abbyswag/qwen-code
1
0
Fork 0
mirror of https://github.com/QwenLM/qwen-code.git synced 2025-12-19 09:33:53 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore(ci): Ensure action and community workflows are consistent and not vulnerable to injection attacks (#6107)

Browse Source
This commit is contained in:
Seth Vargo
2025-08-12 22:36:37 -04:00
committed by GitHub
parent 0e8bbfb8ba
commit b6da98e8e9
3 changed files with 136 additions and 122 deletions
Download Patch File Download Diff File Expand all files Collapse all files

125
.github/actions/post-coverage-comment/action.yml vendored
View File

@@ -27,79 +27,88 @@ inputs:
runs:
using: 'composite'
steps:
- name: Prepare Coverage Comment
id: prep_coverage_comment
shell: bash
run: |
cli_json_file="${{ inputs.cli_json_file }}"
core_json_file="${{ inputs.core_json_file }}"
cli_full_text_summary_file="${{ inputs.cli_full_text_summary_file }}"
core_full_text_summary_file="${{ inputs.core_full_text_summary_file }}"
comment_file="coverage-comment.md"
- name: 'Prepare Coverage Comment'
id: 'prep_coverage_comment'
shell: 'bash'
env:
CLI_JSON_FILE: '${{ inputs.cli_json_file }}'
CORE_JSON_FILE: '${{ inputs.core_json_file }}'
CLI_FULL_TEXT_SUMMARY_FILE: '${{ inputs.cli_full_text_summary_file }}'
CORE_FULL_TEXT_SUMMARY_FILE: '${{ inputs.core_full_text_summary_file }}'
COMMENT_FILE: 'coverage-comment.md'
NODE_VERSION: '${{ inputs.node_version }}'
OS: '${{ inputs.os }}'
run: |-
# Extract percentages using jq for the main table
if [ -f "$cli_json_file" ]; then
cli_lines_pct=$(jq -r '.total.lines.pct' "$cli_json_file")
cli_statements_pct=$(jq -r '.total.statements.pct' "$cli_json_file")
cli_functions_pct=$(jq -r '.total.functions.pct' "$cli_json_file")
cli_branches_pct=$(jq -r '.total.branches.pct' "$cli_json_file")
if [ -f "${CLI_JSON_FILE}" ]; then
cli_lines_pct="$(jq -r '.total.lines.pct' "${CLI_JSON_FILE}")"
cli_statements_pct="$(jq -r '.total.statements.pct' "${CLI_JSON_FILE}")"
cli_functions_pct="$(jq -r '.total.functions.pct' "${CLI_JSON_FILE}")"
cli_branches_pct="$(jq -r '.total.branches.pct' "${CLI_JSON_FILE}")"
else
cli_lines_pct="N/A"; cli_statements_pct="N/A"; cli_functions_pct="N/A"; cli_branches_pct="N/A"
echo "CLI coverage-summary.json not found at: $cli_json_file" >&2 # Error to stderr
cli_lines_pct="N/A"
cli_statements_pct="N/A"
cli_functions_pct="N/A"
cli_branches_pct="N/A"
echo "CLI coverage-summary.json not found at: ${CLI_JSON_FILE}" >&2 # Error to stderr
fi
if [ -f "$core_json_file" ]; then
core_lines_pct=$(jq -r '.total.lines.pct' "$core_json_file")
core_statements_pct=$(jq -r '.total.statements.pct' "$core_json_file")
core_functions_pct=$(jq -r '.total.functions.pct' "$core_json_file")
core_branches_pct=$(jq -r '.total.branches.pct' "$core_json_file")
if [ -f "${CORE_JSON_FILE}" ]; then
core_lines_pct="$(jq -r '.total.lines.pct' "${CORE_JSON_FILE}")"
core_statements_pct="$(jq -r '.total.statements.pct' "${CORE_JSON_FILE}")"
core_functions_pct="$(jq -r '.total.functions.pct' "${CORE_JSON_FILE}")"
core_branches_pct="$(jq -r '.total.branches.pct' "${CORE_JSON_FILE}")"
else
core_lines_pct="N/A"; core_statements_pct="N/A"; core_functions_pct="N/A"; core_branches_pct="N/A"
echo "Core coverage-summary.json not found at: $core_json_file" >&2 # Error to stderr
core_lines_pct="N/A"
core_statements_pct="N/A"
core_functions_pct="N/A"
core_branches_pct="N/A"
echo "Core coverage-summary.json not found at: ${CORE_JSON_FILE}" >&2 # Error to stderr
fi
echo "## Code Coverage Summary" > "$comment_file"
echo "" >> "$comment_file"
echo "| Package | Lines | Statements | Functions | Branches |" >> "$comment_file"
echo "|---|---|---|---|---|" >> "$comment_file"
echo "| CLI | ${cli_lines_pct}% | ${cli_statements_pct}% | ${cli_functions_pct}% | ${cli_branches_pct}% |" >> "$comment_file"
echo "| Core | ${core_lines_pct}% | ${core_statements_pct}% | ${core_functions_pct}% | ${core_branches_pct}% |" >> "$comment_file"
echo "" >> "$comment_file"
echo "## Code Coverage Summary" > "${COMMENT_FILE}"
echo "" >> "${COMMENT_FILE}"
echo "| Package | Lines | Statements | Functions | Branches |" >> "${COMMENT_FILE}"
echo "|---|---|---|---|---|" >> "${COMMENT_FILE}"
echo "| CLI | ${cli_lines_pct}% | ${cli_statements_pct}% | ${cli_functions_pct}% | ${cli_branches_pct}% |" >> "${COMMENT_FILE}"
echo "| Core | ${core_lines_pct}% | ${core_statements_pct}% | ${core_functions_pct}% | ${core_branches_pct}% |" >> "${COMMENT_FILE}"
echo "" >> "${COMMENT_FILE}"
# CLI Package - Collapsible Section (with full text summary from file)
echo "<details>" >> "$comment_file"
echo "<summary>CLI Package - Full Text Report</summary>" >> "$comment_file"
echo "" >> "$comment_file"
echo '```text' >> "$comment_file"
if [ -f "$cli_full_text_summary_file" ]; then
cat "$cli_full_text_summary_file" >> "$comment_file"
echo "<details>" >> "${COMMENT_FILE}"
echo "<summary>CLI Package - Full Text Report</summary>" >> "${COMMENT_FILE}"
echo "" >> "${COMMENT_FILE}"
echo '```text' >> "${COMMENT_FILE}"
if [ -f "${CLI_FULL_TEXT_SUMMARY_FILE}" ]; then
cat "${CLI_FULL_TEXT_SUMMARY_FILE}" >> "${COMMENT_FILE}"
else
echo "CLI full-text-summary.txt not found at: $cli_full_text_summary_file" >> "$comment_file"
echo "CLI full-text-summary.txt not found at: ${CLI_FULL_TEXT_SUMMARY_FILE}" >> "${COMMENT_FILE}"
fi
echo '```' >> "$comment_file"
echo "</details>" >> "$comment_file"
echo "" >> "$comment_file"
echo '```' >> "${COMMENT_FILE}"
echo "</details>" >> "${COMMENT_FILE}"
echo "" >> "${COMMENT_FILE}"
# Core Package - Collapsible Section (with full text summary from file)
echo "<details>" >> "$comment_file"
echo "<summary>Core Package - Full Text Report</summary>" >> "$comment_file"
echo "" >> "$comment_file"
echo '```text' >> "$comment_file"
if [ -f "$core_full_text_summary_file" ]; then
cat "$core_full_text_summary_file" >> "$comment_file"
echo "<details>" >> "${COMMENT_FILE}"
echo "<summary>Core Package - Full Text Report</summary>" >> "${COMMENT_FILE}"
echo "" >> "${COMMENT_FILE}"
echo '```text' >> "${COMMENT_FILE}"
if [ -f "${CORE_FULL_TEXT_SUMMARY_FILE}" ]; then
cat "${CORE_FULL_TEXT_SUMMARY_FILE}" >> "${COMMENT_FILE}"
else
echo "Core full-text-summary.txt not found at: $core_full_text_summary_file" >> "$comment_file"
echo "Core full-text-summary.txt not found at: ${CORE_FULL_TEXT_SUMMARY_FILE}" >> "${COMMENT_FILE}"
fi
echo '```' >> "$comment_file"
echo "</details>" >> "$comment_file"
echo "" >> "$comment_file"
echo '```' >> "${COMMENT_FILE}"
echo "</details>" >> "${COMMENT_FILE}"
echo "" >> "${COMMENT_FILE}"
echo "_For detailed HTML reports, please see the 'coverage-reports-${{ inputs.node_version }}-${{ inputs.os }}' artifact from the main CI run._" >> "$comment_file"
echo "_For detailed HTML reports, please see the 'coverage-reports-${NODE_VERSION}-${OS}' artifact from the main CI run._" >> "${COMMENT_FILE}"
- name: Post Coverage Comment
uses: thollander/actions-comment-pull-request@v3
if: always()
- name: 'Post Coverage Comment'
uses: 'thollander/actions-comment-pull-request@65f9e5c9a1f2cd378bd74b2e057c9736982a8e74' # ratchet:thollander/actions-comment-pull-request@v3
if: |-
${{ always() }}
with:
file-path: coverage-comment.md # Use the generated file directly
comment-tag: code-coverage-summary
github-token: ${{ inputs.github_token }}
file-path: 'coverage-comment.md' # Use the generated file directly
comment-tag: 'code-coverage-summary'
github-token: '${{ inputs.github_token }}'

131
.github/workflows/community-report.yml vendored
View File

@@ -1,4 +1,4 @@
name: Generate Weekly Community Report 📊
name: 'Generate Weekly Community Report 📊'
on:
schedule:
@@ -12,56 +12,57 @@ on:
jobs:
generate-report:
name: Generate Report 📝
if: ${{ github.repository == 'google-gemini/gemini-cli' }}
runs-on: ubuntu-latest
name: 'Generate Report 📝'
if: |-
${{ github.repository == 'google-gemini/gemini-cli' }}
runs-on: 'ubuntu-latest'
permissions:
issues: write
pull-requests: read
discussions: read
contents: read
id-token: write
issues: 'write'
pull-requests: 'read'
discussions: 'read'
contents: 'read'
id-token: 'write'
steps:
- name: Generate GitHub App Token 🔑
id: generate_token
uses: actions/create-github-app-token@df432ceedc7162793a195dd1713ff69aefc7379e # v2
- name: 'Generate GitHub App Token 🔑'
id: 'generate_token'
uses: 'actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b' # ratchet:actions/create-github-app-token@v2
with:
app-id: ${{ secrets.APP_ID }}
private-key: ${{ secrets.PRIVATE_KEY }}
app-id: '${{ secrets.APP_ID }}'
private-key: '${{ secrets.PRIVATE_KEY }}'
- name: Generate Report 📜
id: report
- name: 'Generate Report 📜'
id: 'report'
env:
GH_TOKEN: ${{ steps.generate_token.outputs.token }}
REPO: ${{ github.repository }}
DAYS: ${{ github.event.inputs.days || '7' }}
run: |
GH_TOKEN: '${{ steps.generate_token.outputs.token }}'
REPO: '${{ github.repository }}'
DAYS: '${{ github.event.inputs.days || 7 }}'
run: |-
set -e
START_DATE=$(date -u -d "$DAYS days ago" +'%Y-%m-%d')
END_DATE=$(date -u +'%Y-%m-%d')
echo "⏳ Generating report for contributions from $START_DATE to $END_DATE..."
START_DATE="$(date -u -d "$DAYS days ago" +'%Y-%m-%d')"
END_DATE="$(date -u +'%Y-%m-%d')"
echo "⏳ Generating report for contributions from ${START_DATE} to ${END_DATE}..."
declare -A author_is_googler
check_googler_status() {
local author=$1
if [[ "$author" == *"[bot]" ]]; then
author_is_googler[$author]=1
local author="$1"
if [[ "${author}" == *"[bot]" ]]; then
author_is_googler[${author}]=1
return 1
fi
if [[ -v "author_is_googler[$author]" ]]; then
return ${author_is_googler[$author]}
if [[ -v "author_is_googler[${author}]" ]]; then
return "${author_is_googler[${author}]}"
fi
if gh api "orgs/googlers/members/$author" --silent 2>/dev/null; then
echo "🧑‍💻 $author is a Googler."
author_is_googler[$author]=0
if gh api "orgs/googlers/members/${author}" --silent 2>/dev/null; then
echo "🧑‍💻 ${author} is a Googler."
author_is_googler[${author}]=0
else
echo "🌍 $author is a community contributor."
author_is_googler[$author]=1
echo "🌍 ${author} is a community contributor."
author_is_googler[${author}]=1
fi
return ${author_is_googler[$author]}
return "${author_is_googler[${author}]}"
}
googler_issues=0
@@ -70,27 +71,27 @@ jobs:
non_googler_prs=0
echo "🔎 Fetching issues and pull requests..."
ITEMS_JSON=$(gh search issues --repo "$REPO" "created:>$START_DATE" --json author,isPullRequest --limit 1000)
ITEMS_JSON="$(gh search issues --repo "${REPO}" "created:>${START_DATE}" --json author,isPullRequest --limit 1000)"
for row in $(echo "${ITEMS_JSON}" | jq -r '.[] | @base64'); do
_jq() {
echo ${row} | base64 --decode | jq -r ${1}
echo "${row}" | base64 --decode | jq -r "${1}"
}
author=$(_jq '.author.login')
is_pr=$(_jq '.isPullRequest')
author="$(_jq '.author.login')"
is_pr="$(_jq '.isPullRequest')"
if [[ -z "$author" || "$author" == "null" ]]; then
if [[ -z "${author}" || "${author}" == "null" ]]; then
continue
fi
if check_googler_status "$author"; then
if [[ "$is_pr" == "true" ]]; then
if check_googler_status "${author}"; then
if [[ "${is_pr}" == "true" ]]; then
((googler_prs++))
else
((googler_issues++))
fi
else
if [[ "$is_pr" == "true" ]]; then
if [[ "${is_pr}" == "true" ]]; then
((non_googler_prs++))
else
((non_googler_issues++))
@@ -114,19 +115,19 @@ jobs:
}
}
}'''
DISCUSSIONS_JSON=$(gh api graphql -f q="repo:$REPO created:>$START_DATE" -f query="$DISCUSSION_QUERY")
DISCUSSIONS_JSON="$(gh api graphql -f q="repo:${REPO} created:>${START_DATE}" -f query="${DISCUSSION_QUERY}")"
for row in $(echo "${DISCUSSIONS_JSON}" | jq -r '.data.search.nodes[] | @base64'); do
_jq() {
echo ${row} | base64 --decode | jq -r ${1}
echo "${row}" | base64 --decode | jq -r "${1}"
}
author=$(_jq '.author.login')
author="$(_jq '.author.login')"
if [[ -z "$author" || "$author" == "null" ]]; then
if [[ -z "${author}" || "${author}" == "null" ]]; then
continue
fi
if check_googler_status "$author"; then
if check_googler_status "${author}"; then
((googler_discussions++))
else
((non_googler_discussions++))
@@ -134,7 +135,6 @@ jobs:
done
echo "✍️ Generating report content..."
REPORT_TITLE="Community Contribution Report: $START_DATE to $END_DATE"
TOTAL_ISSUES=$((googler_issues + non_googler_issues))
TOTAL_PRS=$((googler_prs + non_googler_prs))
TOTAL_DISCUSSIONS=$((googler_discussions + non_googler_discussions))
@@ -142,7 +142,7 @@ jobs:
REPORT_BODY=$(cat <<EOF
### 💖 Community Contribution Report
**Period:** $START_DATE to $END_DATE
**Period:** ${START_DATE} to ${END_DATE}
| Category | Googlers | Community | Total |
|---|---:|---:|---:|
@@ -154,24 +154,29 @@ jobs:
EOF
)
echo "report_body<<EOF" >> $GITHUB_OUTPUT
echo "$REPORT_BODY" >> $GITHUB_OUTPUT
echo "EOF" >> $GITHUB_OUTPUT
echo "report_body<<EOF" >> "${GITHUB_OUTPUT}"
echo "${REPORT_BODY}" >> "${GITHUB_OUTPUT}"
echo "EOF" >> "${GITHUB_OUTPUT}"
echo "📊 Community Contribution Report:"
echo "$REPORT_BODY"
echo "${REPORT_BODY}"
- name: 🤖 Get Insights from Report
if: steps.report.outputs.report_body != ''
uses: google-gemini/gemini-cli-action@df3f890f003d28c60a2a09d2c29e0126e4d1e2ff
- name: '🤖 Get Insights from Report'
if: |-
${{ steps.report.outputs.report_body != '' }}
uses: 'google-github-actions/run-gemini-cli@06123c6a203eb7a964ce3be7c48479cc66059f23' # ratchet:google-github-actions/run-gemini-cli@v0
env:
GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
GITHUB_TOKEN: '${{ steps.generate_token.outputs.token }}'
REPOSITORY: '${{ github.repository }}'
with:
version: 0.1.8-rc.0
GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
OTLP_GCP_WIF_PROVIDER: ${{ secrets.OTLP_GCP_WIF_PROVIDER }}
OTLP_GOOGLE_CLOUD_PROJECT: ${{ secrets.OTLP_GOOGLE_CLOUD_PROJECT }}
settings_json: |
gcp_workload_identity_provider: '${{ vars.GCP_WIF_PROVIDER }}'
gcp_project_id: '${{ vars.GOOGLE_CLOUD_PROJECT }}'
gcp_location: '${{ vars.GOOGLE_CLOUD_LOCATION }}'
gcp_service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
gemini_api_key: '${{ secrets.GEMINI_API_KEY }}'
use_vertex_ai: '${{ vars.GOOGLE_GENAI_USE_VERTEXAI }}'
use_gemini_code_assist: '${{ vars.GOOGLE_GENAI_USE_GCA }}'
settings: |-
{
"coreTools": [
"run_shell_command(gh issue list)",
@@ -180,7 +185,7 @@ jobs:
"run_shell_command(gh search prs)"
]
}
prompt: |
prompt: |-
You are a helpful assistant that analyzes community contribution reports.
Based on the following report, please provide a brief summary and highlight any interesting trends or potential areas for improvement.