pull #11
Removed unnecessary instructions from README.
Chore/add readme trivy
Bumps [actions/checkout](https://github.com/actions/checkout) from 4 to 5.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](actions/checkout@v4...v5)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '5'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 5 to 6.
- [Release notes](https://github.com/docker/build-push-action/releases)
- [Commits](docker/build-push-action@v5...v6)

---
updated-dependencies:
- dependency-name: docker/build-push-action
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <[email protected]>
Update Readme.md
Bumps node from 22-alpine to 25-alpine.

---
updated-dependencies:
- dependency-name: node
  dependency-version: 25-alpine
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>
…ions/checkout-5 Bump actions/checkout from 4 to 5
…ker/build-push-action-6 Bump docker/build-push-action from 5 to 6
Pull Request Overview
This pull request transitions from a specific versioned dependency to using the latest version, updates the Node.js base image, adds comprehensive security documentation, and consolidates GitHub Actions workflows.
- Changes package dependency from a specific version to "latest"
- Updates Node.js base image from version 22 to version 25
- Adds security policy, usage instructions, and update documentation
- Consolidates multiple GitHub Actions workflows into a single unified workflow
Reviewed Changes
Copilot reviewed 11 out of 12 changed files in this pull request and generated 7 comments.
| File | Description |
|---|---|
| package.json | Updates @google/gemini-cli dependency from pinned version to "latest" |
| Dockerfile | Updates Node.js base image from version 22 to version 25 |
| README.md | Fixes typo, updates documentation to reflect new workflow names and enhanced security features |
| USAGE.md | Adds comprehensive usage instructions for running the containerized application |
| UPDATE-PACKAGE.md | Adds documentation for manual and automated package update processes |
| SECURITY.md | Adds formal security policy with vulnerability reporting guidelines |
| .github/workflows/build-and-scan.yml | Adds new consolidated workflow for building and scanning images |
| .github/workflows/docker-build-scan.yml | Removes old workflow file |
| .github/workflows/docker-build-scan-publish.yml | Removes old workflow file |
| .github/workflows/release.yml | Removes old release workflow file |
| .github/dependabot.yml | Adds Dependabot configuration for automated dependency management |
| # secure-gemini | ||
|
|
||
| This repository contains a minimal, security-conscious Docker image for running the Google Gemini CLI (`@google/gemini-cli`). The image is built on `node:22-alpine`, uses a non-root user, upgrades base packages, updates npm, and runs `npm audit` during the image build as a security gate. | ||
| This repository contains a minimal, security-harneded Docker image for running the Google Gemini CLI (`@google/gemini-cli`). The image is built on `node:22-alpine`, uses a non-root user, upgrades base packages, updates npm, and runs `npm audit` during the image build as a security gate. |
Copilot
AI
Nov 2, 2025
Corrected spelling of 'harneded' to 'hardened'.
| This repository contains a minimal, security-harneded Docker image for running the Google Gemini CLI (`@google/gemini-cli`). The image is built on `node:22-alpine`, uses a non-root user, upgrades base packages, updates npm, and runs `npm audit` during the image build as a security gate. | |
| This repository contains a minimal, security-hardened Docker image for running the Google Gemini CLI (`@google/gemini-cli`). The image is built on `node:22-alpine`, uses a non-root user, upgrades base packages, updates npm, and runs `npm audit` during the image build as a security gate. |
| # secure-gemini | ||
|
|
||
| This repository contains a minimal, security-conscious Docker image for running the Google Gemini CLI (`@google/gemini-cli`). The image is built on `node:22-alpine`, uses a non-root user, upgrades base packages, updates npm, and runs `npm audit` during the image build as a security gate. | ||
| This repository contains a minimal, security-harneded Docker image for running the Google Gemini CLI (`@google/gemini-cli`). The image is built on `node:22-alpine`, uses a non-root user, upgrades base packages, updates npm, and runs `npm audit` during the image build as a security gate. |
Copilot
AI
Nov 2, 2025
The README states the image is built on node:22-alpine, but the Dockerfile now uses node:25-alpine. These should be consistent. Update the README to match the actual Node.js version used in the Dockerfile (once the Dockerfile version is corrected).
| This project isn't just a `Dockerfile`; it's a complete, secure software lifecycle. | ||
|
|
||
| This repository contains a minimal, security-conscious Docker image for running the Google Gemini CLI (`@google/gemini-cli`). The image is built on `node:22-alpine`, uses a non-root user, upgrades base packages, updates npm, and runs `npm audit` during the image build as a security gate. | ||
| - ✅ **Hardened Base Image:** Built on `node:22-alpine` and patches OS packages (`apk upgrade`) during the build to mitigate known vulnerabilities. |
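Review bot: the "Hardened Base Image" bullet still names `node:22-alpine` while the commits in this PR move the Dockerfile to `node:25-alpine`; beyond matching the tag, 25 is an odd-numbered Node.js release line, which only receives Current support and never enters LTS, so a hardened image built on it has a shorter security-patch window than one on an even-numbered LTS tag. Suggest settling the Dockerfile on an even-numbered LTS tag first, then updating this bullet and the README intro above to that same tag.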
Copilot
AI
Nov 2, 2025
The README references node:22-alpine, but the Dockerfile now uses node:25-alpine. Update this reference to match the actual version used in the Dockerfile (once the Dockerfile version is corrected).
| # reviewers: | ||
| # - "kalvinparker" | ||
|
|
||
| # 2. Check for updates to the Docker base image (node:22-alpine) |
Copilot
AI
Nov 2, 2025
The comment references node:22-alpine, but the Dockerfile now uses node:25-alpine. Update this comment to reflect the actual base image version (once the Dockerfile version is corrected).
| # 2. Check for updates to the Docker base image (node:22-alpine) | |
| # 2. Check for updates to the Docker base image (node:25-alpine) |
| { | ||
| "dependencies": { | ||
| "@google/gemini-cli": "^0.8.2" | ||
| "@google/gemini-cli": "latest" |
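Review bot: replacing the bounded range `^0.8.2` with `latest` removes the last version constraint on `@google/gemini-cli`, so each image build resolves to whatever is newest on the registry at build time; the `npm audit` gate the README describes then runs against a different, unreviewed artifact on every build, and a broken or malicious release would be pulled into the image the moment it is published. Pin an exact version (or at least keep a caret range as the previous line did) and let the Dependabot configuration added in this PR propose bumps as reviewable pull requests.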
Copilot
AI
Nov 2, 2025
Using 'latest' for dependencies is not recommended in production as it can lead to unpredictable builds and potential breaking changes. Consider using a specific version with a caret (^) or tilde (~) range instead, such as ^0.9.0 or pinning to a specific version.
| "@google/gemini-cli": "latest" | |
| "@google/gemini-cli": "^0.9.0" |
|
|
||
| ```powershell | ||
| docker build -t secure-gemini-cli:latest . | ||
| docker build -t secure-gemini-cli:latest |
Copilot
AI
Nov 2, 2025
The docker build command is missing the build context argument. It should be docker build -t secure-gemini-cli:latest . (note the period at the end representing the current directory as the build context).
| docker build -t secure-gemini-cli:latest | |
| docker build -t secure-gemini-cli:latest . |
|
|
||
| | Version | Supported | | ||
| | ------- | ------------------ | | ||
| | `master` branch | :white_check_mark: | |
Copilot
AI
Nov 2, 2025
The table references master branch, but line 15 and other parts of the document refer to the main branch. This should be consistent. Use main instead of master to match the actual branch name.
| | `master` branch | :white_check_mark: | | |
| | `main` branch | :white_check_mark: | |