
Service Account is not optional #379

@alethenorio

Description


TL;DR

The GitHub action seems to require a service account to be supplied even though it is documented as optional.

Expected behavior

It should be possible not to supply a service account as a parameter to the action.

Observed behavior

When trying to call the action without a service account, an error is returned:

Error: google-github-actions/auth failed with: the GitHub Action workflow must specify a "service_account" to use when generating an OAuth 2.0 Access Token. If you are specifying input values via GitHub secrets, ensure the secret is being injected into the environment. By default, secrets are not passed to workflows triggered from forks, including Dependabot.

Action YAML

name: "LLM Review"

on:
  workflow_call:
    inputs:
      additional_context:
        type: "string"
        description: "Any additional context"
        required: false
        default: ""
      gemini_cli_version:
        type: "string"
        description: "Version of Gemini CLI to use (defaults to repository variable if not specified)"
        required: false
        default: ""
      gcp_workload_identity_provider:
        type: "string"
        description: "GCP Workload Identity provider"
        required: false
        default: "<some default value>"
      gcp_project_id:
        type: "string"
        description: "GCP Project ID"
        required: false
        default: "e-gemini-cli-prod"
      gcp_location:
        type: "string"
        description: "GCP Location"
        required: false
        default: "europe-west1"
      gcp_service_account:
        type: "string"
        description: "GCP Service Account"
        required: false
        default: ""
concurrency:
  group: "${{ github.workflow }}-review-${{ github.event_name }}-${{ github.event.pull_request.number || github.event.issue.number }}"
  cancel-in-progress: true

defaults:
  run:
    shell: "bash"

jobs:
  review:
    runs-on: "ubuntu-latest"
    timeout-minutes: 7
    permissions:
      contents: "read"
      id-token: "write"
      issues: "write"
      pull-requests: "write"
    steps:
      - name: "Checkout repository"
        uses: "actions/checkout@v5"

      - name: "Run Gemini pull request review"
        uses: "google-github-actions/run-gemini-cli@v0"
        id: "gemini_pr_review"
        env:
          GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN || github.token }}"
          ISSUE_TITLE: "${{ github.event.pull_request.title || github.event.issue.title }}"
          ISSUE_BODY: "${{ github.event.pull_request.body || github.event.issue.body }}"
          PULL_REQUEST_NUMBER: "${{ github.event.pull_request.number || github.event.issue.number }}"
          REPOSITORY: "${{ github.repository }}"
          ADDITIONAL_CONTEXT: "${{ inputs.additional_context }}"
        with:
          gemini_cli_version: "${{ inputs.gemini_cli_version || vars.GEMINI_CLI_VERSION }}"
          # gcp_workload_identity_provider: "${{ inputs.gcp_workload_identity_provider }}"
          gcp_project_id: "${{ inputs.gcp_project_id }}"
          gcp_location: "${{ inputs.gcp_location }}"
          # gcp_service_account: "${{ inputs.gcp_service_account }}"
          use_vertex_ai: "${{ vars.GOOGLE_GENAI_USE_VERTEXAI || 'true' }}"
          gemini_debug: "${{ fromJSON(vars.DEBUG || vars.ACTIONS_STEP_DEBUG || 'false') }}"
          settings: |-
            {
              "maxSessionTurns": 25,
              "telemetry": {
                "enabled": ${{ inputs.gcp_project_id != '' }},
                "target": "gcp"
              },
              "mcpServers": {
                "github": {
                  "command": "docker",
                  "args": [
                    "run",
                    "-i",
                    "--rm",
                    "-e",
                    "GITHUB_PERSONAL_ACCESS_TOKEN",
                    "ghcr.io/github/github-mcp-server"
                  ],
                  "includeTools": [
                    "add_comment_to_pending_review",
                    "create_pending_pull_request_review",
                    "get_pull_request_diff",
                    "get_pull_request_files",
                    "get_pull_request",
                    "submit_pending_pull_request_review"
                  ],
                  "env": {
                    "GITHUB_PERSONAL_ACCESS_TOKEN": "${GITHUB_TOKEN}"
                  }
                }
              },
              "coreTools": [
                "run_shell_command(cat)",
                "run_shell_command(echo)",
                "run_shell_command(grep)",
                "run_shell_command(head)",
                "run_shell_command(tail)"
              ]
            }
          prompt: "Make a comprehensive code review of the current branch against the default branch."

Log output
Additional information

The main issue at hand here seems to be in the configuration of the google-github-actions/auth@v2 action here.

Even though the service account parameter is optional, the token_format and access_token_scopes parameters have hardcoded values which I believe force the error from google-github-actions/auth@v2.

A PoC was done by forking the action and removing those parameters, after which it worked without passing a service account (meaning the Workload Identity Federation "direct access" flow mentioned in the docs was used).
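The following workflow is an added illustration of the two google-github-actions/auth@v2 configurations the report contrasts; it is not code from this issue or from the run-gemini-cli project. The first job reproduces the failing shape (`token_format` and `access_token_scopes` set, no `service_account`), the second uses the direct Workload Identity Federation flow. `workload_identity_provider`, `service_account`, `project_id`, `token_format` and `access_token_scopes` are documented inputs of auth@v2; the provider resource name and project ID are constructed placeholders.

```yaml
name: "auth@v2: access-token minting vs. direct WIF"

on:
  workflow_dispatch:

jobs:
  # Reproduces the error quoted in the issue. Asking auth@v2 for an OAuth 2.0
  # access token means impersonating a service account, so service_account
  # becomes mandatory even though the input is documented as optional.
  access-token-without-service-account:
    runs-on: "ubuntu-latest"
    permissions:
      contents: "read"
      id-token: "write"   # needed to obtain the GitHub OIDC token
    steps:
      - uses: "google-github-actions/auth@v2"
        with:
          # constructed placeholder, not a real provider
          workload_identity_provider: "projects/000000000000/locations/global/workloadIdentityPools/github/providers/placeholder"
          token_format: "access_token"
          access_token_scopes: "https://www.googleapis.com/auth/cloud-platform"
          # service_account deliberately omitted -> auth@v2 fails

  # Direct Workload Identity Federation: no token_format, so auth@v2 only
  # writes a credential configuration file and exports
  # GOOGLE_APPLICATION_CREDENTIALS. Client libraries exchange the GitHub OIDC
  # token for a federated token themselves; no service account key or
  # impersonation is involved.
  direct-wif:
    runs-on: "ubuntu-latest"
    permissions:
      contents: "read"
      id-token: "write"
    steps:
      - id: "auth"
        uses: "google-github-actions/auth@v2"
        with:
          workload_identity_provider: "projects/000000000000/locations/global/workloadIdentityPools/github/providers/placeholder"
          project_id: "placeholder-project-id"   # constructed placeholder

      - name: "Check that a credential configuration file was written"
        run: |
          # auth@v2 exports GOOGLE_APPLICATION_CREDENTIALS by default
          test -f "$GOOGLE_APPLICATION_CREDENTIALS"
          echo "credential config present"
```

In the direct flow the IAM bindings must be granted to the federated principal (the pool's `principal://` or `principalSet://` identity) rather than to a service account, and the provider's attribute condition should be restricted to the intended repository or organisation so that an OIDC token from any other GitHub workflow cannot authenticate through the pool. Because no access token is minted, the `id-token: write` permission on the job is the only GitHub-side grant the step needs.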
