fix(setup): Gracefully handle internal-only Cloud (#447)

Code API enablement Modify `setup_workload_identity.sh` to prevent
script failure when enabling the internal-only
`cloudcode-pa.googleapis.com` API. The API enablement command now
includes `|| true`, allowing the script to continue for public users
without permissions for this service.

<!--
Thank you for proposing a pull request! Please note that SOME TESTS WILL
LIKELY FAIL due to how GitHub exposes secrets in Pull Requests from
forks.
Someone from the team will review your Pull Request and respond.

Please describe your change and any implementation details below.
-->

---------

Signed-off-by: Spencer  <spencer.tang12@gmail.com>
Co-authored-by: gemini-cli[bot] <218312386+gemini-cli[bot]@users.noreply.github.com>

Author: spencer426

scripts/setup_workload_identity.sh

@@ -211,7 +211,6 @@ print_header "Step 1: Enabling required Google Cloud APIs"
 required_apis=(
     "aiplatform.googleapis.com"
     "cloudaicompanion.googleapis.com"
-    "cloudcode-pa.googleapis.com"
     "cloudresourcemanager.googleapis.com"
     "cloudtrace.googleapis.com"
     "iam.googleapis.com"
@@ -220,8 +219,11 @@ required_apis=(
     "monitoring.googleapis.com"
     "sts.googleapis.com"
 )
-
+# Separately enable the internal-only Cloud Code API, ignoring errors
+# for public users who may not have access.
+gcloud services enable "cloudcode-pa.googleapis.com" --project="${GOOGLE_CLOUD_PROJECT}" || true
 gcloud services enable "${required_apis[@]}" --project="${GOOGLE_CLOUD_PROJECT}"
+gcloud services enable "cloudcode-pa.googleapis.com" --project="${GOOGLE_CLOUD_PROJECT}" || true
 print_success "APIs enabled successfully."
 
 # Step 2: Create Workload Identity Pool