fix: implement authentication priority to prevent CLI hang

cocosheng-g · cocosheng-g · commit 011910824d6e · 2026-03-10T16:19:21.000-04:00
diff --git a/action.yml b/action.yml
@@ -134,7 +134,7 @@ runs:
         fi
 
         if [[ ${auth_methods} -gt 1 ]]; then
-          warn "Multiple authentication methods provided. Please use only one of 'gemini_api_key', 'google_api_key', or 'gcp_workload_identity_provider'."
+          echo "::notice title=Authentication priority::Multiple authentication methods provided. The action will prioritize them in the following order: 1. Workload Identity Federation, 2. Vertex AI API Key, 3. Gemini API Key. Conflicting environment variables will be unset for the CLI."
         fi
 
         # Validate Workload Identity Federation inputs
@@ -260,6 +260,20 @@ runs:
           echo "Error: Gemini CLI not found in PATH"
           exit 1
         fi
+
+        # Sanitize authentication environment variables to avoid conflicts when installing extensions.
+        if [[ -n "${GOOGLE_CLOUD_ACCESS_TOKEN:-}" ]]; then
+          unset GEMINI_API_KEY
+          unset GOOGLE_API_KEY
+        elif [[ "${GOOGLE_GENAI_USE_VERTEXAI:-false}" == "true" && -n "${GOOGLE_API_KEY:-}" ]]; then
+          unset GEMINI_API_KEY
+        elif [[ -n "${GEMINI_API_KEY:-}" ]]; then
+          export GOOGLE_GENAI_USE_VERTEXAI="false"
+          export GOOGLE_GENAI_USE_GCA="false"
+          unset GOOGLE_API_KEY
+          unset GOOGLE_CLOUD_ACCESS_TOKEN
+        fi
+
         if [[ -n "${EXTENSIONS}" ]]; then
           echo "Installing Gemini CLI extensions:"
           echo "${EXTENSIONS}" | jq -r '.[]' | while IFS= read -r extension; do
@@ -289,6 +303,26 @@ runs:
         # Keep track of whether we've failed
         FAILED=false
 
+        # Sanitize authentication environment variables to avoid conflicts.
+        # Priority:
+        # 1. Workload Identity Federation (use_vertex_ai or use_gemini_code_assist with access token)
+        # 2. Vertex AI API Key (use_vertex_ai with google_api_key)
+        # 3. Gemini API Key (gemini_api_key)
+        if [[ -n "${GOOGLE_CLOUD_ACCESS_TOKEN:-}" ]]; then
+          echo "Using Workload Identity Federation; unsetting conflicting API keys."
+          unset GEMINI_API_KEY
+          unset GOOGLE_API_KEY
+        elif [[ "${GOOGLE_GENAI_USE_VERTEXAI:-false}" == "true" && -n "${GOOGLE_API_KEY:-}" ]]; then
+          echo "Using Vertex AI API Key; unsetting conflicting Gemini API key."
+          unset GEMINI_API_KEY
+        elif [[ -n "${GEMINI_API_KEY:-}" ]]; then
+          echo "Using Gemini API Key; ensuring Vertex AI and Code Assist are disabled."
+          export GOOGLE_GENAI_USE_VERTEXAI="false"
+          export GOOGLE_GENAI_USE_GCA="false"
+          unset GOOGLE_API_KEY
+          unset GOOGLE_CLOUD_ACCESS_TOKEN
+        fi
+
         # Run Gemini CLI with the provided prompt, using JSON output format
         # We capture stdout (JSON) to TEMP_STDOUT and stderr to TEMP_STDERR
         if [[ "${GEMINI_DEBUG}" = true ]]; then
