Adding Vertex auth

Author: HassanJasim

.github/workflows/gemini-pr-review.yml

@@ -63,7 +63,6 @@ jobs:
       )
     timeout-minutes: 15
     runs-on: 'ubuntu-latest'
-
     steps:
       - name: 'Checkout PR code'
         uses: 'actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683' # ratchet:actions/checkout@v4
@@ -143,6 +142,7 @@ jobs:
 
       - name: 'Run Gemini PR Review'
         uses: './'
+        # Define the common env block ONCE using an anchor
         env:
           GITHUB_TOKEN: '${{ steps.generate_token.outputs.token || secrets.GITHUB_TOKEN }}'
           PR_NUMBER: '${{ steps.get_pr.outputs.pr_number || steps.get_pr_comment.outputs.pr_number }}'
@@ -154,6 +154,9 @@ jobs:
           OTLP_GOOGLE_CLOUD_PROJECT: '${{ vars.OTLP_GOOGLE_CLOUD_PROJECT }}'
           OTLP_GCP_WIF_PROVIDER: '${{ vars.OTLP_GCP_WIF_PROVIDER }}'
           GEMINI_API_KEY: '${{ secrets.GEMINI_API_KEY }}'
+          GOOGLE_CLOUD_PROJECT: '${{ vars.GOOGLE_CLOUD_PROJECT }}'
+          GOOGLE_CLOUD_LOCATION: '${{ vars.GOOGLE_CLOUD_LOCATION }}'
+          GOOGLE_GENAI_USE_VERTEXAI: '${{ vars.GOOGLE_GENAI_USE_VERTEXAI }}'
         with:
           settings_json: |-
             {
@@ -176,7 +179,6 @@ jobs:
             }
           prompt: |-
             ## Role
-
             You are an expert code reviewer. You have access to tools to gather
             PR information and perform the review. Use the available tools to
             gather information; do not ask for information to be provided.
@@ -188,14 +190,14 @@ jobs:
             2. Run: echo "${CHANGED_FILES}" to get the list of changed files
             3. Run: echo "${PR_NUMBER}" to get the PR number
             4. Run: echo "${ADDITIONAL_INSTRUCTIONS}" to see any specific review
-               instructions from the user
+                instructions from the user
             5. Run: gh pr diff "${PR_NUMBER}" to see the full diff
             6. For any specific files, use: cat filename, head -50 filename, or
-               tail -50 filename
+                tail -50 filename
             7. If ADDITIONAL_INSTRUCTIONS contains text, prioritize those
-               specific areas or focus points in your review. Common instruction
-               examples: "focus on security", "check performance", "review error
-               handling", "check for breaking changes"
+                specific areas or focus points in your review. Common instruction
+                examples: "focus on security", "check performance", "review error
+                handling", "check for breaking changes"
 
 
             ## Guidelines
@@ -210,9 +212,9 @@ jobs:
 
             Once you have the information, provide a comprehensive code review by:
             1. Writing your review to a file: write_file("review.md", "<your
-               detailed review feedback here>")
+                detailed review feedback here>")
             2. Posting the review: gh pr comment "${PR_NUMBER}" --body-file
-               review.md --repo "${REPOSITORY}"
+                review.md --repo "${REPOSITORY}"
 
             Review Areas:
             - **Security**: Authentication, authorization, input validation,

action.yml

@@ -95,8 +95,11 @@ runs:
 
     - name: 'Run Gemini CLI'
       env:
+        GOOGLE_GENAI_USE_VERTEXAI: '${{ env.GOOGLE_GENAI_USE_VERTEXAI }}'
         GEMINI_API_KEY: '${{ env.GEMINI_API_KEY }}'
         SURFACE: 'GitHub'
+        GOOGLE_CLOUD_PROJECT: '${{ env.GOOGLE_CLOUD_PROJECT }}'
+        GOOGLE_CLOUD_LOCATION: '${{ env.GOOGLE_CLOUD_LOCATION }}'
         PROMPT: '${{ inputs.prompt }}'
       shell: 'bash'
       run: |

scripts/setup_workload_identity.sh

@@ -196,7 +196,7 @@ print_header "Step 1: Enabling required Google Cloud APIs"
 apis_to_enable="iamcredentials.googleapis.com cloudresourcemanager.googleapis.com iam.googleapis.com sts.googleapis.com logging.googleapis.com monitoring.googleapis.com cloudtrace.googleapis.com"
 
 print_info "Enabling APIs: ${apis_to_enable}"
-gcloud services enable "${apis_to_enable}" --project="${GCP_PROJECT_ID}"
+# gcloud services enable "${apis_to_enable}" --project="${GCP_PROJECT_ID}"
 print_success "APIs enabled successfully"
 
 # Step 2: Create Workload Identity Pool
@@ -267,6 +267,13 @@ gcloud projects add-iam-policy-binding "${GCP_PROJECT_ID}" \
     --member="${PRINCIPAL_SET}" \
     --condition=None
 
+
+print_info "Granting vertex permissions..."
+gcloud projects add-iam-policy-binding "${GCP_PROJECT_ID}" \
+    --role="roles/aiplatform.user" \
+    --member="${PRINCIPAL_SET}" \
+    --condition=None
+
 print_success "Standard permissions granted to Workload Identity Pool"
 
 # Get the full provider name for output
@@ -301,5 +308,11 @@ echo ""
 echo "☁️  Variable Name: OTLP_GOOGLE_CLOUD_PROJECT"
 echo "   Value: ${GCP_PROJECT_ID}"
 echo ""
+echo "☁️ Secret Name: GOOGLE_CLOUD_LOCATION"
+echo "   Secret Value: global"
+echo ""
+echo "☁️  Secret Name: GOOGLE_CLOUD_PROJECT"
+echo "   Secret Value: ${GCP_PROJECT_ID}"
+echo ""
 
 print_success "Setup completed successfully! 🚀"