Silent success when multiple auth methods are provided (zero review output, no error) #519

@ASHughey

Summary

When a workflow passes multiple auth methods to run-gemini-cli@v0 simultaneously (e.g., both gcp_workload_identity_provider AND gemini_api_key and/or google_api_key), the action emits warnings but proceeds anyway. The job exits with conclusion: success, no error surface, but produces zero observable output — no review comments, no MCP tool calls visible in the log, no error message on the PR.

The same silent-success pattern occurs when WIF is configured but neither use_vertex_ai nor use_gemini_code_assist is set to true.

This is the worst possible failure mode for a CI tool: green check, no review, no clue why.

Why this is hard to diagnose

  • Job conclusion: success — no GitHub-level signal anything is wrong
  • The runner log shows env setup → context load → straight to "Post job cleanup" with nothing observable in between
  • No 4xx/5xx from Vertex AI or any other backend appears anywhere
  • No model output, no tool calls, no error trace
  • The action's validation warnings are only visible with ACTIONS_STEP_DEBUG=true as a repo secret

We spent several hours chasing quota limits, IAM roles, billing, and service-account permissions before enabling debug logging and finding the actual cause.

Reproduction

Workflow input that triggers silent failure:

uses: google-github-actions/run-gemini-cli@v0
with:
  gcp_workload_identity_provider: 'projects/.../providers/...'
  gcp_service_account: 'sa@project.iam.gserviceaccount.com'
  gemini_api_key: '${{ secrets.GEMINI_API_KEY }}'    # competing
  google_api_key: '${{ secrets.GOOGLE_API_KEY }}'    # competing
  use_vertex_ai: 'true'

With this config:

  • All three auth methods are non-empty
  • The action emits warnings about ambiguity but does NOT fail
  • The job reports success with zero side effects

What the action actually emits (debug-only)

WARNING: Multiple authentication methods provided. Please use only one of
'gemini_api_key', 'google_api_key', or 'gcp_workload_identity_provider'.

WARNING: When using Workload Identity Federation, you must set exactly
one of 'use_vertex_ai' or 'use_gemini_code_assist' to 'true'.

Request

These warnings should be errors that fail the job, not warnings that proceed silently:

  1. If multiple non-empty auth methods are provided, exit non-zero with a clear message naming which inputs are conflicting.
  2. If WIF is used and neither use_vertex_ai nor use_gemini_code_assist is explicitly true, exit non-zero rather than running with no backend.
  3. Surface input-validation warnings to the standard log (not only the ##[debug] channel).

The current behavior makes the action effectively impossible to debug from a green-check status alone. Failing loudly on misconfig would turn "spent a day diagnosing a green-checkmark silent-no-op" into "30 seconds of reading the error".

Workaround

Configure exactly one auth method. We removed gemini_api_key and google_api_key from our workflows and rely on WIF + Vertex AI only — see our fix PR for the diff.

Action version

google-github-actions/run-gemini-cli@v0 (SHA f77273f4c914e4bf38440cf36a0369cb64a37489 at time of report)
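
The three checks requested above can run as a pre-flight guard in a step before the action. This is an added example, not code from the issue or from run-gemini-cli; the function name, its positional arguments and its exit codes are assumptions.

```bash
#!/usr/bin/env bash
# Added example: pre-flight guard for the auth inputs passed to run-gemini-cli.
# Not the action's own code; the function name and exit codes are hypothetical.
# Args: wif_provider gemini_api_key google_api_key use_vertex_ai use_gemini_code_assist
# Returns: 0 valid, 2 no auth method, 3 conflicting methods, 4 WIF without one backend.
validate_gemini_auth() {
  _wif=$1; _gemini=$2; _google=$3; _vertex=$4; _gca=$5
  _provided=""; _count=0; _backends=0

  # Record input names only; secret values are never echoed.
  if [ -n "$_wif" ]; then
    _provided="$_provided gcp_workload_identity_provider"; _count=$((_count + 1))
  fi
  if [ -n "$_gemini" ]; then
    _provided="$_provided gemini_api_key"; _count=$((_count + 1))
  fi
  if [ -n "$_google" ]; then
    _provided="$_provided google_api_key"; _count=$((_count + 1))
  fi

  # '::error::' is a workflow command: it lands in the normal log and as an annotation.
  if [ "$_count" -eq 0 ]; then
    echo "::error::No auth method set; configure exactly one."
    return 2
  fi
  if [ "$_count" -gt 1 ]; then
    echo "::error::Conflicting auth inputs:${_provided}. Configure exactly one."
    return 3
  fi

  # WIF needs exactly one backend flag set to the literal string 'true'.
  if [ -n "$_wif" ]; then
    if [ "$_vertex" = "true" ]; then _backends=$((_backends + 1)); fi
    if [ "$_gca" = "true" ]; then _backends=$((_backends + 1)); fi
    if [ "$_backends" -ne 1 ]; then
      echo "::error::WIF needs exactly one of use_vertex_ai / use_gemini_code_assist = 'true' (got $_backends)."
      return 4
    fi
  fi
  return 0
}

# Constructed sample: the issue's reproduction config with placeholder values.
validate_gemini_auth 'projects/.../providers/...' 'placeholder' 'placeholder' 'true' '' \
  || echo "guard returned $?"
```

In a workflow, call the function as the last command of a step without the `|| echo`, so its non-zero status fails the job before the action runs.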
