Infrastructure/11405 gemini automation #12019
Conversation
…11405-gemini-automation.
…05-gemini-automation.
…05-gemini-automation.
aaemnnosttv
left a comment
aaemnnosttv
left a comment
There was a problem hiding this comment.
Thanks @eugene-manuilov, this is a good start, just a few things to address and consider.
| - name: Run /implement command | ||
| run: | | ||
| gemini --yolo --model gemini-3-pro-preview "/implement ${{ inputs.issue_number }}" | ||
| env: | ||
| GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }} | ||
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} |
There was a problem hiding this comment.
Since we can't further restrict the capabilities of the GITHUB_TOKEN here, we should perhaps exclude it since the model should only need read-only access which it should already have as a public repo. If it is needed, perhaps we can provide a PAT with read-only access. Pushing to the repo doesn't happen until the next step anyways so I'd think this should be ok.
There was a problem hiding this comment.
Unfortunately, we need it here. I have updated the gemini settings to restrict the GitHub MCP to allow only the issue toolchain and excluded all tools except the one that reads issue details. Will it work for you?
There was a problem hiding this comment.
Thanks – can you be more specific as to what the token is needed for? If it's readonly, then I would think it might even work without a token at all (except for rate limits), but otherwise, we could provide a token which is readonly using a fine-grained token. Even with the limited toolchain, I don't think we should expose/provide a model which is capable of writing anything.
There was a problem hiding this comment.
Sure, let's use a fine-grained token that has access only to public repositories. Do you want me creating it or you will create it and add as GITHUB_READONLY_TOKEN?
There was a problem hiding this comment.
We can do that, but it would require adding another token that needs rotating due to policy limitations.
How about we split it into two jobs and configure the permissions for each to be scoped as needed? That way we can still use the default GITHUB_TOKEN but it only needs write access to create the PR (correct?). I realize this would make it a little slower because we'd need to upload the changes as an artifact and then download them again afterwards to create a PR with.
Alternatively, we could keep it as a single job and change the permissions to be read only and then use the bot token for creating the PR since permissions only apply to the github token? This might be more appropriate anyways. WDYT?
There was a problem hiding this comment.
Ok, I have moved PR creation and comment posting into a new job with write permissions and updated this job to have read-only permissions. It should solve all our concerns here, right?
Co-authored-by: Evan Mattson <[email protected]>
…05-gemini-automation.
…05-gemini-automation.
aaemnnosttv
left a comment
aaemnnosttv
left a comment
There was a problem hiding this comment.
Thanks @eugene-manuilov , this is nearly there. Just a few last details. See also my reply about the token permissions.
.gemini/settings.json
Outdated
| "exclude": [ | ||
| "github__add_issue_comment", | ||
| "github__assign_copilot_to_issue", | ||
| "github__get_label", | ||
| "github__issue_write", | ||
| "github__list_issue_types", | ||
| "github__list_issues", | ||
| "github__search_issues", | ||
| "github__sub_issue_write" | ||
| ] |
There was a problem hiding this comment.
Can we define this as an allowlist instead?
There was a problem hiding this comment.
Yeah, good idea, updated.
.gemini/commands/implement.toml
Outdated
| **1. Understand the Task** | ||
| - Carefully read the Implementation Brief from Phase 1 | ||
| - Break down complex requirements into discrete steps | ||
| - Plan your implementation approach before writing code | ||
| - Identify all files that need to be created, modified, or deleted |
There was a problem hiding this comment.
Let's update this to mention the AC being the actual requirements that must be met now that it's included in the context collected in phase 1.
.gemini/commands/implement.toml
Outdated
| Follow these implementation guidelines: | ||
| **1. Understand the Task** |
There was a problem hiding this comment.
It might not make a difference for the model to comprehend, but as an ordered list, I think the formatting should only apply to the list item text, not the number, otherwise it doesn't become an actual list.
e.g.
- step 1
- step 2
rather than
1. step 1
2. step 2
Looking below, I can see the formatting is applied inconsistently where both forms are used in different places.
| Check compliance with the extracted "Acceptance criteria": | ||
| - ✓ Implementation fulfills all points in "Acceptance criteria" |
There was a problem hiding this comment.
Great! I still think it's probably worth mentioning in the instructions to understand the task beforehand though.
There was a problem hiding this comment.
Not sure where you mean we need to add it. Can you clarify?
| implement: | ||
| name: Implement Issue | ||
| runs-on: ubuntu-latest | ||
| timeout-minutes: 60 |
There was a problem hiding this comment.
This seems longer than reasonable. How long have we seen it take so far?
There was a problem hiding this comment.
I don't know how much time it can take when we actually trigger it as a GitHub workflow. Let's have 60 for now and update once we see how it actually works.
…05-gemini-automation.
…creation using patch files and granular permissions.
2 participants
Summary
Addresses issue:
Relevant technical choices
PR Author Checklist
Do not alter or remove anything below. The following sections will be managed by moderators only.
Code Reviewer Checklist
Merge Reviewer Checklist