Refactor: exclude transient CI configuration files from workspace context #28216
DavidAPierce wants to merge 2 commits into
Conversation
Summary of Changes
Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request improves the security posture of the workspace context by explicitly blacklisting GitHub Actions Workload Identity credential files. By preventing access to these sensitive files, the change mitigates potential security risks associated with accidental exposure or unauthorized access within the workspace environment.
Highlights
📊 PR Size: size/S
Code Review
This pull request updates the WorkspaceContext class in packages/core/src/utils/workspaceContext.ts to block GitHub Actions Workload Identity credentials by rejecting files that start with gha-creds- and end with .json. It also adds corresponding unit tests in packages/core/src/utils/workspaceContext.test.ts to verify that these sensitive files are correctly rejected while non-matching files are allowed. There are no review comments, and I have no feedback to provide.
Size Change: +180 B (0%) Total Size: 35.2 MB
Summary
This PR updates the `WorkspaceContext` path validation to explicitly exclude transient GitHub Actions credential files (`gha-creds-*.json`) from being considered part of the active workspace.

These files are dynamically generated by CI workflows (such as `google-github-actions/auth`) and contain transient configuration that the agent does not need to access. Explicitly excluding them ensures cleaner workspace boundaries and prevents the agent from accidentally reading or processing these temporary files during local or CI runs.

Details
- `isPathWithinWorkspace` in `workspaceContext.ts` to block path segments matching the `gha-creds-*.json` pattern.
- `workspaceContext.test.ts` to verify the exclusion logic (including case-insensitivity and nested paths) and ensure standard files (like `package.json`) remain unaffected.

How to Validate
Execute the unit tests targeting `WorkspaceContext`:

Pre-Merge Checklist
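The exclusion described in the PR (reject any path whose segment matches `gha-creds-*.json`, case-insensitively, at any nesting depth, while leaving files such as `package.json` alone) can be shown with a small stand-alone check. The code below is an added example written for this page, not the project's `workspaceContext.ts`; the function names `pathSegments`, `isTransientCredentialFile`, `rejectedPaths` and the two-argument `isPathWithinWorkspace(workspaceRoot, candidate)` signature are assumptions, and the sample paths are constructed. It also folds in a root-containment check (resolving the candidate against the workspace root and refusing anything that escapes it), which goes beyond the PR text but is the natural place for the credential-file exclusion to sit.

```typescript
import * as path from "node:path";

// Matches one path segment such as "gha-creds-abc123.json" (constructed sample name).
// The /i flag gives the case-insensitivity the PR description calls for.
const TRANSIENT_CREDENTIAL_SEGMENT = /^gha-creds-.*\.json$/i;

/** Split on both POSIX and Windows separators so every nested segment is inspected. */
export function pathSegments(p: string): string[] {
  return p.split(/[\\/]+/).filter((segment) => segment.length > 0);
}

/** True when any segment of the path names a transient GitHub Actions credential file. */
export function isTransientCredentialFile(p: string): boolean {
  return pathSegments(p).some((segment) => TRANSIENT_CREDENTIAL_SEGMENT.test(segment));
}

/**
 * Hypothetical containment check (assumed signature, not the project's own):
 * 1. resolve the candidate against the workspace root,
 * 2. refuse anything that escapes the root via ".." or an absolute path elsewhere,
 * 3. refuse transient credential files even when they sit inside the root.
 */
export function isPathWithinWorkspace(workspaceRoot: string, candidate: string): boolean {
  const root = path.resolve(workspaceRoot);
  const resolved = path.resolve(root, candidate);
  const relative = path.relative(root, resolved);
  const escapes =
    relative === ".." ||
    relative.startsWith(`..${path.sep}`) ||
    path.isAbsolute(relative);
  if (escapes) {
    return false;
  }
  return !isTransientCredentialFile(relative);
}

/** Convenience for auditing: returns the candidates the workspace check would refuse. */
export function rejectedPaths(workspaceRoot: string, candidates: string[]): string[] {
  return candidates.filter((candidate) => !isPathWithinWorkspace(workspaceRoot, candidate));
}

// Constructed sample input: a mix of ordinary source files and CI credential files.
export const SAMPLE_CANDIDATES = [
  "src/index.ts",
  "package.json",
  "ci/gha-creds-123.json",
  "GHA-CREDS-ABC.JSON",
  "../etc/passwd",
];
```

`rejectedPaths("/tmp/ws", SAMPLE_CANDIDATES)` returns the two credential files and the traversal attempt, leaving `src/index.ts` and `package.json` accepted. The match is applied per segment rather than to the whole string so that a credential file nested several directories deep is still caught, and the containment check runs first so that a rejected path never reveals whether the exclusion pattern matched.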