fix: robust output and tuned auth sanitization

Author: cocosheng-g

action.yml

@@ -326,10 +326,13 @@ runs:
           echo "Using Workload Identity Federation; unsetting conflicting credentials."
           unset GEMINI_API_KEY
           unset GOOGLE_API_KEY
-          # Aggressively unset credential file pointers to prevent CLI from picking them up
-          unset GOOGLE_APPLICATION_CREDENTIALS
+          # Aggressively unset credential file pointers to prevent CLI from picking them up and hanging.
+          # We unset CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE and GOOGLE_GHA_CREDS_PATH as they are known to cause issues.
+          # We keep GOOGLE_APPLICATION_CREDENTIALS for now to see if it's needed for MCP tools.
           unset CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE
           unset GOOGLE_GHA_CREDS_PATH
+          # If it still hangs, we may need to unset GOOGLE_APPLICATION_CREDENTIALS too.
+          # unset GOOGLE_APPLICATION_CREDENTIALS
         elif [[ "${GOOGLE_GENAI_USE_VERTEXAI:-false}" == "true" && -n "${GOOGLE_API_KEY:-}" ]]; then
           echo "Using Vertex AI API Key; unsetting conflicting Gemini API key."
           unset GEMINI_API_KEY
@@ -376,12 +379,18 @@ runs:
         if jq -e . "${TEMP_STDOUT}" >/dev/null 2>&1; then
            RESPONSE=$(jq -r '.response // ""' "${TEMP_STDOUT}")
         fi
-        if jq -e . "${TEMP_STDERR}" >/dev/null 2>&1; then
-           ERROR_JSON=$(jq -c '.error // empty' "${TEMP_STDERR}")
+
+        # Stderr might contain non-JSON (like stack traces), so we try to extract the last valid JSON object
+        if grep -q "{" "${TEMP_STDERR}"; then
+           # Extract the last curly-braced block from stderr
+           ERROR_CANDIDATE=$(tac "${TEMP_STDERR}" | awk '/^}/{p=1} p; /^{/{if(p)exit}' | tac)
+           if [[ -n "${ERROR_CANDIDATE}" ]] && jq -e . <<< "${ERROR_CANDIDATE}" >/dev/null 2>&1; then
+              ERROR_JSON=$(jq -c '.error // empty' <<< "${ERROR_CANDIDATE}")
+           fi
         fi
 
-        if { [[ -s "${TEMP_STDERR}" ]] && ! jq -e . "${TEMP_STDERR}" >/dev/null 2>&1; }; then
-          echo "::warning::Gemini CLI stderr was not valid JSON"
+        if { [[ -s "${TEMP_STDERR}" ]] && [[ -z "${ERROR_JSON}" ]]; }; then
+          echo "::warning::Gemini CLI stderr contains data but no valid JSON error object was extracted"
         fi
 
         if { [[ -s "${TEMP_STDOUT}" ]] && ! jq -e . "${TEMP_STDOUT}" >/dev/null 2>&1; }; then
@@ -391,22 +400,26 @@ runs:
 
         # Set the captured response as a step output, supporting multiline
         echo "Finished Gemini CLI execution."
-        echo "gemini_response<<EOF" >> "${GITHUB_OUTPUT}"
+
+        # Use a more unique delimiter to avoid collisions
+        EOF_DELIMITER="gh_gemini_out_$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 8 | head -n 1)"
+
+        echo "gemini_response<<${EOF_DELIMITER}" >> "${GITHUB_OUTPUT}"
         if [[ -n "${RESPONSE}" ]]; then
           echo "${RESPONSE}" >> "${GITHUB_OUTPUT}"
-        else
+        elif [[ -s "${TEMP_STDOUT}" ]]; then
           cat "${TEMP_STDOUT}" >> "${GITHUB_OUTPUT}"
         fi
-        echo "EOF" >> "${GITHUB_OUTPUT}"
+        echo "${EOF_DELIMITER}" >> "${GITHUB_OUTPUT}"
 
         # Set the captured errors as a step output, supporting multiline
-        echo "gemini_errors<<EOF" >> "${GITHUB_OUTPUT}"
+        echo "gemini_errors<<${EOF_DELIMITER}" >> "${GITHUB_OUTPUT}"
         if [[ -n "${ERROR_JSON}" ]]; then
           echo "${ERROR_JSON}" >> "${GITHUB_OUTPUT}"
-        else
+        elif [[ -s "${TEMP_STDERR}" ]]; then
           cat "${TEMP_STDERR}" >> "${GITHUB_OUTPUT}"
         fi
-        echo "EOF" >> "${GITHUB_OUTPUT}"
+        echo "${EOF_DELIMITER}" >> "${GITHUB_OUTPUT}"
 
         # Generate Job Summary
         if [[ -n "${GITHUB_STEP_SUMMARY:-}" ]]; then