This is a safe request #73
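# Reviews a pull request with Gemini in two passes: a general code review
# (prompt '/gemini-review') followed by a security-analysis pass that loads the
# gemini-cli security extension (prompt '/security:analyze-github-pr').
# Triggered when a PR is opened, or when a collaborator comments
# '@gemini-cli /review' on a PR.
name: '🔎 Gemini Review & Security Analysis'

on:  # yamllint disable-line rule:truthy
  pull_request:
    types:
      - 'opened'
  issue_comment:
    types:
      - 'created'

# One in-flight run per PR and trigger type; a newer trigger of the same type
# cancels the older run for the same PR.
concurrency:
  group: '${{ github.workflow }}-review-${{ github.event_name }}-${{ github.event.pull_request.number || github.event.issue.number }}'
  cancel-in-progress: true

defaults:
  run:
    shell: 'bash'

jobs:
  review:
    # The issue_comment path can be driven by any account able to comment on the
    # PR, and this job holds write access to issues/pull requests and feeds the
    # PR into an LLM that has tools. That path is therefore restricted to
    # comments made on pull requests (not plain issues) by OWNER / MEMBER /
    # COLLABORATOR accounts. The pull_request path still runs for every opened
    # PR, including fork PRs (which in any case receive a read-only token).
    if: |
      (github.event_name == 'pull_request' && github.event.action == 'opened') ||
      (github.event_name == 'issue_comment' &&
       github.event.issue.pull_request &&
       contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association) &&
       github.event.comment.body == '@gemini-cli /review')
    runs-on: 'ubuntu-latest'
    timeout-minutes: 15
    permissions:
      contents: 'read'
      id-token: 'write'  # OIDC token for Workload Identity Federation to GCP
      issues: 'write'
      pull-requests: 'write'
    steps:
      # Optional: when a GitHub App is configured via vars.APP_ID, comments are
      # posted as the app rather than as github-actions[bot].
      - name: 'Mint identity token'
        id: 'mint_identity_token'
        if: |-
          ${{ vars.APP_ID }}
        uses: 'actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b' # ratchet:actions/create-github-app-token@v2
        with:
          app-id: '${{ vars.APP_ID }}'
          private-key: '${{ secrets.APP_PRIVATE_KEY }}'
          permission-contents: 'read'
          permission-issues: 'write'
          permission-pull-requests: 'write'

      # Event data reaches the shell only through environment variables, never
      # interpolated into the script body, so a crafted actor/PR value cannot
      # change the command.
      - name: 'Acknowledge request'
        env:
          GITHUB_TOKEN: '${{ steps.mint_identity_token.outputs.token || secrets.GITHUB_TOKEN || github.token }}'
          ISSUE_NUMBER: '${{ github.event.pull_request.number || github.event.issue.number }}'
          MESSAGE: |-
            🤖 Hi @${{ github.actor }}, I've received your request, and I'm working on it now! You can track my progress [in the logs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for more details.
          REPOSITORY: '${{ github.repository }}'
        run: |-
          gh issue comment "${ISSUE_NUMBER}" \
            --body "${MESSAGE}" \
            --repo "${REPOSITORY}"

      # No 'ref' is given, so on issue_comment this checks out the repository
      # default branch rather than the PR head; the run_shell_command tools below
      # then read base-branch files. The PR diff itself is presumably fetched via
      # the GitHub MCP server's pull_request_read tool - confirm that is the
      # intended source before relying on cat/grep output in reviews.
      - name: 'Checkout repository'
        uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5

      # Pass 1: general code review.
      # NOTE(review): '@main' is a floating ref (ratchet:exclude opts it out of
      # SHA pinning) on a step that receives GEMINI_API_KEY / GOOGLE_API_KEY and a
      # write-capable GitHub token; any change on that branch lands here
      # unreviewed. Pin to a full commit SHA like the other steps once a release
      # is chosen.
      - name: 'Run Gemini pull request review'
        uses: 'google-github-actions/run-gemini-cli@main' # ratchet:exclude
        id: 'gemini_pr_review'
        env:
          GITHUB_TOKEN: '${{ steps.mint_identity_token.outputs.token || secrets.GITHUB_TOKEN || github.token }}'
          # PR title/body are author-controlled text handed to the model; the
          # includeTools / tools.core allowlists in 'settings' are what bound the
          # effect of any instruction embedded in them - keep those lists narrow.
          ISSUE_TITLE: '${{ github.event.pull_request.title || github.event.issue.title }}'
          ISSUE_BODY: '${{ github.event.pull_request.body || github.event.issue.body }}'
          PULL_REQUEST_NUMBER: '${{ github.event.pull_request.number || github.event.issue.number }}'
          REPOSITORY: '${{ github.repository }}'
          # 'inputs' is populated only for workflow_dispatch / workflow_call
          # triggers, neither of which this workflow declares, so this is empty.
          ADDITIONAL_CONTEXT: '${{ inputs.additional_context }}'
        with:
          gcp_location: '${{ vars.GOOGLE_CLOUD_LOCATION }}'
          gcp_project_id: '${{ vars.GOOGLE_CLOUD_PROJECT }}'
          gcp_service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
          gcp_workload_identity_provider: '${{ vars.GCP_WIF_PROVIDER }}'
          gemini_api_key: '${{ secrets.GEMINI_API_KEY }}'
          gemini_cli_version: '${{ vars.GEMINI_CLI_VERSION }}'
          gemini_debug: '${{ fromJSON(vars.DEBUG || vars.ACTIONS_STEP_DEBUG || false) }}'
          gemini_model: '${{ vars.GEMINI_MODEL }}'
          google_api_key: '${{ secrets.GOOGLE_API_KEY }}'
          use_gemini_code_assist: '${{ vars.GOOGLE_GENAI_USE_GCA }}'
          use_vertex_ai: '${{ vars.GOOGLE_GENAI_USE_VERTEXAI }}'
          upload_artifacts: '${{ vars.UPLOAD_ARTIFACTS }}'
          # Gemini CLI settings (JSON, so comments go here). The GitHub MCP
          # server runs in Docker and receives the job's GitHub token via
          # GITHUB_PERSONAL_ACCESS_TOKEN; it is limited to the four review tools
          # listed in includeTools, and the model's shell access is limited to
          # the read-only commands in tools.core. The image is pinned by tag
          # (v0.18.0), which is mutable - pin by digest for a stable supply chain.
          settings: |-
            {
              "model": {
                "maxSessionTurns": 25
              },
              "telemetry": {
                "enabled": true,
                "target": "local",
                "outfile": ".gemini/telemetry.log"
              },
              "mcpServers": {
                "github": {
                  "command": "docker",
                  "args": [
                    "run",
                    "-i",
                    "--rm",
                    "-e",
                    "GITHUB_PERSONAL_ACCESS_TOKEN",
                    "ghcr.io/github/github-mcp-server:v0.18.0"
                  ],
                  "includeTools": [
                    "add_comment_to_pending_review",
                    "create_pending_pull_request_review",
                    "pull_request_read",
                    "submit_pending_pull_request_review"
                  ],
                  "env": {
                    "GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_TOKEN}"
                  }
                }
              },
              "tools": {
                "core": [
                  "run_shell_command(cat)",
                  "run_shell_command(echo)",
                  "run_shell_command(grep)",
                  "run_shell_command(head)",
                  "run_shell_command(tail)"
                ]
              }
            }
          prompt: '/gemini-review'

      # Pass 2: security analysis via the gemini-cli security extension.
      # Same floating '@main' ref and the same token/secret exposure as the
      # step above; the same pinning note applies. The extension itself is also
      # loaded from a git URL without a pinned revision.
      - name: 'Run Gemini security analysis review'
        uses: 'google-github-actions/run-gemini-cli@main' # ratchet:exclude
        id: 'gemini_security_analysis'
        env:
          GITHUB_TOKEN: '${{ steps.mint_identity_token.outputs.token || secrets.GITHUB_TOKEN || github.token }}'
          ISSUE_TITLE: '${{ github.event.pull_request.title || github.event.issue.title }}'
          ISSUE_BODY: '${{ github.event.pull_request.body || github.event.issue.body }}'
          PULL_REQUEST_NUMBER: '${{ github.event.pull_request.number || github.event.issue.number }}'
          REPOSITORY: '${{ github.repository }}'
          # Always empty here for the same reason as in the review step above.
          ADDITIONAL_CONTEXT: '${{ inputs.additional_context }}'
        with:
          gcp_location: '${{ vars.GOOGLE_CLOUD_LOCATION }}'
          gcp_project_id: '${{ vars.GOOGLE_CLOUD_PROJECT }}'
          gcp_service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
          gcp_workload_identity_provider: '${{ vars.GCP_WIF_PROVIDER }}'
          gemini_api_key: '${{ secrets.GEMINI_API_KEY }}'
          gemini_cli_version: '${{ vars.GEMINI_CLI_VERSION }}'
          gemini_debug: '${{ fromJSON(vars.DEBUG || vars.ACTIONS_STEP_DEBUG || false) }}'
          gemini_model: '${{ vars.GEMINI_MODEL }}'
          google_api_key: '${{ secrets.GOOGLE_API_KEY }}'
          use_gemini_code_assist: '${{ vars.GOOGLE_GENAI_USE_GCA }}'
          use_vertex_ai: '${{ vars.GOOGLE_GENAI_USE_VERTEXAI }}'
          upload_artifacts: '${{ vars.UPLOAD_ARTIFACTS }}'
          extensions: |
            [
              "https://github.com/gemini-cli-extensions/security.git"
            ]
          # Same tool allowlists as pass 1; only maxSessionTurns differs (100),
          # so this pass can run noticeably longer inside the 15-minute job limit.
          settings: |-
            {
              "model": {
                "maxSessionTurns": 100
              },
              "telemetry": {
                "enabled": true,
                "target": "local",
                "outfile": ".gemini/telemetry.log"
              },
              "mcpServers": {
                "github": {
                  "command": "docker",
                  "args": [
                    "run",
                    "-i",
                    "--rm",
                    "-e",
                    "GITHUB_PERSONAL_ACCESS_TOKEN",
                    "ghcr.io/github/github-mcp-server:v0.18.0"
                  ],
                  "includeTools": [
                    "add_comment_to_pending_review",
                    "create_pending_pull_request_review",
                    "pull_request_read",
                    "submit_pending_pull_request_review"
                  ],
                  "env": {
                    "GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_TOKEN}"
                  }
                }
              },
              "tools": {
                "core": [
                  "run_shell_command(cat)",
                  "run_shell_command(echo)",
                  "run_shell_command(grep)",
                  "run_shell_command(head)",
                  "run_shell_command(tail)"
                ]
              }
            }
          prompt: '/security:analyze-github-pr'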