fix: resolve hang by prioritizing authentication and unsetting conflicting credentials

cocosheng-g · cocosheng-g · commit af23e99a0d3e · 2026-03-10T17:08:42.000-04:00
diff --git a/action.yml b/action.yml
@@ -107,7 +107,7 @@ runs:
       id: 'validate_inputs'
       shell: 'bash'
       run: |-
-        set -exuo pipefail
+        set -euo pipefail
 
         # Emit a clear warning in three places without failing the step
         warn() {
@@ -237,9 +237,8 @@ runs:
         GOOGLE_API_KEY: '${{ inputs.google_api_key }}'
       shell: 'bash'
       run: |-
-        set -exuo pipefail
+        set -euo pipefail
         mkdir -p ~/.gemini
-        echo "Starting Gemini CLI installation..."
 
         VERSION_INPUT="${GEMINI_CLI_VERSION:-latest}"
 
@@ -269,14 +268,11 @@ runs:
 
         # Sanitize authentication environment variables to avoid conflicts when installing extensions.
         if [[ -n "${GOOGLE_CLOUD_ACCESS_TOKEN:-}" ]]; then
-          echo "Using Workload Identity Federation; unsetting conflicting API keys."
           unset GEMINI_API_KEY
           unset GOOGLE_API_KEY
         elif [[ "${GOOGLE_GENAI_USE_VERTEXAI:-false}" == "true" && -n "${GOOGLE_API_KEY:-}" ]]; then
-          echo "Using Vertex AI API Key; unsetting conflicting Gemini API key."
           unset GEMINI_API_KEY
         elif [[ -n "${GEMINI_API_KEY:-}" ]]; then
-          echo "Using Gemini API Key; ensuring Vertex AI and Code Assist are disabled."
           export GOOGLE_GENAI_USE_VERTEXAI="false"
           export GOOGLE_GENAI_USE_GCA="false"
           unset GOOGLE_API_KEY
@@ -298,12 +294,7 @@ runs:
       id: 'gemini_run'
       shell: 'bash'
       run: |-
-        set -exuo pipefail
-        echo "Starting Gemini CLI execution..."
-
-        echo "--- Environment variables ---"
-        env | sort | grep -vE "TOKEN|KEY|PASS|SECRET|GHA_CREDS" || true
-        echo "--- End environment variables ---"
+        set -euo pipefail
 
         # Create a temporary directory for storing the output, and ensure it's
         # cleaned up later
@@ -323,21 +314,14 @@ runs:
         # 2. Vertex AI API Key (use_vertex_ai with google_api_key)
         # 3. Gemini API Key (gemini_api_key)
         if [[ -n "${GOOGLE_CLOUD_ACCESS_TOKEN:-}" ]]; then
-          echo "Using Workload Identity Federation; unsetting conflicting credentials."
           unset GEMINI_API_KEY
           unset GOOGLE_API_KEY
-          # Aggressively unset credential file pointers to prevent CLI from picking them up and hanging.
-          # We unset CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE and GOOGLE_GHA_CREDS_PATH as they are known to cause issues.
-          # We keep GOOGLE_APPLICATION_CREDENTIALS for now to see if it's needed for MCP tools.
+          # Unset credential file pointers that might cause conflicts with the access token.
           unset CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE
           unset GOOGLE_GHA_CREDS_PATH
-          # If it still hangs, we may need to unset GOOGLE_APPLICATION_CREDENTIALS too.
-          # unset GOOGLE_APPLICATION_CREDENTIALS
         elif [[ "${GOOGLE_GENAI_USE_VERTEXAI:-false}" == "true" && -n "${GOOGLE_API_KEY:-}" ]]; then
-          echo "Using Vertex AI API Key; unsetting conflicting Gemini API key."
           unset GEMINI_API_KEY
         elif [[ -n "${GEMINI_API_KEY:-}" ]]; then
-          echo "Using Gemini API Key; ensuring Vertex AI and Code Assist are disabled."
           export GOOGLE_GENAI_USE_VERTEXAI="false"
           export GOOGLE_GENAI_USE_GCA="false"
           unset GOOGLE_API_KEY
@@ -348,32 +332,16 @@ runs:
         # We capture stdout (JSON) to TEMP_STDOUT and stderr to TEMP_STDERR
         if [[ "${GEMINI_DEBUG}" = true ]]; then
           echo "::warning::Gemini CLI debug logging is enabled. This will stream responses, which could reveal sensitive information if processed with untrusted inputs."
-          echo "::: Start Gemini CLI STDOUT :::"
           if ! gemini --debug --yolo --prompt "${PROMPT}" --output-format json 2> >(tee "${TEMP_STDERR}" >&2) | tee "${TEMP_STDOUT}"; then
             FAILED=true
           fi
-          # Wait for async stderr logging to complete. This is because process substitution in Bash is async so let tee finish writing to ${TEMP_STDERR}
-          sleep 1
-          echo "::: End Gemini CLI STDOUT :::"
         else
           if ! gemini --yolo --prompt "${PROMPT}" --output-format json 2> "${TEMP_STDERR}" 1> "${TEMP_STDOUT}"; then
             FAILED=true
           fi
         fi
 
-        # Create the artifacts directory and copy full logs
-        mkdir -p gemini-artifacts
-        cp "${TEMP_STDOUT}" gemini-artifacts/stdout.log
-        cp "${TEMP_STDERR}" gemini-artifacts/stderr.log
-        if [[ -f .gemini/telemetry.log ]]; then
-          cp .gemini/telemetry.log gemini-artifacts/telemetry.log
-        else
-          # Create an empty file so the artifact upload doesn't fail if telemetry is missing
-          touch gemini-artifacts/telemetry.log
-        fi
-
         # Parse JSON output to extract response and errors
-        # If output is not valid JSON, RESPONSE will be empty and we'll rely on stderr for errors
         RESPONSE=""
         ERROR_JSON=""
         if jq -e . "${TEMP_STDOUT}" >/dev/null 2>&1; then
@@ -389,19 +357,7 @@ runs:
            fi
         fi
 
-        if { [[ -s "${TEMP_STDERR}" ]] && [[ -z "${ERROR_JSON}" ]]; }; then
-          echo "::warning::Gemini CLI stderr contains data but no valid JSON error object was extracted"
-        fi
-
-        if { [[ -s "${TEMP_STDOUT}" ]] && ! jq -e . "${TEMP_STDOUT}" >/dev/null 2>&1; }; then
-          echo "::warning::Gemini CLI stdout was not valid JSON"
-        fi
-
-
-        # Set the captured response as a step output, supporting multiline
-        echo "Finished Gemini CLI execution."
-
-        # Use a more unique delimiter to avoid collisions
+        # Use a unique delimiter to avoid collisions for multiline outputs
         EOF_DELIMITER="gh_gemini_out_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 8 | head -n 1)"
 
         echo "gemini_response<<${EOF_DELIMITER}" >> "${GITHUB_OUTPUT}"
@@ -412,7 +368,6 @@ runs:
         fi
         echo "${EOF_DELIMITER}" >> "${GITHUB_OUTPUT}"
 
-        # Set the captured errors as a step output, supporting multiline
         echo "gemini_errors<<${EOF_DELIMITER}" >> "${GITHUB_OUTPUT}"
         if [[ -n "${ERROR_JSON}" ]]; then
           echo "${ERROR_JSON}" >> "${GITHUB_OUTPUT}"
@@ -462,9 +417,6 @@ runs:
              ERROR_MSG=$(jq -r '.message // .' <<< "${ERROR_JSON}")
              echo "::error title=Gemini CLI execution failed::${ERROR_MSG}"
           fi
-          echo "::: Start Gemini CLI STDERR :::"
-          cat "${TEMP_STDERR}"
-          echo "::: End Gemini CLI STDERR :::"
           exit 1
         fi
       env:
