chore: set explicit tag for first publish of a2a-server #11039
Conversation
Summary of ChangesHello @adamfweidman, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request addresses a critical publishing failure for the '@google/gemini-cli-a2a-server' package within the CI/CD pipeline. The change ensures that the 'npm publish' command for this specific package now explicitly uses a provided tag, rather than attempting to publish without one, which previously resulted in a 500 Internal Server Error. This fix is essential for the successful release and availability of the 'a2a-server' component. Highlights
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here. You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension. Footnotes
|
There was a problem hiding this comment.
Code Review
This pull request correctly addresses a nightly build failure by adding an explicit --tag when publishing the a2a-server package. However, the current implementation introduces a critical command injection vulnerability by directly using a workflow input within a shell command. This vulnerability should be remediated by passing the input as an environment variable to the step instead.
| npm publish --dry-run --workspace="@google/gemini-cli-a2a-server" --no-tag | ||
| else | ||
| npm publish --workspace="@google/gemini-cli-a2a-server" --no-tag | ||
| npm publish --workspace="@google/gemini-cli-a2a-server" --tag "${{ inputs.npm-tag }}" |
There was a problem hiding this comment.
Injecting ${{ inputs.npm-tag }} directly into the shell script creates a command injection vulnerability. A malicious tag value (e.g., foo\" ; rm -rf / #) could be used to execute arbitrary commands. To mitigate this, you should pass the input as an environment variable to the step using the env keyword, and then reference the environment variable in your script (e.g., ... --tag \"$NPM_TAG\").
Example of a secure implementation:
- name: Publish a2a-server
env:
NPM_TAG: ${{ inputs.npm-tag }}
run: |
# ...
npm publish --workspace="@google/gemini-cli-a2a-server" --tag "$NPM_TAG"
# ...|
Size Change: -2 B (0%) Total Size: 17.8 MB ℹ️ View Unchanged
|
TLDR
Recommended fix from previous Nighty run is to explicitly set tag for first publish.
https://github.com/google-gemini/gemini-cli/actions/runs/18468202923/job/52627225824
Error from previous Nightly: