Addressing PR Comments

HassanJasim · HassanJasim · commit f8a07b9e86e8 · 2025-07-22T13:21:43.000-04:00
diff --git a/README.md b/README.md
@@ -79,6 +79,8 @@ Set the following environment variables in your repository or workflow:
 | GEMINI_CLI_VERSION        | Controls which version of the Gemini CLI is installed. Supports npm versions (e.g., `0.1.0`, `latest`), a branch name (e.g., `main`), or a commit hash. | Variable | No       | To pin or override CLI version |
 | OTLP_GCP_WIF_PROVIDER     | The full resource name of the Workload Identity Provider.                                   | Variable | No       | If using observability       |
 | OTLP_GOOGLE_CLOUD_PROJECT | The Google Cloud project for telemetry.                                                     | Variable | No       | If using observability       |
+| GOOGLE_CLOUD_PROJECT      | The Google Cloud project for Vertex auth.                                                   | Variable | No       | If using Vertex auth         |
+| GOOGLE_CLOUD_LOCATION     | The location of the Google Cloud project for Vertex auth.                                   | Variable | No       | If using Vertex auth         |
 | APP_ID                    | GitHub App ID for custom authentication.                                                    | Variable | No       | If using a custom GitHub App |
 
 
@@ -91,10 +93,10 @@ save. For organization-wide or environment-specific variables, see the
 
 The following secrets are required for security:
 
-| Name              | Description                                   | Required | When Required                |
-|-------------------|-----------------------------------------------|----------|------------------------------|
-| GEMINI_API_KEY    | Your Gemini API key.                          | Yes      | Always                       |
-| APP_PRIVATE_KEY   | Private key for your GitHub App (PEM format). | No       | If using a custom GitHub App |
+| Name              | Description                                   | Required | When Required                          |
+|-------------------|-----------------------------------------------|----------|----------------------------------------|
+| GEMINI_API_KEY    | Your Gemini API key.                          | No       | If you don't intend to use vertex auth |
+| APP_PRIVATE_KEY   | Private key for your GitHub App (PEM format). | No       | If using a custom GitHub App           |
 
 To add a secret, go to your repository's **Settings > Secrets and variables >
 Actions > New repository secret**. For more information, see the
diff --git a/scripts/setup_workload_identity.sh b/scripts/setup_workload_identity.sh
@@ -51,7 +51,8 @@ print_header() {
 }
 
 # Default values
-GCP_PROJECT_ID=""
+GOOGLE_CLOUD_PROJECT=""
+GOOGLE_CLOUD_LOCATION="global"
 GITHUB_REPO=""
 POOL_NAME="github"
 
@@ -99,7 +100,7 @@ while [[ $# -gt 0 ]]; do
             shift 2
             ;;
         -p|--project)
-            GCP_PROJECT_ID="$2"
+            GOOGLE_CLOUD_PROJECT="$2"
             shift 2
             ;;
         --pool-name)
@@ -139,17 +140,17 @@ if [[ ! "${GITHUB_REPO}" =~ ^[a-zA-Z0-9._-]+/[a-zA-Z0-9._-]+$ ]]; then
 fi
 
 # Auto-detect project ID if not provided
-if [[ -z "${GCP_PROJECT_ID}" ]]; then
+if [[ -z "${GOOGLE_CLOUD_PROJECT}" ]]; then
     print_info "Auto-detecting Google Cloud project..."
-    GCP_PROJECT_ID=$(gcloud config get-value project 2>/dev/null)
-    if [[ -z "${GCP_PROJECT_ID}" ]]; then
+    GOOGLE_CLOUD_PROJECT=$(gcloud config get-value project 2>/dev/null)
+    if [[ -z "${GOOGLE_CLOUD_PROJECT}" ]]; then
         print_error "Could not auto-detect Google Cloud project ID"
         echo "Please either:"
         echo "  1. Set default project: gcloud config set project YOUR_PROJECT_ID"
         echo "  2. Use --project flag: $0 --repo ${GITHUB_REPO} --project YOUR_PROJECT_ID"
         exit 1
     fi
-    print_success "Using project: ${GCP_PROJECT_ID}"
+    print_success "Using project: ${GOOGLE_CLOUD_PROJECT}"
 fi
 
 # Extract repository components
@@ -164,7 +165,7 @@ PROVIDER_NAME="gh-${REPO_HASH}"
 
 print_header "Starting Direct Workload Identity Federation setup"
 echo "📦 Repository: ${GITHUB_REPO}"
-echo "☁️ Project: ${GCP_PROJECT_ID}"
+echo "☁️ Project: ${GOOGLE_CLOUD_PROJECT}"
 echo "🏊 Pool: ${POOL_NAME}"
 echo "🆔 Provider: ${PROVIDER_NAME}"
 echo ""
@@ -180,8 +181,8 @@ if [[ -z "${GCLOUD_AUTH_LIST}" ]]; then
 fi
 
 # Test project access
-if ! gcloud projects describe "${GCP_PROJECT_ID}" > /dev/null 2>&1; then
-    print_error "Cannot access project '${GCP_PROJECT_ID}'"
+if ! gcloud projects describe "${GOOGLE_CLOUD_PROJECT}" > /dev/null 2>&1; then
+    print_error "Cannot access project '${GOOGLE_CLOUD_PROJECT}'"
     echo "Please verify:"
     echo "  1. Project ID is correct"
     echo "  2. You have permissions on this project"
@@ -196,18 +197,18 @@ print_header "Step 1: Enabling required Google Cloud APIs"
 apis_to_enable="iamcredentials.googleapis.com cloudresourcemanager.googleapis.com iam.googleapis.com sts.googleapis.com logging.googleapis.com monitoring.googleapis.com cloudtrace.googleapis.com"
 
 print_info "Enabling APIs: ${apis_to_enable}"
-# gcloud services enable "${apis_to_enable}" --project="${GCP_PROJECT_ID}"
+gcloud services enable "${apis_to_enable}" --project="${GOOGLE_CLOUD_PROJECT}"
 print_success "APIs enabled successfully"
 
 # Step 2: Create Workload Identity Pool
 print_header "Step 2: Creating Workload Identity Pool"
 if ! gcloud iam workload-identity-pools describe "${POOL_NAME}" \
-    --project="${GCP_PROJECT_ID}" \
-    --location="global" &> /dev/null; then
+    --project="${GOOGLE_CLOUD_PROJECT}" \
+    --location="${GOOGLE_CLOUD_LOCATION}" &> /dev/null; then
     print_info "Creating Workload Identity Pool: ${POOL_NAME}"
     gcloud iam workload-identity-pools create "${POOL_NAME}" \
-        --project="${GCP_PROJECT_ID}" \
-        --location="global" \
+        --project="${GOOGLE_CLOUD_PROJECT}" \
+        --location="${GOOGLE_CLOUD_LOCATION}" \
         --display-name="GitHub Actions Pool"
     print_success "Workload Identity Pool created"
 else
@@ -216,22 +217,22 @@ fi
 
 # Get the pool ID
 WIF_POOL_ID=$(gcloud iam workload-identity-pools describe "${POOL_NAME}" \
-    --project="${GCP_PROJECT_ID}" \
-    --location="global" \
+    --project="${GOOGLE_CLOUD_PROJECT}" \
+    --location="${GOOGLE_CLOUD_LOCATION}" \
     --format="value(name)")
 
 # Step 3: Create Workload Identity Provider
 print_header "Step 3: Creating Workload Identity Provider"
 ATTRIBUTE_CONDITION="assertion.repository_owner == '${REPO_OWNER}'"
 
 if ! gcloud iam workload-identity-pools providers describe "${PROVIDER_NAME}" \
-    --project="${GCP_PROJECT_ID}" \
-    --location="global" \
+    --project="${GOOGLE_CLOUD_PROJECT}" \
+    --location="${GOOGLE_CLOUD_LOCATION}" \
     --workload-identity-pool="${POOL_NAME}" &> /dev/null; then
     print_info "Creating Workload Identity Provider: ${PROVIDER_NAME}"
     gcloud iam workload-identity-pools providers create-oidc "${PROVIDER_NAME}" \
-        --project="${GCP_PROJECT_ID}" \
-        --location="global" \
+        --project="${GOOGLE_CLOUD_PROJECT}" \
+        --location="${GOOGLE_CLOUD_LOCATION}" \
         --workload-identity-pool="${POOL_NAME}" \
         --display-name="${PROVIDER_NAME}" \
         --attribute-mapping="google.subject=assertion.sub,attribute.actor=assertion.actor,attribute.repository=assertion.repository,attribute.repository_owner=assertion.repository_owner" \
@@ -250,26 +251,26 @@ print_info "Granting standard CI/CD permissions directly to the Workload Identit
 
 # Core observability permissions
 print_info "Granting logging permissions..."
-gcloud projects add-iam-policy-binding "${GCP_PROJECT_ID}" \
+gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
     --role="roles/logging.logWriter" \
     --member="${PRINCIPAL_SET}" \
     --condition=None
 
 print_info "Granting monitoring permissions..."
-gcloud projects add-iam-policy-binding "${GCP_PROJECT_ID}" \
+gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
     --role="roles/monitoring.editor" \
     --member="${PRINCIPAL_SET}" \
     --condition=None
 
 print_info "Granting tracing permissions..."
-gcloud projects add-iam-policy-binding "${GCP_PROJECT_ID}" \
+gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
     --role="roles/cloudtrace.agent" \
     --member="${PRINCIPAL_SET}" \
     --condition=None
 
 
 print_info "Granting vertex permissions..."
-gcloud projects add-iam-policy-binding "${GCP_PROJECT_ID}" \
+gcloud projects add-iam-policy-binding "${GOOGLE_CLOUD_PROJECT}" \
     --role="roles/aiplatform.user" \
     --member="${PRINCIPAL_SET}" \
     --condition=None
@@ -278,8 +279,8 @@ print_success "Standard permissions granted to Workload Identity Pool"
 
 # Get the full provider name for output
 WIF_PROVIDER_FULL=$(gcloud iam workload-identity-pools providers describe "${PROVIDER_NAME}" \
-    --project="${GCP_PROJECT_ID}" \
-    --location="global" \
+    --project="${GOOGLE_CLOUD_PROJECT}" \
+    --location="${GOOGLE_CLOUD_LOCATION}" \
     --workload-identity-pool="${POOL_NAME}" \
     --format="value(name)")
 
@@ -306,13 +307,13 @@ echo "🔑 Variable Name: OTLP_GCP_WIF_PROVIDER"
 echo "   Value: ${WIF_PROVIDER_FULL}"
 echo ""
 echo "☁️  Variable Name: OTLP_GOOGLE_CLOUD_PROJECT"
-echo "   Value: ${GCP_PROJECT_ID}"
+echo "   Value: ${GOOGLE_CLOUD_PROJECT}"
 echo ""
 echo "☁️ Secret Name: GOOGLE_CLOUD_LOCATION"
-echo "   Secret Value: global"
+echo "   Secret Value: ${GOOGLE_CLOUD_LOCATION}"
 echo ""
 echo "☁️  Secret Name: GOOGLE_CLOUD_PROJECT"
-echo "   Secret Value: ${GCP_PROJECT_ID}"
+echo "   Secret Value: ${GOOGLE_CLOUD_PROJECT}"
 echo ""
 
 print_success "Setup completed successfully! 🚀"
