feat(auth): Simplify and unify Workload Identity configuration (#33)

Renames to to create a single, unified variable for all Google Cloud
authentication.

Key changes:
- The now uses this unified provider for a more generic authentication
step.
- All documentation and workflows have been updated to use the new
variable.
- The  script is updated to reflect the new variable name in its output.

This is a follow up after
#18

<!--
Thank you for proposing a pull request! Please note that SOME TESTS WILL
LIKELY FAIL due to how GitHub exposes secrets in Pull Requests from
forks.
Someone from the team will review your Pull Request and respond.

Please describe your change and any implementation details below.
-->

Author: jerop

.github/workflows/gemini-cli.yml

@@ -174,7 +174,7 @@ jobs:
           ISSUE_NUMBER: '${{ steps.get_context.outputs.issue_number }}'
           IS_PR: '${{ steps.get_context.outputs.is_pr }}'
           GEMINI_API_KEY: '${{ secrets.GEMINI_API_KEY }}'
-          OTLP_GCP_WIF_PROVIDER: '${{ vars.OTLP_GCP_WIF_PROVIDER }}'
+          GCP_WIF_PROVIDER: '${{ vars.GCP_WIF_PROVIDER }}'
           OTLP_GOOGLE_CLOUD_PROJECT: '${{ vars.OTLP_GOOGLE_CLOUD_PROJECT }}'
           GOOGLE_CLOUD_PROJECT: '${{ vars.GOOGLE_CLOUD_PROJECT }}'
           GOOGLE_CLOUD_LOCATION: '${{ vars.GOOGLE_CLOUD_LOCATION }}'

.github/workflows/gemini-issue-automated-triage.yml

@@ -65,7 +65,7 @@ jobs:
           REPOSITORY: '${{ github.repository }}'
           GEMINI_CLI_VERSION: '${{ vars.GEMINI_CLI_VERSION }}'
           OTLP_GOOGLE_CLOUD_PROJECT: '${{ vars.OTLP_GOOGLE_CLOUD_PROJECT }}'
-          OTLP_GCP_WIF_PROVIDER: '${{ vars.OTLP_GCP_WIF_PROVIDER }}'
+          GCP_WIF_PROVIDER: '${{ vars.GCP_WIF_PROVIDER }}'
           GEMINI_API_KEY: '${{ secrets.GEMINI_API_KEY }}'
           GOOGLE_CLOUD_PROJECT: '${{ vars.GOOGLE_CLOUD_PROJECT }}'
           GOOGLE_CLOUD_LOCATION: '${{ vars.GOOGLE_CLOUD_LOCATION }}'

.github/workflows/gemini-issue-scheduled-triage.yml

@@ -73,7 +73,7 @@ jobs:
           REPOSITORY: '${{ github.repository }}'
           GEMINI_CLI_VERSION: '${{ vars.GEMINI_CLI_VERSION }}'
           OTLP_GOOGLE_CLOUD_PROJECT: '${{ vars.OTLP_GOOGLE_CLOUD_PROJECT }}'
-          OTLP_GCP_WIF_PROVIDER: '${{ vars.OTLP_GCP_WIF_PROVIDER }}'
+          GCP_WIF_PROVIDER: '${{ vars.GCP_WIF_PROVIDER }}'
           GEMINI_API_KEY: '${{ secrets.GEMINI_API_KEY }}'
           GOOGLE_CLOUD_PROJECT: '${{ vars.GOOGLE_CLOUD_PROJECT }}'
           GOOGLE_CLOUD_LOCATION: '${{ vars.GOOGLE_CLOUD_LOCATION }}'

.github/workflows/gemini-pr-review.yml

@@ -152,7 +152,7 @@ jobs:
           REPOSITORY: '${{ github.repository }}'
           GEMINI_CLI_VERSION: '${{ vars.GEMINI_CLI_VERSION }}'
           OTLP_GOOGLE_CLOUD_PROJECT: '${{ vars.OTLP_GOOGLE_CLOUD_PROJECT }}'
-          OTLP_GCP_WIF_PROVIDER: '${{ vars.OTLP_GCP_WIF_PROVIDER }}'
+          GCP_WIF_PROVIDER: '${{ vars.GCP_WIF_PROVIDER }}'
           GEMINI_API_KEY: '${{ secrets.GEMINI_API_KEY }}'
           GOOGLE_CLOUD_PROJECT: '${{ vars.GOOGLE_CLOUD_PROJECT }}'
           GOOGLE_CLOUD_LOCATION: '${{ vars.GOOGLE_CLOUD_LOCATION }}'

README.md

@@ -79,7 +79,7 @@ Set the following environment variables in your repository or workflow:
 | Name                      | Description                                                                                 | Type     | Required | When Required                |
 |---------------------------|---------------------------------------------------------------------------------------------|----------|----------|------------------------------|
 | GEMINI_CLI_VERSION        | Controls which version of the Gemini CLI is installed. Supports npm versions (e.g., `0.1.0`, `latest`), a branch name (e.g., `main`), or a commit hash. | Variable | No       | To pin or override CLI version |
-| OTLP_GCP_WIF_PROVIDER     | The full resource name of the Workload Identity Provider.                                   | Variable | No       | If using observability       |
+| GCP_WIF_PROVIDER     | The full resource name of the Workload Identity Provider.                                   | Variable | No       | If using observability       |
 | OTLP_GOOGLE_CLOUD_PROJECT | The Google Cloud project for telemetry.                                                     | Variable | No       | If using observability       |
 | GOOGLE_CLOUD_PROJECT      | The Google Cloud project for Vertex auth.                                                   | Variable | No       | If using Vertex auth         |
 | GOOGLE_CLOUD_LOCATION     | The location of the Google Cloud project for Vertex auth.                                   | Variable | No       | If using Vertex auth         |

action.yml

@@ -46,18 +46,18 @@ runs:
       env:
         SETTINGS: '${{ inputs.settings }}'
 
-    - name: 'Authenticate to Google Cloud for Telemetry'
+    - name: 'Authenticate to Google Cloud'
       if: |-
-        ${{ env.OTLP_GCP_WIF_PROVIDER != '' }}
+        ${{ env.GCP_WIF_PROVIDER != '' }}
       id: 'auth'
       uses: 'google-github-actions/auth@v2'
       with:
-        project_id: '${{ env.OTLP_GOOGLE_CLOUD_PROJECT }}'
-        workload_identity_provider: '${{ env.OTLP_GCP_WIF_PROVIDER }}'
+        project_id: '${{ env.GOOGLE_CLOUD_PROJECT }}'
+        workload_identity_provider: '${{ env.GCP_WIF_PROVIDER }}'
 
     - name: 'Run Telemetry Collector for Google Cloud'
       if: |-
-        ${{ env.OTLP_GCP_WIF_PROVIDER != '' }}
+        ${{ env.GCP_WIF_PROVIDER != '' }}
       env:
         OTLP_GOOGLE_CLOUD_PROJECT: '${{ env.OTLP_GOOGLE_CLOUD_PROJECT }}'
         GITHUB_ACTION_PATH: '${{ github.action_path }}'

docs/observability.md

@@ -49,15 +49,9 @@ For advanced configuration options, manual setup instructions, troubleshooting,
 After running the setup script, configure your GitHub Actions workflow with the provided values:
 
 ```yaml
-- uses: google-github-actions/auth@v2
-  with:
-    workload_identity_provider: ${{ vars.OTLP_GCP_WIF_PROVIDER }}
-    project_id: ${{ vars.OTLP_GOOGLE_CLOUD_PROJECT }}
-
-
 - uses: google-github-actions/run-gemini-cli@v1
   env:
-    OTLP_GCP_WIF_PROVIDER: ${{ vars.OTLP_GCP_WIF_PROVIDER }}
+    GCP_WIF_PROVIDER: ${{ vars.GCP_WIF_PROVIDER }}
     OTLP_GOOGLE_CLOUD_PROJECT: ${{ vars.OTLP_GOOGLE_CLOUD_PROJECT }}
     GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
   with:

docs/workload-identity.md

@@ -39,6 +39,7 @@ The script automatically grants these essential permissions:
 - **`roles/logging.logWriter`** - Write logs to Cloud Logging
 - **`roles/monitoring.metricWriter`** - Write metrics to Cloud Monitoring
 - **`roles/cloudtrace.agent`** - Send traces to Cloud Trace
+- **`roles/aiplatform.user `** - Make inference calls to Vertex AI
 
 ## Quick Start
 
@@ -94,11 +95,10 @@ Your user account needs these permissions in the target GCP project:
 
 ### What the Script Does
 
-1. **Enables required APIs**: IAM, STS, Logging, Monitoring, Tracing
-2. **Creates Workload Identity Pool**: Shared resource (named `github` by default)
-3. **Creates Workload Identity Provider**: Unique per repository
-4. **Grants permissions**: Automatic observability permissions
-5. **Outputs configuration**: GitHub secrets and workflow example
+1. **Creates Workload Identity Pool**: Shared resource (named `github` by default)
+2. **Creates Workload Identity Provider**: Unique per repository
+3. **Grants permissions**: Automatic observability and inference permissions
+4. **Outputs configuration**: GitHub secrets and workflow example
 
 ## GitHub Configuration
 
@@ -109,7 +109,7 @@ Go to: `https://github.com/OWNER/REPO/settings/variables/actions`
 
 | Environment Variable Name         | Description                                      |
 |-----------------------------------|--------------------------------------------------|
-| `OTLP_GCP_WIF_PROVIDER`           | Workload Identity Provider resource name         |
+| `GCP_WIF_PROVIDER`                | Workload Identity Provider resource name         |
 | `OTLP_GOOGLE_CLOUD_PROJECT`       | Your Google Cloud project ID                     |
 | `GOOGLE_CLOUD_PROJECT`            | Your Google Cloud project ID                     |
 | `GOOGLE_CLOUD_LOCATION`           | Your Google Cloud project Location               |

scripts/setup_workload_identity.sh

@@ -196,16 +196,8 @@ fi
 
 print_success "Authentication and project access verified"
 
-# Step 1: Enable required APIs
-print_header "Step 1: Enabling required Google Cloud APIs"
-apis_to_enable="iamcredentials.googleapis.com cloudresourcemanager.googleapis.com iam.googleapis.com sts.googleapis.com logging.googleapis.com monitoring.googleapis.com cloudtrace.googleapis.com"
-
-print_info "Enabling APIs: ${apis_to_enable}"
-gcloud services enable "${apis_to_enable}" --project="${GOOGLE_CLOUD_PROJECT}"
-print_success "APIs enabled successfully"
-
-# Step 2: Create Workload Identity Pool
-print_header "Step 2: Creating Workload Identity Pool"
+# Step 1: Create Workload Identity Pool
+print_header "Step 1: Creating Workload Identity Pool"
 if ! gcloud iam workload-identity-pools describe "${POOL_NAME}" \
     --project="${GOOGLE_CLOUD_PROJECT}" \
     --location="${GOOGLE_CLOUD_LOCATION}" &> /dev/null; then
@@ -225,8 +217,8 @@ WIF_POOL_ID=$(gcloud iam workload-identity-pools describe "${POOL_NAME}" \
     --location="${GOOGLE_CLOUD_LOCATION}" \
     --format="value(name)")
 
-# Step 3: Create Workload Identity Provider
-print_header "Step 3: Creating Workload Identity Provider"
+# Step 2: Create Workload Identity Provider
+print_header "Step 2: Creating Workload Identity Provider"
 ATTRIBUTE_CONDITION="assertion.repository_owner == '${REPO_OWNER}'"
 
 if ! gcloud iam workload-identity-pools providers describe "${PROVIDER_NAME}" \
@@ -247,13 +239,13 @@ else
     print_success "Workload Identity Provider already exists"
 fi
 
-# Step 4: Grant standard permissions to the Workload Identity Pool
-print_header "Step 4: Granting standard permissions to Workload Identity Pool"
+# Step 3: Grant required permissions to the Workload Identity Pool
+print_header "Step 3: Granting required permissions to Workload Identity Pool"
 PRINCIPAL_SET="principalSet://iam.googleapis.com/${WIF_POOL_ID}/attribute.repository/${GITHUB_REPO}"
 
-print_info "Granting standard CI/CD permissions directly to the Workload Identity Pool..."
+print_info "Granting required permissions directly to the Workload Identity Pool..."
 
-# Core observability permissions
+# Observability permissions
 print_info "Granting logging permissions..."
 gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
     --role="roles/logging.logWriter" \
@@ -272,14 +264,14 @@ gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
     --member="${PRINCIPAL_SET}" \
     --condition=None
 
-
+# Model inference permissions
 print_info "Granting vertex permissions..."
 gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
     --role="roles/aiplatform.user" \
     --member="${PRINCIPAL_SET}" \
     --condition=None
 
-print_success "Standard permissions granted to Workload Identity Pool"
+print_success "Required permissions granted to Workload Identity Pool"
 
 # Get the full provider name for output
 WIF_PROVIDER_FULL=$(gcloud iam workload-identity-pools providers describe "${PROVIDER_NAME}" \
@@ -288,7 +280,7 @@ WIF_PROVIDER_FULL=$(gcloud iam workload-identity-pools providers describe "${PRO
     --workload-identity-pool="${POOL_NAME}" \
     --format="value(name)")
 
-# Step 5: Output configuration
+# Step 4: Output configuration
 print_header "🎉 Setup Complete!"
 echo ""
 print_success "Direct Workload Identity Federation has been configured for your repository!"
@@ -300,24 +292,25 @@ print_success "The following permissions have been automatically granted to your
 echo "• roles/logging.logWriter - Write logs to Cloud Logging"
 echo "• roles/monitoring.editor - Create and update metrics in Cloud Monitoring"
 echo "• roles/cloudtrace.agent - Send traces to Cloud Trace"
+echo "• roles/aiplatform.user - Use Vertex AI for model inference"
 echo ""
 
 print_header "GitHub Environment Variables Configuration"
 echo ""
 print_warning "Add these variables to your GitHub repository or workflow configuration:"
 echo "  Repository: https://github.com/${GITHUB_REPO}/settings/variables/actions"
 echo ""
-echo "🔑 Variable Name: OTLP_GCP_WIF_PROVIDER"
-echo "   Value: ${WIF_PROVIDER_FULL}"
+echo "🔑 Variable Name: GCP_WIF_PROVIDER"
+echo "   Variable Value: ${WIF_PROVIDER_FULL}"
 echo ""
 echo "☁️  Variable Name: OTLP_GOOGLE_CLOUD_PROJECT"
-echo "   Value: ${GOOGLE_CLOUD_PROJECT}"
+echo "   Variable VariableValue: ${GOOGLE_CLOUD_PROJECT}"
 echo ""
-echo "☁️ Secret Name: GOOGLE_CLOUD_LOCATION"
-echo "   Secret Value: ${GOOGLE_CLOUD_LOCATION}"
+echo "☁️  Variable Name: GOOGLE_CLOUD_PROJECT"
+echo "   Variable Value: ${GOOGLE_CLOUD_PROJECT}"
 echo ""
-echo "☁️  Secret Name: GOOGLE_CLOUD_PROJECT"
-echo "   Secret Value: ${GOOGLE_CLOUD_PROJECT}"
+echo "☁️ Variable Name: GOOGLE_CLOUD_LOCATION"
+echo "   Variable Value: ${GOOGLE_CLOUD_LOCATION}"
 echo ""
 
 print_success "Setup completed successfully! 🚀"

workflows/gemini-cli/README.md

@@ -45,7 +45,7 @@ When invoked with `@gemini-cli`, the assistant uses a customizable set of tools
 2.  **GitHub App Token (Optional)**: Required for authentication if using custom github app.
     -   Set `APP_ID` and `APP_PRIVATE_KEY` secrets in your repository.
 3.  **Telemetry (Optional)**: For observability.
-    -   Set `OTLP_GCP_WIF_PROVIDER` secret and `OTLP_GOOGLE_CLOUD_PROJECT` variable.
+    -   Set `GCP_WIF_PROVIDER` secret and `OTLP_GOOGLE_CLOUD_PROJECT` variable.
 
 ### Workflow File