feat(workflows): reduce restrictions for invoking workflows for private repos #177
Conversation
@gemini-cli /review
📋 Review Summary
The pull request relaxes the trigger conditions for the workflows in private repositories. This change is consistently applied across all workflows and seems like a reasonable trade-off between security and convenience for private repositories.
🔍 General Feedback
- The changes are clear and consistently applied to all relevant workflow files.
- The new condition `github.event.repository.private == true` is a good way to differentiate the behavior between public and private repositories.
- The code is well-commented, explaining the reason for the complex condition.
I've had to make this adjustment manually to use these workflows. Happy to see this going through! 🥳
@leehagoodjames it looks like this is breaking on our repo now. #180 was skipped:

Happy to revert if that is helpful, but we were seeing skips before this change because Example from #171

Hmm okay. Weird
## What's Changed

* Highlight core tools and mcp servers in configuration docs by @jerop in #160
* feat(/review): support pull_request_review & pull_request_review_comment events by @leehagoodjames in #161
* Github-workflow to automate validation of new PRs based on Contribution Guidelines of the repository by @jasmeetsb in #162
* fix: Update gemini-issue-automated-triage.yml by @teolemon in #165
* Add instruction for code review limit. by @aliciatang07 in #168
* feat(logging): Enable debug logging across all workflows and gemini-cli by @leehagoodjames in #178
* feat(workflows): reduce restrictions for invoking workflows for private repos by @leehagoodjames in #177
* fix(runner): capture stderr and stdout after command finishes by @sethvargo in #183
* chore(logging): only enable Gemini debug when DEBUG is set by @sethvargo in #180
* feat: improve gemini issue triage workflow by @jerop in #171

## New Contributors

* @jasmeetsb made their first contribution in #162
* @teolemon made their first contribution in #165

**Full Changelog**: v0.1.10...v0.1.11
The workflows for https://github.com/google-github-actions/run-gemini-cli enable restrictions on who can invoke them, to prevent abuse scenarios by untrusted users.
A better solution would enable reliably checking repository membership with `github.event.issue.author_association`, but this is not possible since `github.event.issue.author_association` can return `CONTRIBUTOR` even when the author is also a `MEMBER`. Given this, actions/github-script#643 has been filed with GitHub to allow actions to more easily check for membership.

This mitigation simplifies the experience for private repos.
Fixes #163
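To illustrate the kind of trigger gate the PR description talks about, here is an added example workflow (not code from the run-gemini-cli repository): the job runs unconditionally in a private repository, and in a public repository only when the commenter's association is on an allow-list. The trusted-association list, the job and step names, and the use of `github.event.comment.author_association` (rather than the issue's) are assumptions for illustration.

```yaml
# Added example, not the project's own workflow. Demonstrates gating a job on
# repository visibility OR the commenter's author_association.
name: gated-review-example

on:
  issue_comment:
    types: [created]

permissions:
  contents: read
  issues: read
  pull-requests: read

jobs:
  review:
    # Run when EITHER
    #  (a) the repository is private, so anyone who can comment was already
    #      granted access by the repo owners (the relaxation the PR adds), OR
    #  (b) the commenter's association is one we trust in a public repo.
    # author_association alone is not a reliable membership check: it can
    # report CONTRIBUTOR for someone who is also a MEMBER (see the PR
    # description), which is why the private-repo branch exists.
    # The allow-list below is an assumption; tune it per repository.
    if: >-
      github.event.repository.private == true ||
      contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'),
               github.event.comment.author_association)
    runs-on: ubuntu-latest
    steps:
      - name: Show the gate inputs (placeholder for the real review step)
        # Pass event data through env rather than interpolating into the
        # script, so the step body never contains expression-expanded text.
        env:
          REPO_PRIVATE: ${{ github.event.repository.private }}
          ASSOCIATION: ${{ github.event.comment.author_association }}
        run: |
          echo "private=$REPO_PRIVATE association=$ASSOCIATION"
```

In a public repository a comment from a CONTRIBUTOR (or NONE) is skipped at the `if:` gate and the job never reaches a runner, which is the behaviour the `#180 was skipped` report above reflects when the condition does not match.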