Adding an example for standalone security-review Github Action

[shrishabh]

This is the template for security review action.

[github-actions]

🤖 Hi @shrishabh, I've received your request, and I'm working on it now! You can track my progress in the logs for more details.

[github-actions]

📋 Review Summary

This pull request introduces a new example GitHub Actions workflow for running Gemini security analysis. The workflow is well-structured and provides a good starting point for users.

🔍 General Feedback

• The use of pinned actions for create-github-app-token and checkout is a good security practice.
• The workflow correctly uses concurrency controls to prevent multiple runs.
• A high-severity issue was found regarding the use of @main for the run-gemini-cli action, which should be addressed.

[github-actions]

🟠 For security and stability, it's recommended to pin the version of the google-github-actions/run-gemini-cli action to a specific release tag instead of using @main. This prevents unexpected breaking changes or malicious code from being introduced into your workflow.

Suggested change

	--body "${MESSAGE}" \
	uses: 'google-github-actions/run-gemini-cli@v1' # ratchet:exclude

[github-actions]

🟢 For better stability and to ensure consistent builds, consider pinning the runner version to a specific version (e.g., ubuntu-22.04) instead of using ubuntu-latest.

Suggested change

	review:
	runs-on: 'ubuntu-22.04'

[QuanZhang-William]

Should we put the file to

~/examples/security-review.yml like https://github.com/google-github-actions/run-gemini-cli/tree/main/examples

[shrishabh]

Eventually, yes. I think we are waiting for the go-ahead from run-gemini-cli team to add the security-review. Adding it here so that we can test and then refer to when we move to the gemini-cli repository.

[QuanZhang-William]

If we want to test this workflow in our repo, we need to restructure the folder to .github/workflows/security-review.yml. GHA does not support subfolders under .github/workflows/.

We should also temporarily disable the original code review workflow, as it will generate duplicated comments for us.

[github-actions]

## 📋 Security Analysis Summary

This pull request adds a reusable GitHub Actions workflow for security analysis. The workflow is well-structured, but it has a potential prompt injection vulnerability and uses an unpinned version of a GitHub Action, which is not a secure practice.

🔍 General Feedback

• The workflow is well-documented and easy to understand.
• Pinning actions to a specific version is a crucial security measure to prevent supply chain attacks.
• Always treat user-provided input as untrusted and sanitize it before using it in sensitive contexts like prompts for language models.

[github-actions]

Medium The `ADDITIONAL_CONTEXT` input is passed as an environment variable to the `google-github-actions/run-gemini-cli@main` action. This input is likely used in the prompt to the Gemini model. If a user of this reusable workflow provides a malicious string, it could be used to manipulate the model's behavior, leading to a prompt injection vulnerability. The `google-github-actions/run-gemini-cli@main` action should sanitize the `ADDITIONAL_CONTEXT` input to prevent prompt injection. If sanitization is not possible, the action should provide clear documentation about the risk of prompt injection and how to mitigate it.

[github-actions]

Low The workflow uses `google-github-actions/run-gemini-cli@main`, which points to the `main` branch. This is not a secure practice because the `main` branch could be updated with a malicious version of the action.

Suggested change

	with:
	uses: 'google-github-actions/run-gemini-cli@v1.0.0' # ratchet:exclude

[anguillanneuf]

@gemini-cli /review

[github-actions]

🤖 Hi @anguillanneuf, I've received your request, and I'm working on it now! You can track my progress in the logs for more details.

[github-actions]

## 📋 Review Summary

This pull request adds a new example workflow for a standalone security review GitHub Action. The workflow is well-structured and follows good practices for security and concurrency.

🔍 General Feedback

• The use of pinned actions for actions/checkout and actions/create-github-app-token is excellent.
• The workflow permissions are well-defined and scoped to what is necessary.
• The acknowledgment comment is a nice touch for user experience.

I've added a couple of inline suggestions to improve the workflow's trigger condition and to pin the run-gemini-cli action for better stability and security.

[github-actions]

🟡 The `if` condition for triggering the review on an issue comment is very specific (`github.event.comment.body == '@gemini-cli /review'`). This means that any extra text in the comment will cause the check to fail. It would be more robust to use the `contains()` function to check for the trigger phrase.

Suggested change

	jobs:
	review:
	(github.event_name == 'issue_comment' && contains(github.event.comment.body, '@gemini-cli /review'))

[github-actions]

🟠 For security and stability, it's a best practice to pin GitHub Actions to a specific version (a git tag or a commit SHA) instead of a branch like `main`. This prevents unexpected changes from breaking your workflow.

Suggested change

	uses: 'google-github-actions/run-gemini-cli@v1' # ratchet:exclude

[github-actions]

🤖 Hi @anguillanneuf, I've received your request, and I'm working on it now! You can track my progress in the logs for more details.

[github-actions]

📋 Review Summary

This pull request introduces a new GitHub Actions workflow for running Gemini security analysis. The workflow is well-structured, but there are a few areas for improvement regarding maintainability and security best practices.

🔍 General Feedback

• Action Versioning: The workflow should pin actions to specific versions (tags) instead of commit SHAs or the main branch to ensure stability.
• Permissions: The id-token permission is overly permissive and should be restricted to read.
• Redundancy: There is some redundancy in the GitHub token handling that can be simplified.
• Error Handling: Consider adding explicit error handling to the workflow to provide better feedback on failures.

[github-actions]

🟡 For better workflow stability and to prevent unexpected changes, it's recommended to pin the version of the action to a specific tag instead of a commit hash.

Suggested change

	if: |-
	uses: 'actions/create-github-app-token@v1' # ratchet:actions/create-github-app-token@v2

[github-actions]

🟡 For better workflow stability and to prevent unexpected changes, it's recommended to pin the version of the action to a specific tag instead of a commit hash.

Suggested change

	--body "${MESSAGE}" \
	uses: 'actions/checkout@v4' # ratchet:actions/checkout@v5

[github-actions]

🟡 For better workflow stability and to prevent unexpected changes from the main branch, it is recommended to use a specific version tag for the google-github-actions/run-gemini-cli action.

Suggested change

	- name: 'Checkout repository'
	uses: 'google-github-actions/run-gemini-cli@v1' # ratchet:exclude

[github-actions]

🟡 The id-token permission should be set to read as it is only used for authentication with the Workload Identity Provider. The write permission is not necessary and violates the principle of least privilege.

Suggested change

	permissions:
	id-token: 'read'

[github-actions]

🟢 The secrets.GITHUB_TOKEN and github.token are redundant. You can simplify this by just using github.token.

Suggested change

	GITHUB_TOKEN: '${{ steps.mint_identity_token.outputs.token || github.token }}'

[github-actions]

🟢 The secrets.GITHUB_TOKEN and github.token are redundant. You can simplify this by just using github.token.

Suggested change

	uses: 'google-github-actions/run-gemini-cli@main' # ratchet:exclude
	GITHUB_TOKEN: '${{ steps.mint_identity_token.outputs.token || github.token }}'

[github-actions]

📋 Security Analysis Summary

This pull request introduces a new GitHub workflow for security analysis. The workflow is well-structured, but it contains a potential security vulnerability related to an unpinned GitHub Action.

🔍 General Feedback

• The workflow uses secrets to store sensitive information, which is a good practice.
• The permissions for the workflow are well-defined.

[github-actions]

Medium The GitHub Action 'google-github-actions/run-gemini-cli' is not pinned to a specific commit SHA. This could allow a malicious actor to inject code into the action and compromise the CI/CD pipeline.

Suggested change

	gcp_project_id: '${{ vars.GOOGLE_CLOUD_PROJECT }}'
	uses: 'google-github-actions/run-gemini-cli@v1'

[QuanZhang-William]

@gemini-cli /review

[github-actions]

🤖 Hi @QuanZhang-William, I've received your request, and I'm working on it now! You can track my progress in the logs for more details.

[github-actions]

📋 Security Analysis Summary

This pull request introduces a new GitHub workflow for running Gemini security analysis. The workflow is well-structured and uses appropriate permissions. The security scan identified a few areas for improvement related to the use of third-party GitHub Actions.

🔍 General Feedback

• The workflow correctly uses secrets for sensitive data like APP_PRIVATE_KEY.
• The use of a dedicated GitHub App token for authentication is a good security practice.
• Consider pinning all GitHub Actions to a specific commit SHA for improved security and reproducibility.

[github-actions]

LOW Use of outdated GitHub Action

Suggested change

	pull-requests: 'write'
	uses: 'actions/create-github-app-token@v2'

[github-actions]

LOW Use of outdated GitHub Action

Suggested change

	🤖 Hi @${{ github.actor }}, I've received your request, and I'm working on it now! You can track my progress [in the logs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for more details.
	uses: 'actions/checkout@v5'

[github-actions]

MEDIUM Use of mutable GitHub Action reference

Suggested change

	gh issue comment "${ISSUE_NUMBER}" \
	uses: 'google-github-actions/run-gemini-cli@v1'