run-gemini-cli does not inherit authentication from google-github-actions/auth

[aoogane]

Summary

When using google-github-actions/auth@v3 with credentials_json before run-gemini-cli@v0, the action does not inherit the authentication and emits the following warning:

No authentication method provided. Please provide one of 'gemini_api_key', 'google_api_key', or 'gcp_workload_identity_provider'.

Even though the GOOGLE_APPLICATION_CREDENTIALS environment variable is correctly set by the auth action, run-gemini-cli does not recognize it and requires explicit authentication parameters.

Expected Behavior

The action should recognize authentication established by google-github-actions/auth@v3, similar to how other Google GitHub Actions work (e.g., google-github-actions/deploy-cloudrun).

Observed Behavior

1. The action emits "No authentication method provided" warning
2. Gemini CLI fails to authenticate with Vertex AI
3. The gh CLI commands within Gemini sandbox also fail to authenticate (even with GH_TOKEN env var and sandbox: false)

Workflow Configuration

- name: Authenticate to Google Cloud
  uses: google-github-actions/auth@v3
  with:
    credentials_json: ${{ secrets.GOOGLE_APPLICATION_CREDENTIALS_POC }}
    create_credentials_file: true

- name: Automatic PR Review with Gemini
  uses: google-github-actions/run-gemini-cli@v0
  with:
    use_vertex_ai: true
    gcp_project_id: 'my-project'
    gcp_location: 'global'
    gemini_debug: true
    settings: |
      {
        "model": "gemini-3-pro-preview",
        "sandbox": false
      }
    prompt: |
      Review this PR...
  env:
    GH_TOKEN: ${{ secrets.GH_PAT }}

Logs

The environment shows auth was successful:

GOOGLE_APPLICATION_CREDENTIALS: /home/runner/work/.../gha-creds-xxx.json
CLOUDSDK_AUTH_CREDENTIAL_FILE_OVERRIDE: /home/runner/work/.../gha-creds-xxx.json

But the action still warns about missing authentication.

Workaround

Currently, users must either:

1. Use gcp_workload_identity_provider parameter (requires WIF setup)
2. Pin to an older version (e.g., @v0.1.17)

Environment

• Action version: v0.1.19 / v0.1.20
• Runner: ubuntu-latest
• Auth action: google-github-actions/auth@v3

Impact

This is a breaking change for users who were previously using credentials_json with the auth action. The action should either:

1. Recognize GOOGLE_APPLICATION_CREDENTIALS environment variable
2. Document that gcp_workload_identity_provider is now required

[gemini-cli]

🤖 Hi @aoogane, I've received your request, and I'm working on it now! You can track my progress in the logs for more details.

[brant-ruan]

I also encounter that the gemini agent keeps on reporting something like:

I am unable to proceed because the gh command requires authentication, which I cannot provide. Please ensure the GitHub CLI is authenticated before attempting to list or apply labels.

However, I have set the GH_TOKEN and GITHUB_TOKEN as envs. I also tried to ask agent to look for the GH_TOKEN env, while it cannot find the env. Seems that the GH_TOKEN env is unavailable when the agent runs. Is there any countermeasure to mitigate this issue?

[pmerlin1]

Related: we hit a similar auth issue with WIF and found that the action defaults to Code Assist auth (cloudcode-pa.googleapis.com) even when use_vertex_ai is set, unless you also explicitly set use_gemini_code_assist: "false".

For WIF/service account auth targeting Vertex AI, the working config is:

use_vertex_ai: "true"
use_gemini_code_assist: "false"
gcp_location: "global"

More detail in my comment on #497: #497 (comment)