This guide provides best practices for using the Gemini CLI GitHub Action, with a focus on repository security and operational excellence.
A secure repository is the foundation for any reliable and safe automation. We strongly recommend implementing the following security measures.
Protecting your branches and tags is critical to preventing unauthorized changes. You can use repository rulesets to configure protection for your branches and tags.
We recommend the following at a minimum for your main branch:
- Require a pull request before merging
- Require a minimum number of approvals
- Dismiss stale approvals
- Require status checks to pass before merging
For more information, see the GitHub documentation on managing branch protections.
To prevent fraudulent or accidental approvals, you can restrict who can approve pull requests.
- CODEOWNERS: Use a CODEOWNERS file to define individuals or teams that are responsible for code in your repository.
- Code review limits: Limit code review approvals to specific users or teams.
For the most secure authentication to Google Cloud, we recommend using Workload Identity Federation. This keyless authentication method eliminates the need to manage long-lived service account keys.
For detailed instructions on how to set up Workload Identity Federation, please refer to our Authentication documentation.
Never hardcode secrets (e.g., API keys, tokens) in your workflows. Use GitHub Secrets to store sensitive information.
To ensure the stability and security of your workflows, pin the Gemini CLI action to a specific version.
uses: google-github-actions/run-gemini-cli@v0

When creating your own workflows, we recommend starting with the examples provided in this repository. These examples demonstrate how to use the run-gemini-cli action for various use cases, such as pull request reviews, issue triage, and more.
Ensure the new workflows you create follow the principle of least privilege. Only grant the permissions necessary to perform the required tasks.
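As an added illustration (not code from the run-gemini-cli project), here is a small Python checker for three of the practices above: a permissions block is present, every `uses:` reference is pinned, and credential-looking inputs come from GitHub Secrets rather than being typed in literally. It goes one step beyond the `@v0` example in the text by accepting only a full 40-character commit SHA as a pin, since a tag can be moved while a SHA cannot. The workflow it scans is constructed sample input, and the `gemini_api_key` input name is an assumption used for illustration.

```python
import re

# Constructed sample workflow (not taken from the page) with three weak spots:
# two actions pinned only to mutable tags and an API key typed in literally.
SAMPLE_WORKFLOW = """\
name: gemini-review
on: [pull_request]
permissions:
  contents: read
  pull-requests: write
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: google-github-actions/run-gemini-cli@v0
        with:
          gemini_api_key: AIzaSy-FAKE-KEY-FOR-ILLUSTRATION-ONLY
"""

FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s@]+)(?:@(\S+))?")
# Keys whose name suggests a credential; values should be ${{ secrets.* }} references.
SECRET_KEY_RE = re.compile(r"^\s*(\S*(?:key|token|secret|password)\S*):\s*(\S+)", re.I)


def check_workflow(text):
    """Return a list of findings for the best practices this page recommends."""
    findings = []
    lines = text.splitlines()
    if not any(re.match(r"^\s*permissions:", line) for line in lines):
        findings.append("no permissions block: the default GITHUB_TOKEN scope applies")
    for n, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if m:
            action, ref = m.groups()
            if ref is None:
                findings.append(f"line {n}: {action} is not pinned at all")
            elif not FULL_SHA_RE.match(ref):
                findings.append(f"line {n}: {action}@{ref} is a mutable tag, not a commit SHA")
            continue
        m = SECRET_KEY_RE.match(line)
        if m and not m.group(2).startswith("${{"):
            findings.append(f"line {n}: '{m.group(1)}' holds a literal value; use a GitHub Secret")
    return findings


if __name__ == "__main__":
    for finding in check_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

Running it against the sample reports the two tag-pinned actions and the literal API key; a workflow whose `uses:` lines carry full SHAs and whose inputs reference `${{ secrets.* }}` produces no findings.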
To gain deeper insights into the performance and behavior of Gemini CLI, you can enable OpenTelemetry to send traces, metrics, and logs to your Google Cloud project. This is highly recommended for production environments to monitor for unexpected behavior and performance issues.
For detailed instructions on how to set up and configure observability, please refer to our Observability documentation.