
t4943: Add mktemp and trap guidance to secret-as-argument fallback#4951

Merged
alex-solovyev merged 1 commit into main from chore/t4943-mktemp-trap-guidance
Mar 15, 2026

Conversation

@alex-solovyev (Collaborator)

Summary

Changes

Single prose edit to .agents/prompts/build.txt line 267:

  • Before: "write the secret to a temporary file (mode 0600)... and delete the file immediately after"
  • After: "write the secret to a temporary file (e.g., using mktemp, with mode 0600)... and ensure the file is deleted immediately after (e.g., using a trap command for cleanup on exit or error)"

Closes #4943

…lback

Addresses review feedback from PR #4941 (Gemini Code Assist) by making
the temporary file pattern more specific: recommend mktemp for file
creation and trap for guaranteed cleanup on exit or error.

Closes #4943
@coderabbitai (Contributor)

coderabbitai bot commented Mar 15, 2026

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)
  • no-review

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 6cb1a0d6-8b6b-4179-9ed5-ff449cf5a307

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@github-actions github-actions bot added the enhancement Auto-created from TODO.md tag label Mar 15, 2026
@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request improves the security guidelines for handling sensitive information within the system. It provides more explicit instructions on how to safely manage secrets when they must be passed via temporary files, ensuring proper creation and immediate deletion to mitigate potential exposure risks.

Highlights

  • Enhanced Secret Handling Guidance: Explicit mktemp and trap guidance was added to the secret-as-argument fallback pattern, making the temporary file usage more specific and secure.
  • Addressed Review Feedback: This change addresses previously unactioned review feedback from PR #4941 (t4939: Add env-var-not-argument pattern to secret handling rules), specifically a medium severity concern from Gemini Code Assist.
Changelog
  • .agents/prompts/build.txt
    • Updated guidance for temporary file usage when handling secrets, adding explicit recommendations for mktemp and trap commands.

@github-actions (Contributor)

🔍 Code Quality Report

[MONITOR] Code Review Monitoring Report

[INFO] Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 362 code smells

[INFO] Recent monitoring activity:
Sun Mar 15 18:43:55 UTC 2026: Code review monitoring started
Sun Mar 15 18:43:56 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 362

📈 Current Quality Metrics

  • BUGS: 0
  • CODE SMELLS: 362
  • VULNERABILITIES: 0

Generated on: Sun Mar 15 18:43:58 UTC 2026

Generated by AI DevOps Framework Code Review Monitoring

@sonarqubecloud

@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request improves security guidance by recommending mktemp and trap for handling secrets in temporary files. The change is beneficial. I've suggested a minor clarification to the guidance on setting file permissions and using trap to ensure the recommended pattern is portable and accurately described.

- SAFE: `SSH_AUTH_SOCK=... ssh ...` — env-based auth, no secret in argv
- The subprocess must read the value from its environment (`getenv()` in C/PHP, `process.env` in Node, `os.environ` in Python, `ENV[]` in Ruby), not from `$1`/`argv`.
- When the target program only accepts secrets as arguments (no env var support), write the secret to a temporary file (mode 0600), pass the file path as the argument, and delete the file immediately after. This is a last resort — prefer programs that support env var or stdin input.
- When the target program only accepts secrets as arguments (no env var support), write the secret to a temporary file (e.g., using `mktemp`, with mode 0600), pass the file path as the argument, and ensure the file is deleted immediately after (e.g., using a `trap` command for cleanup on exit or error). This is a last resort — prefer programs that support env var or stdin input.
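Review bot: the replacement line still says "with mode 0600" without saying how that mode gets set, and `mktemp`'s mode-setting options differ between implementations; the portable form is to create the file with `mktemp` and then run `chmod 0600` on it (or set `umask 077` before calling `mktemp`, so the file is never readable by others even for an instant). The trap clause should also name what it traps: `trap 'rm -f "$f"' EXIT` is what guarantees removal on normal completion, on an error under `set -e`, and when the shell is terminated by a signal it can handle (not SIGKILL), so "ensure the file is deleted immediately after" undersells what the trap is for. Suggested wording for the bullet: "write the secret to a temporary file (e.g., using `mktemp` to create it and `chmod 0600` to set permissions) ... and ensure robust cleanup on script exit (e.g., using a `trap` command on the `EXIT` signal)".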


medium

This guidance can be made more precise for better security and portability.

  • Explicitly mentioning chmod 0600 is more portable than relying on mktemp's mode-setting options, which differ between systems.
  • Clarifying that trap ensures cleanup on script exit (e.g., with the EXIT signal) is more accurate than 'immediately after', as trap's primary benefit is robustness against unexpected termination.
  - When the target program only accepts secrets as arguments (no env var support), write the secret to a temporary file (e.g., using `mktemp` to create it and `chmod 0600` to set permissions), pass the file path as the argument, and ensure robust cleanup on script exit (e.g., using a `trap` command on the `EXIT` signal). This is a last resort — prefer programs that support env var or stdin input.
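The fallback pattern that both the PR description and the review wording describe, written out as a runnable POSIX sh example. This is an added illustration, not code from the repository or from build.txt. It assumes a hypothetical target program, stood in for here by `consume_secret_file`, that only accepts its secret as a file-path argument; a second stand-in, `failing_consumer`, shows that the `trap` on `EXIT` removes the file on the error path as well.

```shell
#!/bin/sh
# Added example (not the repository's own code): the secret-as-argument
# fallback from build.txt, done the portable way: mktemp + chmod 0600 + trap EXIT.

# Hypothetical target program (assumed): it only accepts a secret via a
# file-path argument. Here it just reports the byte length of that file.
consume_secret_file() {
    wc -c < "$1" | tr -d ' '
}

# Hypothetical consumer that fails, to show cleanup still runs on the error path.
failing_consumer() {
    return 3
}

# run_with_secret_file SECRET CONSUMER
#   Writes SECRET to a fresh temp file and calls CONSUMER with the file path as
#   its only argument. The secret value never appears in argv (and so never in
#   the process list), and the file is removed however the call ends.
run_with_secret_file() {
    secret="$1"
    consumer="$2"
    # A subshell scopes the trap and the temp file's lifetime to this one call.
    (
        umask 077                          # nothing created below is group/world readable
        tmp=$(mktemp) || exit 1            # unpredictable path under $TMPDIR; fail closed
        trap 'rm -f "$tmp"' EXIT           # runs on normal exit, on error, on exit via signal
        chmod 0600 "$tmp"                  # explicit and portable; mktemp mode flags differ
        printf '%s' "$secret" > "$tmp"     # the value goes into the file, not into argv
        "$consumer" "$tmp"                 # only the *path* is passed as an argument
        status=$?
        exit "$status"                     # EXIT trap fires here; consumer's status is kept
    )
}

# is_dir_empty DIR -- true when DIR has no entries; used to confirm cleanup.
is_dir_empty() {
    [ -z "$(ls -A "$1")" ]
}
```

Pointing `TMPDIR` at a fresh directory before a call and checking it is empty afterwards is a cheap way to verify, in a test, that no secret-bearing file survives either the success or the failure path.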

@alex-solovyev alex-solovyev merged commit 874c302 into main Mar 15, 2026
24 checks passed
@alex-solovyev alex-solovyev deleted the chore/t4943-mktemp-trap-guidance branch March 15, 2026 18:47
@marcusquinn (Owner)

Dispatching worker to address review suggestions.

  • Model: sonnet (anthropic/claude-sonnet-4-6)
  • Branch: fix/t4943-review-suggestions
  • Scope: Apply Gemini suggestion: explicit chmod 0600 + trap EXIT signal clarification in build.txt
  • Attempt: 1 of 1
  • Direction: Apply the suggested text verbatim from the bot comment

@marcusquinn (Owner)

Opened follow-up PR #4952 on fix/t4943-review-suggestions to apply the post-merge Gemini wording update (portable chmod 0600 guidance + explicit trap on EXIT).


Labels

enhancement Auto-created from TODO.md tag needs-review-fixes


Development

Successfully merging this pull request may close these issues.

quality-debt: .agents/prompts/build.txt — PR #4941 review feedback (medium)
