
Refactor: exclude transient CI configuration files from workspace context #28216

Open

DavidAPierce wants to merge 2 commits into main from davidapierce/workspaceContext

Refactor: exclude transient CI configuration files from workspace context#28216
DavidAPierce wants to merge 2 commits into
mainfrom
davidapierce/workspaceContext

Conversation

@DavidAPierce (Contributor) commented Jun 29, 2026

Summary

This PR updates the WorkspaceContext path validation to explicitly exclude transient GitHub Actions credential files (gha-creds-*.json) from being considered part of the active workspace.

These files are dynamically generated by CI workflows (such as google-github-actions/auth) and contain transient configuration that the agent does not need to access. Explicitly excluding them ensures cleaner workspace boundaries and prevents the agent from accidentally reading or processing these temporary files during local or CI runs.

Details

  • Core: Updated isPathWithinWorkspace in workspaceContext.ts to block path segments matching the gha-creds-*.json pattern.
  • Tests: Added unit tests in workspaceContext.test.ts to verify the exclusion logic (including case-insensitivity and nested paths) and ensure standard files (like package.json) remain unaffected.

How to Validate

Execute the unit tests targeting WorkspaceContext:

npx vitest run packages/core/src/utils/workspaceContext.test.ts

Pre-Merge Checklist

  • Updated relevant documentation and README (if needed)
  • Added/updated tests (if needed)
  • Noted breaking changes (if any)
  • Validated on required platforms/methods:
    • MacOS
      • npm run
      • npx
      • Docker
      • Podman
      • Seatbelt
    • Windows
      • npm run
      • npx
      • Docker
    • Linux
      • npm run
      • npx
      • Docker

@DavidAPierce DavidAPierce requested a review from a team as a code owner June 29, 2026 21:36
@gemini-code-assist (Contributor) commented

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request improves the security posture of the workspace context by explicitly blacklisting GitHub Actions Workload Identity credential files. By preventing access to these sensitive files, the change mitigates potential security risks associated with accidental exposure or unauthorized access within the workspace environment.

Highlights

  • Security Enhancement: Added a new restriction to the workspace boundary enforcement to block access to GitHub Actions Workload Identity credentials matching the 'gha-creds-*.json' pattern.
  • Case-Insensitive Validation: Implemented the block using existing normalization logic to ensure that credential files are restricted regardless of their casing.
  • Test Coverage: Added comprehensive unit tests to verify that sensitive credential files are correctly rejected while standard files remain accessible.

@github-actions github-actions Bot added the size/s A small PR label Jun 29, 2026
@github-actions Bot commented

📊 PR Size: size/S

  • Lines changed: 32
  • Additions: +29
  • Deletions: -3
  • Files changed: 2

@gemini-cli gemini-cli Bot added the status/need-issue Pull requests that need to have an associated issue. label Jun 29, 2026

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request updates the WorkspaceContext class in packages/core/src/utils/workspaceContext.ts to block GitHub Actions Workload Identity credentials by rejecting files that start with gha-creds- and end with .json. It also adds corresponding unit tests in packages/core/src/utils/workspaceContext.test.ts to verify that these sensitive files are correctly rejected while non-matching files are allowed. There are no review comments, and I have no feedback to provide.

github-actions Bot commented Jun 29, 2026


Size Change: +180 B (0%)

Total Size: 35.2 MB

Filename Size Change
./bundle/chunk-24YXB2TQ.js 0 B -661 kB (removed) 🏆
./bundle/chunk-IPCFKUE7.js 0 B -3.65 MB (removed) 🏆
./bundle/chunk-KYCSYNFS.js 0 B -3.77 kB (removed) 🏆
./bundle/chunk-UCGDOWR2.js 0 B -19.5 kB (removed) 🏆
./bundle/chunk-UCXFE3P6.js 0 B -13 kB (removed) 🏆
./bundle/chunk-UZTVMDOM.js 0 B -16.2 MB (removed) 🏆
./bundle/chunk-WFY4ZVK7.js 0 B -49.2 kB (removed) 🏆
./bundle/chunk-X6N72HU7.js 0 B -3.43 kB (removed) 🏆
./bundle/core-4XL7TSWD.js 0 B -50 kB (removed) 🏆
./bundle/devtoolsService-VNONEVR4.js 0 B -147 kB (removed) 🏆
./bundle/gemini-DPDIH4LX.js 0 B -1.04 MB (removed) 🏆
./bundle/interactiveCli-P345HBPR.js 0 B -1.3 MB (removed) 🏆
./bundle/liteRtServerManager-Q2ZJUCG3.js 0 B -2.08 kB (removed) 🏆
./bundle/oauth2-provider-37WFGRTA.js 0 B -9.12 kB (removed) 🏆
./bundle/chunk-5OOHPRGD.js 661 kB +661 kB (new file) 🆕
./bundle/chunk-6C55EYRU.js 3.65 MB +3.65 MB (new file) 🆕
./bundle/chunk-DANEOKOQ.js 49.2 kB +49.2 kB (new file) 🆕
./bundle/chunk-EHDLEPJA.js 16.2 MB +16.2 MB (new file) 🆕
./bundle/chunk-EY7FVBYD.js 3.43 kB +3.43 kB (new file) 🆕
./bundle/chunk-KR3UWEUS.js 13 kB +13 kB (new file) 🆕
./bundle/chunk-T7CG7QKT.js 3.77 kB +3.77 kB (new file) 🆕
./bundle/chunk-X725QCHM.js 19.5 kB +19.5 kB (new file) 🆕
./bundle/core-UXQB7RVR.js 50 kB +50 kB (new file) 🆕
./bundle/devtoolsService-OFWOYEYM.js 147 kB +147 kB (new file) 🆕
./bundle/gemini-UEQFR44C.js 1.04 MB +1.04 MB (new file) 🆕
./bundle/interactiveCli-WPCKJJJC.js 1.3 MB +1.3 MB (new file) 🆕
./bundle/liteRtServerManager-R465BSQL.js 2.08 kB +2.08 kB (new file) 🆕
./bundle/oauth2-provider-UJVQM5TI.js 9.12 kB +9.12 kB (new file) 🆕
Unchanged files:
Filename Size Change
./bundle/bundled/third_party/index.js 8 MB 0 B
./bundle/chunk-34MYV7JD.js 2.45 kB 0 B
./bundle/chunk-5AUYMPVF.js 858 B 0 B
./bundle/chunk-5PS3AYFU.js 1.18 kB 0 B
./bundle/chunk-664ZODQF.js 124 kB 0 B
./bundle/chunk-DAHVX5MI.js 206 kB 0 B
./bundle/chunk-IUUIT4SU.js 56.5 kB 0 B
./bundle/chunk-TUDYL3X4.js 40.3 kB 0 B
./bundle/cleanup-SHLKDZ5Y.js 0 B -902 B (removed) 🏆
./bundle/devtools-TYCPOPV3.js 683 kB 0 B
./bundle/events-XB7DADIJ.js 418 B 0 B
./bundle/examples/hooks/scripts/on-start.js 188 B 0 B
./bundle/examples/mcp-server/example.js 1.43 kB 0 B
./bundle/gemini.js 5.38 kB 0 B
./bundle/getMachineId-bsd-TXG52NKR.js 1.55 kB 0 B
./bundle/getMachineId-darwin-7OE4DDZ6.js 1.55 kB 0 B
./bundle/getMachineId-linux-SHIFKOOX.js 1.34 kB 0 B
./bundle/getMachineId-unsupported-5U5DOEYY.js 1.06 kB 0 B
./bundle/getMachineId-win-6KLLGOI4.js 1.72 kB 0 B
./bundle/https-proxy-agent-AVGR4LHR.js 490 B 0 B
./bundle/multipart-parser-KPBZEGQU.js 11.7 kB 0 B
./bundle/sandbox-macos-permissive-open.sb 890 B 0 B
./bundle/sandbox-macos-permissive-proxied.sb 1.31 kB 0 B
./bundle/sandbox-macos-restrictive-open.sb 3.36 kB 0 B
./bundle/sandbox-macos-restrictive-proxied.sb 3.56 kB 0 B
./bundle/sandbox-macos-strict-open.sb 4.82 kB 0 B
./bundle/sandbox-macos-strict-proxied.sb 5.02 kB 0 B
./bundle/src-QVCVGIUX.js 47 kB 0 B
./bundle/src-XZYPU6PJ.js 352 kB 0 B
./bundle/start-4VAHH3BJ.js 0 B -622 B (removed) 🏆
./bundle/tree-sitter-7U6MW5PS.js 274 kB 0 B
./bundle/tree-sitter-bash-34ZGLXVX.js 1.84 MB 0 B
./bundle/worker/worker-entry.js 363 kB 0 B
./bundle/cleanup-4P6M4CIX.js 902 B +902 B (new file) 🆕
./bundle/start-BQ44JOHU.js 622 B +622 B (new file) 🆕

compressed-size-action

@DavidAPierce DavidAPierce changed the title Update workspaceContext for GitHub actions Refactor: exclude transient CI configuration files from workspace context Jun 29, 2026
Labels

size/s A small PR status/need-issue Pull requests that need to have an associated issue.
