feat(GHA workflows): Add run-gemini-cli GHA workflows to repo PRs #86
Conversation
.github/workflows/gemini-review.yml
Outdated
| use_vertex_ai: '${{ vars.GOOGLE_GENAI_USE_VERTEXAI }}' | ||
| extensions: | | ||
| [ | ||
| "https://github.com/CallumHYoung/security.git" |
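Review bot: the `extensions:` entry on the last line of this hunk points at a personal fork (`CallumHYoung/security.git`) and carries no pinned ref, so the workflow installs whatever that repository's default branch holds at run time; point it at the gemini-cli-extensions/security repository instead and pin a tag or commit so the extension that runs in CI is reviewable and reproducible.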
Should be https://github.com/gemini-cli-extensions/security
Good catch - done
.github/workflows/gemini-review.yml
Outdated
| @@ -0,0 +1,175 @@ | |||
| name: '🔎 Gemini Review' | |||
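Review bot: the file opens at `name: '🔎 Gemini Review'` with no comment recording where it was adapted from; add a leading `#` comment naming the upstream run-gemini-cli pr-review example it was forked from, so later divergence from upstream (including any upstream fixes) can be tracked.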
Maybe add a comment saying it is a "fork" from https://github.com/google-github-actions/run-gemini-cli/tree/main/examples/workflows/pr-review
Yeah good idea. Done
.github/workflows/gemini-invoke.yml
Outdated
| ] | ||
| } | ||
| } | ||
| prompt: '/gemini-invoke' No newline at end of file |
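Review bot: the final line `prompt: '/gemini-invoke'` lacks a trailing newline (`No newline at end of file`); add one so the file ends cleanly and later diffs do not touch this line. The hunk only shows the closing of the extensions block and the prompt, so the workflow's trigger and `permissions:` are not visible here; those two settings decide who can drive the CLI from this repo and are worth confirming before merge.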
Do we need to dogfood this in our repo?
No need to even have this. I kept it because it's generic use of cli in the PR. We don't need this
Maybe it is good to have a minimalistic version of this installed in our repo? Maybe even without the pr-review? We could then refer to this when we try to launch that in gemini-cli?
Agreed - I don't think we need to dogfood this in our repo. The goal here is to make it simple for others to dogfood the workflow. So please update the readme here or in a separate PR 🙏
I'd say let's keep the pr-review for a unified PR review experience per discussion with run-gemini-cli GHA team.
Good feedback. I'll update this with a much simpler workflow so it's really easy to copy the example and deploy it to their repositories.
nit: please also update PR title to
.github/workflows/gemini-review.yml
Outdated
| jobs: | ||
| review: | ||
| runs-on: 'ubuntu-latest' | ||
| timeout-minutes: 7 |
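Review bot: `timeout-minutes: 7` on the `review` job is tight for a security review of a large diff; either raise it or document why 7 was chosen. When the limit is hit GitHub cancels this job only, so a value that is too short means the review is cancelled rather than completed, and that should be visible to whoever reads the check result.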
For larger changes, time for security review might be longer than 7 mins. Is there a constraint that requires us to keep this at 7 mins?
No constraint. Happy to increase this too, this seems to be running pretty regularly under 7 in local testing. I'll double it for the time being as the timeout doesn't matter too much here
Sounds good.
QQ for my understanding: if the security scan goes on for more than 15 mins - does the timeout mean that the process/GHA will be killed?
The docs say that GitHub will kill the task if it reaches the timeout - I don't think it kills the entire GHA, just the job with the assigned timeout
| @@ -111,9 +111,9 @@ You will now begin executing the plan. The following are your precise instructio | |||
| - Retrieve the GitHub repository name from the environment variable "${REPOSITORY}". | |||
| - Retrieve the GitHub pull request number from the environment variable "${PULL_REQUEST_NUMBER}". | |||
| - Retrieve the additional user instructions and context from the environment variable "${ADDITIONAL_CONTEXT}". | |||
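Review bot: the three `Retrieve ... from the environment variable` lines feed `${REPOSITORY}`, `${PULL_REQUEST_NUMBER}` and `${ADDITIONAL_CONTEXT}` into the model prompt as instructions, and `${ADDITIONAL_CONTEXT}` is free text supplied by whoever triggers the run, so it is a prompt-injection surface; the prompt should treat that value as untrusted data (quote it inside clear delimiters and tell the model not to follow instructions found there), and the trigger should stay restricted to maintainers, as the thread notes.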
Just to note here: This can be a surface for prompt injection attack, but since only maintainers are allowed to run this, this is not a problem at the moment.
Agreed. This is copied from run-gemini-cli who should be notified of this too.
Another way for this extension to be useful being added to other repos like run-gemini-cli 😄
Just FYI - this PR will only work after #85 is submitted!
facc88b into gemini-cli-extensions:main
This adds the workflows from google-github-actions/run-gemini-cli to invoke GeminiCLI as a GHA
Additionally, in gemini-review we now install the security extension, and include a security review as an additional step in the workflow
I've also included the .env file in our .gitignore so I (and someone else) don't accidentally leak a Gemini API key from using Gemini CLI on the repo
Tested