From 4e10a34be81b7b36798d57a1019479aadb229347 Mon Sep 17 00:00:00 2001
From: Gal Zahavi <38544478+galz10@users.noreply.github.com>
Date: Thu, 11 Jun 2026 14:38:56 -0700
Subject: [PATCH] ci: update workflow logging and policy configurations (#27853)

---
 .geminiignore | 1 +
 .github/actions/calculate-vars/action.yml | 6 ----
 .../actions/create-pull-request/action.yml | 5 ---
 .../actions/post-coverage-comment/action.yml | 5 ---
 .github/actions/publish-release/action.yml | 6 ----
 .github/actions/push-docker/action.yml | 5 ---
 .github/actions/push-sandbox/action.yml | 5 ---
 .github/actions/run-tests/action.yml | 5 ---
 .github/actions/tag-npm-release/action.yml | 6 ----
 .github/actions/verify-release/action.yml | 6 ----
 .github/workflows/community-report.yml | 1 +
 .github/workflows/docs-audit.yml | 1 +
 .../gemini-automated-issue-dedup.yml | 1 +
 .../gemini-automated-issue-triage.yml | 1 +
 .../gemini-scheduled-issue-dedup.yml | 1 +
 .../gemini-scheduled-issue-triage.yml | 2 ++
 .github/workflows/release-notes.yml | 1 +
 package-lock.json | 34 +++++++++++++++++--
 .../src/policy/policies/sandbox-default.toml | 7 ++++
 19 files changed, 47 insertions(+), 52 deletions(-)

diff --git a/.geminiignore b/.geminiignore
index e40b6ba36e..490b0861b5 100644
--- a/.geminiignore
+++ b/.geminiignore
@@ -1 +1,2 @@
 packages/core/src/services/scripts/*.exe
+gha-creds-*.json
diff --git a/.github/actions/calculate-vars/action.yml b/.github/actions/calculate-vars/action.yml
index fbe58ecfd7..e5a5ac5318 100644
--- a/.github/actions/calculate-vars/action.yml
+++ b/.github/actions/calculate-vars/action.yml
@@ -14,12 +14,6 @@ outputs:
 runs:
 using: 'composite'
 steps:
- - name: 'Print inputs'
- shell: 'bash'
- env:
- JSON_INPUTS: '${{ toJSON(inputs) }}'
- run: 'echo "$JSON_INPUTS"'
-
 - name: 'Set vars for simplified logic'
 id: 'set_vars'
 shell: 'bash'
diff --git a/.github/actions/create-pull-request/action.yml b/.github/actions/create-pull-request/action.yml
index fa38bd58ab..b9fdebf79a 100644
--- a/.github/actions/create-pull-request/action.yml
+++ b/.github/actions/create-pull-request/action.yml
@@ -30,11 +30,6 @@ inputs:
 runs:
 using: 'composite'
 steps:
- - name: '📝 Print Inputs'
- shell: 'bash'
- env:
- JSON_INPUTS: '${{ toJSON(inputs) }}'
- run: 'echo "$JSON_INPUTS"'
 - name: 'Creates a Pull Request'
 if: "inputs.dry-run != 'true'"
 env:
diff --git a/.github/actions/post-coverage-comment/action.yml b/.github/actions/post-coverage-comment/action.yml
index a458b9e34c..6862e6be1f 100644
--- a/.github/actions/post-coverage-comment/action.yml
+++ b/.github/actions/post-coverage-comment/action.yml
@@ -27,11 +27,6 @@ inputs:
 runs:
 using: 'composite'
 steps:
- - name: '📝 Print Inputs'
- shell: 'bash'
- env:
- JSON_INPUTS: '${{ toJSON(inputs) }}'
- run: 'echo "$JSON_INPUTS"'
 - name: 'Prepare Coverage Comment'
 id: 'prep_coverage_comment'
 shell: 'bash'
diff --git a/.github/actions/publish-release/action.yml b/.github/actions/publish-release/action.yml
index 1a34b1f191..2eab207280 100644
--- a/.github/actions/publish-release/action.yml
+++ b/.github/actions/publish-release/action.yml
@@ -75,12 +75,6 @@ inputs:
 runs:
 using: 'composite'
 steps:
- - name: '📝 Print Inputs'
- shell: 'bash'
- env:
- JSON_INPUTS: '${{ toJSON(inputs) }}'
- run: 'echo "$JSON_INPUTS"'
-
 - name: '👤 Configure Git User'
 working-directory: '${{ inputs.working-directory }}'
 shell: 'bash'
diff --git a/.github/actions/push-docker/action.yml b/.github/actions/push-docker/action.yml
index e660733428..7644b89412 100644
--- a/.github/actions/push-docker/action.yml
+++ b/.github/actions/push-docker/action.yml
@@ -18,11 +18,6 @@ inputs:
 runs:
 using: 'composite'
 steps:
- - name: '📝 Print Inputs'
- shell: 'bash'
- env:
- JSON_INPUTS: '${{ toJSON(inputs) }}'
- run: 'echo "$JSON_INPUTS"'
 - name: 'Checkout'
 uses: 'actions/checkout@08eba0b27e820071cde6df949e0beb9ba4906955' # ratchet:actions/checkout@v4
 with:
diff --git a/.github/actions/push-sandbox/action.yml b/.github/actions/push-sandbox/action.yml
index dd2d96c4a1..38fdfd3f12 100644
--- a/.github/actions/push-sandbox/action.yml
+++ b/.github/actions/push-sandbox/action.yml
@@ -28,11 +28,6 @@ inputs:
 runs:
 using: 'composite'
 steps:
- - name: '📝 Print Inputs'
- shell: 'bash'
- env:
- JSON_INPUTS: '${{ toJSON(inputs) }}'
- run: 'echo "$JSON_INPUTS"'
 - name: 'Checkout'
 uses: 'actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5' # ratchet:actions/checkout@v4
 with:
diff --git a/.github/actions/run-tests/action.yml b/.github/actions/run-tests/action.yml
index e7fc63ce8b..6dd818bb56 100644
--- a/.github/actions/run-tests/action.yml
+++ b/.github/actions/run-tests/action.yml
@@ -13,11 +13,6 @@ inputs:
 runs:
 using: 'composite'
 steps:
- - name: '📝 Print Inputs'
- shell: 'bash'
- env:
- JSON_INPUTS: '${{ toJSON(inputs) }}'
- run: 'echo "$JSON_INPUTS"'
 - name: 'Install system dependencies'
 if: "runner.os == 'Linux'"
 run: |
diff --git a/.github/actions/tag-npm-release/action.yml b/.github/actions/tag-npm-release/action.yml
index 085cf15e99..479b5be623 100644
--- a/.github/actions/tag-npm-release/action.yml
+++ b/.github/actions/tag-npm-release/action.yml
@@ -40,12 +40,6 @@ inputs:
 runs:
 using: 'composite'
 steps:
- - name: '📝 Print Inputs'
- shell: 'bash'
- env:
- JSON_INPUTS: '${{ toJSON(inputs) }}'
- run: 'echo "$JSON_INPUTS"'
-
 - name: 'Setup Node.js'
 uses: 'actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020'
 with:
diff --git a/.github/actions/verify-release/action.yml b/.github/actions/verify-release/action.yml
index d3d1d075d2..5d6abbce7f 100644
--- a/.github/actions/verify-release/action.yml
+++ b/.github/actions/verify-release/action.yml
@@ -29,12 +29,6 @@ inputs:
 runs:
 using: 'composite'
 steps:
- - name: '📝 Print Inputs'
- shell: 'bash'
- env:
- JSON_INPUTS: '${{ toJSON(inputs) }}'
- run: 'echo "$JSON_INPUTS"'
-
 - name: 'setup node'
 uses: 'actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020' # ratchet:actions/setup-node@v4
 with:
diff --git a/.github/workflows/community-report.yml b/.github/workflows/community-report.yml
index e0aaf90dbf..da2c4c2df9 100644
--- a/.github/workflows/community-report.yml
+++ b/.github/workflows/community-report.yml
@@ -173,6 +173,7 @@ jobs:
 GITHUB_TOKEN: '${{ steps.generate_token.outputs.token }}'
 REPOSITORY: '${{ github.repository }}'
 with:
+ upload_artifacts: 'true'
 gcp_workload_identity_provider: '${{ vars.GCP_WIF_PROVIDER }}'
 gcp_project_id: '${{ vars.GOOGLE_CLOUD_PROJECT }}'
 gcp_location: '${{ vars.GOOGLE_CLOUD_LOCATION }}'
diff --git a/.github/workflows/docs-audit.yml b/.github/workflows/docs-audit.yml
index 687bd3fb57..9ba2873278 100644
--- a/.github/workflows/docs-audit.yml
+++ b/.github/workflows/docs-audit.yml
@@ -32,6 +32,7 @@ jobs:
 env:
 GEMINI_CLI_TRUST_WORKSPACE: true
 with:
+ upload_artifacts: 'true'
 gemini_api_key: '${{ secrets.GEMINI_API_KEY }}'
 prompt: |
 Activate the 'docs-writer' skill.
diff --git a/.github/workflows/gemini-automated-issue-dedup.yml b/.github/workflows/gemini-automated-issue-dedup.yml
index 5fa274d7e7..d837cd8836 100644
--- a/.github/workflows/gemini-automated-issue-dedup.yml
+++ b/.github/workflows/gemini-automated-issue-dedup.yml
@@ -70,6 +70,7 @@ jobs:
 FIRESTORE_PROJECT: '${{ vars.FIRESTORE_PROJECT }}'
 GEMINI_CLI_TRUST_WORKSPACE: 'true'
 with:
+ upload_artifacts: 'true'
 gcp_workload_identity_provider: '${{ vars.GCP_WIF_PROVIDER }}'
 gcp_project_id: '${{ vars.GOOGLE_CLOUD_PROJECT }}'
 gcp_location: '${{ vars.GOOGLE_CLOUD_LOCATION }}'
diff --git a/.github/workflows/gemini-automated-issue-triage.yml b/.github/workflows/gemini-automated-issue-triage.yml
index d30e5d805f..bd9435d7bc 100644
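Review bot: `upload_artifacts: 'true'` is switched on with nothing visible limiting what the artifact contains, while the same commit treats `gha-creds-*.json` in the workspace as sensitive (it is added to `.geminiignore` and denied in `sandbox-default.toml`); if the action's artifact collection walks the checked-out workspace, that credential file could end up in an artifact that anyone with read access to the repository can download. Confirm that the action's upload path list excludes it, or document the assumption above the new line, e.g. `# upload_artifacts: run logs only — confirm the action never bundles gha-creds-*.json or other workspace files`. The same input is added in docs-audit.yml, gemini-automated-issue-dedup.yml, gemini-automated-issue-triage.yml, gemini-scheduled-issue-dedup.yml, both hunks of gemini-scheduled-issue-triage.yml and release-notes.yml, so one answer covers all of them. The step whose `with:` block this extends starts outside the hunk.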
--- a/.github/workflows/gemini-automated-issue-triage.yml
+++ b/.github/workflows/gemini-automated-issue-triage.yml
@@ -155,6 +155,7 @@ jobs:
 AVAILABLE_LABELS: '${{ steps.get_labels.outputs.available_labels }}'
 GEMINI_CLI_TRUST_WORKSPACE: 'true'
 with:
+ upload_artifacts: 'true'
 gcp_workload_identity_provider: '${{ vars.GCP_WIF_PROVIDER }}'
 gcp_project_id: '${{ vars.GOOGLE_CLOUD_PROJECT }}'
 gcp_location: '${{ vars.GOOGLE_CLOUD_LOCATION }}'
diff --git a/.github/workflows/gemini-scheduled-issue-dedup.yml b/.github/workflows/gemini-scheduled-issue-dedup.yml
index b18ccf7fc0..78601b6495 100644
--- a/.github/workflows/gemini-scheduled-issue-dedup.yml
+++ b/.github/workflows/gemini-scheduled-issue-dedup.yml
@@ -49,6 +49,7 @@ jobs:
 REPOSITORY: '${{ github.repository }}'
 FIRESTORE_PROJECT: '${{ vars.FIRESTORE_PROJECT }}'
 with:
+ upload_artifacts: 'true'
 gcp_workload_identity_provider: '${{ vars.GCP_WIF_PROVIDER }}'
 gcp_project_id: '${{ vars.GOOGLE_CLOUD_PROJECT }}'
 gcp_location: '${{ vars.GOOGLE_CLOUD_LOCATION }}'
diff --git a/.github/workflows/gemini-scheduled-issue-triage.yml b/.github/workflows/gemini-scheduled-issue-triage.yml
index 262dd5ca48..1aae5c8445 100644
--- a/.github/workflows/gemini-scheduled-issue-triage.yml
+++ b/.github/workflows/gemini-scheduled-issue-triage.yml
@@ -181,6 +181,7 @@ jobs:
 GEMINI_STRICT_TELEMETRY_LIMITS: 'true'
 GEMINI_MODEL: 'gemini-3-flash-preview'
 with:
+ upload_artifacts: 'true'
 gcp_workload_identity_provider: '${{ vars.GCP_WIF_PROVIDER }}'
 gcp_project_id: '${{ vars.GOOGLE_CLOUD_PROJECT }}'
 gcp_location: '${{ vars.GOOGLE_CLOUD_LOCATION }}'
@@ -303,6 +304,7 @@ jobs:
 GEMINI_STRICT_TELEMETRY_LIMITS: 'true'
 GEMINI_MODEL: 'gemini-3-flash-preview'
 with:
+ upload_artifacts: 'true'
 gcp_workload_identity_provider: '${{ vars.GCP_WIF_PROVIDER }}'
 gcp_project_id: '${{ vars.GOOGLE_CLOUD_PROJECT }}'
 gcp_location: '${{ vars.GOOGLE_CLOUD_LOCATION }}'
diff --git a/.github/workflows/release-notes.yml b/.github/workflows/release-notes.yml
index d516ee928a..6ee76fd064 100644
--- a/.github/workflows/release-notes.yml
+++ b/.github/workflows/release-notes.yml
@@ -74,6 +74,7 @@ jobs:
 env:
 GEMINI_CLI_TRUST_WORKSPACE: true
 with:
+ upload_artifacts: 'true'
 gemini_api_key: '${{ secrets.GEMINI_API_KEY }}'
 prompt: |
 Activate the 'docs-changelog' skill.
diff --git a/package-lock.json b/package-lock.json
index 5ed8049e84..bde6259b11 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -449,7 +449,8 @@ "version": "2.11.0", "resolved": "https://registry.npmjs.org/@bufbuild/protobuf/-/protobuf-2.11.0.tgz", "integrity": "sha512-sBXGT13cpmPR5BMgHE6UEEfEaShh5Ror6rfN3yEK5si7QVrtZg8LEPQb0VVhiLRUslD2yLnXtnRzG035J/mZXQ==", - "license": "(Apache-2.0 AND BSD-3-Clause)" + "license": "(Apache-2.0 AND BSD-3-Clause)", + "peer": true }, "node_modules/@bundled-es-modules/cookie": { "version": "2.0.1",
@@ -1535,6 +1536,7 @@ "resolved": "https://registry.npmjs.org/@grpc/grpc-js/-/grpc-js-1.14.3.tgz", "integrity": "sha512-Iq8QQQ/7X3Sac15oB6p0FmUg/klxQvXLeileoqrTRGJYLV+/9tubbr9ipz0GKHjmXVsgFPo/+W+2cA8eNcR+XA==", "license": "Apache-2.0", + "peer": true, "dependencies": { "@grpc/proto-loader": "^0.8.0", "@js-sdsl/ordered-map": "^4.4.2"
@@ -2242,6 +2244,7 @@ "integrity": "sha512-t54CUOsFMappY1Jbzb7fetWeO0n6K0k/4+/ZpkS+3Joz8I4VcvY9OiEBFRYISqaI2fq5sCiPtAjRDOzVYG8m+Q==", "dev": true, "license": "MIT", + "peer": true, "dependencies": { "@octokit/auth-token": "^6.0.0", "@octokit/graphql": "^9.0.2",
@@ -2422,6 +2425,7 @@ "resolved": "https://registry.npmjs.org/@opentelemetry/api/-/api-1.9.0.tgz", "integrity": "sha512-3giAOQvZiH5F9bMlMiv8+GSPMeqg0dbaeo58/0SlA9sxSqZhnUtxzX9/2FzyhS9sWQf5S0GJE0AKBrFqjpeYcg==", "license": "Apache-2.0", + "peer": true, "engines": { "node": ">=8.0.0" }
@@ -2471,6 +2475,7 @@ "resolved": "https://registry.npmjs.org/@opentelemetry/core/-/core-2.7.1.tgz", "integrity": "sha512-QAqIj32AtK6+pEVNG7EOVxHdE06RP+FM5qpiEJ4RtDcFIqKUZHYhl7/7UY5efhwmwNAg7j8QbJVBLxMerc0+gw==", "license": "Apache-2.0", + "peer": true, "dependencies": { "@opentelemetry/semantic-conventions": "^1.29.0" }, @@ -2821,6 +2826,7 @@ "resolved": "https://registry.npmjs.org/@opentelemetry/resources/-/resources-2.7.1.tgz", "integrity": "sha512-DeT6KKolmC4e/dRQvMQ/RwlnzhaqeiFOXY5ngoOPJ07GgVVKxZOg9EcrNZb5aTzUn+iCrJldAgOfQm1O/QfPAQ==", "license": "Apache-2.0", + "peer": true, "dependencies": { "@opentelemetry/core": "2.7.1", "@opentelemetry/semantic-conventions": "^1.29.0" @@ -2855,6 +2861,7 @@ "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-metrics/-/sdk-metrics-2.7.1.tgz", "integrity": "sha512-MpDJdkiFDs3Pm1RHO3KByuZbuBdJEXEAkiC0+yJdsZGVCdf1RpHR6n+LHDcS7ffmfrt5kVCzJSCfm4z2C7v0uQ==", "license": "Apache-2.0", + "peer": true, "dependencies": { "@opentelemetry/core": "2.7.1", "@opentelemetry/resources": "2.7.1" @@ -2910,6 +2917,7 @@ "resolved": "https://registry.npmjs.org/@opentelemetry/sdk-trace-base/-/sdk-trace-base-2.7.1.tgz", "integrity": "sha512-NAYIlsF8MPUsKqJMiDQJTMPOmlbawC1Iz/omMLygZ1C9am8fTKYjTaI+OZM+WTY3t3Glo0wnOg/6/pac6RGPPw==", "license": "Apache-2.0", + "peer": true, "dependencies": { "@opentelemetry/core": "2.7.1", "@opentelemetry/resources": "2.7.1", @@ -4162,6 +4170,7 @@ "integrity": "sha512-6mDvHUFSjyT2B2yeNx2nUgMxh9LtOWvkhIU3uePn2I2oyNymUAX1NIsdgviM4CH+JSrp2D2hsMvJOkxY+0wNRA==", "devOptional": true, "license": "MIT", + "peer": true, "dependencies": { "csstype": "^3.0.2" } @@ -4435,6 +4444,7 @@ "integrity": "sha512-/Zb/xaIDfxeJnvishjGdcR4jmr7S+bda8PKNhRGdljDM+elXhlvN0FyPSsMnLmJUrVG9aPO6dof80wjMawsASg==", "dev": true, "license": "MIT", + "peer": true, "dependencies": { "@typescript-eslint/scope-manager": "8.58.2", "@typescript-eslint/types": "8.58.2", 
@@ -5210,6 +5220,7 @@ "resolved": "https://registry.npmjs.org/acorn/-/acorn-8.15.0.tgz", "integrity": "sha512-NZyJarBfL7nWwIq+FDL6Zp/yHEhePMNnnJ0y3qfieCrmNvYct8uvtiV41UvlSe6apAfk0fY1FbWx+NwfmpvtTg==", "license": "MIT", + "peer": true, "bin": { "acorn": "bin/acorn" }, @@ -7321,7 +7332,8 @@ "version": "0.0.1581282", "resolved": "https://registry.npmjs.org/devtools-protocol/-/devtools-protocol-0.0.1581282.tgz", "integrity": "sha512-nv7iKtNZQshSW2hKzYNr46nM/Cfh5SEvE2oV0/SEGgc9XupIY5ggf84Cz8eJIkBce7S3bmTAauFD6aysMpnqsQ==", - "license": "BSD-3-Clause" + "license": "BSD-3-Clause", + "peer": true }, "node_modules/dezalgo": { "version": "1.0.4", @@ -7906,6 +7918,7 @@ "integrity": "sha512-GsGizj2Y1rCWDu6XoEekL3RLilp0voSePurjZIkxL3wlm5o5EC9VpgaP7lrCvjnkuLvzFBQWB3vWB3K5KQTveQ==", "dev": true, "license": "MIT", + "peer": true, "dependencies": { "@eslint-community/eslint-utils": "^4.2.0", "@eslint-community/regexpp": "^4.12.1", @@ -8516,6 +8529,7 @@ "resolved": "https://registry.npmjs.org/express/-/express-5.2.1.tgz", "integrity": "sha512-hIS4idWWai69NezIdRt2xFVofaF4j+6INOpJlVOLDO8zXGpUVEVzIYk12UUi2JzjEzWL3IOAxcTubgz9Po0yXw==", "license": "MIT", + "peer": true, "dependencies": { "accepts": "^2.0.0", "body-parser": "^2.2.1", @@ -9785,6 +9799,7 @@ "resolved": "https://registry.npmjs.org/hono/-/hono-4.12.18.tgz", "integrity": "sha512-RWzP96k/yv0PQfyXnWjs6zot20TqfpfsNXhOnev8d1InAxubW93L11/oNUc3tQqn2G0bSdAOBpX+2uDFHV7kdQ==", "license": "MIT", + "peer": true, "engines": { "node": ">=16.9.0" } @@ -10047,6 +10062,7 @@ "resolved": "https://registry.npmjs.org/@jrichman/ink/-/ink-6.6.9.tgz", "integrity": "sha512-RL9sSiLQZECnjbmBwjIHOp8yVGdWF7C/uifg7ISv/e+F3nLNsfl7FdUFQs8iZARFMJAYxMFpxW6OW+HSt9drwQ==", "license": "MIT", + "peer": true, "dependencies": { "ansi-escapes": "^7.0.0", "ansi-styles": "^6.2.3", 
@@ -13822,6 +13838,7 @@ "resolved": "https://registry.npmjs.org/react/-/react-19.2.4.tgz", "integrity": "sha512-9nfp2hYpCwOjAN+8TZFGhtWEwgvWHXqESH8qT89AT/lWklpLON22Lc8pEtnpsZz7VmawabSU0gCjnj8aC0euHQ==", "license": "MIT", + "peer": true, "engines": { "node": ">=0.10.0" } @@ -13832,6 +13849,7 @@ "integrity": "sha512-ePrwPfxAnB+7hgnEr8vpKxL9cmnp7F322t8oqcPshbIQQhDKgFDW4tjhF2wjVbdXF9O/nyuy3sQWd9JGpiLPvA==", "devOptional": true, "license": "MIT", + "peer": true, "dependencies": { "shell-quote": "^1.6.1", "ws": "^7" @@ -15986,6 +16004,7 @@ "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz", "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==", "license": "MIT", + "peer": true, "engines": { "node": ">=12" }, @@ -16208,7 +16227,8 @@ "version": "2.8.1", "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.8.1.tgz", "integrity": "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w==", - "license": "0BSD" + "license": "0BSD", + "peer": true }, "node_modules/tsx": { "version": "4.20.3", @@ -16216,6 +16236,7 @@ "integrity": "sha512-qjbnuR9Tr+FJOMBqJCW5ehvIo/buZq7vH7qD7JziU98h6l3qGy0a/yPFjwO+y0/T7GFpNgNAvEcPPVfyT8rrPQ==", "devOptional": true, "license": "MIT", + "peer": true, "dependencies": { "esbuild": "~0.25.0", "get-tsconfig": "^4.7.5" @@ -16381,6 +16402,7 @@ "integrity": "sha512-p1diW6TqL9L07nNxvRMM7hMMw4c5XOo/1ibL4aAIGmSAt9slTE1Xgw5KWuof2uTOvCg9BY7ZRi+GaF+7sfgPeQ==", "devOptional": true, "license": "Apache-2.0", + "peer": true, "bin": { "tsc": "bin/tsc", "tsserver": "bin/tsserver" @@ -16448,6 +16470,7 @@ "integrity": "sha512-6sMvZePQrnZH2/cJkwRpkT7DxoAWh+g6+GFRK6bV3YQo7ogi3SX5rgF6099r5Q53Ma5qeT7LGmOmuIutF4t3lA==", "dev": true, "license": "MIT", + "peer": true, "dependencies": { "@typescript-eslint/scope-manager": "8.35.0", "@typescript-eslint/types": "8.35.0", 
@@ -16867,6 +16890,7 @@ "resolved": "https://registry.npmjs.org/vite/-/vite-7.3.2.tgz", "integrity": "sha512-Bby3NOsna2jsjfLVOHKes8sGwgl4TT0E6vvpYgnAYDIF/tie7MRaFthmKuHx1NSXjiTueXH3do80FMQgvEktRg==", "license": "MIT", + "peer": true, "dependencies": { "esbuild": "^0.27.0", "fdir": "^6.5.0",
@@ -17437,6 +17461,7 @@ "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz", "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==", "license": "MIT", + "peer": true, "engines": { "node": ">=12" },
@@ -17449,6 +17474,7 @@ "resolved": "https://registry.npmjs.org/vitest/-/vitest-3.2.4.tgz", "integrity": "sha512-LUCP5ev3GURDysTWiP47wRRUpLKMOfPh+yKTx3kVIEiu5KOMeqzpnYNsKyOoVrULivR8tLcks4+lga33Whn90A==", "license": "MIT", + "peer": true, "dependencies": { "@types/chai": "^5.2.2", "@vitest/expect": "3.2.4",
@@ -18102,6 +18128,7 @@ "resolved": "https://registry.npmjs.org/zod/-/zod-3.25.76.tgz", "integrity": "sha512-gzUt/qt81nXsFGKIFcC3YnfEAx5NkunCfnDlvuBSSFS02bcXu4Lmea0AFIUwbLWxWPx3d9p8S5QoaujKcNQxcQ==", "license": "MIT", + "peer": true, "funding": { "url": "https://github.com/sponsors/colinhacks" }
@@ -18625,6 +18652,7 @@ "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz", "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==", "license": "MIT", + "peer": true, "engines": { "node": ">=12" },
diff --git a/packages/core/src/policy/policies/sandbox-default.toml b/packages/core/src/policy/policies/sandbox-default.toml
index 6e2db3fd03..06d087ce8d 100644
--- a/packages/core/src/policy/policies/sandbox-default.toml
+++ b/packages/core/src/policy/policies/sandbox-default.toml
@@ -17,3 +17,10 @@ approvedTools = ['sed', 'grep', 'awk', 'perl', 'cat', 'echo', 'Add-Content', 'Se
 allowOverrides = true
 [commands]
+
+[[rules]]
+name = "Deny gha-creds"
+toolName = "*"
+argsPattern = ".*gha-creds-.*\\.json.*"
+decision = "deny"
+denyMessage = "Access to GitHub Actions credentials file is denied."
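Review bot: The new `[[rules]]` entry carries no comment explaining its intent or its relationship to the `gha-creds-*.json` entry this commit adds to `.geminiignore`, and its reach rests on two assumptions a reader cannot check from this file: that `toolName = "*"` matches every tool and that `argsPattern` is evaluated against the arguments of every invocation rather than shell commands only. Add a comment above the table, e.g. `# Deny any tool call whose arguments name a GitHub Actions credential file (gha-creds-*.json); defence in depth alongside the .geminiignore entry.` Because the pattern is an unanchored, case-sensitive substring match on the literal prefix `gha-creds-`, it is a denylist keyed on filename rather than content, so treat it as one layer and confirm that a `deny` here takes precedence over the allow rules in this hunk's context (`approvedTools` and `allowOverrides = true`), since the file does not show how conflicting decisions are resolved. The `[commands]` table immediately before the insertion point is left with no keys; if that is intentional, a one-line comment there would stop the next reader from assuming a block was lost.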