From 8eb484a37f0eee5869d1dcda049784045426ffa5 Mon Sep 17 00:00:00 2001
From: Joey Perrott
Date: Mon, 10 Nov 2025 20:50:22 +0000
Subject: [PATCH] ci: set up a security reviewer action

Set up a security reviewer action which performs a security specific review against all changes made by the `angular-robot` account. This is being done as a pilot test, testing the value of the analysis done automatically by gemini.
---
 .github/workflows/gemini-review.yml | 113 ++++++++++++++++++++++++++++
 .gitignore | 7 +-
 2 files changed, 119 insertions(+), 1 deletion(-)
 create mode 100644 .github/workflows/gemini-review.yml

diff --git a/.github/workflows/gemini-review.yml b/.github/workflows/gemini-review.yml
new file mode 100644
index 000000000..ea7e87226
--- /dev/null
+++ b/.github/workflows/gemini-review.yml
@@ -0,0 +1,113 @@
+name: 'Security Review'
+
+on:
+ pull_request_target:
+ types: [opened, synchronize]
+
+concurrency:
+ group: '${{ github.workflow }}-review-${{ github.event.pull_request.number }}'
+ cancel-in-progress: true
+
+defaults:
+ run:
+ shell: 'bash'
+
+jobs:
+ review:
+ # 89942104 is the user id for the angular robot account.
+ if: |
+ (
+ github.event_name == 'pull_request' &&
+ github.event.pull_request.user.id == '89942104'
+ )
+ runs-on: 'ubuntu-latest'
+ timeout-minutes: 15
+ permissions:
+ contents: 'read'
+ id-token: 'write'
+ pull-requests: 'write'
+ steps:
+ - name: 'Acknowledge request'
+ env:
+ GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+ ISSUE_NUMBER: '${{ github.event.pull_request.number }}'
+ MESSAGE: |-
+ Beginning seecurity review for the pull request. Track the progres [in the logs](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) for more details.
+ REPOSITORY: '${{ github.repository }}'
+ run: |-
+ gh issue comment "${ISSUE_NUMBER}" \
+ --body "${MESSAGE}" \
+ --repo "${REPOSITORY}"
+
+ - name: 'Checkout repository'
+ uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+ - name: 'Run Gemini security analysis review'
+ uses: 'google-github-actions/run-gemini-cli@f7db4b6f82ad0c3725cf4c98bdd93af80e22b4dc' # v0.1.14
+ id: 'gemini_security_analysis'
+ env:
+ GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'
+ ISSUE_TITLE: '${{ github.event.pull_request.title }}'
+ ISSUE_BODY: '${{ github.event.pull_request.body }}'
+ PULL_REQUEST_NUMBER: '${{ github.event.pull_request.number }}'
+ REPOSITORY: '${{ github.repository }}'
+ with:
+ gcp_location: '${{ vars.GOOGLE_CLOUD_LOCATION }}'
+ gcp_project_id: '${{ vars.GOOGLE_CLOUD_PROJECT }}'
+ gcp_service_account: '${{ vars.SERVICE_ACCOUNT_EMAIL }}'
+ gcp_workload_identity_provider: '${{ vars.GCP_WIF_PROVIDER }}'
+ gemini_api_key: '${{ secrets.SECURITY_REVIEWER }}'
+ gemini_cli_version: '${{ vars.GEMINI_CLI_VERSION }}'
+ gemini_debug: '${{
fromJSON(vars.DEBUG || vars.ACTIONS_STEP_DEBUG || false) }}'
+ gemini_model: '${{ vars.GEMINI_MODEL }}'
+ google_api_key: '${{ secrets.GOOGLE_API_KEY }}'
+ use_gemini_code_assist: '${{ vars.GOOGLE_GENAI_USE_GCA }}'
+ use_vertex_ai: '${{ vars.GOOGLE_GENAI_USE_VERTEXAI }}'
+ upload_artifacts: '${{ vars.UPLOAD_ARTIFACTS }}'
+ extensions: |
+ [
+ "https://github.com/gemini-cli-extensions/security.git"
+ ]
+ settings: |-
+ {
+ "model": {
+ "maxSessionTurns": 100
+ },
+ "telemetry": {
+ "enabled": true,
+ "target": "local",
+ "outfile": ".gemini/telemetry.log"
+ },
+ "mcpServers": {
+ "github": {
+ "command": "docker",
+ "args": [
+ "run",
+ "-i",
+ "--rm",
+ "-e",
+ "GITHUB_PERSONAL_ACCESS_TOKEN",
+ "ghcr.io/github/github-mcp-server:v0.18.0"
+ ],
+ "includeTools": [
+ "add_comment_to_pending_review",
+ "create_pending_pull_request_review",
+ "pull_request_read",
+ "submit_pending_pull_request_review"
+ ],
+ "env": {
+ "GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_TOKEN}"
+ }
+ }
+ },
+ "tools": {
+ "core": [
+ "run_shell_command(cat)",
+ "run_shell_command(echo)",
+ "run_shell_command(grep)",
+ "run_shell_command(head)",
+ "run_shell_command(tail)"
+ ]
+ }
+ }
+ prompt: '/security:analyze-github-pr'
diff --git a/.gitignore b/.gitignore
index 9a9d06ad2..490f9da0d 100644
--- a/.gitignore
+++ b/.gitignore
@@ -54,4 +54,9 @@ test-results/* apps/*-debug.log # Ignore generated package archives
-angular-*.tgz
\ No newline at end of file
+angular-*.tgz
+
+# gemini-cli settings
+.gemini/
+# GitHub App credentials
+gha-creds-*.json
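Review bot: The `if:` guard on the `review` job tests `github.event_name == 'pull_request'`, but the workflow's only trigger is `pull_request_target`, whose event name is `pull_request_target`, so as written the job is skipped on every run and the author-id gate is never exercised; change the clause to `github.event_name == 'pull_request_target' &&`. That gate is the only thing keeping untrusted PRs out of a run that carries secrets (`SECURITY_REVIEWER`, `GOOGLE_API_KEY`, the WIF identity) plus `pull-requests: write` and `id-token: write`, and even for robot-authored PRs the title and body reach the model as untrusted text while the GitHub MCP server exposes review-posting tools, so comments the bot produces should be treated as prompt-injectable rather than authoritative. The `ghcr.io/github/github-mcp-server:v0.18.0` image is pinned by a mutable tag while both `uses:` actions are pinned by commit SHA; pin it by digest (`ghcr.io/github/github-mcp-server@sha256:…`) to close that supply-chain gap. The user-facing `MESSAGE` also carries two typos that will appear on every PR: `Beginning security review for the pull request. Track the progress [in the logs](...)`.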