d')"
|
||||
END_DATE="$(date -u +'%Y-%m-%d')"
|
||||
echo "⏳ Generating report for contributions from ${START_DATE} to ${END_DATE}..."
|
||||
|
||||
declare -A author_is_googler
|
||||
check_googler_status() {
|
||||
local author=$1
|
||||
if [[ "$author" == *"[bot]" ]]; then
|
||||
author_is_googler[$author]=1
|
||||
local author="$1"
|
||||
if [[ "${author}" == *"[bot]" ]]; then
|
||||
author_is_googler[${author}]=1
|
||||
return 1
|
||||
fi
|
||||
if [[ -v "author_is_googler[$author]" ]]; then
|
||||
return ${author_is_googler[$author]}
|
||||
if [[ -v "author_is_googler[${author}]" ]]; then
|
||||
return "${author_is_googler[${author}]}"
|
||||
fi
|
||||
|
||||
if gh api "orgs/googlers/members/$author" --silent 2>/dev/null; then
|
||||
echo "🧑💻 $author is a Googler."
|
||||
author_is_googler[$author]=0
|
||||
if gh api "orgs/googlers/members/${author}" --silent 2>/dev/null; then
|
||||
echo "🧑💻 ${author} is a Googler."
|
||||
author_is_googler[${author}]=0
|
||||
else
|
||||
echo "🌍 $author is a community contributor."
|
||||
author_is_googler[$author]=1
|
||||
echo "🌍 ${author} is a community contributor."
|
||||
author_is_googler[${author}]=1
|
||||
fi
|
||||
return ${author_is_googler[$author]}
|
||||
return "${author_is_googler[${author}]}"
|
||||
}
|
||||
|
||||
googler_issues=0
|
||||
|
@ -70,27 +71,27 @@ jobs:
|
|||
non_googler_prs=0
|
||||
|
||||
echo "🔎 Fetching issues and pull requests..."
|
||||
ITEMS_JSON=$(gh search issues --repo "$REPO" "created:>$START_DATE" --json author,isPullRequest --limit 1000)
|
||||
ITEMS_JSON="$(gh search issues --repo "${REPO}" "created:>${START_DATE}" --json author,isPullRequest --limit 1000)"
|
||||
|
||||
for row in $(echo "${ITEMS_JSON}" | jq -r '.[] | @base64'); do
|
||||
_jq() {
|
||||
echo ${row} | base64 --decode | jq -r ${1}
|
||||
echo "${row}" | base64 --decode | jq -r "${1}"
|
||||
}
|
||||
author=$(_jq '.author.login')
|
||||
is_pr=$(_jq '.isPullRequest')
|
||||
author="$(_jq '.author.login')"
|
||||
is_pr="$(_jq '.isPullRequest')"
|
||||
|
||||
if [[ -z "$author" || "$author" == "null" ]]; then
|
||||
if [[ -z "${author}" || "${author}" == "null" ]]; then
|
||||
continue
|
||||
fi
|
||||
|
||||
if check_googler_status "$author"; then
|
||||
if [[ "$is_pr" == "true" ]]; then
|
||||
if check_googler_status "${author}"; then
|
||||
if [[ "${is_pr}" == "true" ]]; then
|
||||
((googler_prs++))
|
||||
else
|
||||
((googler_issues++))
|
||||
fi
|
||||
else
|
||||
if [[ "$is_pr" == "true" ]]; then
|
||||
if [[ "${is_pr}" == "true" ]]; then
|
||||
((non_googler_prs++))
|
||||
else
|
||||
((non_googler_issues++))
|
||||
|
@ -114,19 +115,19 @@ jobs:
|
|||
}
|
||||
}
|
||||
}'''
|
||||
DISCUSSIONS_JSON=$(gh api graphql -f q="repo:$REPO created:>$START_DATE" -f query="$DISCUSSION_QUERY")
|
||||
DISCUSSIONS_JSON="$(gh api graphql -f q="repo:${REPO} created:>${START_DATE}" -f query="${DISCUSSION_QUERY}")"
|
||||
|
||||
for row in $(echo "${DISCUSSIONS_JSON}" | jq -r '.data.search.nodes[] | @base64'); do
|
||||
_jq() {
|
||||
echo ${row} | base64 --decode | jq -r ${1}
|
||||
echo "${row}" | base64 --decode | jq -r "${1}"
|
||||
}
|
||||
author=$(_jq '.author.login')
|
||||
author="$(_jq '.author.login')"
|
||||
|
||||
if [[ -z "$author" || "$author" == "null" ]]; then
|
||||
if [[ -z "${author}" || "${author}" == "null" ]]; then
|
||||
continue
|
||||
fi
|
||||
|
||||
if check_googler_status "$author"; then
|
||||
if check_googler_status "${author}"; then
|
||||
((googler_discussions++))
|
||||
else
|
||||
((non_googler_discussions++))
|
||||
|
@ -134,7 +135,6 @@ jobs:
|
|||
done
|
||||
|
||||
echo "✍️ Generating report content..."
|
||||
REPORT_TITLE="Community Contribution Report: $START_DATE to $END_DATE"
|
||||
TOTAL_ISSUES=$((googler_issues + non_googler_issues))
|
||||
TOTAL_PRS=$((googler_prs + non_googler_prs))
|
||||
TOTAL_DISCUSSIONS=$((googler_discussions + non_googler_discussions))
|
||||
|
@ -142,7 +142,7 @@ jobs:
|
|||
REPORT_BODY=$(cat <<EOF
|
||||
### 💖 Community Contribution Report
|
||||
|
||||
**Period:** $START_DATE to $END_DATE
|
||||
**Period:** ${START_DATE} to ${END_DATE}
|
||||
|
||||
| Category | Googlers | Community | Total |
|
||||
|---|---:|---:|---:|
|
||||
|
@ -154,24 +154,29 @@ jobs:
|
|||
EOF
|
||||
)
|
||||
|
||||
echo "report_body<<EOF" >> $GITHUB_OUTPUT
|
||||
echo "$REPORT_BODY" >> $GITHUB_OUTPUT
|
||||
echo "EOF" >> $GITHUB_OUTPUT
|
||||
echo "report_body<<EOF" >> "${GITHUB_OUTPUT}"
|
||||
echo "${REPORT_BODY}" >> "${GITHUB_OUTPUT}"
|
||||
echo "EOF" >> "${GITHUB_OUTPUT}"
|
||||
|
||||
echo "📊 Community Contribution Report:"
|
||||
echo "$REPORT_BODY"
|
||||
echo "${REPORT_BODY}"
|
||||
|
||||
- name: 🤖 Get Insights from Report
|
||||
if: steps.report.outputs.report_body != ''
|
||||
uses: google-gemini/gemini-cli-action@df3f890f003d28c60a2a09d2c29e0126e4d1e2ff
|
||||
- name: '🤖 Get Insights from Report'
|
||||
if: |-
|
||||
${{ steps.report.outputs.report_body != '' }}
|
||||
uses: 'google-github-actions/run-gemini-cli@06123c6a203eb7a964ce3be7c48479cc66059f23' # ratchet:google-github-actions/run-gemini-cli@v0
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
|
||||
GITHUB_TOKEN: '${{ steps.generate_token.outputs.token }}'
|
||||
REPOSITORY: '${{ github.repository }}'
|
||||
with:
|
||||
version: 0.1.8-rc.0
|
||||
GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
|
||||
OTLP_GCP_WIF_PROVIDER: ${{ secrets.OTLP_GCP_WIF_PROVIDER }}
|
||||
OTLP_GOOGLE_CLOUD_PROJECT: ${{ secrets.OTLP_GOOGLE_CLOUD_PROJECT }}
|
||||
settings_json: |
|
||||
gcp_workload_identity_provider: '${{ vars.GCP_WIF_PROVIDER }}'
|
||||
gcp_project_id: '${{ vars.GOOGLE_CLOUD_PROJECT }}'
|
||||
gcp_location: '${{ vars.GOOGLE_CLOUD_LOCATION }}'
|
||||
gcp_service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
|
||||
gemini_api_key: '${{ secrets.GEMINI_API_KEY }}'
|
||||
use_vertex_ai: '${{ vars.GOOGLE_GENAI_USE_VERTEXAI }}'
|
||||
use_gemini_code_assist: '${{ vars.GOOGLE_GENAI_USE_GCA }}'
|
||||
settings: |-
|
||||
{
|
||||
"coreTools": [
|
||||
"run_shell_command(gh issue list)",
|
||||
|
@ -180,7 +185,7 @@ jobs:
|
|||
"run_shell_command(gh search prs)"
|
||||
]
|
||||
}
|
||||
prompt: |
|
||||
prompt: |-
|
||||
You are a helpful assistant that analyzes community contribution reports.
|
||||
Based on the following report, please provide a brief summary and highlight any interesting trends or potential areas for improvement.
|
||||
|
||||
|
|
|
@ -58,7 +58,7 @@ To install the latest nightly build, use the `@nightly` tag:
|
|||
npm install -g @google/gemini-cli@nightly
|
||||
```
|
||||
|
||||
We also run a Google cloud build called [release-docker.yml](../.gcp/release-docker.yaml). Which publishes the sandbox docker to match your release. This will also be moved to GH and combined with the main release file once service account permissions are sorted out.
|
||||
We also run a Google cloud build called [release-docker.yml](../.gcp/release-docker.yml). Which publishes the sandbox docker to match your release. This will also be moved to GH and combined with the main release file once service account permissions are sorted out.
|
||||
|
||||
### After the Release
|
||||
|
||||
|
|
Loading…
Reference in New Issue