Move to only use mjs files for ng-dev configuration and create validation subcommand #5
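# Automated security review: for pull requests opened by the Angular robot
# account, acknowledge the PR, run the Gemini CLI security extension against
# it, and post the findings back as a PR review.
name: 'Security Review'
# `pull_request_target` runs in the context of the BASE repository, which is
# what grants the write-scoped GITHUB_TOKEN used below. The checkout step does
# not fetch the PR head, so PR-controlled code is never executed with that token.
on:  # yamllint disable-line rule:truthy
  pull_request_target:
    types: [opened, synchronize]
concurrency:
  group: '${{ github.workflow }}-review-${{ github.event.pull_request.number }}'
  cancel-in-progress: true
defaults:
  run:
    shell: 'bash'
jobs:
  review:
    # 89942104 is the user id for the angular robot account.
    # The event name must match the trigger above: a `pull_request_target`
    # trigger reports `github.event_name == 'pull_request_target'`, so comparing
    # against 'pull_request' is always false and silently skips the whole job.
    # This gate keys on the PR *author*, not on whoever pushed the latest commit.
    if: |
      (
        github.event_name == 'pull_request_target' &&
        github.event.pull_request.user.id == '89942104'
      )
    runs-on: 'ubuntu-latest'
    timeout-minutes: 15
    # Least privilege for the job token: read the repository, mint an OIDC token
    # for the GCP workload-identity federation configured below, and write
    # review comments on the PR.
    permissions:
      contents: 'read'
      id-token: 'write'
      pull-requests: 'write'
    steps:
      - name: 'Acknowledge request'
        # Event-derived values are passed through `env` and expanded by the
        # shell; none are interpolated with `${{ }}` directly into the script.
        env:
          GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
          ISSUE_NUMBER: '${{ github.event.pull_request.number }}'
          MESSAGE: |-
            Beginning security review for the pull request. Track the progress [in the logs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for more details.
          REPOSITORY: '${{ github.repository }}'
        run: |-
          gh issue comment "${ISSUE_NUMBER}" \
            --body "${MESSAGE}" \
            --repo "${REPOSITORY}"
      - name: 'Checkout repository'
        # No `ref:` is given, so this checks out the base branch of the target
        # repository rather than the PR head — required for a safe
        # `pull_request_target` workflow.
        uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
      - name: 'Run Gemini security analysis review'
        uses: 'google-github-actions/run-gemini-cli@f7db4b6f82ad0c3725cf4c98bdd93af80e22b4dc' # v0.1.14
        id: 'gemini_security_analysis'
        # PR title/body are PR-supplied text; they are exposed to the action only
        # as environment variables and are not used in any shell script here.
        env:
          GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
          ISSUE_TITLE: '${{ github.event.pull_request.title }}'
          ISSUE_BODY: '${{ github.event.pull_request.body }}'
          PULL_REQUEST_NUMBER: '${{ github.event.pull_request.number }}'
          REPOSITORY: '${{ github.repository }}'
        with:
          gcp_location: '${{ vars.GOOGLE_CLOUD_LOCATION }}'
          gcp_project_id: '${{ vars.GOOGLE_CLOUD_PROJECT }}'
          gcp_service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
          gcp_workload_identity_provider: '${{ vars.GCP_WIF_PROVIDER }}'
          gemini_api_key: '${{ secrets.SECURITY_REVIEWER }}'
          gemini_cli_version: '${{ vars.GEMINI_CLI_VERSION }}'
          gemini_debug: '${{ fromJSON(vars.DEBUG || vars.ACTIONS_STEP_DEBUG || false) }}'
          gemini_model: '${{ vars.GEMINI_MODEL }}'
          google_api_key: '${{ secrets.GOOGLE_API_KEY }}'
          use_gemini_code_assist: '${{ vars.GOOGLE_GENAI_USE_GCA }}'
          use_vertex_ai: '${{ vars.GOOGLE_GENAI_USE_VERTEXAI }}'
          upload_artifacts: '${{ vars.UPLOAD_ARTIFACTS }}'
          # NOTE(review): the extension is fetched from an unpinned git URL, so
          # its content can change between runs; pin it to a tag or commit if
          # the action supports a ref — confirm against the action's docs.
          extensions: |
            [
              "https://github.com/gemini-cli-extensions/security.git"
            ]
          # Gemini CLI settings, passed as a JSON document (no comments allowed
          # inside). The GitHub MCP server is restricted to the four PR-review
          # tools in `includeTools`, and shell access is limited to the
          # read-only commands listed under `tools.core`. The job's
          # GITHUB_TOKEN is forwarded to the container as
          # GITHUB_PERSONAL_ACCESS_TOKEN via `-e`.
          # TODO(review): the MCP server image is pinned by tag only; pin by
          # digest (`ghcr.io/github/github-mcp-server@sha256:<digest>`) for
          # supply-chain integrity.
          settings: |-
            {
              "model": {
                "maxSessionTurns": 100
              },
              "telemetry": {
                "enabled": true,
                "target": "local",
                "outfile": ".gemini/telemetry.log"
              },
              "mcpServers": {
                "github": {
                  "command": "docker",
                  "args": [
                    "run",
                    "-i",
                    "--rm",
                    "-e",
                    "GITHUB_PERSONAL_ACCESS_TOKEN",
                    "ghcr.io/github/github-mcp-server:v0.18.0"
                  ],
                  "includeTools": [
                    "add_comment_to_pending_review",
                    "create_pending_pull_request_review",
                    "pull_request_read",
                    "submit_pending_pull_request_review"
                  ],
                  "env": {
                    "GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_TOKEN}"
                  }
                }
              },
              "tools": {
                "core": [
                  "run_shell_command(cat)",
                  "run_shell_command(echo)",
                  "run_shell_command(grep)",
                  "run_shell_command(head)",
                  "run_shell_command(tail)"
                ]
              }
            }
          prompt: '/security:analyze-github-pr'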