feat: support direct wif

Author: fredrikaverpil

action.yml

@@ -30,6 +30,14 @@ inputs:
   gcp_workload_identity_provider:
     description: 'The Google Cloud Workload Identity Provider.'
     required: false
+  gcp_token_format:
+    description: 'The token format for authentication. Set to "access_token" to generate access tokens (requires service account), or set to empty string for direct WIF. Can be "access_token" or "id_token".'
+    required: false
+    default: 'access_token'
+  gcp_access_token_scopes:
+    description: 'The access token scopes when using token_format "access_token". Comma-separated list of OAuth 2.0 scopes.'
+    required: false
+    default: 'https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/userinfo.profile'
   gemini_api_key:
     description: 'The API key for the Gemini API.'
     required: false
@@ -123,8 +131,13 @@ runs:
 
         # Validate Workload Identity Federation inputs
         if [[ "${INPUT_GCP_WORKLOAD_IDENTITY_PROVIDER_PRESENT:-false}" == "true" ]]; then
-          if [[ "${INPUT_GCP_PROJECT_ID_PRESENT:-false}" != "true" || "${INPUT_GCP_SERVICE_ACCOUNT_PRESENT:-false}" != "true" ]]; then
-            warn "When using Workload Identity Federation ('gcp_workload_identity_provider'), you must also provide 'gcp_project_id' and 'gcp_service_account'."
+          if [[ "${INPUT_GCP_PROJECT_ID_PRESENT:-false}" != "true" ]]; then
+            warn "When using Workload Identity Federation ('gcp_workload_identity_provider'), you must also provide 'gcp_project_id'."
+          fi
+          # Service account is required when using token_format (default behavior)
+          # Only optional when explicitly set to empty for direct WIF
+          if [[ "${INPUT_GCP_TOKEN_FORMAT}" != "" && "${INPUT_GCP_SERVICE_ACCOUNT_PRESENT:-false}" != "true" ]]; then
+            warn "When using Workload Identity Federation with token generation ('gcp_token_format'), you must also provide 'gcp_service_account'. To use direct WIF without a service account, explicitly set 'gcp_token_format' to an empty string."
           fi
           if [[ "${INPUT_USE_VERTEX_AI:-false}" == "${INPUT_USE_GEMINI_CODE_ASSIST:-false}" ]]; then
             warn "When using Workload Identity Federation, you must set exactly one of 'use_vertex_ai' or 'use_gemini_code_assist' to 'true'."
@@ -153,6 +166,7 @@ runs:
         INPUT_GCP_WORKLOAD_IDENTITY_PROVIDER_PRESENT: "${{ inputs.gcp_workload_identity_provider != '' }}"
         INPUT_GCP_PROJECT_ID_PRESENT: "${{ inputs.gcp_project_id != '' }}"
         INPUT_GCP_SERVICE_ACCOUNT_PRESENT: "${{ inputs.gcp_service_account != '' }}"
+        INPUT_GCP_TOKEN_FORMAT: '${{ inputs.gcp_token_format }}'
         INPUT_USE_VERTEX_AI: '${{ inputs.use_vertex_ai }}'
         INPUT_USE_GEMINI_CODE_ASSIST: '${{ inputs.use_gemini_code_assist }}'
 
@@ -184,8 +198,8 @@ runs:
         project_id: '${{ inputs.gcp_project_id }}'
         workload_identity_provider: '${{ inputs.gcp_workload_identity_provider }}'
         service_account: '${{ inputs.gcp_service_account }}'
-        token_format: 'access_token'
-        access_token_scopes: 'https://www.googleapis.com/auth/cloud-platform,https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/userinfo.profile'
+        token_format: '${{ inputs.gcp_token_format }}'
+        access_token_scopes: '${{ inputs.gcp_access_token_scopes }}'
 
     - name: 'Install Gemini CLI'
       id: 'install'

docs/authentication.md

@@ -170,6 +170,10 @@ This is the standard method for authenticating directly with the Vertex AI API u
 
 - A Google Cloud project with the **Vertex AI API** enabled.
 
+**Approach 1: With Service Account (Default)**
+
+This is the default authentication approach using a service account with access token generation.
+
 **GitHub Configuration**
 
 After running the `setup_workload_identity.sh` script, add the following variables to your repository's **Settings > Secrets and variables > Actions**:
@@ -196,6 +200,33 @@ After running the `setup_workload_identity.sh` script, add the following variabl
       Explain this code
 ```
 
+**Approach 2: Direct WIF (Without Service Account)**
+
+Alternatively, you can use direct Workload Identity Federation without a service account by explicitly setting `gcp_token_format` to an empty string.
+
+**GitHub Configuration**
+
+| Variable Name               | Description                                          |
+| --------------------------- | ---------------------------------------------------- |
+| `GCP_WIF_PROVIDER`          | The resource name of the Workload Identity Provider. |
+| `GOOGLE_CLOUD_PROJECT`      | Your Google Cloud project ID.                        |
+| `GOOGLE_CLOUD_LOCATION`     | Your Google Cloud project Location.                  |
+| `GOOGLE_GENAI_USE_VERTEXAI` | Set to `true` to use Vertex AI.                      |
+
+**Example**
+
+```yaml
+- uses: 'google-github-actions/run-gemini-cli@v0'
+  with:
+    gcp_workload_identity_provider: '${{ vars.GCP_WIF_PROVIDER }}'
+    gcp_project_id: '${{ vars.GOOGLE_CLOUD_PROJECT }}'
+    gcp_location: '${{ vars.GOOGLE_CLOUD_LOCATION }}'
+    gcp_token_format: ''  # Empty string for direct WIF
+    use_vertex_ai: '${{ vars.GOOGLE_GENAI_USE_VERTEXAI }}'
+    prompt: |-
+      Explain this code
+```
+
 #### Connecting to Gemini Code Assist
 
 If you have a **Gemini Code Assist** subscription, you can configure the action to use it for authentication.
@@ -204,16 +235,20 @@ If you have a **Gemini Code Assist** subscription, you can configure the action
 
 - A Google Cloud project with an active Gemini Code Assist subscription.
 
+**Approach 1: With Service Account (Default)**
+
+This is the default authentication approach using a service account with access token generation.
+
 **GitHub Configuration**
 
 After running the `setup_workload_identity.sh` script, add the following variables to your repository's **Settings > Secrets and variables > Actions**:
 
 | Variable Name           | Description                                             |
 | ----------------------- | ------------------------------------------------------- |
 | `GCP_WIF_PROVIDER`      | The resource name of the Workload Identity Provider.    |
+| `SERVICE_ACCOUNT_EMAIL` | The service account with the required permissions.      |
 | `GOOGLE_CLOUD_PROJECT`  | Your Google Cloud project ID.                           |
 | `GOOGLE_CLOUD_LOCATION` | Your Google Cloud project Location.                     |
-| `SERVICE_ACCOUNT_EMAIL` | The email of the service account for Code Assist.       |
 | `GOOGLE_GENAI_USE_GCA`  | Set to `true` to authenticate using Gemini Code Assist. |
 
 **Example**
@@ -230,6 +265,33 @@ After running the `setup_workload_identity.sh` script, add the following variabl
       Explain this code
 ```
 
+**Approach 2: Direct WIF (Without Service Account)**
+
+Alternatively, you can use direct Workload Identity Federation without a service account by explicitly setting `gcp_token_format` to an empty string.
+
+**GitHub Configuration**
+
+| Variable Name           | Description                                             |
+| ----------------------- | ------------------------------------------------------- |
+| `GCP_WIF_PROVIDER`      | The resource name of the Workload Identity Provider.    |
+| `GOOGLE_CLOUD_PROJECT`  | Your Google Cloud project ID.                           |
+| `GOOGLE_CLOUD_LOCATION` | Your Google Cloud project Location.                     |
+| `GOOGLE_GENAI_USE_GCA`  | Set to `true` to authenticate using Gemini Code Assist. |
+
+**Example**
+
+```yaml
+- uses: 'google-github-actions/run-gemini-cli@v0'
+  with:
+    gcp_workload_identity_provider: '${{ vars.GCP_WIF_PROVIDER }}'
+    gcp_project_id: '${{ vars.GOOGLE_CLOUD_PROJECT }}'
+    gcp_location: '${{ vars.GOOGLE_CLOUD_LOCATION }}'
+    gcp_token_format: ''  # Empty string for direct WIF
+    use_gemini_code_assist: '${{ vars.GOOGLE_GENAI_USE_GCA }}'
+    prompt: |-
+      Explain this code
+```
+
 ## GitHub Authentication
 
 This action requires a GitHub token to interact with the GitHub API. You can authenticate in two ways: