refactor(core): Improve environment variable handling in shell execution

[galz10]

Summary

This PR addresses to improve environment variable handling in the shell execution service.

Details

The shell execution service has been updated to improve environment variables in shell. This involved modifying how process.env is passed to spawned shell processes and ensuring proper cleanup of test environments.

Related Issues

None.

How to Validate

The changes were validated by running existing unit tests for shellExecutionService.test.ts. Also setting GITHUB_SHA or SURFACE env var.

Pre-Merge Checklist

• Updated relevant documentation and README (if needed)
• Added/updated tests (if needed)
• Noted breaking changes (if any)
• Validated on required platforms/methods:
  • MacOS
    • npm run
    • npx
    • Docker
    • Podman
    • Seatbelt
  • Windows
    • npm run
    • npx
    • Docker
  • Linux
    • npm run
    • npx
    • Docker

[gemini-code-assist]

Summary of Changes

Hello @galz10, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refactors the core shell execution service to provide more controlled handling of environment variables when spawning child processes. The primary goal is to prevent the automatic inheritance of all parent process environment variables in specific scenarios, particularly within CI/CD environments, while ensuring that essential variables are still passed. This change improves security and predictability by limiting the exposure of potentially sensitive or irrelevant environment data to spawned shells.

Highlights

• Environment Variable Filtering: The shell execution service now conditionally filters process.env variables. If GITHUB_SHA is set or SURFACE is 'Github', the spawned shell processes will not inherit the parent process.env, preventing unintended environment leakage in CI/CD or specific deployment contexts.
• Enhanced Test Coverage: New unit tests have been added to shellExecutionService.test.ts to explicitly verify the correct behavior of environment variable handling, covering both scenarios where process.env is included and excluded.
• Test Environment Cleanup: The test suite now includes an afterEach hook using vi.unstubAllEnvs() to ensure that environment variables stubbed during tests are properly cleaned up, preventing test pollution.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request improves security by conditionally passing environment variables to spawned shell processes, preventing the parent process's environment from being inherited in CI environments. The implementation is sound, but the new security logic is duplicated. My feedback focuses on refactoring this duplication to improve maintainability and reduce future risks.

[github-actions]

Size Change: +866 B (0%)

Total Size: 21.5 MB

ℹ️ View Unchanged

Filename	Size	Change
./bundle/gemini.js	21.5 MB	+866 B (0%)
./bundle/sandbox-macos-permissive-closed.sb	1.03 kB	0 B
./bundle/sandbox-macos-permissive-open.sb	890 B	0 B
./bundle/sandbox-macos-permissive-proxied.sb	1.31 kB	0 B
./bundle/sandbox-macos-restrictive-closed.sb	3.29 kB	0 B
./bundle/sandbox-macos-restrictive-open.sb	3.36 kB	0 B
./bundle/sandbox-macos-restrictive-proxied.sb	3.56 kB	0 B

_{compressed-size-action}

[galz10]

/patch preview

[github-actions]

✅ Patch workflow(s) dispatched successfully!

📋 Details:

• Channels: preview
• Commit: 171103aedc9f3eecf6736f318adaf1386ad1b818
• Workflows Created: 1

🔗 Track Progress:

• View patch workflows
• This workflow run

[github-actions]

🚀 Patch PR Created!

📋 Patch Details:

• Environment: prod
• Channel: preview → will publish to npm tag preview
• Commit: 171103aedc9f3eecf6736f318adaf1386ad1b818
• Hotfix Branch: hotfix/v0.20.0-preview.2/0.20.0-preview.5/preview/cherry-pick-171103a/pr-14742
• Hotfix PR: #14752

📝 Next Steps:

1. Review and approve the hotfix PR: #14752
2. Once merged, the patch release will automatically trigger
3. You'll receive updates here when the release completes

🔗 Track Progress:

• View hotfix PR #14752

[github-actions]

🚀 Patch Release Started!

📋 Release Details:

• Environment: prod
• Channel: preview → publishing to npm tag preview
• Version: v0.20.0-preview.2
• Hotfix PR: Merged ✅
• Release Branch: release/v0.20.0-preview.2-pr-14742

⏳ Status: The patch release is now running. You'll receive another update when it completes.

🔗 Track Progress:

• View release workflow

[github-actions]

✅ Patch Release Complete!

📦 Release Details:

• Version: 0.20.0-preview.5
• NPM Tag: preview
• Channel: preview
• Dry Run: false

🎉 Status: Your patch has been successfully released and published to npm!

📝 What's Available:

• GitHub Release: View release v0.20.0-preview.5
• NPM Package: npm install @google/gemini-cli@preview

🔗 Links:

• GitHub Release
• Workflow Run