
t4943: apply Gemini review wording to secret temp-file guidance#4952

Closed
marcusquinn wants to merge 2 commits into main from fix/t4943-review-suggestions

Conversation

@marcusquinn
Owner

Summary

  • Apply Gemini Code Assist wording feedback in .agents/prompts/build.txt for the secret-as-argument fallback guidance.
  • Explicitly document portable file permission hardening with chmod 0600 after mktemp creation.
  • Clarify cleanup semantics by referencing a trap on the EXIT signal for robust script-exit cleanup.

Context

Closes #4943

alex-solovyev and others added 2 commits March 15, 2026 19:43
…lback

Addresses review feedback from PR #4941 (Gemini Code Assist) by making
the temporary file pattern more specific: recommend mktemp for file
creation and trap for guaranteed cleanup on exit or error.

Closes #4943
@coderabbitai
Contributor

coderabbitai bot commented Mar 15, 2026

Warning

Rate limit exceeded

@marcusquinn has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 3 minutes and 5 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 820701e7-e692-4be1-acc5-078ff2bf06df

📥 Commits

Reviewing files that changed from the base of the PR and between 874c302 and bf25812.

📒 Files selected for processing (1)
  • .agents/prompts/build.txt

@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request refines the guidance for handling secrets that must be passed through temporary files. It incorporates feedback to enhance the clarity and security instructions, specifically detailing how to create temporary files securely and ensure their robust cleanup.

Highlights

  • Gemini Code Assist Feedback: Applied wording feedback from Gemini Code Assist to the secret-as-argument fallback guidance in .agents/prompts/build.txt.
  • File Permissions: Documented explicit portable file permission hardening using chmod 0600 after mktemp creation for temporary secret files.
  • Cleanup Semantics: Clarified cleanup semantics by referencing the use of a trap command on the EXIT signal for robust script-exit cleanup of temporary secret files.
Changelog
  • .agents/prompts/build.txt
    • Updated the guidance for handling secrets in temporary files to include mktemp and chmod 0600 for creation and trap for robust cleanup.


@gemini-code-assist gemini-code-assist bot left a comment


Code Review

This pull request updates the guidance for handling secrets in temporary files. The change improves the previous advice by suggesting mktemp and trap for cleanup. However, the proposed mktemp and chmod sequence has a minor race condition vulnerability. My review includes a suggestion to use umask to create the temporary file with secure permissions from the start, which is a more robust approach.

- SAFE: `SSH_AUTH_SOCK=... ssh ...` — env-based auth, no secret in argv
- The subprocess must read the value from its environment (`getenv()` in C/PHP, `process.env` in Node, `os.environ` in Python, `ENV[]` in Ruby), not from `$1`/`argv`.
- When the target program only accepts secrets as arguments (no env var support), write the secret to a temporary file (mode 0600), pass the file path as the argument, and delete the file immediately after. This is a last resort — prefer programs that support env var or stdin input.
- When the target program only accepts secrets as arguments (no env var support), write the secret to a temporary file (e.g., using `mktemp` to create it and `chmod 0600` to set permissions), pass the file path as the argument, and ensure robust cleanup on script exit (e.g., using a `trap` command on the `EXIT` signal). This is a last resort — prefer programs that support env var or stdin input.
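Review bot: the new line drops "delete the file immediately after" in favour of cleanup on script exit, which lengthens the time the secret sits on disk from the consumer's run to the rest of the script; keep an explicit `rm -f` right after the consumer returns and present the `trap ... EXIT` as the backstop for the error path rather than the primary cleanup. Two smaller wording points: EXIT is a shell pseudo-signal rather than a signal, and a trap on it does not run when the shell is killed with SIGKILL, so the text should not promise cleanup in every case; and `mktemp` (GNU coreutils and the BSDs, via mkstemp(3)) already creates the file with mode 0600, so `chmod 0600` afterwards is a guard against non-conforming implementations, not the step that makes the file private, which is worth stating so readers do not assume a window in which the file is world-readable.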


medium

The guidance to use mktemp and chmod is a good step towards security, but it introduces a brief time window between file creation and permission modification. During this window, the file exists with default permissions, creating a potential race condition. A more secure pattern is to set the umask to 077 before calling mktemp. This ensures the file is created with 0600 permissions atomically, eliminating the race condition. Using a subshell like (umask 077 && mktemp) can scope the umask change to just that command.

  - When the target program only accepts secrets as arguments (no env var support), write the secret to a temporary file ensuring `0600` permissions at creation (e.g., by setting `umask 077` before calling `mktemp`), pass the file path as the argument, and ensure robust cleanup on script exit (e.g., using a `trap` command on the `EXIT` signal). This is a last resort — prefer programs that support env var or stdin input.
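An added example, not the PR's build.txt text or the project's code, showing the fallback the review converges on: the file is created 0600 via a subshell-scoped `umask 077` before `mktemp`, only its path reaches argv, and a `trap` on EXIT removes it. The names `make_secret_file`, `perm_of`, `consumer` and `with_secret_file` are assumptions, and `consumer` is a constructed stand-in for a program that only accepts the secret's path as an argument.

```sh
#!/bin/sh
# Added example, not the PR's build.txt text: the secret-as-argument fallback
# the review converges on, with 0600 set at creation and trap-based cleanup.
# Assumes a POSIX shell with mktemp and stat; `consumer` is a constructed
# stand-in for a program that only accepts the secret's path via argv.
set -eu

# Creates the secret file with mode 0600 at creation. The umask change runs
# inside the $(...) subshell, so the caller's umask is left untouched.
make_secret_file() {
  secret_path=$(umask 077 && mktemp "${TMPDIR:-/tmp}/secret.XXXXXX")
  printf '%s' "$1" > "$secret_path"
  printf '%s\n' "$secret_path"
}

# Octal permission bits of a file (GNU stat, falling back to BSD stat).
perm_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Stand-in consumer: gets only the path in argv and reads the secret itself,
# so the secret never shows up in process listings. Prints the byte count.
consumer() {
  wc -c < "$1" | tr -d ' '
}

# Runs the consumer against a fresh secret file and removes it on EXIT. The
# body is a subshell so the trap fires when this function returns rather than
# when the whole script ends. EXIT covers normal return, set -e failures,
# SIGINT and SIGTERM, but not SIGKILL, so the 0600 mode still matters.
# Prints three lines: path (so cleanup can be verified), mode, consumer result.
with_secret_file() {
  (
    path=$(make_secret_file "$1")
    trap 'rm -f "$path"' EXIT
    printf '%s\n' "$path"
    perm_of "$path"
    consumer "$path"
  )
}
```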

@marcusquinn
Owner Author

Closing as superseded. PR #4951 already merged the mktemp/trap guidance to build.txt. The core improvement (mktemp + trap for cleanup) is now in main. The additional wording refinements (explicit chmod 0600, EXIT signal) are minor and can be addressed in a follow-up if needed.

@marcusquinn marcusquinn deleted the fix/t4943-review-suggestions branch March 15, 2026 22:19
@marcusquinn marcusquinn added the already-fixed Already fixed by another change label Mar 16, 2026
Development

Successfully merging this pull request may close these issues.

quality-debt: .agents/prompts/build.txt — PR #4941 review feedback (medium)