PyPI - cicaddy-github - Versions diffs - 0.6.0__tar.gz → 0.7.0__tar.gz - Mend

cicaddy-github 0.6.0tar.gz → 0.7.0tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (51) hide show

{cicaddy_github-0.6.0 → cicaddy_github-0.7.0}/.agents/skills/cicaddy-action/SKILL.md RENAMED Viewed

@@ -117,12 +117,20 @@ can reference them as bash variables (`INPUT_AI_PROVIDER`, `INPUT_AI_API_KEY`, e
 | Input | Required | Description |
 |-------|----------|-------------|
-| `ai_provider` | Yes | `gemini`, `openai`, `claude` |
+| `ai_provider` | Yes | `gemini`, `openai`, `claude`, `anthropic-vertex`, `gemini-vertex` |
 | `ai_model` | Yes | Model identifier |
-| `ai_api_key` | Yes* | AI provider API key (mapped to provider-specific env var) |
+| `ai_api_key` | No* | AI provider API key (not needed for `anthropic-vertex` or `gemini-vertex`) |
+| `vertex_project_id` | No | GCP project ID for Vertex AI Claude (falls back to `google_cloud_project`) |
+| `google_cloud_project` | No | GCP project ID for Vertex AI (required for `gemini-vertex`) |
+| `google_cloud_location` | No | Vertex AI location (default: `global`) |
 | `task_file` | No | Path to DSPy YAML task file |
 | `task_prompt` | No | Inline task prompt |
 | `post_pr_comment` | No | Post results as PR comment (default: `false`) |
+| `submit_review` | No | Submit formal PR review with APPROVE/REQUEST_CHANGES (default: `false`) |
+| `run_govulncheck` | No | Run govulncheck for vulnerability reachability analysis (default: `false`) |
+| `dep_review_severity_threshold` | No | Minimum semver bump to analyze: `minor` or `major` (default: `minor`) |
+| `delegation_mode` | No | `none` (default) or `auto` for sub-agent delegation |
+| `max_sub_agents` | No | Max concurrent sub-agents, 1-10 (default: `3`) |
 | `github_token` | No | GitHub token (default: `${{ github.token }}`) |
 | `mcp_servers_config` | No | JSON array of MCP server configs |
 | `slack_webhook_url` | No | Slack webhook URL |
@@ -225,7 +233,7 @@ the `safe-to-review` label. The label is auto-removed on new pushes to prevent
 TOCTOU bypasses.
 ```yaml
-- uses: redhat-community-ai-tools/cicaddy-action@v0.6.0
+- uses: redhat-community-ai-tools/cicaddy-action@v0.7.0
   with:
     ai_provider: gemini
     ai_model: gemini-3-flash-preview

{cicaddy_github-0.6.0 → cicaddy_github-0.7.0}/AGENTS.md RENAMED Viewed

@@ -65,7 +65,7 @@ cicaddy-action/
 ### Dependencies
-- Depends on `cicaddy>=0.8.0` (core library) and `PyGithub>=2.1.0`
+- Depends on `cicaddy>=0.11.0` (core library) and `PyGithub>=2.1.0`
 - Follows the same agent/factory patterns as the core library
 - Extends `BaseAIAgent` from cicaddy
@@ -97,7 +97,7 @@ The cicaddy-github plugin provides:
 |----------|---------|-------------|
 | `DELEGATION_MODE` | `none` | `none` or `auto` |
 | `MAX_SUB_AGENTS` | `3` | Max concurrent sub-agents (1-10) |
-| `SUB_AGENT_MAX_ITERS` | `10` | Iterations per sub-agent (1-15) |
+| `SUB_AGENT_MAX_ITERS` | `5` | Iterations per sub-agent (1-15) |
 | `DELEGATION_AGENTS_DIR` | `.agents/delegation` | Custom agent YAML directory (relative to repo root) |
 | `DELEGATION_AGENTS` | (empty) | JSON config for inline custom sub-agent definitions |
 | `TRIAGE_PROMPT` | (empty) | Custom triage instructions |
@@ -113,14 +113,17 @@ All inputs use **underscores** (not hyphens) for Docker container compatibility:
 | Input | Required | Description |
 |-------|----------|-------------|
-| `ai_provider` | Yes | `gemini`, `openai`, `claude`, `anthropic-vertex` |
+| `ai_provider` | Yes | `gemini`, `openai`, `claude`, `anthropic-vertex`, `gemini-vertex` |
 | `ai_model` | Yes | Model identifier |
-| `ai_api_key` | No* | AI provider API key (not needed for `anthropic-vertex`) |
-| `vertex_project_id` | No | GCP project ID (required for `anthropic-vertex`) |
-| `cloud_ml_region` | No | Vertex AI region (default: `us-east5`) |
+| `ai_api_key` | No* | AI provider API key (not needed for `anthropic-vertex` or `gemini-vertex`) |
+| `vertex_project_id` | No | GCP project ID for Vertex AI Claude (falls back to `google_cloud_project`) |
+| `cloud_ml_region` | No | **Deprecated**: use `google_cloud_location` |
+| `google_cloud_project` | No | GCP project ID for Vertex AI (required for `gemini-vertex`) |
+| `google_cloud_location` | No | Vertex AI location (default: `global`) |
 | `task_file` | No | Path to DSPy YAML task file |
 | `task_prompt` | No | Inline task prompt |
 | `post_pr_comment` | No | Post results as PR comment (default: `false`) |
+| `submit_review` | No | Submit formal PR review with APPROVE/REQUEST_CHANGES (default: `false`) |
 | `github_token` | No | GitHub token (default: `${{ github.token }}`) |
 | `mcp_servers_config` | No | JSON array of MCP server configs |
 | `slack_webhook_url` | No | Slack webhook URL |

{cicaddy_github-0.6.0 → cicaddy_github-0.7.0}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cicaddy-github
-Version: 0.6.0
+Version: 0.7.0
 Summary: GitHub Actions plugin for cicaddy AI agent framework
 Project-URL: Homepage, https://github.com/redhat-community-ai-tools/cicaddy-action
 Project-URL: Repository, https://github.com/redhat-community-ai-tools/cicaddy-action.git
@@ -9,7 +9,7 @@ Author: Wayne Sun
 License: Apache-2.0
 License-File: LICENSE
 Requires-Python: >=3.11
-Requires-Dist: cicaddy>=0.10.0
+Requires-Dist: cicaddy>=0.11.0
 Requires-Dist: detect-secrets>=1.4.0
 Requires-Dist: pygithub>=2.1.0
 Provides-Extra: test
@@ -28,7 +28,7 @@ GitHub Action that wraps [cicaddy](https://github.com/waynesun09/cicaddy) for ru
 - **Sub-agent delegation** for parallel specialized reviews (security, architecture, performance, etc.)
 - **Go dependency impact analysis** for Go dependency update PRs with risk classification
 - **Changelog report generation** from git tag diffs and release notes
-- **Multiple AI providers**: Gemini, OpenAI, Claude, Claude via Vertex AI
+- **Multiple AI providers**: Gemini, OpenAI, Claude, Claude via Vertex AI, Gemini via Vertex AI
 - **Secret redaction** via detect-secrets for safe public outputs
 - **DSPy YAML task definitions** for customizable analysis workflows
@@ -149,11 +149,12 @@ See [docs/providers.md](docs/providers.md) for provider-specific configuration i
 | Input | Required | Description |
 |-------|----------|-------------|
-| `ai_provider` | Yes | AI provider: `gemini`, `openai`, `claude`, `anthropic-vertex` |
+| `ai_provider` | Yes | AI provider: `gemini`, `openai`, `claude`, `anthropic-vertex`, `gemini-vertex` |
 | `ai_model` | Yes | Model identifier |
-| `ai_api_key` | No | AI provider API key (not needed for `anthropic-vertex`) |
-| `vertex_project_id` | No | GCP project ID (required for `anthropic-vertex`) |
-| `cloud_ml_region` | No | Vertex AI region (default: `us-east5`) |
+| `ai_api_key` | No | AI provider API key (not needed for `anthropic-vertex` or `gemini-vertex`) |
+| `vertex_project_id` | No | GCP project ID for Vertex AI Claude (falls back to `google_cloud_project`) |
+| `google_cloud_project` | No | GCP project ID for Vertex AI (required for `gemini-vertex`, optional fallback for `anthropic-vertex`) |
+| `google_cloud_location` | No | Vertex AI location (default: `global`) |
 | `task_file` | No | Path to DSPy YAML task file |
 | `task_prompt` | No | Inline task prompt (alternative to task_file) |
 | `report_template` | No | Path to custom HTML report template |
@@ -255,11 +256,12 @@ uv run cicaddy validate --env-file .env.my-review
 | Variable | Required | Description |
 |----------|----------|-------------|
-| `AI_PROVIDER` | Yes | `gemini`, `openai`, `claude`, or `anthropic-vertex` |
+| `AI_PROVIDER` | Yes | `gemini`, `openai`, `claude`, `anthropic-vertex`, or `gemini-vertex` |
 | `AI_MODEL` | Yes | Model identifier (e.g. `gemini-3-flash-preview`) |
-| `GEMINI_API_KEY` / `OPENAI_API_KEY` / `ANTHROPIC_API_KEY` | Yes* | API key matching the provider (*not needed for `anthropic-vertex`) |
-| `ANTHROPIC_VERTEX_PROJECT_ID` | No | GCP project ID (required for `anthropic-vertex`) |
-| `CLOUD_ML_REGION` | No | Vertex AI region (default: `us-east5`) |
+| `GEMINI_API_KEY` / `OPENAI_API_KEY` / `ANTHROPIC_API_KEY` | Yes* | API key matching the provider (*not needed for `anthropic-vertex` or `gemini-vertex`) |
+| `ANTHROPIC_VERTEX_PROJECT_ID` | No | GCP project ID (required for `anthropic-vertex`, falls back to `GOOGLE_CLOUD_PROJECT`) |
+| `GOOGLE_CLOUD_PROJECT` | No | GCP project ID for Vertex AI (required for `gemini-vertex`) |
+| `GOOGLE_CLOUD_LOCATION` | No | Vertex AI location (default: `global`) |
 | `GITHUB_TOKEN` | Yes | GitHub personal access token |
 | `GITHUB_REPOSITORY` | Yes | Target repo in `owner/repo` format |
 | `GITHUB_EVENT_NAME` | No | Set to `pull_request` for auto-detection (optional if `GITHUB_PR_NUMBER` is set) |
@@ -271,9 +273,6 @@ uv run cicaddy validate --env-file .env.my-review
 | `SUB_AGENT_MAX_ITERS` | No | Max iterations per sub-agent, 1-15 (default: `5`) |
 | `AI_TASK_FILE` | No | Path to DSPy YAML task file for custom workflows |
 | `RUN_GOVULNCHECK` | No | Run govulncheck for reachability analysis (`true`/`false`) |
-| `DELEGATION_MODE` | No | `none` or `auto` for sub-agent delegation |
-| `MAX_SUB_AGENTS` | No | Maximum concurrent sub-agents (default: `3`) |
-| `SUB_AGENT_MAX_ITERS` | No | Max iterations per sub-agent (default: `10`) |
 | `DELEGATION_AGENTS_DIR` | No | Custom agent YAML directory (default: `.agents/delegation`) |
 | `DELEGATION_AGENTS` | No | JSON config for inline custom sub-agents |
 | `TRIAGE_PROMPT` | No | Custom triage instructions |

{cicaddy_github-0.6.0 → cicaddy_github-0.7.0}/README.md RENAMED Viewed

@@ -8,7 +8,7 @@ GitHub Action that wraps [cicaddy](https://github.com/waynesun09/cicaddy) for ru
 - **Sub-agent delegation** for parallel specialized reviews (security, architecture, performance, etc.)
 - **Go dependency impact analysis** for Go dependency update PRs with risk classification
 - **Changelog report generation** from git tag diffs and release notes
-- **Multiple AI providers**: Gemini, OpenAI, Claude, Claude via Vertex AI
+- **Multiple AI providers**: Gemini, OpenAI, Claude, Claude via Vertex AI, Gemini via Vertex AI
 - **Secret redaction** via detect-secrets for safe public outputs
 - **DSPy YAML task definitions** for customizable analysis workflows
@@ -129,11 +129,12 @@ See [docs/providers.md](docs/providers.md) for provider-specific configuration i
 | Input | Required | Description |
 |-------|----------|-------------|
-| `ai_provider` | Yes | AI provider: `gemini`, `openai`, `claude`, `anthropic-vertex` |
+| `ai_provider` | Yes | AI provider: `gemini`, `openai`, `claude`, `anthropic-vertex`, `gemini-vertex` |
 | `ai_model` | Yes | Model identifier |
-| `ai_api_key` | No | AI provider API key (not needed for `anthropic-vertex`) |
-| `vertex_project_id` | No | GCP project ID (required for `anthropic-vertex`) |
-| `cloud_ml_region` | No | Vertex AI region (default: `us-east5`) |
+| `ai_api_key` | No | AI provider API key (not needed for `anthropic-vertex` or `gemini-vertex`) |
+| `vertex_project_id` | No | GCP project ID for Vertex AI Claude (falls back to `google_cloud_project`) |
+| `google_cloud_project` | No | GCP project ID for Vertex AI (required for `gemini-vertex`, optional fallback for `anthropic-vertex`) |
+| `google_cloud_location` | No | Vertex AI location (default: `global`) |
 | `task_file` | No | Path to DSPy YAML task file |
 | `task_prompt` | No | Inline task prompt (alternative to task_file) |
 | `report_template` | No | Path to custom HTML report template |
@@ -235,11 +236,12 @@ uv run cicaddy validate --env-file .env.my-review
 | Variable | Required | Description |
 |----------|----------|-------------|
-| `AI_PROVIDER` | Yes | `gemini`, `openai`, `claude`, or `anthropic-vertex` |
+| `AI_PROVIDER` | Yes | `gemini`, `openai`, `claude`, `anthropic-vertex`, or `gemini-vertex` |
 | `AI_MODEL` | Yes | Model identifier (e.g. `gemini-3-flash-preview`) |
-| `GEMINI_API_KEY` / `OPENAI_API_KEY` / `ANTHROPIC_API_KEY` | Yes* | API key matching the provider (*not needed for `anthropic-vertex`) |
-| `ANTHROPIC_VERTEX_PROJECT_ID` | No | GCP project ID (required for `anthropic-vertex`) |
-| `CLOUD_ML_REGION` | No | Vertex AI region (default: `us-east5`) |
+| `GEMINI_API_KEY` / `OPENAI_API_KEY` / `ANTHROPIC_API_KEY` | Yes* | API key matching the provider (*not needed for `anthropic-vertex` or `gemini-vertex`) |
+| `ANTHROPIC_VERTEX_PROJECT_ID` | No | GCP project ID (required for `anthropic-vertex`, falls back to `GOOGLE_CLOUD_PROJECT`) |
+| `GOOGLE_CLOUD_PROJECT` | No | GCP project ID for Vertex AI (required for `gemini-vertex`) |
+| `GOOGLE_CLOUD_LOCATION` | No | Vertex AI location (default: `global`) |
 | `GITHUB_TOKEN` | Yes | GitHub personal access token |
 | `GITHUB_REPOSITORY` | Yes | Target repo in `owner/repo` format |
 | `GITHUB_EVENT_NAME` | No | Set to `pull_request` for auto-detection (optional if `GITHUB_PR_NUMBER` is set) |
@@ -251,9 +253,6 @@ uv run cicaddy validate --env-file .env.my-review
 | `SUB_AGENT_MAX_ITERS` | No | Max iterations per sub-agent, 1-15 (default: `5`) |
 | `AI_TASK_FILE` | No | Path to DSPy YAML task file for custom workflows |
 | `RUN_GOVULNCHECK` | No | Run govulncheck for reachability analysis (`true`/`false`) |
-| `DELEGATION_MODE` | No | `none` or `auto` for sub-agent delegation |
-| `MAX_SUB_AGENTS` | No | Maximum concurrent sub-agents (default: `3`) |
-| `SUB_AGENT_MAX_ITERS` | No | Max iterations per sub-agent (default: `10`) |
 | `DELEGATION_AGENTS_DIR` | No | Custom agent YAML directory (default: `.agents/delegation`) |
 | `DELEGATION_AGENTS` | No | JSON config for inline custom sub-agents |
 | `TRIAGE_PROMPT` | No | Custom triage instructions |

{cicaddy_github-0.6.0 → cicaddy_github-0.7.0}/action.yml RENAMED Viewed

@@ -6,26 +6,31 @@ branding:
 inputs:
   ai_provider:
-    description: 'AI provider: gemini, openai, claude, anthropic-vertex'
+    description: 'AI provider: gemini, openai, claude, anthropic-vertex, gemini-vertex'
     required: true
   ai_model:
     description: 'Model identifier'
     required: true
   ai_api_key:
-    description: 'AI provider API key (not required for anthropic-vertex, which uses GCP ADC)'
+    description: 'AI provider API key (not required for anthropic-vertex or gemini-vertex, which use GCP ADC)'
     required: false
   vertex_project_id:
-    description: 'GCP project ID for Vertex AI Claude (required when ai_provider is anthropic-vertex)'
+    description: 'GCP project ID for Vertex AI Claude (falls back to google_cloud_project if not set)'
     required: false
   cloud_ml_region:
-    description: 'Vertex AI region (default: us-east5)'
+    description: 'DEPRECATED: Use google_cloud_location instead. Vertex AI region for anthropic-vertex.'
+    required: false
+  google_cloud_project:
+    description: 'GCP project ID for Vertex AI (required for gemini-vertex, optional fallback for anthropic-vertex)'
+    required: false
+  google_cloud_location:
+    description: 'Vertex AI location (default: global)'
     required: false
-    default: 'us-east5'
   task_file:
     description: 'Path to DSPy YAML task file'
     required: false
   task_prompt:
-    description: 'Inline task prompt (alternative to task-file)'
+    description: 'Inline task prompt (alternative to task_file)'
     required: false
   report_template:
     description: 'Path to custom HTML report template'
@@ -78,4 +83,4 @@ runs:
   using: 'docker'
   image: 'Dockerfile'
   # After first GHCR publish, switch to pre-built image for faster startup:
-  # image: 'docker://ghcr.io/redhat-community-ai-tools/cicaddy-action:0.6.0'
+  # image: 'docker://ghcr.io/redhat-community-ai-tools/cicaddy-action:0.7.0'

{cicaddy_github-0.6.0 → cicaddy_github-0.7.0}/docs/delegation.md RENAMED Viewed

@@ -45,7 +45,7 @@ uv run cicaddy run --env-file .env.my-review --delegation-mode auto --max-sub-ag
 |-----------------|---------|-------------|
 | `DELEGATION_MODE` / `delegation_mode` | `none` | `none` (single-agent) or `auto` (AI-powered delegation) |
 | `MAX_SUB_AGENTS` / `max_sub_agents` | `3` | Maximum concurrent sub-agents (1-10) |
-| `SUB_AGENT_MAX_ITERS` | `10` | Max inference iterations per sub-agent (1-15, env var only) |
+| `SUB_AGENT_MAX_ITERS` | `5` | Max inference iterations per sub-agent (1-15, env var only) |
 | `DELEGATION_AGENTS_DIR` | `.agents/delegation` | Directory for user-defined sub-agent YAML files (env var only) |
 | `DELEGATION_AGENTS` | (empty) | JSON config for inline custom sub-agent definitions (env var only) |
 | `TRIAGE_PROMPT` | (empty) | Optional custom instructions for the triage AI (env var only) |
@@ -156,7 +156,7 @@ When using `task_file` with `delegation_mode: auto`, the task definition is prov
 ## Cost Considerations
-Delegation multiplies AI inference calls. With defaults (`MAX_SUB_AGENTS=3`, `SUB_AGENT_MAX_ITERS=10`), a single PR review can use up to 1 (triage) + 3×10 (sub-agents) + 1 (aggregation) = **32 AI calls** versus 1-15 for single-agent mode. Tune `MAX_SUB_AGENTS` and `SUB_AGENT_MAX_ITERS` based on your AI provider tier and rate limits.
+Delegation multiplies AI inference calls. With defaults (`MAX_SUB_AGENTS=3`, `SUB_AGENT_MAX_ITERS=5`), a single PR review can use up to 1 (triage) + 3×5 (sub-agents) + 1 (aggregation) = **17 AI calls** versus 1-15 for single-agent mode. Tune `MAX_SUB_AGENTS` and `SUB_AGENT_MAX_ITERS` based on your AI provider tier and rate limits.
 ## Troubleshooting

cicaddy_github-0.7.0/docs/providers.md ADDED Viewed

@@ -0,0 +1,178 @@
+# AI Provider Configuration
+cicaddy-action supports multiple AI providers. This guide covers provider-specific setup.
+## Gemini
+```yaml
+- uses: redhat-community-ai-tools/cicaddy-action@main
+  with:
+    ai_provider: gemini
+    ai_model: gemini-3-flash-preview
+    ai_api_key: ${{ secrets.GEMINI_API_KEY }}
+```
+## OpenAI
+```yaml
+- uses: redhat-community-ai-tools/cicaddy-action@main
+  with:
+    ai_provider: openai
+    ai_model: gpt-4.5
+    ai_api_key: ${{ secrets.OPENAI_API_KEY }}
+```
+## Claude (Anthropic API)
+```yaml
+- uses: redhat-community-ai-tools/cicaddy-action@main
+  with:
+    ai_provider: claude
+    ai_model: claude-sonnet-4-6
+    ai_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+```
+## Claude via Vertex AI (GCP)
+Uses Google Cloud Workload Identity Federation for keyless authentication — no
+service account JSON keys to manage. This is the recommended approach for GCP.
+```yaml
+name: PR Review (Vertex AI)
+on:
+  pull_request:
+    types: [opened, synchronize]
+permissions:
+  contents: read
+  id-token: write       # Required for Workload Identity Federation
+  pull-requests: write
+jobs:
+  review:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      - uses: google-github-actions/auth@v3
+        with:
+          workload_identity_provider: 'projects/123/locations/global/workloadIdentityPools/github/providers/my-repo'
+          service_account: 'cicaddy@my-project.iam.gserviceaccount.com'
+      - uses: redhat-community-ai-tools/cicaddy-action@main
+        with:
+          ai_provider: anthropic-vertex
+          ai_model: claude-sonnet-4-6
+          vertex_project_id: my-project
+          task_file: tasks/pr_review.yml
+          post_pr_comment: 'true'
+```
+> **Security**: Prefer Workload Identity Federation (shown above) over service
+> account keys. If you must use a key, store the JSON as a GitHub secret and pass
+> it via `google-github-actions/auth` with `credentials_json`:
+> ```yaml
+> - uses: google-github-actions/auth@v3
+>   with:
+>     credentials_json: ${{ secrets.GCP_SA_KEY }}
+> ```
+> The auth action sets `GOOGLE_APPLICATION_CREDENTIALS` automatically — never
+> write keys to disk manually or echo them in scripts.
+## Gemini via Vertex AI (GCP)
+Uses Google Cloud authentication (Workload Identity Federation or service account)
+to call Gemini models through the Vertex AI API — no Gemini API key needed.
+```yaml
+name: PR Review (Gemini Vertex AI)
+on:
+  pull_request:
+    types: [opened, synchronize]
+permissions:
+  contents: read
+  id-token: write       # Required for Workload Identity Federation
+  pull-requests: write
+jobs:
+  review:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+      - uses: google-github-actions/auth@v3
+        with:
+          workload_identity_provider: 'projects/123/locations/global/workloadIdentityPools/github/providers/my-repo'
+          service_account: 'cicaddy@my-project.iam.gserviceaccount.com'
+      - uses: redhat-community-ai-tools/cicaddy-action@main
+        with:
+          ai_provider: gemini-vertex
+          ai_model: gemini-3-flash-preview
+          google_cloud_project: my-project
+          task_file: tasks/pr_review.yml
+          post_pr_comment: 'true'
+```
+> **Note**: `google_cloud_project` is required for `gemini-vertex`. The
+> `google-github-actions/auth` step sets `GOOGLE_APPLICATION_CREDENTIALS`
+> automatically.
+## Migration Notes
+### Default Vertex AI location changed from `us-east5` to `global`
+Previous versions defaulted to `us-east5` via the `cloud_ml_region` input. This
+release changes the default to `global` (via the new `google_cloud_location`
+input), which routes requests to the nearest available region.
+If your workflow relied on the implicit `us-east5` default, add an explicit
+location:
+```yaml
+- uses: redhat-community-ai-tools/cicaddy-action@main
+  with:
+    google_cloud_location: us-east5   # pin to previous default
+```
+### `cloud_ml_region` is deprecated
+The `cloud_ml_region` input still works but emits a warning. Replace it with
+`google_cloud_location` in your workflows.
+## Security Considerations
+### `submit_review` and fork pull requests
+When `submit_review: 'true'` is set, the action submits a formal GitHub review
+(APPROVE or REQUEST\_CHANGES) on behalf of the token owner. If your repository
+accepts pull requests from forks and you use `pull_request_target` to expose
+secrets, an attacker could craft a PR that tricks the AI into approving
+malicious code.
+Mitigations:
+- Do **not** combine `submit_review: 'true'` with `pull_request_target` on
+  repositories that accept fork PRs.
+- Use `pull_request` (not `pull_request_target`) when possible — it runs in the
+  fork's context and cannot access repository secrets.
+- If you must use `pull_request_target`, restrict `submit_review` to trusted
+  contributors via a branch protection rule or a job-level `if:` condition.
+## Provider Inputs Reference
+| Input | Required | Description |
+|-------|----------|-------------|
+| `ai_provider` | Yes | `gemini`, `openai`, `claude`, `anthropic-vertex`, or `gemini-vertex` |
+| `ai_model` | Yes | Model identifier |
+| `ai_api_key` | No | API key (not needed for `anthropic-vertex` or `gemini-vertex`) |
+| `vertex_project_id` | No | GCP project ID for Vertex AI Claude (falls back to `google_cloud_project`) |
+| `google_cloud_project` | No | GCP project ID for Vertex AI (required for `gemini-vertex`, optional fallback for `anthropic-vertex`) |
+| `google_cloud_location` | No | Vertex AI location (default: `global`) |

{cicaddy_github-0.6.0 → cicaddy_github-0.7.0}/entrypoint.sh RENAMED Viewed

@@ -14,27 +14,53 @@ case "${AI_PROVIDER}" in
   claude|anthropic) export ANTHROPIC_API_KEY="${INPUT_AI_API_KEY}" ;;
   anthropic-vertex)
     ;;  # handled below
+  gemini-vertex)
+    ;;  # handled below
   *)
-    echo "ERROR: Unknown ai_provider '${AI_PROVIDER}'. Supported: gemini, openai, claude, anthropic, anthropic-vertex"
+    echo "ERROR: Unknown ai_provider '${AI_PROVIDER}'. Supported: gemini, openai, claude, anthropic, anthropic-vertex, gemini-vertex"
     exit 3
     ;;
 esac
 # Validate API key for non-vertex providers
-if [[ "${AI_PROVIDER}" != "anthropic-vertex" && -z "${INPUT_AI_API_KEY}" ]]; then
+if [[ "${AI_PROVIDER}" != *-vertex && -z "${INPUT_AI_API_KEY}" ]]; then
   echo "ERROR: ai_api_key is required for provider '${AI_PROVIDER}'"
   exit 3
 fi
+# Export shared Vertex AI env vars
+if [[ -n "${INPUT_GOOGLE_CLOUD_PROJECT}" ]]; then
+  export GOOGLE_CLOUD_PROJECT="${INPUT_GOOGLE_CLOUD_PROJECT}"
+fi
+if [[ -n "${INPUT_GOOGLE_CLOUD_LOCATION}" ]]; then
+  export GOOGLE_CLOUD_LOCATION="${INPUT_GOOGLE_CLOUD_LOCATION}"
+fi
+# Handle gemini-vertex provider setup
+if [[ "${AI_PROVIDER}" == "gemini-vertex" ]]; then
+  if [[ -z "${GOOGLE_CLOUD_PROJECT}" ]]; then
+    echo "ERROR: ai_provider 'gemini-vertex' requires google_cloud_project input"
+    exit 3
+  fi
+  if [[ -z "${GOOGLE_APPLICATION_CREDENTIALS}" ]]; then
+    echo "WARNING: GOOGLE_APPLICATION_CREDENTIALS not set. Use google-github-actions/auth before this step."
+  fi
+  export GOOGLE_CLOUD_LOCATION="${GOOGLE_CLOUD_LOCATION:-global}"
+fi
 # Handle anthropic-vertex provider setup
 if [[ "${AI_PROVIDER}" == "anthropic-vertex" ]]; then
-  export ANTHROPIC_VERTEX_PROJECT_ID="${INPUT_VERTEX_PROJECT_ID}"
-  export CLOUD_ML_REGION="${INPUT_CLOUD_ML_REGION:-us-east5}"
-  if [[ -z "${ANTHROPIC_VERTEX_PROJECT_ID}" ]]; then
-    echo "ERROR: ai_provider 'anthropic-vertex' requires vertex_project_id input"
+  export ANTHROPIC_VERTEX_PROJECT_ID="${INPUT_VERTEX_PROJECT_ID:-$GOOGLE_CLOUD_PROJECT}"
+  # CLOUD_ML_REGION is deprecated in cicaddy core; use GOOGLE_CLOUD_LOCATION
+  if [[ -n "${INPUT_CLOUD_ML_REGION}" ]]; then
+    echo "WARNING: cloud_ml_region input is deprecated. Use google_cloud_location instead."
+    export GOOGLE_CLOUD_LOCATION="${GOOGLE_CLOUD_LOCATION:-${INPUT_CLOUD_ML_REGION}}"
+  fi
+  export GOOGLE_CLOUD_LOCATION="${GOOGLE_CLOUD_LOCATION:-global}"
+  if [[ -z "${ANTHROPIC_VERTEX_PROJECT_ID}" && -z "${GOOGLE_CLOUD_PROJECT}" ]]; then
+    echo "ERROR: ai_provider 'anthropic-vertex' requires vertex_project_id or google_cloud_project input"
     exit 3
   fi
-  # GOOGLE_APPLICATION_CREDENTIALS must be set by google-github-actions/auth
   if [[ -z "${GOOGLE_APPLICATION_CREDENTIALS}" ]]; then
     echo "WARNING: GOOGLE_APPLICATION_CREDENTIALS not set. Use google-github-actions/auth before this step."
   fi
@@ -54,7 +80,9 @@ _to_abs() {
   fi
   local full_path="${WORKSPACE}/${path}"
   # Resolve symlinks and .. components, then verify the result is under WORKSPACE
-  if [[ "$(realpath -m "$full_path")" != "${WORKSPACE}"* ]]; then
+  local resolved
+  resolved="$(realpath -m "$full_path")"
+  if [[ "$resolved" != "${WORKSPACE}/"* && "$resolved" != "${WORKSPACE}" ]]; then
     echo "ERROR: Path traversal detected: $path" >&2
     exit 1
   fi

{cicaddy_github-0.6.0 → cicaddy_github-0.7.0}/pyproject.toml RENAMED Viewed

@@ -4,14 +4,14 @@ build-backend = "hatchling.build"
 [project]
 name = "cicaddy-github"
-version = "0.6.0"
+version = "0.7.0"
 description = "GitHub Actions plugin for cicaddy AI agent framework"
 readme = "README.md"
 requires-python = ">=3.11"
 license = {text = "Apache-2.0"}
 authors = [{name = "Wayne Sun"}]
 dependencies = [
-    "cicaddy>=0.10.0",
+    "cicaddy>=0.11.0",
     "PyGithub>=2.1.0",
     "detect-secrets>=1.4.0",
 ]

{cicaddy_github-0.6.0 → cicaddy_github-0.7.0}/src/cicaddy_github/__init__.py RENAMED Viewed

@@ -1,3 +1,3 @@
 """cicaddy-github: GitHub Actions plugin for cicaddy AI agent framework."""
-__version__ = "0.6.0"
+__version__ = "0.7.0"

{cicaddy_github-0.6.0 → cicaddy_github-0.7.0}/src/cicaddy_github/config/settings.py RENAMED Viewed

@@ -140,7 +140,17 @@ def load_settings() -> Settings:
     if os.getenv("ANTHROPIC_VERTEX_PROJECT_ID"):
         env_data["anthropic_vertex_project_id"] = os.getenv("ANTHROPIC_VERTEX_PROJECT_ID")
     if os.getenv("CLOUD_ML_REGION"):
-        env_data["cloud_ml_region"] = os.getenv("CLOUD_ML_REGION")
+        logger.warning("CLOUD_ML_REGION is deprecated; use GOOGLE_CLOUD_LOCATION instead")
+    gcp_project = os.getenv("GOOGLE_CLOUD_PROJECT")
+    if gcp_project:
+        env_data["google_cloud_project"] = gcp_project
+    elif gcp_project == "":
+        os.environ.pop("GOOGLE_CLOUD_PROJECT", None)
+    gcp_location = os.getenv("GOOGLE_CLOUD_LOCATION")
+    if gcp_location:
+        env_data["google_cloud_location"] = gcp_location
+    elif gcp_location == "":
+        os.environ.pop("GOOGLE_CLOUD_LOCATION", None)
     # MCP server configuration
     if os.getenv("MCP_SERVERS_CONFIG"):

{cicaddy_github-0.6.0 → cicaddy_github-0.7.0}/tests/unit/test_settings.py RENAMED Viewed

@@ -202,3 +202,80 @@ class TestSettingsValidation:
             settings = load_settings()
             assert settings.submit_review is True
+    def test_google_cloud_project_passed_through(self):
+        """GOOGLE_CLOUD_PROJECT is passed through to settings."""
+        env = {
+            "AI_PROVIDER": "gemini-vertex",
+            "AI_MODEL": "gemini-3-flash-preview",
+            "GOOGLE_CLOUD_PROJECT": "my-gcp-project",
+            "GOOGLE_CLOUD_LOCATION": "us-central1",
+            "MCP_SERVERS_CONFIG": "[]",
+        }
+        with patch.dict(os.environ, env, clear=False):
+            from cicaddy_github.config.settings import load_settings
+            settings = load_settings()
+            assert settings.google_cloud_project == "my-gcp-project"
+            assert settings.google_cloud_location == "us-central1"
+    def test_google_cloud_location_defaults_to_global(self):
+        """GOOGLE_CLOUD_LOCATION defaults to 'global' when not set."""
+        env = {
+            "AI_PROVIDER": "gemini-vertex",
+            "AI_MODEL": "gemini-3-flash-preview",
+            "GOOGLE_CLOUD_PROJECT": "my-gcp-project",
+            "MCP_SERVERS_CONFIG": "[]",
+        }
+        with patch.dict(os.environ, env, clear=False):
+            os.environ.pop("GOOGLE_CLOUD_LOCATION", None)
+            from cicaddy_github.config.settings import load_settings
+            settings = load_settings()
+            assert settings.google_cloud_project == "my-gcp-project"
+            assert settings.google_cloud_location == "global"
+    def test_google_cloud_project_absent(self):
+        """GOOGLE_CLOUD_PROJECT absent results in None."""
+        env = {
+            "AI_PROVIDER": "gemini",
+            "AI_MODEL": "gemini-3-flash-preview",
+            "MCP_SERVERS_CONFIG": "[]",
+        }
+        with patch.dict(os.environ, env, clear=False):
+            os.environ.pop("GOOGLE_CLOUD_PROJECT", None)
+            os.environ.pop("GOOGLE_CLOUD_LOCATION", None)
+            from cicaddy_github.config.settings import load_settings
+            settings = load_settings()
+            assert settings.google_cloud_project is None
+    def test_google_cloud_project_empty_string(self):
+        """Empty string GOOGLE_CLOUD_PROJECT is not passed through."""
+        env = {
+            "AI_PROVIDER": "gemini",
+            "AI_MODEL": "gemini-3-flash-preview",
+            "GOOGLE_CLOUD_PROJECT": "",
+            "MCP_SERVERS_CONFIG": "[]",
+        }
+        with patch.dict(os.environ, env, clear=False):
+            from cicaddy_github.config.settings import load_settings
+            settings = load_settings()
+            assert settings.google_cloud_project is None
+    def test_anthropic_vertex_with_google_cloud_project(self):
+        """anthropic-vertex provider uses GOOGLE_CLOUD_PROJECT for settings."""
+        env = {
+            "AI_PROVIDER": "anthropic-vertex",
+            "AI_MODEL": "claude-sonnet-4-20250514",
+            "GOOGLE_CLOUD_PROJECT": "my-gcp-project",
+            "ANTHROPIC_VERTEX_PROJECT_ID": "my-vertex-project",
+            "MCP_SERVERS_CONFIG": "[]",
+        }
+        with patch.dict(os.environ, env, clear=False):
+            from cicaddy_github.config.settings import load_settings
+            settings = load_settings()
+            assert settings.google_cloud_project == "my-gcp-project"
+            assert settings.anthropic_vertex_project_id == "my-vertex-project"

cicaddy_github-0.6.0/docs/providers.md DELETED Viewed

@@ -1,93 +0,0 @@
-# AI Provider Configuration
-cicaddy-action supports multiple AI providers. This guide covers provider-specific setup.
-## Gemini
-```yaml
-- uses: redhat-community-ai-tools/cicaddy-action@main
-  with:
-    ai_provider: gemini
-    ai_model: gemini-3-flash-preview
-    ai_api_key: ${{ secrets.GEMINI_API_KEY }}
-```
-## OpenAI
-```yaml
-- uses: redhat-community-ai-tools/cicaddy-action@main
-  with:
-    ai_provider: openai
-    ai_model: gpt-4.5
-    ai_api_key: ${{ secrets.OPENAI_API_KEY }}
-```
-## Claude (Anthropic API)
-```yaml
-- uses: redhat-community-ai-tools/cicaddy-action@main
-  with:
-    ai_provider: claude
-    ai_model: claude-sonnet-4-6
-    ai_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
-```
-## Claude via Vertex AI (GCP)
-Uses Google Cloud Workload Identity Federation for keyless authentication — no
-service account JSON keys to manage. This is the recommended approach for GCP.
-```yaml
-name: PR Review (Vertex AI)
-on:
-  pull_request:
-    types: [opened, synchronize]
-permissions:
-  contents: read
-  id-token: write       # Required for Workload Identity Federation
-  pull-requests: write
-jobs:
-  review:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-      - uses: google-github-actions/auth@v3
-        with:
-          workload_identity_provider: 'projects/123/locations/global/workloadIdentityPools/github/providers/my-repo'
-          service_account: 'cicaddy@my-project.iam.gserviceaccount.com'
-      - uses: redhat-community-ai-tools/cicaddy-action@main
-        with:
-          ai_provider: anthropic-vertex
-          ai_model: claude-sonnet-4-6
-          vertex_project_id: my-project
-          task_file: tasks/pr_review.yml
-          post_pr_comment: 'true'
-```
-> **Security**: Prefer Workload Identity Federation (shown above) over service
-> account keys. If you must use a key, store the JSON as a GitHub secret and pass
-> it via `google-github-actions/auth` with `credentials_json`:
-> ```yaml
-> - uses: google-github-actions/auth@v3
->   with:
->     credentials_json: ${{ secrets.GCP_SA_KEY }}
-> ```
-> The auth action sets `GOOGLE_APPLICATION_CREDENTIALS` automatically — never
-> write keys to disk manually or echo them in scripts.
-## Provider Inputs Reference
-| Input | Required | Description |
-|-------|----------|-------------|
-| `ai_provider` | Yes | `gemini`, `openai`, `claude`, or `anthropic-vertex` |
-| `ai_model` | Yes | Model identifier |
-| `ai_api_key` | No | API key (not needed for `anthropic-vertex`) |
-| `vertex_project_id` | No | GCP project ID (required for `anthropic-vertex`) |
-| `cloud_ml_region` | No | Vertex AI region (default: `us-east5`) |