Try and address TOCTOU issues in gemini-cli.yml #187
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
sethvargo
commented
Aug 15, 2025
There was a problem hiding this comment.
📋 Review Summary
This PR does a great job of addressing the TOCTOU vulnerability by checking out the specific commit SHA from the event. The workflow is now more secure and robust.
🔍 General Feedback
- The simplification of the workflow by removing the
get_contextstep is a great improvement. - The addition of a failure message is a nice touch for user experience.
- The changes to the prompt make it much clearer for the model to understand the context.
Great work on this PR!
c815b53 to
0ccfb28
Compare
Contributor
|
@gemini-cli /review |
There was a problem hiding this comment.
📋 Review Summary
This pull request is a great improvement that significantly refactors the workflow to be simpler, more secure, and easier to maintain. The changes to address the TOCTOU issue by checking out a specific commit SHA are excellent.
🔍 General Feedback
- The simplification of the context gathering and the prompt is a major improvement.
- Pinning the checkout action to a specific commit hash is a good security practice.
- The addition of a failure step is a great enhancement for user experience.
I have one question about the removal of the workflow_dispatch trigger. Otherwise, this is a great PR!
This ensures we check out the data from the event (instead of the head).
0ccfb28 to
c8813b7
Compare
leehagoodjames
approved these changes
Aug 15, 2025
Merged
google-github-actions-bot
added a commit
that referenced
this pull request
Aug 26, 2025
## What's Changed * fix(output): separate the stdout and stderr logs by @sethvargo in #186 * fix: correct step numbering in setup_workload_identity.sh by @jasmeetsb in #188 * Try and address TOCTOU issues in gemini-cli.yml by @sethvargo in #187 * chore: bump `actions/checkout` GitHub Actions by @Marukome0743 in #193 * docs: add gitignore recommendations across all workflows by @jerop in #198 * chore: bump `actions/create-github-app-token` from 2.0.6 to 2.1.1 by @Marukome0743 in #200 * bug(output): do not print output by default by @sethvargo in #202 * Add GOOGLE_API_KEY variable by @vivekkairi in #201 * Stream live output if (and only if) debug mode is enabled by @sethvargo in #207 * bug(debug): use `vars` (not `env`) when enabling debug mode by @sethvargo in #211 * feat: Add GEMINI_MODEL support by @vivekkairi in #214 * feat(actions): use the dispatcher pattern to separate concerns by @sethvargo in #212 * bug(ci): set id-token permissions by @sethvargo in #223 * chore: add a debugger by @sethvargo in #226 * Add release notes generation example in awesome list by @jerop in #225 * feat(invoke): update invoke prompt to better separate execution flow by @sethvargo in #227 * chore(ci): refactor scheduled triage workflow by @sethvargo in #232 * Fix triage workflow by @sethvargo in #233 * Auto trigger PR reviews when they are from branches in repo by @jerop in #234 * rename workflow from `gemini-issue-scheduled-triage` to `gemini-scheduled-triage` by @jerop in #238 * feat: rename triage workflows by @jerop in #240 * feat: rename gemini-cli to gemini-invoke by @jerop in #239 * rename PR review workflow to be consistent with the rest by @jerop in #241 * feat(workflows): refactor examples/workflows to use dispatch pattern by @jerop in #242 * feat: pin example workflows to v0 by @jerop in #246 * add google_api_key input in gemini-triage workflows by @jerop in #243 * feat: add best practices guide by @jerop in #245 ## New Contributors * @vivekkairi made their first contribution in #201 **Full Changelog**: v0.1.11...v0.1.12
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This ensures we check out the data from the event (instead of the head).
I am struggling to test this in my local branch. I keep getting failed invocations or tool command errors.