fix(sandbox): harden image packaging integrity checks (#19552)

2026-03-10 14:10:37 -07:00 · 2026-02-24 02:32:42 +05:30
parent 0cc4f09595
commit 31960c3388
2 changed files with 12 additions and 1 deletions
--- a/.github/actions/push-sandbox/action.yml
+++ b/.github/actions/push-sandbox/action.yml
@@ -77,6 +77,14 @@ runs:
          --image google/gemini-cli-sandbox:${{ steps.image_tag.outputs.FINAL_TAG }} \
          --output-file final_image_uri.txt
        echo "uri=$(cat final_image_uri.txt)" >> $GITHUB_OUTPUT
    - name: 'verify'
      shell: 'bash'
      run: |-
        docker run --rm --entrypoint sh "${{ steps.docker_build.outputs.uri }}" -lc '
          set -e
          node -e "const fs=require(\"node:fs\"); JSON.parse(fs.readFileSync(\"/usr/local/share/npm-global/lib/node_modules/@google/gemini-cli/package.json\",\"utf8\")); JSON.parse(fs.readFileSync(\"/usr/local/share/npm-global/lib/node_modules/@google/gemini-cli-core/package.json\",\"utf8\"));"
          /usr/local/share/npm-global/bin/gemini --version >/dev/null
        '
    - name: 'publish'
      shell: 'bash'
      if: "${{ inputs.dry-run != 'true' }}"
--- a/5
+++ b/5
@@ -42,7 +42,10 @@ USER node
 # install gemini-cli and clean up
 COPY packages/cli/dist/google-gemini-cli-*.tgz /tmp/gemini-cli.tgz
 COPY packages/core/dist/google-gemini-cli-core-*.tgz /tmp/gemini-core.tgz
-RUN npm install -g /tmp/gemini-cli.tgz /tmp/gemini-core.tgz \
+RUN npm install -g /tmp/gemini-core.tgz \
  && npm install -g /tmp/gemini-cli.tgz \
  && node -e "const fs=require('node:fs'); JSON.parse(fs.readFileSync('/usr/local/share/npm-global/lib/node_modules/@google/gemini-cli/package.json','utf8')); JSON.parse(fs.readFileSync('/usr/local/share/npm-global/lib/node_modules/@google/gemini-cli-core/package.json','utf8'));" \
  && gemini --version > /dev/null \
  && npm cache clean --force \
  && rm -f /tmp/gemini-{cli,core}.tgz