chore: Implement secure CI/CD pipeline

galz10 · galz10 · commit e95af5b0c284 · 2025-08-18T16:29:30.000-07:00
This commit introduces a more secure and robust CI/CD pipeline by separating
   untrusted and trusted workflow execution.

   Key changes include:

   - Introduced a new `.github/workflows/trusted-ci.yml` workflow for
     secret-dependent integration tests, triggered by `workflow_run` after
     untrusted checks pass in `.github/workflows/ci.yml`.
   - `ci.yml` now focuses on linting, unit tests, and building/uploading
     combined artifacts, without access to sensitive secrets.
   - `trusted-ci.yml` downloads pre-built artifacts, ensuring no direct
     execution of untrusted PR source code in the privileged environment.
   - Added a "Fail if no access to secrets" step in `trusted-ci.yml` to
     enforce integration test execution for all pull requests.
   - Refined job permissions in `trusted-ci.yml` to adhere to the principle
     of least privilege.
   - Added `environment: trusted-ci-env` to the `test` job in `trusted-ci.yml`
     to enable manual approval for sensitive operations (to be configured
     via GitHub Environments).
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -120,6 +120,12 @@ jobs:
         run: |-
           npm run build
 
+      - name: 'Upload Build Artifacts'
+        uses: 'actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02' # ratchet:actions/upload-artifact@v4
+        with:
+          name: 'build-artifacts'
+          path: 'packages/*/dist'
+
       - name: 'Run type check'
         run: |-
           npm run typecheck
@@ -280,10 +286,10 @@ jobs:
         run: |-
           npm ci
 
-      - name: 'Run tests and generate reports'
+      - name: 'Run unit tests'
         env:
           NO_COLOR: true
-        run: 'npm run test:ci'
+        run: 'npm run test:unit'
 
       - name: 'Publish Test Report (for non-forks)'
         if: |-
@@ -311,44 +317,6 @@ jobs:
           name: 'coverage-reports-${{ matrix.node-version }}-${{ matrix.os }}'
           path: 'packages/*/coverage'
 
-  post_coverage_comment:
-    name: 'Post Coverage Comment'
-    runs-on: 'ubuntu-latest'
-    needs: 'test'
-    if: |-
-      ${{ always() && github.event_name == 'pull_request' && (github.event.pull_request.head.repo.full_name == github.repository) }}
-    continue-on-error: true
-    permissions:
-      contents: 'read' # For checkout
-      pull-requests: 'write' # For commenting
-    strategy:
-      matrix:
-        # Reduce noise by only posting the comment once
-        os:
-          - 'ubuntu-latest'
-        node-version:
-          - '22.x'
-    steps:
-      - name: 'Checkout'
-        uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
-
-      - name: 'Download coverage reports artifact'
-        uses: 'actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0' # ratchet:actions/download-artifact@v5
-        with:
-          name: 'coverage-reports-${{ matrix.node-version }}-${{ matrix.os }}'
-          path: 'coverage_artifact' # Download to a specific directory
-
-      - name: 'Post Coverage Comment using Composite Action'
-        uses: './.github/actions/post-coverage-comment' # Path to the composite action directory
-        with:
-          cli_json_file: 'coverage_artifact/cli/coverage/coverage-summary.json'
-          core_json_file: 'coverage_artifact/core/coverage/coverage-summary.json'
-          cli_full_text_summary_file: 'coverage_artifact/cli/coverage/full-text-summary.txt'
-          core_full_text_summary_file: 'coverage_artifact/core/coverage/full-text-summary.txt'
-          node_version: '${{ matrix.node-version }}'
-          os: '${{ matrix.os }}'
-          github_token: '${{ secrets.GITHUB_TOKEN }}'
-
   codeql:
     name: 'CodeQL'
     runs-on: 'ubuntu-latest'
diff --git a/.github/workflows/trusted-ci.yml b/.github/workflows/trusted-ci.yml
@@ -0,0 +1,124 @@
+name: 'Gemini CLI Trusted CI'
+
+on:
+  workflow_run:
+    workflows: ['Gemini CLI CI']
+    types:
+      - 'completed'
+    branches:
+      - 'main'
+      - 'release'
+
+jobs:
+  test:
+    environment: 'trusted-ci-env'
+    name: 'Test'
+    runs-on: '${{ matrix.os }}'
+    if: |-
+      ${{ github.event.workflow_run.conclusion == 'success' &&
+          github.event.workflow_run.event == 'pull_request' }}
+    permissions:
+      contents: 'read'
+      checks: 'write'
+      pull-requests: 'write'
+    strategy:
+      fail-fast: false # So we can see all test failures
+      matrix:
+        os:
+          - 'macos-latest'
+          - 'ubuntu-latest'
+          - 'windows-latest'
+        node-version:
+          - '20.x'
+          - '22.x'
+          - '24.x'
+    steps:
+      - name: 'Checkout base branch'
+        uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
+        with:
+          ref: '${{ github.event.workflow_run.base_branch }}' # Checkout base branch
+
+      - name: 'Download Build Artifacts'
+        uses: 'actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0' # ratchet:actions/download-artifact@v5
+        with:
+          name: 'build-artifacts'
+          path: '.' # Download to current directory
+
+      - name: 'Set up Node.js ${{ matrix.node-version }}'
+        uses: 'actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020' # ratchet:actions/setup-node@v4
+        with:
+          node-version: '${{ matrix.node-version }}'
+          cache: 'npm'
+
+      - name: 'Fail if no access to secrets'
+        if: '${{ secrets.GEMINI_API_KEY == '' }}' # Only run if secret is NOT available
+        run: |
+          echo "Error: Integration tests cannot be skipped due to missing GEMINI_API_KEY secret."
+          echo "This workflow requires GEMINI_API_KEY for integration tests."
+          exit 1 # This will cause the step and thus the job to fail
+
+      - name: 'Run integration tests'
+        if: '${{ secrets.GEMINI_API_KEY == '' }}' # Only run if secret is available
+        env:
+          NO_COLOR: true
+          GEMINI_API_KEY: '${{ secrets.GEMINI_API_KEY }}' # Access secret here
+        run: 'npm run test:integration:all'
+
+      - name: 'Publish Test Report'
+        if: |-
+          ${{ always() }}
+        uses: 'dorny/test-reporter@dc3a92680fcc15842eef52e8c4606ea7ce6bd3f3' # ratchet:dorny/test-reporter@v2
+        with:
+          name: 'Test Results (Node ${{ matrix.node-version }})'
+          path: 'packages/*/junit.xml'
+          reporter: 'java-junit'
+          fail-on-error: 'false'
+
+      - name: 'Upload coverage reports'
+        if: |-
+          ${{ always() }}
+        uses: 'actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02' # ratchet:actions/upload-artifact@v4
+        with:
+          name: 'coverage-reports-${{ matrix.node-version }}-${{ matrix.os }}'
+          path: 'packages/*/coverage'
+
+  post_coverage_comment:
+    name: 'Post Coverage Comment'
+    runs-on: 'ubuntu-latest'
+    needs: 'test'
+    if: |-
+      ${{ always() && github.event.workflow_run.conclusion == 'success' &&
+          github.event.workflow_run.event == 'pull_request' }}
+    continue-on-error: true
+    permissions:
+      contents: 'read' # For checkout
+      pull-requests: 'write' # For commenting
+    strategy:
+      matrix:
+        # Reduce noise by only posting the comment once
+        os:
+          - 'ubuntu-latest'
+        node-version:
+          - '22.x'
+    steps:
+      - name: 'Checkout base branch'
+        uses: 'actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8' # ratchet:actions/checkout@v5
+        with:
+          ref: '${{ github.event.workflow_run.base_branch }}' # Checkout base branch
+
+      - name: 'Download coverage reports artifact'
+        uses: 'actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0' # ratchet:actions/download-artifact@v5
+        with:
+          name: 'coverage-reports-${{ matrix.node-version }}-${{ matrix.os }}'
+          path: 'coverage_artifact' # Download to a specific directory
+
+      - name: 'Post Coverage Comment using Composite Action'
+        uses: './.github/actions/post-coverage-comment' # Path to the composite action directory
+        with:
+          cli_json_file: 'coverage_artifact/cli/coverage/coverage-summary.json'
+          core_json_file: 'coverage_artifact/core/coverage/coverage-summary.json'
+          cli_full_text_summary_file: 'coverage_artifact/cli/coverage/full-text-summary.txt'
+          core_full_text_summary_file: 'coverage_artifact/core/coverage/full-text-summary.txt'
+          node_version: '${{ matrix.node-version }}'
+          os: '${{ matrix.os }}'
+          github_token: '${{ secrets.GITHUB_TOKEN }}'
diff --git a/package.json b/package.json
@@ -31,6 +31,7 @@
     "build:sandbox": "node scripts/build_sandbox.js --skip-npm-install-build",
     "bundle": "npm run generate && node esbuild.config.js && node scripts/copy_bundle_assets.js",
     "test": "npm run test --workspaces --if-present",
+    "test:unit": "vitest run --exclude 'integration-tests/**'",
     "test:ci": "npm run test:ci --workspaces --if-present && npm run test:scripts",
     "test:scripts": "vitest run --config ./scripts/tests/vitest.config.ts",
     "test:e2e": "cross-env VERBOSE=true KEEP_OUTPUT=true npm run test:integration:sandbox:none",
