Update .github directory from main branch (#9155)

Author: scidomino

.github/actions/create-pull-request/action.yml

@@ -0,0 +1,55 @@
+name: 'Create and Merge Pull Request'
+description: 'Creates a pull request and merges it automatically.'
+
+inputs:
+  branch-name:
+    description: 'The name of the branch to create the PR from.'
+    required: true
+  pr-title:
+    description: 'The title of the pull request.'
+    required: true
+  pr-body:
+    description: 'The body of the pull request.'
+    required: true
+  base-branch:
+    description: 'The branch to merge into.'
+    required: true
+    default: 'main'
+  app-id:
+    description: 'The ID of the GitHub App.'
+    required: true
+  private-key:
+    description: 'The private key of the GitHub App.'
+    required: true
+  dry-run:
+    description: 'Whether to run in dry-run mode.'
+    required: false
+    default: 'false'
+
+runs:
+  using: 'composite'
+  steps:
+    - name: 'Generate GitHub App Token'
+      id: 'generate_token'
+      if: "inputs.dry-run == 'false'"
+      uses: 'actions/create-github-app-token@a8d616148505b5069dccd32f177bb87d7f39123b'
+      with:
+        app-id: '${{ inputs.app-id }}'
+        private-key: '${{ inputs.private-key }}'
+        permission-pull-requests: 'write'
+        permission-contents: 'write'
+
+    - name: 'Create and Approve Pull Request'
+      if: "inputs.dry-run == 'false'"
+      env:
+        GH_TOKEN: '${{ steps.generate_token.outputs.token }}'
+      shell: 'bash'
+      run: |
+        set -e
+        PR_URL=$(gh pr create \
+          --title "${{ inputs.pr-title }}" \
+          --body "${{ inputs.pr-body }}" \
+          --base "${{ inputs.base-branch }}" \
+          --head "${{ inputs.branch-name }}" \
+          --fill)
+        gh pr merge "$PR_URL" --auto --squash

.github/actions/publish-release/action.yml

@@ -27,10 +27,19 @@ inputs:
   previous-tag:
     description: 'The previous tag to use for generating release notes.'
     required: true
+  skip-github-release:
+    description: 'Whether to skip creating a GitHub release.'
+    type: 'boolean'
+    required: false
+    default: false
   working-directory:
     description: 'The working directory to run the steps in.'
     required: false
     default: '.'
+  force-skip-tests:
+    description: 'Skip tests and validation'
+    required: false
+    default: false
 
 runs:
   using: 'composite'
@@ -102,7 +111,7 @@ runs:
         npm publish \
           --dry-run="${{ inputs.dry-run }}" \
           --workspace="@google/gemini-cli-core" \
-          --tag="${{ inputs.npm-tag }}"
+          --no-tag
 
     - name: '🔗 Install latest core package'
       working-directory: '${{ inputs.working-directory }}'
@@ -122,7 +131,31 @@ runs:
         npm publish \
           --dry-run="${{ inputs.dry-run }}" \
           --workspace="@google/gemini-cli" \
-          --tag="${{ inputs.npm-tag }}"
+          --no-tag
+
+    - name: '🔬 Verify NPM release by version'
+      uses: './.github/actions/verify-release'
+      if: "${{ inputs.dry-run == 'false' && inputs.force-skip-tests == 'false' }}"
+      with:
+        npm-package: '@google/gemini-cli@${{ inputs.release-version }}'
+        expected-version: '${{ inputs.release-version }}'
+        ref: '${{ steps.release_branch.outputs.BRANCH_NAME }}'
+
+    - name: '🏷️ Tag release'
+      uses: './.github/actions/tag-npm-release'
+      if: "${{ inputs.dry-run == 'false' }}"
+      with:
+        channel: '${{ inputs.npm-tag }}'
+        version: '${{ inputs.release-version }}'
+        dry-run: '${{ inputs.dry-run }}'
+        wombat-token-core: '${{ inputs.wombat-token-core }}'
+        wombat-token-cli: '${{ inputs.wombat-token-cli }}'
+
+    - name: 'Install deps'
+      working-directory: '${{ inputs.working-directory }}'
+      shell: 'bash'
+      run: |
+        npm install
 
     - name: '🎁 Bundle'
       working-directory: '${{ inputs.working-directory }}'
@@ -132,7 +165,7 @@ runs:
 
     - name: '🎉 Create GitHub Release'
       working-directory: '${{ inputs.working-directory }}'
-      if: "${{ inputs.dry-run == 'false' }}"
+      if: "${{ inputs.dry-run == 'false' && inputs.skip-github-release == 'false' && inputs.npm-tag != 'dev' }}"
       env:
         GITHUB_TOKEN: '${{ inputs.github-token }}'
       shell: 'bash'
@@ -143,3 +176,12 @@ runs:
           --title "Release ${{ inputs.release-tag }}" \
           --notes-start-tag "${{ inputs.previous-tag }}" \
           --generate-notes
+
+    - name: '🧹 Clean up release branch'
+      working-directory: '${{ inputs.working-directory }}'
+      if: "${{ inputs.dry-run == 'false' }}"
+      continue-on-error: true
+      shell: 'bash'
+      run: |
+        echo "Cleaning up release branch ${{ steps.release_branch.outputs.BRANCH_NAME }}..."
+        git push origin --delete "${{ steps.release_branch.outputs.BRANCH_NAME }}"

.github/actions/push-docker/action.yml

@@ -0,0 +1,73 @@
+name: 'Push to docker'
+description: 'Builds packages and pushes a docker image to GHCR'
+
+inputs:
+  github-actor:
+    description: 'Github actor'
+    required: true
+  github-secret:
+    description: 'Github secret'
+    required: true
+  ref-name:
+    description: 'Github ref name'
+    required: true
+  github-sha:
+    description: 'Github Commit SHA Hash'
+    required: true
+
+runs:
+  using: 'composite'
+  steps:
+    - name: 'Checkout'
+      uses: 'actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955' # ratchet:actions/checkout@v4
+      with:
+        ref: '${{ inputs.github-sha }}'
+        fetch-depth: 0
+    - name: 'Install Dependencies'
+      shell: 'bash'
+      run: 'npm install'
+    - name: 'Set up Docker Buildx'
+      uses: 'docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435' # ratchet:docker/setup-buildx-action@v3
+    - name: 'build'
+      shell: 'bash'
+      run: 'npm run build'
+    - name: 'pack @google/gemini-cli'
+      shell: 'bash'
+      run: 'npm pack -w @google/gemini-cli --pack-destination ./packages/cli/dist'
+    - name: 'pack @google/gemini-cli-core'
+      shell: 'bash'
+      run: 'npm pack -w @google/gemini-cli-core --pack-destination ./packages/core/dist'
+    - name: 'Log in to GitHub Container Registry'
+      uses: 'docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1' # ratchet:docker/login-action@v3
+      with:
+        registry: 'ghcr.io'
+        username: '${{ inputs.github-actor }}'
+        password: '${{ inputs.github-secret }}'
+    - name: 'Get branch name'
+      id: 'branch_name'
+      shell: 'bash'
+      run: |
+        REF_NAME="${{ inputs.ref-name }}"
+        echo "name=${REF_NAME%/merge}" >> $GITHUB_OUTPUT
+    - name: 'Build and Push the Docker Image'
+      uses: 'docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83' # ratchet:docker/build-push-action@v6
+      with:
+        context: '.'
+        file: './Dockerfile'
+        push: true
+        provenance: false # avoid pushing 3 images to Aritfact Registry
+        tags: |
+          ghcr.io/${{ github.repository }}/cli:${{ steps.branch_name.outputs.name }}
+          ghcr.io/${{ github.repository }}/cli:${{ inputs.github-sha }}
+    - name: 'Create issue on failure'
+      if: |-
+        ${{ failure() }}
+      shell: 'bash'
+      env:
+        GITHUB_TOKEN: '${{ inputs.github-secret }}'
+        DETAILS_URL: '${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}'
+      run: |-
+        gh issue create \
+          --title "Docker build failed" \
+          --body "The docker build failed. See the full run for details: ${DETAILS_URL}" \
+          --label "kind/bug,release-failure"

.github/actions/push-sandbox/action.yaml

@@ -0,0 +1,85 @@
+name: 'Build and push sandbox docker'
+description: 'Pushes sandbox docker image to container registry'
+
+inputs:
+  github-actor:
+    description: 'Github actor'
+    required: true
+  github-secret:
+    description: 'Github secret'
+    required: true
+  github-sha:
+    description: 'Github Commit SHA Hash'
+    required: true
+  github-ref-name:
+    description: 'Github ref name'
+    required: true
+  dry-run:
+    description: 'Whether this is a dry run.'
+    required: true
+    type: 'boolean'
+
+runs:
+  using: 'composite'
+  steps:
+    - name: 'Checkout'
+      uses: 'actions/checkout@v4'
+      with:
+        ref: '${{ inputs.github-sha }}'
+        fetch-depth: 0
+    - name: 'Install Dependencies'
+      shell: 'bash'
+      run: 'npm install'
+    - name: 'npm build'
+      shell: 'bash'
+      run: 'npm run build'
+    - name: 'Set up Docker Buildx'
+      uses: 'docker/setup-buildx-action@v3'
+    - name: 'Log in to GitHub Container Registry'
+      uses: 'docker/login-action@v3'
+      with:
+        registry: 'ghcr.io'
+        username: '${{ inputs.github-actor }}'
+        password: '${{ inputs.github-secret }}'
+    - name: 'determine image tag'
+      id: 'image_tag'
+      shell: 'bash'
+      run: |-
+        SHELL_TAG_NAME="${{ inputs.github-ref-name }}"
+        FINAL_TAG="${{ inputs.github-sha }}"
+        if [[ "$SHELL_TAG_NAME" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.-]+)?$ ]]; then
+          echo "Release detected."
+          FINAL_TAG="${SHELL_TAG_NAME#v}"
+        else
+          echo "Development release detected. Using commit SHA as tag."
+        fi
+        echo "Determined image tag: $FINAL_TAG"
+        echo "FINAL_TAG=$FINAL_TAG" >> $GITHUB_OUTPUT
+    - name: 'build'
+      id: 'docker_build'
+      shell: 'bash'
+      env:
+        GEMINI_SANDBOX_IMAGE_TAG: '${{ steps.image_tag.outputs.FINAL_TAG }}'
+        GEMINI_SANDBOX: 'docker'
+      run: |-
+        npm run build:sandbox -- \
+          --image ghcr.io/${{ github.repository}}/sandbox:${{ steps.image_tag.outputs.FINAL_TAG }} \
+          --output-file final_image_uri.txt
+        echo "uri=$(cat final_image_uri.txt)" >> $GITHUB_OUTPUT
+    - name: 'publish'
+      shell: 'bash'
+      if: "${{ inputs.dry-run == 'false' }}"
+      run: |-
+        docker push "${{ steps.docker_build.outputs.uri }}"
+    - name: 'Create issue on failure'
+      if: |-
+        ${{ failure() }}
+      shell: 'bash'
+      env:
+        GITHUB_TOKEN: '${{ inputs.github-secret }}'
+        DETAILS_URL: '${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}'
+      run: |-
+        gh issue create \
+          --title "Docker build failed" \
+          --body "The docker build failed. See the full run for details: ${DETAILS_URL}" \
+          --label "kind/bug,release-failure"

.github/actions/tag-npm-release/action.yml

@@ -0,0 +1,53 @@
+name: 'Tag an NPM release'
+description: 'Tags a specific npm version to a specific channel.'
+
+inputs:
+  channel:
+    description: 'NPM Channel tag'
+    required: true
+  version:
+    description: 'version'
+    required: true
+  dry-run:
+    description: 'Whether to run in dry-run mode.'
+    required: true
+  wombat-token-core:
+    description: 'The npm token for the wombat @google/gemini-cli-core'
+    required: true
+  wombat-token-cli:
+    description: 'The npm token for wombat @google/gemini-cli'
+
+runs:
+  using: 'composite'
+  steps:
+    - name: 'Setup Node.js'
+      uses: 'actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020'
+      with:
+        node-version-file: '.nvmrc'
+        registry-url: 'https://wombat-dressing-room.appspot.com'
+        scope: '@google'
+
+    - name: 'Change tag for @google/gemini-cli-core'
+      if: |-
+        ${{ inputs.dry-run == 'false' }}
+      env:
+        NODE_AUTH_TOKEN: '${{ inputs.wombat-token-core }}'
+      shell: 'bash'
+      run: |
+        npm dist-tag add @google/gemini-cli-core@${{ inputs.version }} ${{ inputs.channel }}
+
+    - name: 'Change tag for @google/gemini-cli'
+      if: |-
+        ${{ inputs.dry-run == 'false' }}
+      env:
+        NODE_AUTH_TOKEN: '${{ inputs.wombat-token-cli }}'
+      shell: 'bash'
+      run: |
+        npm dist-tag add @google/gemini-cli@${{ inputs.version }} ${{ inputs.channel }}
+
+    - name: 'Log dry run'
+      if: |-
+        ${{ inputs.dry-run == 'true' }}
+      shell: 'bash'
+      run: |
+        echo "Dry run: Would have added tag '${{ inputs.channel }}' to version '${{ inputs.version }}' for @google/gemini-cli and @google/gemini-cli-core."