Validate input parameters for authentication

[kuisathaverat]

TL;DR

I have a Workload Identity Provider (WIP) configuration that works with google-github-actions/auth@v2, I have tried to use the same WIP with google-github-actions/run-gemini-cli@main, and it seems to be ignored. It tries to use the API token.

Expected behavior

I added the following roles to the service account we use for our WIP (we use it with google-github-actions/auth@v2 daily)

Configuring the WIP we use with google-github-actions/auth@v2 daily, and updating the service account we use with the following roles:

roles/logging.logWriter: To write logs to Cloud Logging.
roles/monitoring.editor: To write metrics to Cloud Monitoring.
roles/cloudtrace.agent: To send traces to Cloud Trace.
roles/aiplatform.user: To make inference calls to Vertex AI.
roles/cloudaicompanion.user: To make inference calls using Gemini Code Assist.
roles/iam.serviceAccountTokenCreator: To generate access tokens.

And running the action with the WIP configuration. The action should run the prompt without errors.

Observed behavior

The Gemini CLI tries to use the API Key instead of the Google Credentials.
It creates the credentials files, but for some reason, the action does not use them.

Action YAML

- name: Gemini CLI
        uses: google-github-actions/run-gemini-cli@main
        id: gemini-cli-run
        with:
          gemini_debug: "true"
          gcp_workload_identity_provider: '${{ secrets.WORKLOAD_IDENTITY_PROVIDER_ID }}'
          gcp_service_account: '${{ secrets.SERVICE_ACCOUNT_EMAIL }}'
          gcp_project_id: '${{ vars.GCP_PROJECT }}'
          prompt: "hi"

Log output

2025-09-01T14:35:40.0430394Z ##[group]Run google-github-actions/run-gemini-cli@v0
2025-09-01T14:35:40.0430799Z with:
2025-09-01T14:35:40.0431398Z   gcp_workload_identity_provider: ***
2025-09-01T14:35:40.0431882Z   gcp_service_account: ***
2025-09-01T14:35:40.0432113Z   gcp_project_id: my-project
2025-09-01T14:35:40.0432649Z   prompt: 
hi

2025-09-01T14:35:40.0433186Z   use_vertex_ai: false
2025-09-01T14:35:40.0433396Z   use_gemini_code_assist: false
2025-09-01T14:35:40.0433616Z   gemini_cli_version: latest
2025-09-01T14:35:40.0433858Z env:
2025-09-01T14:35:40.0434164Z   GH_TOKEN: ***
2025-09-01T14:35:40.0434670Z ##[endgroup]
2025-09-01T14:35:40.0583749Z ##[group]Run google-github-actions/auth@v2
2025-09-01T14:35:40.0584017Z with:
2025-09-01T14:35:40.0584214Z   project_id: my-project
2025-09-01T14:35:40.0584847Z   workload_identity_provider: ***
2025-09-01T14:35:40.0585309Z   service_account: ***
2025-09-01T14:35:40.0585515Z   token_format: access_token
2025-09-01T14:35:40.0586387Z   access_token_scopes: https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/userinfo.profile
2025-09-01T14:35:40.0587092Z   create_credentials_file: true
2025-09-01T14:35:40.0587338Z   export_environment_variables: true
2025-09-01T14:35:40.0587584Z   universe: googleapis.com
2025-09-01T14:35:40.0587809Z   cleanup_credentials: true
2025-09-01T14:35:40.0588037Z   access_token_lifetime: 3600s
2025-09-01T14:35:40.0588267Z   id_token_include_email: false
2025-09-01T14:35:40.0588481Z env:
2025-09-01T14:35:40.0588744Z   GH_TOKEN: ***
2025-09-01T14:35:40.0589231Z ##[endgroup]
2025-09-01T14:35:40.2405313Z Created credentials file at "/home/runner/work/repo/repo/gha-creds-37b63f6c9010bbed.json"
2025-09-01T14:35:40.4042766Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2025-09-01T14:35:40.4043120Z env:
2025-09-01T14:35:40.4043736Z   CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/work/repo/repo/gha-creds-37b63f6c9010bbed.json
2025-09-01T14:35:40.4044792Z   GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/repo/repo/gha-creds-37b63f6c9010bbed.json
2025-09-01T14:35:40.4045781Z   GOOGLE_GHA_CREDS_PATH: /home/runner/work/repo/repo/gha-creds-37b63f6c9010bbed.json
2025-09-01T14:35:40.4046661Z   CLOUDSDK_CORE_PROJECT: my-project
2025-09-01T14:35:40.4046965Z   CLOUDSDK_PROJECT: my-project
2025-09-01T14:35:40.4047246Z   GCLOUD_PROJECT: my-project
2025-09-01T14:35:40.4047731Z   GCP_PROJECT: my-project
2025-09-01T14:35:40.4048024Z   GOOGLE_CLOUD_PROJECT: my-project
2025-09-01T14:35:40.4048439Z   GH_TOKEN: ***
2025-09-01T14:35:40.4049182Z   OTLP_GOOGLE_CLOUD_PROJECT: my-project
2025-09-01T14:35:40.4049639Z   GITHUB_ACTION_PATH: /home/runner/work/_actions/google-github-actions/run-gemini-cli/v0
2025-09-01T14:35:40.4050050Z ##[endgroup]
2025-09-01T14:35:40.4823792Z Unable to find image 'otel/opentelemetry-collector-contrib:0.128.0' locally
2025-09-01T14:35:40.7799517Z 0.128.0: Pulling from otel/opentelemetry-collector-contrib
2025-09-01T14:35:40.8648643Z 516cf8f3105f: Pulling fs layer
2025-09-01T14:35:40.8657891Z 22bbe0bff504: Pulling fs layer
2025-09-01T14:35:40.8659269Z 85e6603fa2d3: Pulling fs layer
2025-09-01T14:35:40.9588699Z 85e6603fa2d3: Verifying Checksum
2025-09-01T14:35:40.9589738Z 85e6603fa2d3: Download complete
2025-09-01T14:35:40.9709865Z 516cf8f3105f: Verifying Checksum
2025-09-01T14:35:40.9712576Z 516cf8f3105f: Download complete
2025-09-01T14:35:40.9861387Z 516cf8f3105f: Pull complete
2025-09-01T14:35:42.3771432Z 22bbe0bff504: Verifying Checksum
2025-09-01T14:35:42.3772230Z 22bbe0bff504: Download complete
2025-09-01T14:35:47.4037550Z 22bbe0bff504: Pull complete
2025-09-01T14:35:47.4208550Z 85e6603fa2d3: Pull complete
2025-09-01T14:35:47.4249828Z Digest: sha256:1ab0baba0ee3695d823c46653d8a6e8894896e668ce8bd7ebe002e948d827bc7
2025-09-01T14:35:47.4263744Z Status: Downloaded newer image for otel/opentelemetry-collector-contrib:0.128.0
2025-09-01T14:35:47.4439924Z 0a124dabdc4ce55c3dda7ac85635161f50d81a80c2ac5c3ada7312ee70d2304a
2025-09-01T14:35:47.5755030Z ##[group]Run set -euo pipefail
2025-09-01T14:35:47.5810194Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2025-09-01T14:35:47.5810731Z env:
2025-09-01T14:35:47.5812903Z   CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/work/repo/repo/gha-creds-37b63f6c9010bbed.json
2025-09-01T14:35:47.5814762Z   GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/repo/repo/gha-creds-37b63f6c9010bbed.json
2025-09-01T14:35:47.5816866Z   GOOGLE_GHA_CREDS_PATH: /home/runner/work/repo/repo/gha-creds-37b63f6c9010bbed.json
2025-09-01T14:35:47.5817950Z   CLOUDSDK_CORE_PROJECT: my-project
2025-09-01T14:35:47.5818446Z   CLOUDSDK_PROJECT: my-project
2025-09-01T14:35:47.5818897Z   GCLOUD_PROJECT: my-project
2025-09-01T14:35:47.5819331Z   GCP_PROJECT: my-project
2025-09-01T14:35:47.5819782Z   GOOGLE_CLOUD_PROJECT: my-project
2025-09-01T14:35:47.5820729Z   GH_TOKEN: ***
2025-09-01T14:35:47.5821537Z   GEMINI_CLI_VERSION: latest
2025-09-01T14:35:47.5821893Z ##[endgroup]
2025-09-01T14:35:47.5892350Z Installing Gemini CLI from npm: @google/gemini-cli@latest
2025-09-01T14:36:20.6307794Z Verifying installation:
2025-09-01T14:36:22.1924523Z 0.2.2
2025-09-01T14:36:22.2118893Z shell: /usr/bin/bash --noprofile --norc -e -o pipefail {0}
2025-09-01T14:36:22.2119209Z env:
2025-09-01T14:36:22.2119819Z   CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/work/repo/repo/gha-creds-37b63f6c9010bbed.json
2025-09-01T14:36:22.2120888Z   GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/repo/repo/gha-creds-37b63f6c9010bbed.json
2025-09-01T14:36:22.2121853Z   GOOGLE_GHA_CREDS_PATH: /home/runner/work/repo/repo/gha-creds-37b63f6c9010bbed.json
2025-09-01T14:36:22.2122468Z   CLOUDSDK_CORE_PROJECT: my-project
2025-09-01T14:36:22.2122921Z   CLOUDSDK_PROJECT: my-project
2025-09-01T14:36:22.2123208Z   GCLOUD_PROJECT: my-project
2025-09-01T14:36:22.2123482Z   GCP_PROJECT: my-project
2025-09-01T14:36:22.2123753Z   GOOGLE_CLOUD_PROJECT: my-project
2025-09-01T14:36:22.2124193Z   GH_TOKEN: ***
2025-09-01T14:36:22.2124681Z   GEMINI_API_KEY: 
2025-09-01T14:36:22.2124865Z   SURFACE: GitHub
2025-09-01T14:36:22.2125061Z   GOOGLE_CLOUD_LOCATION: 
2025-09-01T14:36:22.2125289Z   GOOGLE_GENAI_USE_VERTEXAI: false
2025-09-01T14:36:22.2125537Z   GOOGLE_GENAI_USE_GCA: false
2025-09-01T14:36:22.2130161Z   GOOGLE_CLOUD_ACCESS_TOKEN: ***
2025-09-01T14:36:22.2130679Z   PROMPT: 
hi

2025-09-01T14:36:22.2131197Z ##[endgroup]
2025-09-01T14:36:23.7814911Z ##[error]Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA
2025-09-01T14:36:23.7816593Z Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA
2025-09-01T14:36:23.7819290Z ##[error]Process completed with exit code 1.

Additional information

No response

[gemini-cli]

🤖 Hi @kuisathaverat, I've received your request, and I'm working on it now! You can track my progress in the logs for more details.

[jerop]

@kuisathaverat did you set either GOOGLE_GENAI_USE_VERTEXAI or GOOGLE_GENAI_USE_GCA? You could also directly set the inputs use_vertex_ai or use_gemini_code_assist

https://github.com/google-github-actions/run-gemini-cli/blob/main/docs/authentication.md#connecting-to-gemini-code-assist

[kuisathaverat]

I set none of those flags. Are they needed to enable the WIP? I did not expect that, I thought it authenticated against the project like google-github-actions/auth. I see they are simple booleans. Why not have the action choose the default for me? I really do not care for my use case.

[jerop]

The default is API key - you have to set those values to use Vertex AI or Code Assist once you've set up WIF for your GCP project, I guess we could pick one of them assuming you have the right subscriptions? Giving the user control to choose is also the default behavior when running Gemini CLI locally - cc @benw307

[kuisathaverat]

I double-check that the service account has the permissions described in the documentation

setting use_vertex_ai: "true"

Error: Update your environment and try again (no reload needed if using .env)!
See logs for more details
Error: Process completed with exit code 1.

setting use_gemini_code_assist: "true"

Error:     at async Config.refreshAuth (file:///usr/local/lib/node_modules/@google/gemini-cli/node_modules/@google/gemini-cli-core/dist/src/config/config.js:282:9)
See logs for more details
Error: Process completed with exit code 1.

None of the errors provides much detail about what is happening, and enabling debug gives you more information.

Using Vertex, I ask for more stuff.

Error: Update your environment and try again (no reload needed if using .env)!
See logs for more details
Error: Process completed with exit code 1.
##[debug]Set output gemini_response = 
##[debug]Set output gemini_errors = When using Vertex AI, you must specify either:
##[debug]• GOOGLE_CLOUD_PROJECT and GOOGLE_CLOUD_LOCATION environment variables.

Using code assist, it says the API is not enabled. I checked, and it is.

##[debug]Error: Cloud Code Private API has not been used in project REDACTED before or it is disabled. Enable it by visiting https://console.developers.google.com/apis/api/cloudcode-pa.googleapis.com/overview?project=REDACTED then retry. If you enabled this API recently, wait a few minutes for the action to propagate to our systems and retry.
##[debug]    at Gaxios._request (/usr/local/lib/node_modules/@google/gemini-cli/node_modules/gaxios/build/src/gaxios.js:142:23)
##[debug]    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
##[debug]    at async OAuth2Client.requestAsync (/usr/local/lib/node_modules/@google/gemini-cli/node_modules/google-auth-library/build/src/auth/oauth2client.js:429:18)
##[debug]    at async CodeAssistServer.requestPost (file:///usr/local/lib/node_modules/@google/gemini-cli/node_modules/@google/gemini-cli-core/dist/src/code_assist/server.js:55:21)
##[debug]    at async CodeAssistServer.loadCodeAssist (file:///usr/local/lib/node_modules/@google/gemini-cli/node_modules/@google/gemini-cli-core/dist/src/code_assist/server.js:39:16)
##[debug]    at async setupUser (file:///usr/local/lib/node_modules/@google/gemini-cli/node_modules/@google/gemini-cli-core/dist/src/code_assist/setup.js:26:21)
##[debug]    at async createCodeAssistContentGenerator (file:///usr/local/lib/node_modules/@google/gemini-cli/node_modules/@google/gemini-cli-core/dist/src/code_assist/codeAssist.js:15:26)
##[debug]    at async createContentGenerator (file:///usr/local/lib/node_modules/@google/gemini-cli/node_modules/@google/gemini-cli-core/dist/src/core/contentGenerator.js:57:44)
##[debug]    at async GeminiClient.initialize (file:///usr/local/lib/node_modules/@google/gemini-cli/node_modules/@google/gemini-cli-core/dist/src/core/client.js:98:33)
##[debug]    at async Config.refreshAuth (file:///usr/local/lib/node_modules/@google/gemini-cli/node_modules/@google/gemini-cli-core/dist/src/config/config.js:282:9)
##[debug]Finished: run

It states that the API is not enabled, but checking Gemini for Google Cloud and Vertex AI API reveals that they are indeed enabled, so I am unsure. The thing that works with an API key. I don't understand why the service needs to allow a new API to use WIP.

Finally, Vertex AI works for me, adding the location to the parameters.

BTW, using the API Key and using Vertex AI with the exact same prompt and parameters, the result is pretty different.

[kuisathaverat]

In short, it's a lack of validation on the parameters that makes the user have to try and error to find the proper parameters. And the error messages by default do not give context or details about the error.

[jerop]

In short, it's a lack of validation on the parameters that makes the user have to try and error to find the proper parameters. And the error messages by default do not give context or details about the error.

This is great feedback, will make this issue about validating that the parameters are set as expected for it to work instead of relying on documentation alone, thank you!