diff --git a/.github/workflows/chained_e2e.yml b/.github/workflows/chained_e2e.yml
index fe87fb1d5..5319fa825 100644
--- a/.github/workflows/chained_e2e.yml
+++ b/.github/workflows/chained_e2e.yml
@@ -115,7 +115,7 @@ jobs:
 if: "github.repository == 'google-gemini/gemini-cli' && always()"
 steps:
 - name: 'Set pending status'
- uses: 'myrotvorets/set-commit-status-action@16037e056d73b2d3c88e37e393ff369047f70886' # ratchet:myrotvorets/set-commit-status-action@master
+ uses: 'myrotvorets/set-commit-status-action@8595a0295138ef0f89657bff1c381470ac272aae' # ratchet:myrotvorets/set-commit-status-action@master
 if: "github.repository == 'google-gemini/gemini-cli' && always()"
 with:
 allowForks: 'true'
@@ -385,7 +385,7 @@ jobs:
 - 'e2e'
 steps:
 - name: 'Set workflow status'
- uses: 'myrotvorets/set-commit-status-action@16037e056d73b2d3c88e37e393ff369047f70886' # ratchet:myrotvorets/set-commit-status-action@master
+ uses: 'myrotvorets/set-commit-status-action@8595a0295138ef0f89657bff1c381470ac272aae' # ratchet:myrotvorets/set-commit-status-action@master
 if: "github.repository == 'google-gemini/gemini-cli' && always()"
 with:
 allowForks: 'true'
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index d40b49bb6..290fe1f4f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -125,7 +125,7 @@ jobs:
 - name: 'Checkout'
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
 - name: 'Link Checker'
- uses: 'lycheeverse/lychee-action@885c65f3dc543b57c898c8099f4e08c8afd178a2' # ratchet: lycheeverse/lychee-action@v2.6.1
+ uses: 'lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411' # ratchet: lycheeverse/lychee-action@v2.8.0
 with:
 args: '--verbose --accept 200,503 ./**/*.md'
 fail: true
@@ -358,7 +358,7 @@ jobs:
 ref: '${{ github.event.inputs.branch_ref || github.ref }}'
 fetch-depth: 1
 
- - uses: 'preactjs/compressed-size-action@946a292cd35bd1088e0d7eb92b69d1a8d5b5d76a'
+ - uses: 'preactjs/compressed-size-action@66325aad6443cb7cf89c4bfcd414aea2367cda94'
 with:
 repo-token: '${{ secrets.GITHUB_TOKEN }}'
 pattern: './bundle/**/*.{js,sb}'
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
new file mode 100644
index 000000000..ec93be49f
--- /dev/null
+++ b/.github/workflows/codeql.yml
@@ -0,0 +1,103 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL Advanced"
+
+on:
+ push:
+ branches: [ "main" ]
+ pull_request:
+ branches: [ "main" ]
+ schedule:
+ - cron: '23 8 * * 4'
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ # Runner size impacts CodeQL analysis time. To learn more, please see:
+ # - https://gh.io/recommended-hardware-resources-for-running-codeql
+ # - https://gh.io/supported-runners-and-hardware-resources
+ # - https://gh.io/using-larger-runners (GitHub.com only)
+ # Consider using larger runners or machines with greater resources for possible analysis time improvements.
+ runs-on: ${{ (matrix.language == 'swift' && 'macos-latest') || 'ubuntu-latest' }}
+ permissions:
+ # required for all workflows
+ security-events: write
+
+ # required to fetch internal or private CodeQL packs
+ packages: read
+
+ # only required for workflows in private repositories
+ actions: read
+ contents: read
+
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - language: actions
+ build-mode: none
+ - language: csharp
+ build-mode: none
+ - language: javascript-typescript
+ build-mode: none
+ # CodeQL supports the following values keywords for 'language': 'actions', 'c-cpp', 'csharp', 'go', 'java-kotlin', 'javascript-typescript', 'python', 'ruby', 'rust', 'swift'
+ # Use `c-cpp` to analyze code written in C, C++ or both
+ # Use 'java-kotlin' to analyze code written in Java, Kotlin or both
+ # Use 'javascript-typescript' to analyze code written in JavaScript, TypeScript or both
+ # To learn more about changing the languages that are analyzed or customizing the build mode for your analysis,
+ # see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/customizing-your-advanced-setup-for-code-scanning.
+ # If you are analyzing a compiled language, you can modify the 'build-mode' for that language to customize how
+ # your codebase is analyzed, see https://docs.github.com/en/code-security/code-scanning/creating-an-advanced-setup-for-code-scanning/codeql-code-scanning-for-compiled-languages
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+
+ # Add any setup steps before running the `github/codeql-action/init` action.
+ # This includes steps like installing compilers or runtimes (`actions/setup-node`
+ # or others). This is typically only required for manual builds.
+ # - name: Setup runtime (example)
+ # uses: actions/setup-example@v1
+
+ # Initializes the CodeQL tools for scanning.
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v4
+ with:
+ languages: ${{ matrix.language }}
+ build-mode: ${{ matrix.build-mode }}
+ # If you wish to specify custom queries, you can do so here or in a config file.
+ # By default, queries listed here will override any specified in a config file.
+ # Prefix the list here with "+" to use these queries and those in the config file.
+
+ # For more details on CodeQL's query packs, refer to: https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
+ # queries: security-extended,security-and-quality
+
+ # If the analyze step fails for one of the languages you are analyzing with
+ # "We were unable to automatically build your code", modify the matrix above
+ # to set the build mode to "manual" for that language. Then modify this step
+ # to build your code.
+ # â„šī¸ Command-line programs to run using the OS shell.
+ # 📚 See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idstepsrun
+ - name: Run manual build steps
+ if: matrix.build-mode == 'manual'
+ shell: bash
+ run: |
+ echo 'If you are using a "manual" build mode for one or more of the' \
+ 'languages you are analyzing, replace this with the commands to build' \
+ 'your code, for example:'
+ echo ' make bootstrap'
+ echo ' make release'
+ exit 1
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v4
+ with:
+ category: "/language:${{matrix.language}}"
diff --git a/.github/workflows/community-report.yml b/.github/workflows/community-report.yml
index e0aaf90db..a9a1df061 100644
--- a/.github/workflows/community-report.yml
+++ b/.github/workflows/community-report.yml
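Review bot: The three `uses:` lines in the new codeql.yml (`actions/checkout@v4`, `github/codeql-action/init@v4`, `github/codeql-action/analyze@v4`) reference floating major-version tags, while every other workflow touched in this change pins actions to a full commit SHA with a `# ratchet:` comment, so this file is the one place where a moved tag silently changes what runs in CI. Pin them the same way, e.g. `uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5` (the SHA already used in ci.yml) and `uses: 'github/codeql-action/init@<PINNED_SHA>' # ratchet:github/codeql-action/init@v4`, with the resolved SHA for the analyze step likewise. The `csharp` entry in the language matrix also looks like an artefact of the template's auto-detection for what the rest of this diff shows to be a TypeScript/Node repository; if there is no C# source, dropping it saves one CodeQL run per trigger, though that cannot be confirmed from the hunk alone.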
@@ -168,7 +168,7 @@ jobs:
 - name: '🤖 Get Insights from Report'
 if: |-
 ${{ steps.report.outputs.report_body != '' }}
- uses: 'google-github-actions/run-gemini-cli@a3bf79042542528e91937b3a3a6fbc4967ee3c31' # ratchet:google-github-actions/run-gemini-cli@v0
+ uses: 'google-github-actions/run-gemini-cli@9dbec29a20fab3f35017a40ad0eb798a257d4d51' # ratchet:google-github-actions/run-gemini-cli@v0
 env:
 GITHUB_TOKEN: '${{ steps.generate_token.outputs.token }}'
 REPOSITORY: '${{ github.repository }}'
diff --git a/.github/workflows/eval-guidance.yml b/.github/workflows/eval-guidance.yml
index e1f1ab316..1458764bf 100644
--- a/.github/workflows/eval-guidance.yml
+++ b/.github/workflows/eval-guidance.yml
@@ -54,7 +54,7 @@ jobs:
 
 - name: 'Post Guidance Comment'
 if: "steps.detect.outputs.STEERING_DETECTED == 'true'"
- uses: 'thollander/actions-comment-pull-request@65f9e5c9a1f2cd378bd74b2e057c9736982a8e74' # ratchet:thollander/actions-comment-pull-request@v3
+ uses: 'thollander/actions-comment-pull-request@e4a76dd2b0a3c2027c3fd84147a67c22ee4c90fa' # ratchet:thollander/actions-comment-pull-request@v3
 with:
 comment-tag: 'eval-guidance-bot'
 message: |
diff --git a/.github/workflows/gemini-automated-issue-dedup.yml b/.github/workflows/gemini-automated-issue-dedup.yml
index 0fe02b553..cb3899238 100644
--- a/.github/workflows/gemini-automated-issue-dedup.yml
+++ b/.github/workflows/gemini-automated-issue-dedup.yml
@@ -50,14 +50,14 @@ jobs:
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
 
 - name: 'Log in to GitHub Container Registry'
- uses: 'docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1' # ratchet:docker/login-action@v3
+ uses: 'docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2' # ratchet:docker/login-action@v3
 with:
 registry: 'ghcr.io'
 username: '${{ github.actor }}'
 password: '${{ secrets.GITHUB_TOKEN }}'
 
 - name: 'Find Duplicate Issues'
- uses: 'google-github-actions/run-gemini-cli@a3bf79042542528e91937b3a3a6fbc4967ee3c31' # ratchet:google-github-actions/run-gemini-cli@v0
+ uses: 'google-github-actions/run-gemini-cli@9dbec29a20fab3f35017a40ad0eb798a257d4d51' # ratchet:google-github-actions/run-gemini-cli@v0
 id: 'gemini_issue_deduplication'
 env:
 GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
diff --git a/.github/workflows/gemini-automated-issue-triage.yml b/.github/workflows/gemini-automated-issue-triage.yml
index 1cab2abaa..dd9d5e081 100644
--- a/.github/workflows/gemini-automated-issue-triage.yml
+++ b/.github/workflows/gemini-automated-issue-triage.yml
@@ -130,7 +130,7 @@ jobs:
 return labelNames;
 
 - name: 'Run Gemini Issue Analysis'
- uses: 'google-github-actions/run-gemini-cli@a3bf79042542528e91937b3a3a6fbc4967ee3c31' # ratchet:google-github-actions/run-gemini-cli@v0
+ uses: 'google-github-actions/run-gemini-cli@9dbec29a20fab3f35017a40ad0eb798a257d4d51' # ratchet:google-github-actions/run-gemini-cli@v0
 id: 'gemini_issue_analysis'
 env:
 GITHUB_TOKEN: '' # Do not pass any auth token here since this runs on untrusted inputs
diff --git a/.github/workflows/gemini-scheduled-issue-dedup.yml b/.github/workflows/gemini-scheduled-issue-dedup.yml
index 46a6f4628..2aaf8d066 100644
--- a/.github/workflows/gemini-scheduled-issue-dedup.yml
+++ b/.github/workflows/gemini-scheduled-issue-dedup.yml
@@ -30,14 +30,14 @@ jobs:
 uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
 
 - name: 'Log in to GitHub Container Registry'
- uses: 'docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1' # ratchet:docker/login-action@v3
+ uses: 'docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2' # ratchet:docker/login-action@v3
 with:
 registry: 'ghcr.io'
 username: '${{ github.actor }}'
 password: '${{ secrets.GITHUB_TOKEN }}'
 
 - name: 'Run Gemini Issue Deduplication Refresh'
- uses: 'google-github-actions/run-gemini-cli@a3bf79042542528e91937b3a3a6fbc4967ee3c31' # ratchet:google-github-actions/run-gemini-cli@v0
+ uses: 'google-github-actions/run-gemini-cli@9dbec29a20fab3f35017a40ad0eb798a257d4d51' # ratchet:google-github-actions/run-gemini-cli@v0
 id: 'gemini_refresh_embeddings'
 env:
 GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
diff --git a/.github/workflows/gemini-scheduled-issue-triage.yml b/.github/workflows/gemini-scheduled-issue-triage.yml
index 50dd56883..eed664eab 100644
--- a/.github/workflows/gemini-scheduled-issue-triage.yml
+++ b/.github/workflows/gemini-scheduled-issue-triage.yml
@@ -101,7 +101,7 @@ jobs:
 if: |-
 (steps.get_issue_from_event.outputs.issues_to_triage != '' && steps.get_issue_from_event.outputs.issues_to_triage != '[]') || (steps.find_issues.outputs.issues_to_triage != '' && steps.find_issues.outputs.issues_to_triage != '[]')
- uses: 'google-github-actions/run-gemini-cli@a3bf79042542528e91937b3a3a6fbc4967ee3c31' # ratchet:google-github-actions/run-gemini-cli@v0
+ uses: 'google-github-actions/run-gemini-cli@9dbec29a20fab3f35017a40ad0eb798a257d4d51' # ratchet:google-github-actions/run-gemini-cli@v0
 id: 'gemini_issue_analysis'
 env:
 GITHUB_TOKEN: '' # Do not pass any auth token here since this runs on untrusted inputs
diff --git a/.github/workflows/links.yml b/.github/workflows/links.yml
index 1ed45019f..f923ce56e 100644
--- a/.github/workflows/links.yml
+++ b/.github/workflows/links.yml
@@ -20,6 +20,6 @@ jobs:
 
 - name: 'Link Checker'
 id: 'lychee'
- uses: 'lycheeverse/lychee-action@885c65f3dc543b57c898c8099f4e08c8afd178a2' # ratchet: lycheeverse/lychee-action@v2.6.1
+ uses: 'lycheeverse/lychee-action@8646ba30535128ac92d33dfc9133794bfdd9b411' # ratchet: lycheeverse/lychee-action@v2.8.0
 with:
 args: '--verbose --no-progress --accept 200,503 ./**/*.md'
diff --git a/.github/workflows/no-response.yml b/.github/workflows/no-response.yml
index abaad9dbb..dcc998e14 100644
--- a/.github/workflows/no-response.yml
+++ b/.github/workflows/no-response.yml
@@ -18,7 +18,7 @@ jobs:
 group: '${{ github.workflow }}-no-response'
 cancel-in-progress: true
 steps:
- - uses: 'actions/stale@5bef64f19d7facfb25b37b414482c7164d639639' # ratchet:actions/stale@v9
+ - uses: 'actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f' # ratchet:actions/stale@v10.2.0
 with:
 repo-token: '${{ secrets.GITHUB_TOKEN }}'
 days-before-stale: -1
diff --git a/.github/workflows/release-notes.yml b/.github/workflows/release-notes.yml
index a5a2f90db..f5e0b62b4 100644
--- a/.github/workflows/release-notes.yml
+++ b/.github/workflows/release-notes.yml
@@ -69,7 +69,7 @@ jobs:
 
 - name: 'Generate Changelog with Gemini'
 if: "steps.validate_version.outputs.CONTINUE == 'true'"
- uses: 'google-github-actions/run-gemini-cli@a3bf79042542528e91937b3a3a6fbc4967ee3c31' # ratchet:google-github-actions/run-gemini-cli@v0
+ uses: 'google-github-actions/run-gemini-cli@9dbec29a20fab3f35017a40ad0eb798a257d4d51' # ratchet:google-github-actions/run-gemini-cli@v0
 with:
 gemini_api_key: '${{ secrets.GEMINI_API_KEY }}'
 prompt: |
diff --git a/.github/workflows/release-promote.yml b/.github/workflows/release-promote.yml
index b822ce2f8..09d94ec1e 100644
--- a/.github/workflows/release-promote.yml
+++ b/.github/workflows/release-promote.yml
@@ -157,6 +157,8 @@ jobs:
 name: 'Test ${{ matrix.channel }}'
 needs: 'calculate-versions'
 runs-on: 'ubuntu-latest'
+ permissions:
+ contents: 'read'
 strategy:
 fail-fast: false
 matrix:
diff --git a/.github/workflows/stale.yml b/.github/workflows/stale.yml index 4a975869f..71167122d 100644 --- a/.github/workflows/stale.yml +++ b/.github/workflows/stale.yml @@ -23,7 +23,7 @@ jobs: group: '${{ github.workflow }}-stale' cancel-in-progress: true steps: - - uses: 'actions/stale@5bef64f19d7facfb25b37b414482c7164d639639' # ratchet:actions/stale@v9 + - uses: 'actions/stale@b5d41d4e1d5dceea10e7104786b73624c18a190f' # ratchet:actions/stale@v10.2.0 with: repo-token: '${{ secrets.GITHUB_TOKEN }}' stale-issue-message: >- diff --git a/package-lock.json b/package-lock.json index ea985a7be..c0bd7583a 100644 --- a/package-lock.json +++ b/package-lock.json @@ -17555,7 +17555,7 @@ "@google/gemini-cli-test-utils": "file:../test-utils", "@types/command-exists": "^1.2.3", "@types/hast": "^3.0.4", - "@types/node": "^20.11.24", + "@types/node": "^25.5.0", "@types/react": "^19.2.0", "@types/semver": "^7.7.0", "@types/shell-quote": "^1.7.5", @@ -17569,6 +17569,16 @@ "node": ">=20" } }, + "packages/cli/node_modules/@types/node": { + "version": "25.5.0", + "resolved": "https://registry.npmjs.org/@types/node/-/node-25.5.0.tgz", + "integrity": "sha512-jp2P3tQMSxWugkCUKLRPVUpGaL5MVFwF8RDuSRztfwgN1wmqJeMSbKlnEtQqU8UrhTmzEmZdu2I6v2dpp7XIxw==", + "dev": true, + "license": "MIT", + "dependencies": { + "undici-types": "~7.18.0" + } + }, "packages/cli/node_modules/ansi-escapes": { "version": "7.3.0", "resolved": "https://registry.npmjs.org/ansi-escapes/-/ansi-escapes-7.3.0.tgz", @@ -17674,6 +17684,13 @@ "node": ">=18" } }, + "packages/cli/node_modules/undici-types": { + "version": "7.18.2", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.18.2.tgz", + "integrity": "sha512-AsuCzffGHJybSaRrmr5eHr81mwJU3kjw6M+uprWvCXiNeN9SOGwQ3Jn8jb8m3Z6izVgknn1R0FTCEAP2QrLY/w==", + "dev": true, + "license": "MIT" + }, "packages/core": { "name": "@google/gemini-cli-core", "version": "0.36.0-nightly.20260317.2f90b4653", 
@@ -18002,7 +18019,7 @@ "devDependencies": { "@types/cors": "^2.8.19", "@types/express": "^5.0.3", - "@types/node": "20.x", + "@types/node": "^25.5.0", "@types/vscode": "^1.99.0", "@typescript-eslint/eslint-plugin": "^8.31.1", "@typescript-eslint/parser": "^8.31.1", @@ -18017,12 +18034,29 @@ "vscode": "^1.99.0" } }, + "packages/vscode-ide-companion/node_modules/@types/node": { + "version": "25.5.0", + "resolved": "https://registry.npmjs.org/@types/node/-/node-25.5.0.tgz", + "integrity": "sha512-jp2P3tQMSxWugkCUKLRPVUpGaL5MVFwF8RDuSRztfwgN1wmqJeMSbKlnEtQqU8UrhTmzEmZdu2I6v2dpp7XIxw==", + "dev": true, + "license": "MIT", + "dependencies": { + "undici-types": "~7.18.0" + } + }, "packages/vscode-ide-companion/node_modules/@types/vscode": { "version": "1.99.0", "resolved": "https://registry.npmjs.org/@types/vscode/-/vscode-1.99.0.tgz", "integrity": "sha512-30sjmas1hQ0gVbX68LAWlm/YYlEqUErunPJJKLpEl+xhK0mKn+jyzlCOpsdTwfkZfPy4U6CDkmygBLC3AB8W9Q==", "dev": true, "license": "MIT" + }, + "packages/vscode-ide-companion/node_modules/undici-types": { + "version": "7.18.2", + "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.18.2.tgz", + "integrity": "sha512-AsuCzffGHJybSaRrmr5eHr81mwJU3kjw6M+uprWvCXiNeN9SOGwQ3Jn8jb8m3Z6izVgknn1R0FTCEAP2QrLY/w==", + "dev": true, + "license": "MIT" } } } diff --git a/packages/cli/package.json b/packages/cli/package.json index 95a570bf5..3622d5e9c 100644 --- a/packages/cli/package.json +++ b/packages/cli/package.json @@ -75,7 +75,7 @@ "@google/gemini-cli-test-utils": "file:../test-utils", "@types/command-exists": "^1.2.3", "@types/hast": "^3.0.4", - "@types/node": "^20.11.24", + "@types/node": "^25.5.0", "@types/react": "^19.2.0", "@types/semver": "^7.7.0", "@types/shell-quote": "^1.7.5", diff --git a/packages/vscode-ide-companion/package.json b/packages/vscode-ide-companion/package.json index b2a2912c7..9a0c7ae17 100644 --- a/packages/vscode-ide-companion/package.json +++ b/packages/vscode-ide-companion/package.json 
@@ -125,7 +125,7 @@
 "devDependencies": {
 "@types/cors": "^2.8.19",
 "@types/express": "^5.0.3",
- "@types/node": "20.x",
+ "@types/node": "25.x",
 "@types/vscode": "^1.99.0",
 "@typescript-eslint/eslint-plugin": "^8.31.1",
 "@typescript-eslint/parser": "^8.31.1",