diff --git a/.github/workflows/gemini-review.yml b/.github/workflows/gemini-review.yml index 252d4130..20183fc8 100644 --- a/.github/workflows/gemini-review.yml +++ b/.github/workflows/gemini-review.yml @@ -33,8 +33,9 @@ jobs: uses: 'google-github-actions/run-gemini-cli@v0' # ratchet:exclude id: 'gemini_pr_review' env: - ISSUE_TITLE: '${{ github.event.pull_request.title || github.event.issue.title }}' - ISSUE_BODY: '${{ github.event.pull_request.body || github.event.issue.body }}' + # ISSUE_TITLE and ISSUE_BODY intentionally omitted: passing raw GitHub event + # content directly as env vars is a prompt-injection vector. The gemini-cli + # agent must fetch issue/PR content via the GitHub API using PULL_REQUEST_NUMBER. PULL_REQUEST_NUMBER: '${{ github.event.pull_request.number || github.event.issue.number }}' PR_OWNER: 'google' PR_REPO: 'secops-wrapper' diff --git a/.github/workflows/integration_test.yml b/.github/workflows/integration_test.yml index 24dac492..f19ef223 100644 --- a/.github/workflows/integration_test.yml +++ b/.github/workflows/integration_test.yml @@ -33,7 +33,7 @@ jobs: has_sha: ${{ steps.extract-sha.outputs.result != '' }} steps: - - uses: actions/checkout@v6 + - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - name: Extract commit SHA from comment id: extract-sha @@ -195,12 +195,12 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: ref: ${{ needs.check-authorization.outputs.commit_sha }} - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: '3.11' cache: 'pip' diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 5526e33e..10a2c577 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -16,10 +16,10 @@ jobs: steps: - name: Check out repository code - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: '3.10' cache: 'pip' diff --git a/.github/workflows/publish-pypi.yml b/.github/workflows/publish-pypi.yml index 3e859aa5..8e22d4c5 100644 --- a/.github/workflows/publish-pypi.yml +++ b/.github/workflows/publish-pypi.yml @@ -26,12 +26,12 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 with: fetch-depth: 0 # Full history for changelog generation - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: '3.11' @@ -264,10 +264,10 @@ jobs: steps: - name: Checkout code - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - name: Set up Python - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: '3.11' diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index a6dad170..793b6b3f 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -20,10 +20,10 @@ jobs: steps: - name: Check out repository code - uses: actions/checkout@v6 + uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@v6 + uses: actions/setup-python@ece7cb06caefa5fff74198d8649806c4678c61a1 # v6 with: python-version: ${{ matrix.python-version }} cache: 'pip'