Merge branch 'google-gemini:main' into main

Author: akabarki76

.gcp/release-docker.yaml

@@ -57,9 +57,14 @@ steps:
     args:
       - -c
       - |
-        export GEMINI_SANDBOX_IMAGE_TAG=$$(cat /workspace/image_tag.txt)
-        echo "Using Docker image tag for publish: $$GEMINI_SANDBOX_IMAGE_TAG"
-        npm run publish:sandbox
+        set -e
+        IMAGE_TAG=$(cat /workspace/image_tag.txt)
+        BASE_IMAGE_URI=$(npm run -s config get sandboxImageUri)
+        IMAGE_URI_NO_TAG=${BASE_IMAGE_URI%:*}
+        FINAL_IMAGE_URI="${IMAGE_URI_NO_TAG}:${IMAGE_TAG}"
+
+        echo "Pushing sandbox image: ${FINAL_IMAGE_URI}"
+        $_CONTAINER_TOOL push "${FINAL_IMAGE_URI}"
     env:
       - 'GEMINI_SANDBOX=$_CONTAINER_TOOL'
 

.github/workflows/ci.yml

@@ -92,7 +92,7 @@ jobs:
 
       - name: Publish Test Report (for non-forks)
         if: always() && (github.event.pull_request.head.repo.full_name == github.repository)
-        uses: dorny/test-reporter@v1
+        uses: dorny/test-reporter@v2
         with:
           name: Test Results (Node ${{ matrix.node-version }})
           path: packages/*/junit.xml
@@ -124,7 +124,7 @@ jobs:
       pull-requests: write # For commenting
     strategy:
       matrix:
-        node-version: [20.x, 22.x, 24.x] # Should match the test job's matrix
+        node-version: [22.x] # Reduce noise by only posting the comment once
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4
@@ -144,3 +144,22 @@ jobs:
           core_full_text_summary_file: coverage_artifact/core/coverage/full-text-summary.txt
           node_version: ${{ matrix.node-version }}
           github_token: ${{ secrets.GITHUB_TOKEN }}
+
+  codeql:
+    name: CodeQL
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@181d5eefc20863364f96762470ba6f862bdef56b # v3
+        with:
+          languages: javascript
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@181d5eefc20863364f96762470ba6f862bdef56b # v3

.github/workflows/community-report.yml

@@ -13,6 +13,7 @@ on:
 jobs:
   generate-report:
     name: Generate Report 📝
+    if: ${{ github.repository == 'google-gemini/gemini-cli' }}
     runs-on: ubuntu-latest
     permissions:
       issues: write
@@ -24,7 +25,7 @@ jobs:
     steps:
       - name: Generate GitHub App Token 🔑
         id: generate_token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@v2
         with:
           app-id: ${{ secrets.APP_ID }}
           private-key: ${{ secrets.PRIVATE_KEY }}
@@ -162,14 +163,13 @@ jobs:
 
       - name: 🤖 Get Insights from Report
         if: steps.report.outputs.report_body != ''
-        uses: google-gemini/gemini-cli-action@41c0f1b3cbd1a0b284251bd1aac034edd07a3a2f
+        uses: google-gemini/gemini-cli-action@df3f890f003d28c60a2a09d2c29e0126e4d1e2ff
         env:
           GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
         with:
           version: 0.1.8-rc.0
           GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
           OTLP_GCP_WIF_PROVIDER: ${{ secrets.OTLP_GCP_WIF_PROVIDER }}
-          OTLP_GCP_SERVICE_ACCOUNT: ${{ secrets.OTLP_GCP_SERVICE_ACCOUNT }}
           OTLP_GOOGLE_CLOUD_PROJECT: ${{ secrets.OTLP_GOOGLE_CLOUD_PROJECT }}
           settings_json: |
             {

.github/workflows/gemini-automated-issue-triage.yml

@@ -7,6 +7,7 @@ on:
 jobs:
   triage-issue:
     timeout-minutes: 5
+    if: ${{ github.repository == 'google-gemini/gemini-cli' }}
     permissions:
       issues: write
       contents: read
@@ -18,28 +19,32 @@ jobs:
     steps:
       - name: Generate GitHub App Token
         id: generate_token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@v2
         with:
           app-id: ${{ secrets.APP_ID }}
           private-key: ${{ secrets.PRIVATE_KEY }}
 
       - name: Run Gemini Issue Triage
-        uses: google-gemini/gemini-cli-action@41c0f1b3cbd1a0b284251bd1aac034edd07a3a2f
+        uses: google-gemini/gemini-cli-action@df3f890f003d28c60a2a09d2c29e0126e4d1e2ff
         env:
           GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
         with:
           version: 0.1.8-rc.0
           GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
           OTLP_GCP_WIF_PROVIDER: ${{ secrets.OTLP_GCP_WIF_PROVIDER }}
-          OTLP_GCP_SERVICE_ACCOUNT: ${{ secrets.OTLP_GCP_SERVICE_ACCOUNT }}
           OTLP_GOOGLE_CLOUD_PROJECT: ${{ secrets.OTLP_GOOGLE_CLOUD_PROJECT }}
           settings_json: |
             {
               "coreTools": [
                 "run_shell_command(gh label list)",
                 "run_shell_command(gh issue edit)",
                 "run_shell_command(gh issue list)"
-              ]
+              ],
+              "telemetry": {
+                "enabled": true,
+                "target": "gcp"
+              },
+              "sandbox": false
             }
           prompt: |
             You are an issue triage assistant. Analyze the current GitHub issue and apply the most appropriate existing labels.

.github/workflows/gemini-scheduled-issue-triage.yml

@@ -8,6 +8,7 @@ on:
 jobs:
   triage-issues:
     timeout-minutes: 10
+    if: ${{ github.repository == 'google-gemini/gemini-cli' }}
     runs-on: ubuntu-latest
     permissions:
       contents: read
@@ -16,7 +17,7 @@ jobs:
     steps:
       - name: Generate GitHub App Token
         id: generate_token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@v2
         with:
           app-id: ${{ secrets.APP_ID }}
           private-key: ${{ secrets.PRIVATE_KEY }}
@@ -38,30 +39,33 @@ jobs:
           echo "📝 Setting output for GitHub Actions..."
           echo "issues_to_triage=$ISSUES" >> "$GITHUB_OUTPUT"
 
-          echo "💾 Writing issues to temporary file for Gemini CLI..."
-          echo "$ISSUES" > /tmp/issues_to_triage.json
-
           echo "✅ Found $(echo "$ISSUES" | jq 'length') issues to triage! 🎯"
 
       - name: Run Gemini Issue Triage
         if: steps.find_issues.outputs.issues_to_triage != '[]'
-        uses: google-gemini/gemini-cli-action@41c0f1b3cbd1a0b284251bd1aac034edd07a3a2f
+        uses: google-gemini/gemini-cli-action@df3f890f003d28c60a2a09d2c29e0126e4d1e2ff
         env:
           GITHUB_TOKEN: ${{ steps.generate_token.outputs.token }}
+          ISSUES_TO_TRIAGE: ${{ steps.find_issues.outputs.issues_to_triage }}
+          REPOSITORY: ${{ github.repository }}
         with:
           version: 0.1.8-rc.0
           GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
           OTLP_GCP_WIF_PROVIDER: ${{ secrets.OTLP_GCP_WIF_PROVIDER }}
-          OTLP_GCP_SERVICE_ACCOUNT: ${{ secrets.OTLP_GCP_SERVICE_ACCOUNT }}
           OTLP_GOOGLE_CLOUD_PROJECT: ${{ secrets.OTLP_GOOGLE_CLOUD_PROJECT }}
           settings_json: |
             {
               "coreTools": [
+                "run_shell_command(echo)",
                 "run_shell_command(gh label list)",
                 "run_shell_command(gh issue edit)",
-                "run_shell_command(gh issue list)",
-                "run_shell_command(cat /tmp/issues_to_triage.json)"
-              ]
+                "run_shell_command(gh issue list)"
+              ],
+              "telemetry": {
+                "enabled": true,
+                "target": "gcp"
+              },
+              "sandbox": false
             }
           prompt: |
             You are an issue triage assistant. Analyze issues and apply appropriate labels ONE AT A TIME.
@@ -70,7 +74,7 @@ jobs:
 
             Steps:
             1. Run: `gh label list --repo ${{ github.repository }} --limit 100` to see available labels
-            2. Run: `cat /tmp/issues_to_triage.json` to get the issues that need triaging
+            2. Check environment variable for issues to triage: $ISSUES_TO_TRIAGE (JSON array of issues)
             3. Parse the JSON array from step 2 and for EACH INDIVIDUAL issue, apply appropriate labels using separate commands:
                - `gh issue edit ISSUE_NUMBER --repo ${{ github.repository }} --add-label "label1"`
                - `gh issue edit ISSUE_NUMBER --repo ${{ github.repository }} --add-label "label2"`

.github/workflows/gemini-scheduled-pr-triage.yml

@@ -8,6 +8,7 @@ on:
 jobs:
   audit-prs:
     timeout-minutes: 15
+    if: ${{ github.repository == 'google-gemini/gemini-cli' }}
     permissions:
       contents: read
       id-token: write
@@ -22,7 +23,7 @@ jobs:
 
       - name: Generate GitHub App Token
         id: generate_token
-        uses: actions/create-github-app-token@v1
+        uses: actions/create-github-app-token@v2
         with:
           app-id: ${{ secrets.APP_ID }}
           private-key: ${{ secrets.PRIVATE_KEY }}

.github/workflows/release.yml

@@ -143,7 +143,7 @@ jobs:
 
       - name: Install latest core package
         if: steps.vars.outputs.is_dry_run == 'false'
-        run: npm install @google/gemini-cli-core@${{ steps.version.outputs.NPM_TAG }} --workspace=@google/gemini-cli --save-exact
+        run: npm install @google/gemini-cli-core@${{ steps.version.outputs.RELEASE_VERSION }} --workspace=@google/gemini-cli --save-exact
 
       - name: Publish @google/gemini-cli
         run: npm publish --workspace=@google/gemini-cli --tag=${{ steps.version.outputs.NPM_TAG }} ${{ steps.vars.outputs.is_dry_run == 'true' && '--dry-run' || '' }}

CONTRIBUTING.md

@@ -118,7 +118,7 @@ This command typically compiles TypeScript to JavaScript, bundles assets, and pr
 
 ### Enabling Sandboxing
 
-Container-based [sandboxing](#sandboxing) is highly recommended and requires, at a minimum, setting `GEMINI_SANDBOX=true` in your `~/.env` and ensuring a container engine (e.g. `docker` or `podman`) is available. See [Sandboxing](#sandboxing) for details.
+[Sandboxing](#sandboxing) is highly recommended and requires, at a minimum, setting `GEMINI_SANDBOX=true` in your `~/.env` and ensuring a sandboxing provider (e.g. `macOS Seatbelt`, `docker`, or `podman`) is available. See [Sandboxing](#sandboxing) for details.
 
 To build both the `gemini` CLI utility and the sandbox container, run `build:all` from the root directory:
 
@@ -284,7 +284,7 @@ Container-based sandboxing mounts the project directory (and system temp directo
 
 #### Proxied Networking
 
-All sandboxing methods, including MacOS Seatbelt using `*-proxied` profiles, support restricting outbound network traffic through a custom proxy server that can be specified as `GEMINI_SANDBOX_PROXY_COMMAND=<command>`, where `<command>` must start a proxy server that listens on `:::8877` for relevant requests. See `scripts/example-proxy.js` for a minimal proxy that only allows `HTTPS` connections to `example.com:443` (e.g. `curl https://example.com`) and declines all other requests. The proxy is started and stopped automatically alongside the sandbox.
+All sandboxing methods, including MacOS Seatbelt using `*-proxied` profiles, support restricting outbound network traffic through a custom proxy server that can be specified as `GEMINI_SANDBOX_PROXY_COMMAND=<command>`, where `<command>` must start a proxy server that listens on `:::8877` for relevant requests. See `docs/examples/proxy-script.md` for a minimal proxy that only allows `HTTPS` connections to `example.com:443` (e.g. `curl https://example.com`) and declines all other requests. The proxy is started and stopped automatically alongside the sandbox.
 
 ## Manual Publish
 

GEMINI.md

@@ -179,3 +179,7 @@ Design for a good user experience - Provide clear, minimal, and non-blocking UI
 ## Comments policy
 
 Only write high-value comments if at all. Avoid talking to the user through comments.
+
+## General style requirements
+
+Use hyphens instead of underscores in flag names (e.g. `my-flag` instead of `my_flag`).

Makefile

@@ -8,16 +8,15 @@ help:
 	@echo "Usage:"
 	@echo "  make install          - Install npm dependencies"
 	@echo "  make build            - Build the entire project"
-	@echo "  make build-sandbox    - Build the sandbox container"
-	@echo "  make build-all        - Build the project and the sandbox"
+	@echo "  make build-all        - Build the entire project"
 	@echo "  make test             - Run the test suite"
 	@echo "  make lint             - Lint the code"
 	@echo "  make format           - Format the code"
 	@echo "  make preflight        - Run formatting, linting, and tests"
 	@echo "  make clean            - Remove generated files"
 	@echo "  make start            - Start the Gemini CLI"
 	@echo "  make debug            - Start the Gemini CLI in debug mode"
-	@echo "  make release          - Publish a new release"
+	@echo ""
 	@echo "  make run-npx          - Run the CLI using npx (for testing the published package)"
 	@echo "  make create-alias     - Create a 'gemini' alias for your shell"
 
@@ -27,8 +26,6 @@ install:
 build:
 	npm run build
 
-build-sandbox:
-	npm run build:sandbox
 
 build-all:
 	npm run build:all
@@ -54,8 +51,6 @@ start:
 debug:
 	npm run debug
 
-release:
-	npm run publish:release
 
 run-npx:
 	npx https://github.com/google-gemini/gemini-cli