From 9912577a2b425e3f1f5eb16a3ae3b9da0e49466d Mon Sep 17 00:00:00 2001
From: Seth Vargo
Date: Tue, 12 Aug 2025 22:12:28 -0400
Subject: chore(ci): Ensure docs-gen workflow are not vulnerable to injection attacks (#6100)
---
 .gcp/release-docker.yaml | 75 ------------------------------
 .gcp/release-docker.yml | 75 ++++++++++++++++++++++++++++++
 .github/ISSUE_TEMPLATE/bug_report.yml | 6 +--
 .github/ISSUE_TEMPLATE/feature_request.yml | 4 +-
 .github/workflows/docs-page-action.yml | 66 ++++++++++++--------------
 5 files changed, 111 insertions(+), 115 deletions(-)
 delete mode 100644 .gcp/release-docker.yaml
 create mode 100644 .gcp/release-docker.yml
diff --git a/.gcp/release-docker.yaml b/.gcp/release-docker.yaml
deleted file mode 100644
index 59220b8d..00000000
--- a/.gcp/release-docker.yaml
+++ /dev/null
@@ -1,75 +0,0 @@
-steps:
- # Step 1: Install root dependencies (includes workspaces)
- - name: 'us-west1-docker.pkg.dev/gemini-code-dev/gemini-code-containers/gemini-code-builder'
- id: 'Install Dependencies'
- entrypoint: 'npm'
- args: ['install']
-
- # Step 2: Authenticate for Docker (so we can push images to the artifact registry)
- - name: 'us-west1-docker.pkg.dev/gemini-code-dev/gemini-code-containers/gemini-code-builder'
- id: 'Authenticate docker'
- entrypoint: 'npm'
- args: ['run', 'auth']
-
- # Step 3: Build workspace packages
- - name: 'us-west1-docker.pkg.dev/gemini-code-dev/gemini-code-containers/gemini-code-builder'
- id: 'Build packages'
- entrypoint: 'npm'
- args: ['run', 'build:packages']
-
- # Step 4: Determine Docker Image Tag
- - name: 'us-west1-docker.pkg.dev/gemini-code-dev/gemini-code-containers/gemini-code-builder'
- id: 'Determine Docker Image Tag'
- entrypoint: 'bash'
- args:
- - -c
- - |
- SHELL_TAG_NAME="$TAG_NAME"
- FINAL_TAG="$SHORT_SHA" # Default to SHA
- if [[ "$$SHELL_TAG_NAME" == *"-nightly"* ]]; then
- echo "Nightly release detected."
- FINAL_TAG="$${SHELL_TAG_NAME#v}"
- # Also escape the variable in the regex match
- elif [[ "$$SHELL_TAG_NAME" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
- echo "Official release detected."
- FINAL_TAG="$${SHELL_TAG_NAME#v}"
- else
- echo "Development/RC release detected. Using commit SHA as tag."
- fi
- echo "Determined image tag: $$FINAL_TAG"
- echo "$$FINAL_TAG" > /workspace/image_tag.txt
-
- # Step 5: Build sandbox container image
- - name: 'us-west1-docker.pkg.dev/gemini-code-dev/gemini-code-containers/gemini-code-builder'
- id: 'Build sandbox Docker image'
- entrypoint: 'bash'
- args:
- - -c
- - |
- export GEMINI_SANDBOX_IMAGE_TAG=$$(cat /workspace/image_tag.txt)
- echo "Using Docker image tag for build: $$GEMINI_SANDBOX_IMAGE_TAG"
- npm run build:sandbox -- --output-file /workspace/final_image_uri.txt
- env:
- - 'GEMINI_SANDBOX=$_CONTAINER_TOOL'
-
- # Step 8: Publish sandbox container image
- - name: 'us-west1-docker.pkg.dev/gemini-code-dev/gemini-code-containers/gemini-code-builder'
- id: 'Publish sandbox Docker image'
- entrypoint: 'bash'
- args:
- - -c
- - |
- set -e
- FINAL_IMAGE_URI=$$(cat /workspace/final_image_uri.txt)
-
- echo "Pushing sandbox image: $${FINAL_IMAGE_URI}"
- $_CONTAINER_TOOL push "$${FINAL_IMAGE_URI}"
- env:
- - 'GEMINI_SANDBOX=$_CONTAINER_TOOL'
-
-options:
- defaultLogsBucketBehavior: REGIONAL_USER_OWNED_BUCKET
- dynamicSubstitutions: true
-
-substitutions:
- _CONTAINER_TOOL: 'docker'
diff --git a/.gcp/release-docker.yml b/.gcp/release-docker.yml
new file mode 100644
index 00000000..59220b8d
--- /dev/null
+++ b/.gcp/release-docker.yml
@@ -0,0 +1,75 @@
+steps:
+ # Step 1: Install root dependencies (includes workspaces)
+ - name: 'us-west1-docker.pkg.dev/gemini-code-dev/gemini-code-containers/gemini-code-builder'
+ id: 'Install Dependencies'
+ entrypoint: 'npm'
+ args: ['install']
+
+ # Step 2: Authenticate for Docker (so we can push images to the artifact registry)
+ - name: 'us-west1-docker.pkg.dev/gemini-code-dev/gemini-code-containers/gemini-code-builder'
+ id: 'Authenticate docker'
+ entrypoint: 'npm'
+ args: ['run', 'auth']
+
+ # Step 3: Build workspace packages
+ - name: 'us-west1-docker.pkg.dev/gemini-code-dev/gemini-code-containers/gemini-code-builder'
+ id: 'Build packages'
+ entrypoint: 'npm'
+ args: ['run', 'build:packages']
+
+ # Step 4: Determine Docker Image Tag
+ - name: 'us-west1-docker.pkg.dev/gemini-code-dev/gemini-code-containers/gemini-code-builder'
+ id: 'Determine Docker Image Tag'
+ entrypoint: 'bash'
+ args:
+ - -c
+ - |
+ SHELL_TAG_NAME="$TAG_NAME"
+ FINAL_TAG="$SHORT_SHA" # Default to SHA
+ if [[ "$$SHELL_TAG_NAME" == *"-nightly"* ]]; then
+ echo "Nightly release detected."
+ FINAL_TAG="$${SHELL_TAG_NAME#v}"
+ # Also escape the variable in the regex match
+ elif [[ "$$SHELL_TAG_NAME" =~ ^v[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+ echo "Official release detected."
+ FINAL_TAG="$${SHELL_TAG_NAME#v}"
+ else
+ echo "Development/RC release detected. Using commit SHA as tag."
+ fi
+ echo "Determined image tag: $$FINAL_TAG"
+ echo "$$FINAL_TAG" > /workspace/image_tag.txt
+
+ # Step 5: Build sandbox container image
+ - name: 'us-west1-docker.pkg.dev/gemini-code-dev/gemini-code-containers/gemini-code-builder'
+ id: 'Build sandbox Docker image'
+ entrypoint: 'bash'
+ args:
+ - -c
+ - |
+ export GEMINI_SANDBOX_IMAGE_TAG=$$(cat /workspace/image_tag.txt)
+ echo "Using Docker image tag for build: $$GEMINI_SANDBOX_IMAGE_TAG"
+ npm run build:sandbox -- --output-file /workspace/final_image_uri.txt
+ env:
+ - 'GEMINI_SANDBOX=$_CONTAINER_TOOL'
+
+ # Step 8: Publish sandbox container image
+ - name: 'us-west1-docker.pkg.dev/gemini-code-dev/gemini-code-containers/gemini-code-builder'
+ id: 'Publish sandbox Docker image'
+ entrypoint: 'bash'
+ args:
+ - -c
+ - |
+ set -e
+ FINAL_IMAGE_URI=$$(cat /workspace/final_image_uri.txt)
+
+ echo "Pushing sandbox image: $${FINAL_IMAGE_URI}"
+ $_CONTAINER_TOOL push "$${FINAL_IMAGE_URI}"
+ env:
+ - 'GEMINI_SANDBOX=$_CONTAINER_TOOL'
+
+options:
+ defaultLogsBucketBehavior: REGIONAL_USER_OWNED_BUCKET
+ dynamicSubstitutions: true
+
+substitutions:
+ _CONTAINER_TOOL: 'docker'
diff --git a/.github/ISSUE_TEMPLATE/bug_report.yml b/.github/ISSUE_TEMPLATE/bug_report.yml
index 9f78e2fe..cb6a456a 100644
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -4,8 +4,8 @@ labels: ['kind/bug', 'status/need-triage']
 body:
 - type: markdown
 attributes:
- value: |
- > [!IMPORTANT]
+ value: |-
+ > [!IMPORTANT]
 > Thanks for taking the time to fill out this bug report!
 >
 > Please search **[existing issues](https://github.com/google-gemini/gemini-cli/issues)** to see if an issue already exists for the bug you encountered.
@@ -30,7 +30,7 @@ body:
 attributes:
 label: Client information
 description: Please paste the full text from the `/about` command run from Gemini CLI. Also include which platform (macOS, Windows, Linux).
- value: |
+ value: |-
 ```console
diff --git a/.github/ISSUE_TEMPLATE/feature_request.yml b/.github/ISSUE_TEMPLATE/feature_request.yml
index c08de46a..bf4d4871 100644
--- a/.github/ISSUE_TEMPLATE/feature_request.yml
+++ b/.github/ISSUE_TEMPLATE/feature_request.yml
@@ -4,8 +4,8 @@ labels: ['kind/enhancement', 'status/need-triage']
 body:
 - type: markdown
 attributes:
- value: |
- > [!IMPORTANT]
+ value: |-
+ > [!IMPORTANT]
 > Thanks for taking the time to suggest an enhancement!
 >
 > Please search **[existing issues](https://github.com/google-gemini/gemini-cli/issues)** to see if a similar feature has already been requested.
diff --git a/.github/workflows/docs-page-action.yml b/.github/workflows/docs-page-action.yml
index 0c28dca6..59588109 100644
--- a/.github/workflows/docs-page-action.yml
+++ b/.github/workflows/docs-page-action.yml
@@ -1,54 +1,50 @@ -# Sample workflow for building and deploying a Jekyll site to GitHub Pages -name: Deploy Jekyll with GitHub Pages dependencies preinstalled +name: 'Deploy GitHub Pages' on: - # Runs on pushes targeting the default branch push: tags: 'v*' - - # Allows you to run this workflow manually from the Actions tab workflow_dispatch: -# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages permissions: - contents: read - pages: write - id-token: write + contents: 'read' + pages: 'write' + id-token: 'write' -# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued. -# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete. +# Allow only one concurrent deployment, skipping runs queued between the run +# in-progress and latest queued. However, do NOT cancel in-progress runs as we +# want to allow these production deployments to complete. concurrency: - group: 'pages' + group: '${{ github.workflow }}' cancel-in-progress: false jobs: build: - # This 'if' condition is the key. It ensures the job only runs if the - # tag name does NOT contain the substring 'nightly'. 
- if: "contains(github.ref_name, 'nightly') == false" - # Build job - runs-on: ubuntu-latest + if: |- + ${{ !contains(github.ref_name, 'nightly') }} + runs-on: 'ubuntu-latest' steps: - - name: Checkout - uses: actions/checkout@v4 - - name: Setup Pages - uses: actions/configure-pages@v5 - - name: Build with Jekyll - uses: actions/jekyll-build-pages@v1 + - name: 'Checkout' + uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5 + + - name: 'Setup Pages' + uses: 'actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b' # ratchet:actions/configure-pages@v5 + + - name: 'Build with Jekyll' + uses: 'actions/jekyll-build-pages@44a6e6beabd48582f863aeeb6cb2151cc1716697' # ratchet:actions/jekyll-build-pages@v1 with: - source: ./ - destination: ./_site - - name: Upload artifact - uses: actions/upload-pages-artifact@v3 + source: './' + destination: './_site' + + - name: 'Upload artifact' + uses: 'actions/upload-pages-artifact@56afc609e74202658d3ffba0e8f6dda462b719fa' # ratchet:actions/upload-pages-artifact@v3 - # Deployment job deploy: environment: - name: github-pages - url: ${{ steps.deployment.outputs.page_url }} - runs-on: ubuntu-latest - needs: build + name: 'github-pages' + url: '${{ steps.deployment.outputs.page_url }}' + runs-on: 'ubuntu-latest' + needs: 'build' steps: - - name: Deploy to GitHub Pages - id: deployment - uses: actions/deploy-pages@v4 + - name: 'Deploy to GitHub Pages' + id: 'deployment' + uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # ratchet:actions/deploy-pages@v4 -- cgit v1.2.3
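Review bot: The workflow-level `permissions` block still hands `pages: 'write'` and `id-token: 'write'` to both jobs, although in this file only `deploy` runs `actions/deploy-pages`; `build` checks out the repository and runs the Jekyll build over its content, so it is the job that should hold the least. Keeping `contents: 'read'` at the top level and granting the write scopes in a job-level `permissions:` block under `deploy` would limit what a compromised build step can do with the token. The `build` job probably still needs read access to Pages for `configure-pages`, so confirm that before narrowing. Separately, the `checkout` step can take `with: persist-credentials: false`, since nothing later in `build` uses the token through git. The final `uses:` line for `deploy-pages` is left unquoted, unlike every other `uses:` value in the new file.

```yaml
permissions:
  contents: 'read'

jobs:
  build:
    # … unchanged: if / runs-on …
    permissions:
      contents: 'read'
      pages: 'read' # for configure-pages; confirm this is sufficient
    # … unchanged: steps …

  deploy:
    permissions:
      pages: 'write'
      id-token: 'write'
    # … unchanged: environment / runs-on / needs / steps …
```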