From f03a5e83c52171bf8594232227efcd8014f2e687 Mon Sep 17 00:00:00 2001
From: h-tsuboi918
Date: Tue, 30 Jun 2026 01:01:30 +0900
Subject: [PATCH] ci: Ignore OAuth scopes in endpoint check
The googleapis.com endpoint compliance check treated OAuth scope URLs as service endpoints and required an mTLS counterpart. Exclude https://www.googleapis.com/auth/ URLs before checking for mTLS endpoint variants.
Fixes #6238
---
 scripts/compliance_checks.py | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/scripts/compliance_checks.py b/scripts/compliance_checks.py
index 0524ba0e3f..43df40d2fd 100755
--- a/scripts/compliance_checks.py
+++ b/scripts/compliance_checks.py
@@ -121,9 +121,16 @@ def check_cli_import(content: str, filename: str) -> bool:
 def check_mtls(content: str, filename: str) -> bool:
 if filename in _EXCLUDED_FROM_MTLS:
 return True
- # Pattern for googleapis: https?://[a-zA-Z0-9.-]+\.googleapis\.com
- endpoint_pattern = re.compile(r'https?://[a-zA-Z0-9.-]+\.googleapis\.com')
- if endpoint_pattern.search(content):
+ endpoint_pattern = re.compile(
+ r'https?://[a-zA-Z0-9.-]+\.googleapis\.com[^"\'\s]*'
+ )
+ oauth_scope_pattern = re.compile(r'https?://www\.googleapis\.com/auth(/|$)')
+ endpoints = [
+ match.group(0)
+ for match in endpoint_pattern.finditer(content)
+ if not oauth_scope_pattern.match(match.group(0))
+ ]
+ if endpoints:
 return '.mtls.googleapis.com' in content
 return True
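Review bot: The filtered `endpoints` list in `check_mtls` is used only for truthiness, and the result is still decided by the file-wide test `'.mtls.googleapis.com' in content`, so a single mTLS hostname anywhere in the file (a comment included) passes every other googleapis.com endpoint in it. Since this is the check that enforces mTLS coverage, that limitation deserves a comment above the return, for example `# NOTE: file-wide check; endpoints are not matched one-to-one with an mTLS host`, or a follow-up that compares hosts. The list itself can be `any(not oauth_scope_pattern.match(m.group(0)) for m in endpoint_pattern.finditer(content))`, and both patterns could be compiled once at module level instead of on every call. The exclusion applies only to the `www` host and to `/auth` followed by `/` or the end of the match, which looks intentionally narrow; if the script has tests, one case with a scope-only file and one with a scope plus a real endpoint would pin that behaviour.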