debug: aggressive auth sanitization and full logging

cocosheng-g · cocosheng-g · commit ae4411491b4c · 2026-03-10T16:56:01.000-04:00
diff --git a/action.yml b/action.yml
@@ -231,6 +231,10 @@ runs:
         GEMINI_CLI_VERSION: '${{ inputs.gemini_cli_version }}'
         EXTENSIONS: '${{ inputs.extensions }}'
         USE_PNPM: '${{ inputs.use_pnpm }}'
+        GOOGLE_CLOUD_ACCESS_TOKEN: '${{ steps.auth.outputs.access_token }}'
+        GOOGLE_GENAI_USE_VERTEXAI: '${{ inputs.use_vertex_ai }}'
+        GEMINI_API_KEY: '${{ inputs.gemini_api_key }}'
+        GOOGLE_API_KEY: '${{ inputs.google_api_key }}'
       shell: 'bash'
       run: |-
         set -exuo pipefail
@@ -265,11 +269,14 @@ runs:
 
         # Sanitize authentication environment variables to avoid conflicts when installing extensions.
         if [[ -n "${GOOGLE_CLOUD_ACCESS_TOKEN:-}" ]]; then
+          echo "Using Workload Identity Federation; unsetting conflicting API keys."
           unset GEMINI_API_KEY
           unset GOOGLE_API_KEY
         elif [[ "${GOOGLE_GENAI_USE_VERTEXAI:-false}" == "true" && -n "${GOOGLE_API_KEY:-}" ]]; then
+          echo "Using Vertex AI API Key; unsetting conflicting Gemini API key."
           unset GEMINI_API_KEY
         elif [[ -n "${GEMINI_API_KEY:-}" ]]; then
+          echo "Using Gemini API Key; ensuring Vertex AI and Code Assist are disabled."
           export GOOGLE_GENAI_USE_VERTEXAI="false"
           export GOOGLE_GENAI_USE_GCA="false"
           unset GOOGLE_API_KEY
@@ -295,7 +302,7 @@ runs:
         echo "Starting Gemini CLI execution..."
 
         echo "--- Environment variables ---"
-        env | sort | grep -vE "TOKEN|KEY|PASS|SECRET" || true
+        env | sort | grep -vE "TOKEN|KEY|PASS|SECRET|GHA_CREDS" || true
         echo "--- End environment variables ---"
 
         # Create a temporary directory for storing the output, and ensure it's
@@ -316,9 +323,13 @@ runs:
         # 2. Vertex AI API Key (use_vertex_ai with google_api_key)
         # 3. Gemini API Key (gemini_api_key)
         if [[ -n "${GOOGLE_CLOUD_ACCESS_TOKEN:-}" ]]; then
-          echo "Using Workload Identity Federation; unsetting conflicting API keys."
+          echo "Using Workload Identity Federation; unsetting conflicting credentials."
           unset GEMINI_API_KEY
           unset GOOGLE_API_KEY
+          # Aggressively unset credential file pointers to prevent CLI from picking them up
+          unset GOOGLE_APPLICATION_CREDENTIALS
+          unset CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE
+          unset GOOGLE_GHA_CREDS_PATH
         elif [[ "${GOOGLE_GENAI_USE_VERTEXAI:-false}" == "true" && -n "${GOOGLE_API_KEY:-}" ]]; then
           echo "Using Vertex AI API Key; unsetting conflicting Gemini API key."
           unset GEMINI_API_KEY
