Updates

Author: PDowney

.github/workflows/ai-pr-comment.yml

@@ -25,12 +25,15 @@ jobs:
     steps:
       - name: Download analysis artifacts
         uses: actions/github-script@v7
+        env:
+          WORKFLOW_RUN_ID: ${{ github.event.workflow_run.id }}
         with:
           script: |
+            const runId = process.env.WORKFLOW_RUN_ID;
             const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
               owner: context.repo.owner,
               repo: context.repo.repo,
-              run_id: ${{ github.event.workflow_run.id }},
+              run_id: runId,
             });
             
             const matchArtifact = artifacts.data.artifacts.find((artifact) => {
@@ -50,7 +53,7 @@ jobs:
             });
             
             const fs = require('fs');
-            fs.writeFileSync('${{ github.workspace }}/pr-analysis.zip', Buffer.from(download.data));
+            fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/pr-analysis.zip`, Buffer.from(download.data));
 
       - name: Extract and validate artifacts
         id: extract-data
@@ -80,11 +83,17 @@ jobs:
 
       - name: Post AI review comment
         uses: actions/github-script@v7
+        env:
+          PR_NUMBER: ${{ steps.extract-data.outputs.pr-number }}
+          HEAD_SHA: ${{ steps.extract-data.outputs.head-sha }}
+          AUTHOR: ${{ steps.extract-data.outputs.author }}
+          WORKFLOW_URL: ${{ github.event.workflow_run.html_url }}
         with:
           script: |
-            const prNumber = ${{ steps.extract-data.outputs.pr-number }};
-            const headSha = "${{ steps.extract-data.outputs.head-sha }}";
-            const author = "${{ steps.extract-data.outputs.author }}";
+            const prNumber = process.env.PR_NUMBER;
+            const headSha = process.env.HEAD_SHA;
+            const author = process.env.AUTHOR;
+            const workflowUrl = process.env.WORKFLOW_URL;
             
             // Validate inputs
             if (!prNumber || !headSha) {
@@ -132,7 +141,7 @@ jobs:
             
             > 🔄 **Note:** This analysis was performed securely without executing untrusted code
             
-            **Analysis Workflow:** [View Details](${{ github.event.workflow_run.html_url }})
+            **Analysis Workflow:** [View Details](${workflowUrl})
             `;
             
             await github.rest.issues.createComment({
@@ -153,13 +162,16 @@ jobs:
       - name: Download failure artifacts (if any)
         uses: actions/github-script@v7
         continue-on-error: true
+        env:
+          WORKFLOW_RUN_ID: ${{ github.event.workflow_run.id }}
         with:
           script: |
             try {
+              const runId = process.env.WORKFLOW_RUN_ID;
               const artifacts = await github.rest.actions.listWorkflowRunArtifacts({
                 owner: context.repo.owner,
                 repo: context.repo.repo,
-                run_id: ${{ github.event.workflow_run.id }},
+                run_id: runId,
               });
               
               const matchArtifact = artifacts.data.artifacts.find((artifact) => {
@@ -196,9 +208,13 @@ jobs:
 
       - name: Create failure issue
         uses: actions/github-script@v7
+        env:
+          PR_NUMBER: ${{ steps.extract-pr.outputs.pr-number }}
+          WORKFLOW_HTML_URL: ${{ github.event.workflow_run.html_url }}
         with:
           script: |
-            const prNumber = "${{ steps.extract-pr.outputs.pr-number }}";
+            const prNumber = process.env.PR_NUMBER;
+            const workflowUrl = process.env.WORKFLOW_HTML_URL;
             
             const title = `🚨 AI Analysis Failed${prNumber ? ` for PR #${prNumber}` : ''}`;
             const body = `
@@ -207,7 +223,7 @@ jobs:
             The automated AI code analysis workflow has failed and requires attention.
             
             ${prNumber ? `**Pull Request:** #${prNumber}` : '**Pull Request:** Unable to determine'}
-            **Workflow Run:** ${{ github.event.workflow_run.html_url }}
+            **Workflow Run:** ${workflowUrl}
             **Failure Time:** ${new Date().toISOString()}
             
             ### Possible Causes

.github/workflows/gemini-security-scan.yml

@@ -45,47 +45,8 @@ jobs:
       - name: Run Gemini Security Analysis
         if: steps.changed-files.outputs.any_changed == 'true'
         uses: google-github-actions/run-gemini-cli@v0.1.10
-        with:
-          prompt: |
-            You are a WordPress security expert with deep knowledge of plugin vulnerabilities.
-            
-            SECURITY SCAN INSTRUCTIONS:
-            Analyze the following code changes for security vulnerabilities. Focus on:
-            
-            🔴 CRITICAL SECURITY ISSUES:
-            - SQL Injection: Check for unsanitized database queries, missing prepared statements
-            - Cross-Site Scripting (XSS): Look for unescaped output, missing esc_html/esc_attr
-            - Cross-Site Request Forgery (CSRF): Verify nonce usage in forms and AJAX
-            - Authentication Bypass: Check user capability validation
-            - File Upload Vulnerabilities: Verify file type and size validation
-            - Directory Traversal: Look for path manipulation vulnerabilities
-            - Code Injection: Check for eval(), exec(), system() usage
-            
-            🟡 WORDPRESS-SPECIFIC SECURITY:
-            - Proper use of WordPress sanitization functions
-            - Correct capability checks (current_user_can)
-            - WordPress nonce verification
-            - Proper use of wpdb prepared statements
-            - Validation of user input and file uploads
-            - Secure handling of options and meta data
-            
-            🟢 BEST PRACTICES:
-            - Input validation and sanitization
-            - Output escaping and encoding
-            - Secure API endpoint implementation
-            - Proper error handling without information disclosure
-            
-            For each issue found:
-            1. Specify the exact file and line number
-            2. Explain the vulnerability type and risk level
-            3. Provide secure code recommendations
-            4. Reference WordPress Codex security guidelines
-            
-            If no vulnerabilities are found, confirm the code follows WordPress security standards.
-            
-            FILES TO ANALYZE:
-            ${{ steps.changed-files.outputs.all_changed_files }}
         env:
+          CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
           GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
 
       - name: Create Security Issue on Critical Findings

.github/workflows/wordpress-standards-check.yml

@@ -107,16 +107,20 @@ jobs:
             - Developer experience
             
             FILES TO ANALYZE:
-            ${{ steps.changed-files.outputs.all_changed_files }}
+            $CHANGED_FILES
         env:
+          CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
           GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
 
       - name: Comment on PR with Findings
         if: github.event_name == 'pull_request'
         uses: actions/github-script@v7
+        env:
+          FILES_COUNT: ${{ steps.changed-files.outputs.all_changed_files_count }}
         with:
           script: |
             const fs = require('fs');
+            const filesCount = process.env.FILES_COUNT;
             
             // This would be the output from Gemini CLI
             const comment = `
@@ -125,7 +129,7 @@ jobs:
             Thank you for your contribution! I've analyzed your code changes for WordPress best practices and coding standards.
             
             ### 📊 Analysis Summary
-            - **Files Analyzed:** ${{ steps.changed-files.outputs.all_changed_files_count }}
+            - **Files Analyzed:** ${filesCount}
             - **WordPress Version:** 6.5+ compatible
             - **PHP Version:** 7.4+ compatible