Preemptive toolset auth triggers OAuth redirect on every agent invocation #437
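name: '🔀 Gemini Dispatch'

# Entry point for the @gemini-cli bot. Every trigger below fires on a
# user-authored comment or review body; the workflow never runs on a
# bare pull_request/push event.
on:
  pull_request_review_comment:
    types:
      - 'created'
  pull_request_review:
    types:
      - 'submitted'
  issue_comment:
    types:
      - 'created'

defaults:
  run:
    shell: 'bash'

jobs:
  # Opt-in diagnostics only: enabled through the GEMINI_DEBUG or
  # ACTIONS_STEP_DEBUG repository variable. Dumps the full event payload
  # (including comment bodies) into the run log.
  debugger:
    if: |-
      ${{ fromJSON(vars.GEMINI_DEBUG || vars.ACTIONS_STEP_DEBUG || false) }}
    runs-on: 'ubuntu-latest'
    permissions:
      contents: 'read'
    steps:
      - name: 'Print context for debugging'
        env:
          DEBUG_event_name: '${{ github.event_name }}'
          DEBUG_event__action: '${{ github.event.action }}'
          DEBUG_event__comment__author_association: '${{ github.event.comment.author_association }}'
          DEBUG_event__issue__author_association: '${{ github.event.issue.author_association }}'
          DEBUG_event__pull_request__author_association: '${{ github.event.pull_request.author_association }}'
          DEBUG_event__review__author_association: '${{ github.event.review.author_association }}'
          DEBUG_event: '${{ toJSON(github.event) }}'
        run: |-
          env | grep '^DEBUG_'

  dispatch:
    # Only trigger if user types @gemini-cli and author association is OWNER, MEMBER, or COLLABORATOR
    #
    # This condition is the trust boundary for the whole workflow: this job
    # holds issues/pull-requests write permissions and the downstream
    # reusable workflows receive `secrets: inherit`, so nothing past this
    # point may run for an arbitrary commenter.
    #   - sender.type == 'User' excludes bot accounts, which also keeps this
    #     workflow's own reply comments from re-entering the dispatcher.
    #   - startsWith() requires the mention at the very start of the body;
    #     note it also accepts longer prefixes such as '@gemini-cli-foo'.
    #   - contains() over a fromJSON array is an exact-match membership
    #     test, not a substring test.
    if: |-
      github.event.sender.type == 'User' &&
      startsWith(github.event.comment.body || github.event.review.body, '@gemini-cli') &&
      contains(fromJSON('["OWNER", "MEMBER", "COLLABORATOR"]'), github.event.comment.author_association || github.event.review.author_association)
    runs-on: 'ubuntu-latest'
    permissions:
      contents: 'read'
      issues: 'write'
      pull-requests: 'write'
    outputs:
      # 'review' | 'invoke' | 'fallthrough'; consumed by the jobs below.
      command: '${{ steps.extract_command.outputs.command }}'
      request: '${{ steps.extract_command.outputs.request }}'
      additional_context: '${{ steps.extract_command.outputs.additional_context }}'
      issue_number: '${{ github.event.pull_request.number || github.event.issue.number }}'
    steps:
      # Optional GitHub App identity; when APP_ID is unset the steps below
      # fall back to the workflow's own GITHUB_TOKEN.
      - name: 'Mint identity token'
        id: 'mint_identity_token'
        if: |-
          ${{ vars.APP_ID }}
        uses: 'actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf' # ratchet:actions/create-github-app-token@v2
        with:
          app-id: '${{ vars.APP_ID }}'
          private-key: '${{ secrets.APP_PRIVATE_KEY }}'
          permission-contents: 'read'
          permission-issues: 'write'
          permission-pull-requests: 'write'

      - name: 'Extract command'
        id: 'extract_command'
        uses: 'actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd' # ratchet:actions/github-script@v8.0.0
        # The comment text is handed to the script through env, not
        # interpolated into `script:` with ${{ }}, so user-controlled text
        # is data rather than part of the script source.
        env:
          REQUEST: '${{ github.event.comment.body || github.event.review.body }}'
          IS_PR: '${{ !!(github.event.pull_request || github.event.issue.pull_request) }}'
        with:
          script: |
            // Route the request to one of: 'review', 'invoke', 'fallthrough'.
            // Outputs: command, request, additional_context.
            const request = process.env.REQUEST;
            const isPr = process.env.IS_PR === 'true';
            core.setOutput('request', request);

            // Ensure request is on a PR targeting the main branch
            let baseRef = '';
            if (context.eventName === 'pull_request_review' || context.eventName === 'pull_request_review_comment') {
              // Review events carry the PR object in the payload.
              baseRef = context.payload.pull_request.base.ref;
            } else if (context.eventName === 'issue_comment' && context.payload.issue.pull_request) {
              // issue_comment on a PR carries only an issue object; look the PR up.
              // A failed lookup throws, fails this job and lands in `fallthrough`.
              const pr = await github.rest.pulls.get({
                owner: context.repo.owner,
                repo: context.repo.repo,
                pull_number: context.payload.issue.number
              });
              baseRef = pr.data.base.ref;
            }
            if (isPr && baseRef !== 'main') {
              console.log(`Skipping: PR targets '${baseRef}', but only 'main' is allowed.`);
              core.setOutput('command', 'fallthrough');
              return;
            }

            if (request.startsWith("@gemini-cli /review")) {
              // Review is only meaningful on a pull request.
              if (isPr) {
                core.setOutput('command', 'review');
                const additionalContext = request.replace(/^@gemini-cli \/review/, '').trim();
                core.setOutput('additional_context', additionalContext);
              } else {
                core.setOutput('command', 'fallthrough');
              }
            } else if (request.startsWith("@gemini-cli")) {
              // Anything else after the mention is forwarded verbatim to the invoke workflow.
              const additionalContext = request.replace(/^@gemini-cli/, '').trim();
              core.setOutput('command', 'invoke');
              core.setOutput('additional_context', additionalContext);
            } else {
              core.setOutput('command', 'fallthrough');
            }

      # Only acknowledge requests that will actually be processed; a
      # 'fallthrough' result is answered by the `fallthrough` job instead,
      # so the requester does not get a "working on it" followed by a
      # "unable to process" comment for the same request.
      - name: 'Acknowledge request'
        if: |-
          ${{ steps.extract_command.outputs.command != 'fallthrough' }}
        env:
          GITHUB_TOKEN: '${{ steps.mint_identity_token.outputs.token || secrets.GITHUB_TOKEN || github.token }}'
          ISSUE_NUMBER: '${{ github.event.pull_request.number || github.event.issue.number }}'
          # Built as an env value and passed quoted to gh; it is never
          # evaluated by the shell.
          MESSAGE: |-
            🤖 Hi @${{ github.actor }}, I've received your request, and I'm working on it now! You can track my progress [in the logs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for more details.
          REPOSITORY: '${{ github.repository }}'
        run: |-
          gh issue comment "${ISSUE_NUMBER}" \
            --body "${MESSAGE}" \
            --repo "${REPOSITORY}"

  # `secrets: inherit` forwards every repository secret to the reusable
  # workflow; this is acceptable only because `dispatch` already gated on
  # author association.
  review:
    needs: 'dispatch'
    if: |-
      ${{ needs.dispatch.outputs.command == 'review' }}
    uses: './.github/workflows/gemini-review.yml'
    permissions:
      contents: 'read'
      id-token: 'write'
      issues: 'write'
      pull-requests: 'write'
    with:
      additional_context: '${{ needs.dispatch.outputs.additional_context }}'
    secrets: 'inherit'

  invoke:
    needs: 'dispatch'
    if: |-
      ${{ needs.dispatch.outputs.command == 'invoke' }}
    uses: './.github/workflows/gemini-invoke.yml'
    permissions:
      contents: 'read'
      id-token: 'write'
      issues: 'write'
      pull-requests: 'write'
    with:
      additional_context: '${{ needs.dispatch.outputs.additional_context }}'
    secrets: 'inherit'

  # Runs when dispatch explicitly declined the request ('fallthrough') or
  # when any upstream job failed. When dispatch itself was skipped by its
  # `if` (untrusted commenter), failure() is false and the command output
  # is empty, so nothing is posted.
  fallthrough:
    needs:
      - 'dispatch'
      - 'review'
      - 'invoke'
    if: |-
      ${{ always() && !cancelled() && (failure() || needs.dispatch.outputs.command == 'fallthrough') }}
    runs-on: 'ubuntu-latest'
    permissions:
      contents: 'read'
      issues: 'write'
      pull-requests: 'write'
    steps:
      - name: 'Mint identity token'
        id: 'mint_identity_token'
        if: |-
          ${{ vars.APP_ID }}
        uses: 'actions/create-github-app-token@29824e69f54612133e76f7eaac726eef6c875baf' # ratchet:actions/create-github-app-token@v2
        with:
          app-id: '${{ vars.APP_ID }}'
          private-key: '${{ secrets.APP_PRIVATE_KEY }}'
          permission-contents: 'read'
          permission-issues: 'write'
          permission-pull-requests: 'write'

      - name: 'Send failure comment'
        env:
          GITHUB_TOKEN: '${{ steps.mint_identity_token.outputs.token || secrets.GITHUB_TOKEN || github.token }}'
          ISSUE_NUMBER: '${{ github.event.pull_request.number || github.event.issue.number }}'
          MESSAGE: |-
            🤖 I'm sorry @${{ github.actor }}, but I was unable to process your request. Please [see the logs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for more details.
          REPOSITORY: '${{ github.repository }}'
        run: |-
          gh issue comment "${ISSUE_NUMBER}" \
            --body "${MESSAGE}" \
            --repo "${REPOSITORY}"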