Adding Vertex auth (#18)

Adding the ability to authenticate with vertex on GCP

Author: HassanJasim

.github/workflows/gemini-cli.yml

@@ -176,6 +176,9 @@ jobs:
           GEMINI_API_KEY: '${{ secrets.GEMINI_API_KEY }}'
           OTLP_GCP_WIF_PROVIDER: '${{ vars.OTLP_GCP_WIF_PROVIDER }}'
           OTLP_GOOGLE_CLOUD_PROJECT: '${{ vars.OTLP_GOOGLE_CLOUD_PROJECT }}'
+          GOOGLE_CLOUD_PROJECT: '${{ vars.GOOGLE_CLOUD_PROJECT }}'
+          GOOGLE_CLOUD_LOCATION: '${{ vars.GOOGLE_CLOUD_LOCATION }}'
+          GOOGLE_GENAI_USE_VERTEXAI: '${{ vars.GOOGLE_GENAI_USE_VERTEXAI }}'
         with:
           settings_json: |
             {

.github/workflows/gemini-issue-automated-triage.yml

@@ -67,6 +67,9 @@ jobs:
           OTLP_GOOGLE_CLOUD_PROJECT: '${{ vars.OTLP_GOOGLE_CLOUD_PROJECT }}'
           OTLP_GCP_WIF_PROVIDER: '${{ vars.OTLP_GCP_WIF_PROVIDER }}'
           GEMINI_API_KEY: '${{ secrets.GEMINI_API_KEY }}'
+          GOOGLE_CLOUD_PROJECT: '${{ vars.GOOGLE_CLOUD_PROJECT }}'
+          GOOGLE_CLOUD_LOCATION: '${{ vars.GOOGLE_CLOUD_LOCATION }}'
+          GOOGLE_GENAI_USE_VERTEXAI: '${{ vars.GOOGLE_GENAI_USE_VERTEXAI }}'
         with:
           settings_json: |-
             {

.github/workflows/gemini-issue-scheduled-triage.yml

@@ -75,6 +75,9 @@ jobs:
           OTLP_GOOGLE_CLOUD_PROJECT: '${{ vars.OTLP_GOOGLE_CLOUD_PROJECT }}'
           OTLP_GCP_WIF_PROVIDER: '${{ vars.OTLP_GCP_WIF_PROVIDER }}'
           GEMINI_API_KEY: '${{ secrets.GEMINI_API_KEY }}'
+          GOOGLE_CLOUD_PROJECT: '${{ vars.GOOGLE_CLOUD_PROJECT }}'
+          GOOGLE_CLOUD_LOCATION: '${{ vars.GOOGLE_CLOUD_LOCATION }}'
+          GOOGLE_GENAI_USE_VERTEXAI: '${{ vars.GOOGLE_GENAI_USE_VERTEXAI }}'
         with:
           settings_json: |-
             {

.github/workflows/gemini-pr-review.yml

@@ -154,6 +154,9 @@ jobs:
           OTLP_GOOGLE_CLOUD_PROJECT: '${{ vars.OTLP_GOOGLE_CLOUD_PROJECT }}'
           OTLP_GCP_WIF_PROVIDER: '${{ vars.OTLP_GCP_WIF_PROVIDER }}'
           GEMINI_API_KEY: '${{ secrets.GEMINI_API_KEY }}'
+          GOOGLE_CLOUD_PROJECT: '${{ vars.GOOGLE_CLOUD_PROJECT }}'
+          GOOGLE_CLOUD_LOCATION: '${{ vars.GOOGLE_CLOUD_LOCATION }}'
+          GOOGLE_GENAI_USE_VERTEXAI: '${{ vars.GOOGLE_GENAI_USE_VERTEXAI }}'
         with:
           settings_json: |-
             {

README.md

@@ -81,6 +81,9 @@ Set the following environment variables in your repository or workflow:
 | GEMINI_CLI_VERSION        | Controls which version of the Gemini CLI is installed. Supports npm versions (e.g., `0.1.0`, `latest`), a branch name (e.g., `main`), or a commit hash. | Variable | No       | To pin or override CLI version |
 | OTLP_GCP_WIF_PROVIDER     | The full resource name of the Workload Identity Provider.                                   | Variable | No       | If using observability       |
 | OTLP_GOOGLE_CLOUD_PROJECT | The Google Cloud project for telemetry.                                                     | Variable | No       | If using observability       |
+| GOOGLE_CLOUD_PROJECT      | The Google Cloud project for Vertex auth.                                                   | Variable | No       | If using Vertex auth         |
+| GOOGLE_CLOUD_LOCATION     | The location of the Google Cloud project for Vertex auth.                                   | Variable | No       | If using Vertex auth         |
+| GOOGLE_GENAI_USE_VERTEXAI | Set to 'true' to use Vertex AI                                                  | Variable | No       | If using Vertex auth |
 | APP_ID                    | GitHub App ID for custom authentication.                                                    | Variable | No       | If using a custom GitHub App |
 
 
@@ -93,10 +96,10 @@ save. For organization-wide or environment-specific variables, see the
 
 The following secrets are required for security:
 
-| Name              | Description                                   | Required | When Required                |
-|-------------------|-----------------------------------------------|----------|------------------------------|
-| GEMINI_API_KEY    | Your Gemini API key.                          | Yes      | Always                       |
-| APP_PRIVATE_KEY   | Private key for your GitHub App (PEM format). | No       | If using a custom GitHub App |
+| Name              | Description                                   | Required | When Required                          |
+|-------------------|-----------------------------------------------|----------|----------------------------------------|
+| GEMINI_API_KEY    | Your Gemini API key.                          | No       | If using API key from AI Studio |
+| APP_PRIVATE_KEY   | Private key for your GitHub App (PEM format). | No       | If using a custom GitHub App           |
 
 To add a secret, go to your repository's **Settings > Secrets and variables >
 Actions > New repository secret**. For more information, see the

action.yml

@@ -88,7 +88,12 @@ runs:
           npm install -g @google/gemini-cli@$VERSION_INPUT
         else
           echo "Installing Gemini CLI from GitHub: github:google-gemini/gemini-cli#$VERSION_INPUT"
-          npm install -g github:google-gemini/gemini-cli#$VERSION_INPUT
+          git clone https://github.com/google-gemini/gemini-cli.git
+          cd gemini-cli
+          git checkout $VERSION_INPUT
+          npm install
+          npm run bundle
+          npm install -g .
         fi
         echo "Verifying installation:"
         if command -v gemini >/dev/null 2>&1; then
@@ -112,6 +117,9 @@ runs:
       env:
         GEMINI_API_KEY: '${{ env.GEMINI_API_KEY }}'
         SURFACE: 'GitHub'
+        GOOGLE_CLOUD_PROJECT: '${{ env.GOOGLE_CLOUD_PROJECT }}'
+        GOOGLE_CLOUD_LOCATION: '${{ env.GOOGLE_CLOUD_LOCATION }}'
+        GOOGLE_GENAI_USE_VERTEXAI: '${{ env.GOOGLE_GENAI_USE_VERTEXAI }}'
         PROMPT: '${{ inputs.prompt }}'
 
 branding:

docs/workload-identity.md

@@ -71,7 +71,8 @@ Your user account needs these permissions in the target GCP project:
 | Option | Description | Example |
 |--------|-------------|---------|
 | `--repo OWNER/REPO` | **Required**: GitHub repository | `--repo google/my-repo` |
-| `--project PROJECT_ID` | GCP project ID (auto-detected if not provided) | `--project my-gcp-project` |
+| `--project GOOGLE_CLOUD_PROJECT` | GCP project ID (auto-detected if not provided) | `--project my-gcp-project` |
+| `--location GOOGLE_CLOUD_LOCATION` | GCP project Location (defaults to 'global') | `--location us-east1` |
 | `--pool-name NAME` | Custom pool name (default: `github`) | `--pool-name my-pool` |
 | `--help` | Show help message | |
 
@@ -84,6 +85,9 @@ Your user account needs these permissions in the target GCP project:
 # With specific project
 ./scripts/setup_workload_identity.sh --repo google/my-repo --project my-gcp-project
 
+# With specific project location
+./scripts/setup_workload_identity.sh --repo google/my-repo --location us-east1
+
 # Custom pool name
 ./scripts/setup_workload_identity.sh --repo google/my-repo --pool-name my-custom-pool
 ```
@@ -99,14 +103,16 @@ Your user account needs these permissions in the target GCP project:
 ## GitHub Configuration
 
 
-After running the script, add these **2 environment variables** to your repository or workflow configuration:
+After running the script, add these **4 environment variables** to your repository or workflow configuration:
 
 Go to: `https://github.com/OWNER/REPO/settings/variables/actions`
 
 | Environment Variable Name         | Description                                      |
 |-----------------------------------|--------------------------------------------------|
-| `OTLP_GCP_WIF_PROVIDER`           | Workload Identity Provider resource name          |
-| `OTLP_GOOGLE_CLOUD_PROJECT`       | Your Google Cloud project ID                      |
+| `OTLP_GCP_WIF_PROVIDER`           | Workload Identity Provider resource name         |
+| `OTLP_GOOGLE_CLOUD_PROJECT`       | Your Google Cloud project ID                     |
+| `GOOGLE_CLOUD_PROJECT`            | Your Google Cloud project ID                     |
+| `GOOGLE_CLOUD_LOCATION`           | Your Google Cloud project Location               |
 
 ## Additional Resources
 

scripts/setup_workload_identity.sh

@@ -51,7 +51,8 @@ print_header() {
 }
 
 # Default values
-GCP_PROJECT_ID=""
+GOOGLE_CLOUD_PROJECT=""
+GOOGLE_CLOUD_LOCATION="global"
 GITHUB_REPO=""
 POOL_NAME="github"
 
@@ -99,13 +100,17 @@ while [[ $# -gt 0 ]]; do
             shift 2
             ;;
         -p|--project)
-            GCP_PROJECT_ID="$2"
+            GOOGLE_CLOUD_PROJECT="$2"
             shift 2
             ;;
         --pool-name)
             POOL_NAME="$2"
             shift 2
             ;;
+        -l|--location)
+            GOOGLE_CLOUD_LOCATION="$2"
+            shift 2
+            ;;
         -h|--help)
             show_help
             exit 0
@@ -139,17 +144,17 @@ if [[ ! "${GITHUB_REPO}" =~ ^[a-zA-Z0-9._-]+/[a-zA-Z0-9._-]+$ ]]; then
 fi
 
 # Auto-detect project ID if not provided
-if [[ -z "${GCP_PROJECT_ID}" ]]; then
+if [[ -z "${GOOGLE_CLOUD_PROJECT}" ]]; then
     print_info "Auto-detecting Google Cloud project..."
-    GCP_PROJECT_ID=$(gcloud config get-value project 2>/dev/null)
-    if [[ -z "${GCP_PROJECT_ID}" ]]; then
+    GOOGLE_CLOUD_PROJECT=$(gcloud config get-value project 2>/dev/null)
+    if [[ -z "${GOOGLE_CLOUD_PROJECT}" ]]; then
         print_error "Could not auto-detect Google Cloud project ID"
         echo "Please either:"
         echo "  1. Set default project: gcloud config set project YOUR_PROJECT_ID"
         echo "  2. Use --project flag: $0 --repo ${GITHUB_REPO} --project YOUR_PROJECT_ID"
         exit 1
     fi
-    print_success "Using project: ${GCP_PROJECT_ID}"
+    print_success "Using project: ${GOOGLE_CLOUD_PROJECT}"
 fi
 
 # Extract repository components
@@ -164,7 +169,7 @@ PROVIDER_NAME="gh-${REPO_HASH}"
 
 print_header "Starting Direct Workload Identity Federation setup"
 echo "📦 Repository: ${GITHUB_REPO}"
-echo "☁️ Project: ${GCP_PROJECT_ID}"
+echo "☁️ Project: ${GOOGLE_CLOUD_PROJECT}"
 echo "🏊 Pool: ${POOL_NAME}"
 echo "🆔 Provider: ${PROVIDER_NAME}"
 echo ""
@@ -180,8 +185,8 @@ if [[ -z "${GCLOUD_AUTH_LIST}" ]]; then
 fi
 
 # Test project access
-if ! gcloud projects describe "${GCP_PROJECT_ID}" > /dev/null 2>&1; then
-    print_error "Cannot access project '${GCP_PROJECT_ID}'"
+if ! gcloud projects describe "${GOOGLE_CLOUD_PROJECT}" > /dev/null 2>&1; then
+    print_error "Cannot access project '${GOOGLE_CLOUD_PROJECT}'"
     echo "Please verify:"
     echo "  1. Project ID is correct"
     echo "  2. You have permissions on this project"
@@ -196,18 +201,18 @@ print_header "Step 1: Enabling required Google Cloud APIs"
 apis_to_enable="iamcredentials.googleapis.com cloudresourcemanager.googleapis.com iam.googleapis.com sts.googleapis.com logging.googleapis.com monitoring.googleapis.com cloudtrace.googleapis.com"
 
 print_info "Enabling APIs: ${apis_to_enable}"
-gcloud services enable "${apis_to_enable}" --project="${GCP_PROJECT_ID}"
+gcloud services enable "${apis_to_enable}" --project="${GOOGLE_CLOUD_PROJECT}"
 print_success "APIs enabled successfully"
 
 # Step 2: Create Workload Identity Pool
 print_header "Step 2: Creating Workload Identity Pool"
 if ! gcloud iam workload-identity-pools describe "${POOL_NAME}" \
-    --project="${GCP_PROJECT_ID}" \
-    --location="global" &> /dev/null; then
+    --project="${GOOGLE_CLOUD_PROJECT}" \
+    --location="${GOOGLE_CLOUD_LOCATION}" &> /dev/null; then
     print_info "Creating Workload Identity Pool: ${POOL_NAME}"
     gcloud iam workload-identity-pools create "${POOL_NAME}" \
-        --project="${GCP_PROJECT_ID}" \
-        --location="global" \
+        --project="${GOOGLE_CLOUD_PROJECT}" \
+        --location="${GOOGLE_CLOUD_LOCATION}" \
         --display-name="GitHub Actions Pool"
     print_success "Workload Identity Pool created"
 else
@@ -216,22 +221,22 @@ fi
 
 # Get the pool ID
 WIF_POOL_ID=$(gcloud iam workload-identity-pools describe "${POOL_NAME}" \
-    --project="${GCP_PROJECT_ID}" \
-    --location="global" \
+    --project="${GOOGLE_CLOUD_PROJECT}" \
+    --location="${GOOGLE_CLOUD_LOCATION}" \
     --format="value(name)")
 
 # Step 3: Create Workload Identity Provider
 print_header "Step 3: Creating Workload Identity Provider"
 ATTRIBUTE_CONDITION="assertion.repository_owner == '${REPO_OWNER}'"
 
 if ! gcloud iam workload-identity-pools providers describe "${PROVIDER_NAME}" \
-    --project="${GCP_PROJECT_ID}" \
-    --location="global" \
+    --project="${GOOGLE_CLOUD_PROJECT}" \
+    --location="${GOOGLE_CLOUD_LOCATION}" \
     --workload-identity-pool="${POOL_NAME}" &> /dev/null; then
     print_info "Creating Workload Identity Provider: ${PROVIDER_NAME}"
     gcloud iam workload-identity-pools providers create-oidc "${PROVIDER_NAME}" \
-        --project="${GCP_PROJECT_ID}" \
-        --location="global" \
+        --project="${GOOGLE_CLOUD_PROJECT}" \
+        --location="${GOOGLE_CLOUD_LOCATION}" \
         --workload-identity-pool="${POOL_NAME}" \
         --display-name="${PROVIDER_NAME}" \
         --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner" \
@@ -250,29 +255,36 @@ print_info "Granting standard CI/CD permissions directly to the Workload Identit
 
 # Core observability permissions
 print_info "Granting logging permissions..."
-gcloud projects add-iam-policy-binding "${GCP_PROJECT_ID}" \
+gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
     --role="roles/logging.logWriter" \
     --member="${PRINCIPAL_SET}" \
     --condition=None
 
 print_info "Granting monitoring permissions..."
-gcloud projects add-iam-policy-binding "${GCP_PROJECT_ID}" \
+gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
     --role="roles/monitoring.editor" \
     --member="${PRINCIPAL_SET}" \
     --condition=None
 
 print_info "Granting tracing permissions..."
-gcloud projects add-iam-policy-binding "${GCP_PROJECT_ID}" \
+gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
     --role="roles/cloudtrace.agent" \
     --member="${PRINCIPAL_SET}" \
     --condition=None
 
+
+print_info "Granting vertex permissions..."
+gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
+    --role="roles/aiplatform.user" \
+    --member="${PRINCIPAL_SET}" \
+    --condition=None
+
 print_success "Standard permissions granted to Workload Identity Pool"
 
 # Get the full provider name for output
 WIF_PROVIDER_FULL=$(gcloud iam workload-identity-pools providers describe "${PROVIDER_NAME}" \
-    --project="${GCP_PROJECT_ID}" \
-    --location="global" \
+    --project="${GOOGLE_CLOUD_PROJECT}" \
+    --location="${GOOGLE_CLOUD_LOCATION}" \
     --workload-identity-pool="${POOL_NAME}" \
     --format="value(name)")
 
@@ -299,7 +311,13 @@ echo "🔑 Variable Name: OTLP_GCP_WIF_PROVIDER"
 echo "   Value: ${WIF_PROVIDER_FULL}"
 echo ""
 echo "☁️  Variable Name: OTLP_GOOGLE_CLOUD_PROJECT"
-echo "   Value: ${GCP_PROJECT_ID}"
+echo "   Value: ${GOOGLE_CLOUD_PROJECT}"
+echo ""
+echo "☁️ Secret Name: GOOGLE_CLOUD_LOCATION"
+echo "   Secret Value: ${GOOGLE_CLOUD_LOCATION}"
+echo ""
+echo "☁️  Secret Name: GOOGLE_CLOUD_PROJECT"
+echo "   Secret Value: ${GOOGLE_CLOUD_PROJECT}"
 echo ""
 
 print_success "Setup completed successfully! 🚀"

workflows/gemini-cli/gemini-cli.yml

@@ -176,6 +176,9 @@ jobs:
           GEMINI_API_KEY: '${{ secrets.GEMINI_API_KEY }}'
           OTLP_GCP_WIF_PROVIDER: '${{ vars.OTLP_GCP_WIF_PROVIDER }}'
           OTLP_GOOGLE_CLOUD_PROJECT: '${{ vars.OTLP_GOOGLE_CLOUD_PROJECT }}'
+          GOOGLE_CLOUD_PROJECT: '${{ vars.GOOGLE_CLOUD_PROJECT }}'
+          GOOGLE_CLOUD_LOCATION: '${{ vars.GOOGLE_CLOUD_LOCATION }}'
+          GOOGLE_GENAI_USE_VERTEXAI: '${{ vars.GOOGLE_GENAI_USE_VERTEXAI }}'
         with:
           settings_json: |
             {

workflows/issue-triage/gemini-issue-automated-triage.yml

@@ -67,6 +67,9 @@ jobs:
           OTLP_GOOGLE_CLOUD_PROJECT: '${{ vars.OTLP_GOOGLE_CLOUD_PROJECT }}'
           OTLP_GCP_WIF_PROVIDER: '${{ vars.OTLP_GCP_WIF_PROVIDER }}'
           GEMINI_API_KEY: '${{ secrets.GEMINI_API_KEY }}'
+          GOOGLE_CLOUD_PROJECT: '${{ vars.GOOGLE_CLOUD_PROJECT }}'
+          GOOGLE_CLOUD_LOCATION: '${{ vars.GOOGLE_CLOUD_LOCATION }}'
+          GOOGLE_GENAI_USE_VERTEXAI: '${{ vars.GOOGLE_GENAI_USE_VERTEXAI }}'
         with:
           settings_json: |-
             {