cicaddy-github 0.6.0__tar.gz → 0.7.1__tar.gz

{cicaddy_github-0.6.0 → cicaddy_github-0.7.1}/.agents/skills/cicaddy-action/SKILL.md

@@ -117,12 +117,20 @@ can reference them as bash variables (`INPUT_AI_PROVIDER`, `INPUT_AI_API_KEY`, e
 
 | Input | Required | Description |
 |-------|----------|-------------|
-| `ai_provider` | Yes | `gemini`, `openai`, `claude` |
+| `ai_provider` | Yes | `gemini`, `openai`, `claude`, `anthropic-vertex`, `gemini-vertex` |
 | `ai_model` | Yes | Model identifier |
-| `ai_api_key` | Yes* | AI provider API key (mapped to provider-specific env var) |
+| `ai_api_key` | No* | AI provider API key (not needed for `anthropic-vertex` or `gemini-vertex`) |
+| `vertex_project_id` | No | GCP project ID for Vertex AI Claude (falls back to `google_cloud_project`) |
+| `google_cloud_project` | No | GCP project ID for Vertex AI (required for `gemini-vertex`) |
+| `google_cloud_location` | No | Vertex AI location (default: `global`) |
 | `task_file` | No | Path to DSPy YAML task file |
 | `task_prompt` | No | Inline task prompt |
 | `post_pr_comment` | No | Post results as PR comment (default: `false`) |
+| `submit_review` | No | Submit formal PR review with APPROVE/REQUEST_CHANGES (default: `false`) |
+| `run_govulncheck` | No | Run govulncheck for vulnerability reachability analysis (default: `false`) |
+| `dep_review_severity_threshold` | No | Minimum semver bump to analyze: `minor` or `major` (default: `minor`) |
+| `delegation_mode` | No | `none` (default) or `auto` for sub-agent delegation |
+| `max_sub_agents` | No | Max concurrent sub-agents, 1-10 (default: `3`) |
 | `github_token` | No | GitHub token (default: `${{ github.token }}`) |
 | `mcp_servers_config` | No | JSON array of MCP server configs |
 | `slack_webhook_url` | No | Slack webhook URL |
@@ -225,10 +233,10 @@ the `safe-to-review` label. The label is auto-removed on new pushes to prevent
 TOCTOU bypasses.
 
 ```yaml
-- uses: redhat-community-ai-tools/cicaddy-action@v0.6.0
+- uses: redhat-community-ai-tools/cicaddy-action@v0.7.1
   with:
     ai_provider: gemini
-    ai_model: gemini-3-flash-preview
+    ai_model: gemini-3.5-flash
     ai_api_key: ${{ secrets.AI_API_KEY }}
     task_file: tasks/pr_review.yml
     post_pr_comment: 'true'
@@ -244,7 +252,7 @@ file and use `uv run cicaddy run --env-file <file>`.
 ```bash
 # AI Provider
 AI_PROVIDER=gemini
-AI_MODEL=gemini-3-flash-preview
+AI_MODEL=gemini-3.5-flash
 GEMINI_API_KEY=<key>
 
 # GitHub Configuration
@@ -398,7 +406,7 @@ Or inline via `DELEGATION_AGENTS` JSON env var.
 - uses: redhat-community-ai-tools/cicaddy-action@main
   with:
     ai_provider: gemini
-    ai_model: gemini-3-flash-preview
+    ai_model: gemini-3.5-flash
     ai_api_key: ${{ secrets.AI_API_KEY }}
     task_file: tasks/pr_review.yml
     post_pr_comment: 'true'
@@ -411,7 +419,7 @@ Or inline via `DELEGATION_AGENTS` JSON env var.
 ```bash
 # .env.my-review
 AI_PROVIDER=gemini
-AI_MODEL=gemini-3-flash-preview
+AI_MODEL=gemini-3.5-flash
 GEMINI_API_KEY=<key>
 GITHUB_TOKEN=<token>
 GITHUB_REPOSITORY=owner/repo

{cicaddy_github-0.6.0 → cicaddy_github-0.7.1}/.github/workflows/pr-review.yml

@@ -49,11 +49,11 @@ jobs:
           fi
 
       - name: AI Code Review
-        uses: redhat-community-ai-tools/cicaddy-action@v0.5.0
+        uses: redhat-community-ai-tools/cicaddy-action@v0.7.1
         id: review
         with:
           ai_provider: gemini
-          ai_model: gemini-3-flash-preview
+          ai_model: gemini-3.5-flash
           ai_api_key: ${{ secrets.AI_API_KEY }}
           task_file: tasks/pr_review.yml
           post_pr_comment: 'true'

{cicaddy_github-0.6.0 → cicaddy_github-0.7.1}/AGENTS.md

@@ -65,7 +65,7 @@ cicaddy-action/
 
 ### Dependencies
 
-- Depends on `cicaddy>=0.8.0` (core library) and `PyGithub>=2.1.0`
+- Depends on `cicaddy>=0.11.0` (core library) and `PyGithub>=2.1.0`
 - Follows the same agent/factory patterns as the core library
 - Extends `BaseAIAgent` from cicaddy
 
@@ -97,7 +97,7 @@ The cicaddy-github plugin provides:
 |----------|---------|-------------|
 | `DELEGATION_MODE` | `none` | `none` or `auto` |
 | `MAX_SUB_AGENTS` | `3` | Max concurrent sub-agents (1-10) |
-| `SUB_AGENT_MAX_ITERS` | `10` | Iterations per sub-agent (1-15) |
+| `SUB_AGENT_MAX_ITERS` | `5` | Iterations per sub-agent (1-15) |
 | `DELEGATION_AGENTS_DIR` | `.agents/delegation` | Custom agent YAML directory (relative to repo root) |
 | `DELEGATION_AGENTS` | (empty) | JSON config for inline custom sub-agent definitions |
 | `TRIAGE_PROMPT` | (empty) | Custom triage instructions |
@@ -113,14 +113,17 @@ All inputs use **underscores** (not hyphens) for Docker container compatibility:
 
 | Input | Required | Description |
 |-------|----------|-------------|
-| `ai_provider` | Yes | `gemini`, `openai`, `claude`, `anthropic-vertex` |
+| `ai_provider` | Yes | `gemini`, `openai`, `claude`, `anthropic-vertex`, `gemini-vertex` |
 | `ai_model` | Yes | Model identifier |
-| `ai_api_key` | No* | AI provider API key (not needed for `anthropic-vertex`) |
-| `vertex_project_id` | No | GCP project ID (required for `anthropic-vertex`) |
-| `cloud_ml_region` | No | Vertex AI region (default: `us-east5`) |
+| `ai_api_key` | No* | AI provider API key (not needed for `anthropic-vertex` or `gemini-vertex`) |
+| `vertex_project_id` | No | GCP project ID for Vertex AI Claude (falls back to `google_cloud_project`) |
+| `cloud_ml_region` | No | **Deprecated**: use `google_cloud_location` |
+| `google_cloud_project` | No | GCP project ID for Vertex AI (required for `gemini-vertex`) |
+| `google_cloud_location` | No | Vertex AI location (default: `global`) |
 | `task_file` | No | Path to DSPy YAML task file |
 | `task_prompt` | No | Inline task prompt |
 | `post_pr_comment` | No | Post results as PR comment (default: `false`) |
+| `submit_review` | No | Submit formal PR review with APPROVE/REQUEST_CHANGES (default: `false`) |
 | `github_token` | No | GitHub token (default: `${{ github.token }}`) |
 | `mcp_servers_config` | No | JSON array of MCP server configs |
 | `slack_webhook_url` | No | Slack webhook URL |
@@ -176,7 +179,7 @@ Create an env file and use `uv run cicaddy run --env-file <file>`:
 ```bash
 # AI Provider
 AI_PROVIDER=gemini
-AI_MODEL=gemini-3-flash-preview
+AI_MODEL=gemini-3.5-flash
 GEMINI_API_KEY=<key>
 
 # GitHub Configuration

{cicaddy_github-0.6.0 → cicaddy_github-0.7.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cicaddy-github
-Version: 0.6.0
+Version: 0.7.1
 Summary: GitHub Actions plugin for cicaddy AI agent framework
 Project-URL: Homepage, https://github.com/redhat-community-ai-tools/cicaddy-action
 Project-URL: Repository, https://github.com/redhat-community-ai-tools/cicaddy-action.git
@@ -9,7 +9,7 @@ Author: Wayne Sun
 License: Apache-2.0
 License-File: LICENSE
 Requires-Python: >=3.11
-Requires-Dist: cicaddy>=0.10.0
+Requires-Dist: cicaddy>=0.11.0
 Requires-Dist: detect-secrets>=1.4.0
 Requires-Dist: pygithub>=2.1.0
 Provides-Extra: test
@@ -28,10 +28,33 @@ GitHub Action that wraps [cicaddy](https://github.com/waynesun09/cicaddy) for ru
 - **Sub-agent delegation** for parallel specialized reviews (security, architecture, performance, etc.)
 - **Go dependency impact analysis** for Go dependency update PRs with risk classification
 - **Changelog report generation** from git tag diffs and release notes
-- **Multiple AI providers**: Gemini, OpenAI, Claude, Claude via Vertex AI
+- **Multiple AI providers**: Gemini, OpenAI, Claude, Claude via Vertex AI, Gemini via Vertex AI
 - **Secret redaction** via detect-secrets for safe public outputs
 - **DSPy YAML task definitions** for customizable analysis workflows
 
+## Prerequisites
+
+The examples below use **Vertex AI with Workload Identity Federation (WIF)**
+for keyless authentication. WIF eliminates static secrets — GitHub mints a
+short-lived OIDC token per workflow run and GCP exchanges it for temporary
+credentials scoped to that job.
+
+**One-time GCP setup required:**
+
+1. Create a Workload Identity Pool and OIDC provider
+2. Create a service account with `roles/aiplatform.user`
+3. Bind the pool to the service account **scoped to your specific repository**
+   (the `--member` flag must use a `principalSet` with `attribute.repository/OWNER/REPO`
+   to enforce repository-level isolation)
+
+Store the resulting values as GitHub
+[repository variables](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables)
+(`vars.GCP_WIF_PROVIDER`, `vars.GCP_SERVICE_ACCOUNT`, `vars.GCP_PROJECT_ID`).
+
+See [docs/providers.md](docs/providers.md) for the full `gcloud` setup
+commands, authentication method comparison (WIF vs SA key vs API key), and
+alternative provider configurations (OpenAI, Claude, standalone Gemini API key).
+
 ## Quick Start
 
 ### AI PR Review
@@ -48,28 +71,42 @@ on:
   pull_request:
     types: [opened, synchronize]
 
-permissions:
-  pull-requests: write
-
 jobs:
   review:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write       # Required for Workload Identity Federation
+      pull-requests: write
     steps:
       - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
+      - uses: google-github-actions/auth@v3
+        with:
+          workload_identity_provider: ${{ vars.GCP_WIF_PROVIDER }}
+          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
+
       - uses: redhat-community-ai-tools/cicaddy-action@main
         with:
-          ai_provider: gemini
-          ai_model: gemini-3-flash-preview
-          ai_api_key: ${{ secrets.AI_API_KEY }}
+          ai_provider: gemini-vertex
+          ai_model: gemini-3.5-flash
+          google_cloud_project: ${{ vars.GCP_PROJECT_ID }}
           task_file: tasks/pr_review.yml
           post_pr_comment: 'true'
         env:
           DELEGATION_MODE: auto
 ```
 
+> **Fork PRs**: The `pull_request` event cannot mint OIDC tokens for PRs
+> from forks, so WIF authentication will fail. To support fork PRs, use
+> `pull_request_target` with a label gate (e.g. `safe-to-review`) to
+> prevent unauthorized code execution. See
+> `.github/workflows/pr-review.yml` for an example and
+> [docs/providers.md](docs/providers.md#submit_review-and-fork-pull-requests)
+> for security details.
+
 > **Sub-Agent Delegation**: When `DELEGATION_MODE` is set to `auto`, the agent uses AI-powered triage to analyze the PR diff and spawns specialized sub-agents in parallel (e.g., code quality, security, performance). Each sub-agent runs with a focused scope and reduced token budget, and their results are aggregated into a single unified review. This produces deeper, more structured reviews compared to single-agent mode. Set `DELEGATION_MODE` to `none` to use a single agent instead. See [docs/delegation.md](docs/delegation.md) for details.
 
 ### Changelog Report on Release
@@ -84,16 +121,24 @@ on:
 jobs:
   changelog:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write       # Required for Workload Identity Federation
     steps:
       - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
+      - uses: google-github-actions/auth@v3
+        with:
+          workload_identity_provider: ${{ vars.GCP_WIF_PROVIDER }}
+          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
+
       - uses: redhat-community-ai-tools/cicaddy-action@main
         with:
-          ai_provider: gemini
-          ai_model: gemini-3-flash-preview
-          ai_api_key: ${{ secrets.AI_API_KEY }}
+          ai_provider: gemini-vertex
+          ai_model: gemini-3.5-flash
+          google_cloud_project: ${{ vars.GCP_PROJECT_ID }}
           task_file: tasks/changelog_report.yml
 ```
 
@@ -114,23 +159,29 @@ on:
       - 'go.mod'
       - 'go.sum'
 
-permissions:
-  contents: read
-  pull-requests: write
-
 jobs:
   dep-review:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write       # Required for Workload Identity Federation
+      pull-requests: write
     steps:
       - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version: '1.22'
+
+      - uses: google-github-actions/auth@v3
+        with:
+          workload_identity_provider: ${{ vars.GCP_WIF_PROVIDER }}
+          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
+
       - uses: redhat-community-ai-tools/cicaddy-action@main
         with:
-          ai_provider: gemini
-          ai_model: gemini-3-flash-preview
-          ai_api_key: ${{ secrets.AI_API_KEY }}
+          ai_provider: gemini-vertex
+          ai_model: gemini-3.5-flash
+          google_cloud_project: ${{ vars.GCP_PROJECT_ID }}
           task_file: tasks/go_dep_impact_review.yml
           post_pr_comment: 'true'
           run_govulncheck: 'true'
@@ -143,17 +194,20 @@ agent instead of the default PR code review agent. The `run_govulncheck`
 input enables vulnerability reachability analysis (requires Go and
 govulncheck installed in the runner).
 
-See [docs/providers.md](docs/providers.md) for provider-specific configuration including Claude via Vertex AI (GCP), OpenAI, and Anthropic API setup.
+See [docs/providers.md](docs/providers.md) for the full WIF setup guide,
+alternative providers (OpenAI, Claude, standalone Gemini API key), the
+SA key fallback, and an authentication method comparison table.
 
 ## Inputs
 
 | Input | Required | Description |
 |-------|----------|-------------|
-| `ai_provider` | Yes | AI provider: `gemini`, `openai`, `claude`, `anthropic-vertex` |
+| `ai_provider` | Yes | AI provider: `gemini`, `openai`, `claude`, `anthropic-vertex`, `gemini-vertex` |
 | `ai_model` | Yes | Model identifier |
-| `ai_api_key` | No | AI provider API key (not needed for `anthropic-vertex`) |
-| `vertex_project_id` | No | GCP project ID (required for `anthropic-vertex`) |
-| `cloud_ml_region` | No | Vertex AI region (default: `us-east5`) |
+| `ai_api_key` | No | AI provider API key (not needed for `anthropic-vertex` or `gemini-vertex`) |
+| `vertex_project_id` | No | GCP project ID for Vertex AI Claude (falls back to `google_cloud_project`) |
+| `google_cloud_project` | No | GCP project ID for Vertex AI (required for `gemini-vertex`, optional fallback for `anthropic-vertex`) |
+| `google_cloud_location` | No | Vertex AI location (default: `global`) |
 | `task_file` | No | Path to DSPy YAML task file |
 | `task_prompt` | No | Inline task prompt (alternative to task_file) |
 | `report_template` | No | Path to custom HTML report template |
@@ -198,10 +252,16 @@ uv pip install -e ".[test]"
 **2. Create an env file** (e.g. `.env.my-review`):
 
 ```bash
-# AI Provider
-AI_PROVIDER=gemini
-AI_MODEL=gemini-3-flash-preview
-GEMINI_API_KEY=<your-gemini-api-key>
+# AI Provider (Gemini via Vertex AI — uses Google Cloud ADC, no API key needed)
+AI_PROVIDER=gemini-vertex
+AI_MODEL=gemini-3.5-flash
+GOOGLE_CLOUD_PROJECT=your-gcp-project
+# GOOGLE_CLOUD_LOCATION=global  # optional, defaults to "global"
+
+# AI Provider (standalone Gemini API key — alternative to Vertex AI)
+# AI_PROVIDER=gemini
+# AI_MODEL=gemini-3.5-flash
+# GEMINI_API_KEY=<your-gemini-api-key>
 
 # GitHub Configuration
 GITHUB_TOKEN=<your-github-token>
@@ -255,11 +315,12 @@ uv run cicaddy validate --env-file .env.my-review
 
 | Variable | Required | Description |
 |----------|----------|-------------|
-| `AI_PROVIDER` | Yes | `gemini`, `openai`, `claude`, or `anthropic-vertex` |
-| `AI_MODEL` | Yes | Model identifier (e.g. `gemini-3-flash-preview`) |
-| `GEMINI_API_KEY` / `OPENAI_API_KEY` / `ANTHROPIC_API_KEY` | Yes* | API key matching the provider (*not needed for `anthropic-vertex`) |
-| `ANTHROPIC_VERTEX_PROJECT_ID` | No | GCP project ID (required for `anthropic-vertex`) |
-| `CLOUD_ML_REGION` | No | Vertex AI region (default: `us-east5`) |
+| `AI_PROVIDER` | Yes | `gemini`, `openai`, `claude`, `anthropic-vertex`, or `gemini-vertex` |
+| `AI_MODEL` | Yes | Model identifier (e.g. `gemini-3.5-flash`) |
+| `GEMINI_API_KEY` / `OPENAI_API_KEY` / `ANTHROPIC_API_KEY` | Yes* | API key matching the provider (*not needed for `anthropic-vertex` or `gemini-vertex`) |
+| `ANTHROPIC_VERTEX_PROJECT_ID` | No | GCP project ID (required for `anthropic-vertex`, falls back to `GOOGLE_CLOUD_PROJECT`) |
+| `GOOGLE_CLOUD_PROJECT` | No | GCP project ID for Vertex AI (required for `gemini-vertex`) |
+| `GOOGLE_CLOUD_LOCATION` | No | Vertex AI location (default: `global`) |
 | `GITHUB_TOKEN` | Yes | GitHub personal access token |
 | `GITHUB_REPOSITORY` | Yes | Target repo in `owner/repo` format |
 | `GITHUB_EVENT_NAME` | No | Set to `pull_request` for auto-detection (optional if `GITHUB_PR_NUMBER` is set) |
@@ -271,9 +332,6 @@ uv run cicaddy validate --env-file .env.my-review
 | `SUB_AGENT_MAX_ITERS` | No | Max iterations per sub-agent, 1-15 (default: `5`) |
 | `AI_TASK_FILE` | No | Path to DSPy YAML task file for custom workflows |
 | `RUN_GOVULNCHECK` | No | Run govulncheck for reachability analysis (`true`/`false`) |
-| `DELEGATION_MODE` | No | `none` or `auto` for sub-agent delegation |
-| `MAX_SUB_AGENTS` | No | Maximum concurrent sub-agents (default: `3`) |
-| `SUB_AGENT_MAX_ITERS` | No | Max iterations per sub-agent (default: `10`) |
 | `DELEGATION_AGENTS_DIR` | No | Custom agent YAML directory (default: `.agents/delegation`) |
 | `DELEGATION_AGENTS` | No | JSON config for inline custom sub-agents |
 | `TRIAGE_PROMPT` | No | Custom triage instructions |

{cicaddy_github-0.6.0 → cicaddy_github-0.7.1}/README.md

@@ -8,10 +8,33 @@ GitHub Action that wraps [cicaddy](https://github.com/waynesun09/cicaddy) for ru
 - **Sub-agent delegation** for parallel specialized reviews (security, architecture, performance, etc.)
 - **Go dependency impact analysis** for Go dependency update PRs with risk classification
 - **Changelog report generation** from git tag diffs and release notes
-- **Multiple AI providers**: Gemini, OpenAI, Claude, Claude via Vertex AI
+- **Multiple AI providers**: Gemini, OpenAI, Claude, Claude via Vertex AI, Gemini via Vertex AI
 - **Secret redaction** via detect-secrets for safe public outputs
 - **DSPy YAML task definitions** for customizable analysis workflows
 
+## Prerequisites
+
+The examples below use **Vertex AI with Workload Identity Federation (WIF)**
+for keyless authentication. WIF eliminates static secrets — GitHub mints a
+short-lived OIDC token per workflow run and GCP exchanges it for temporary
+credentials scoped to that job.
+
+**One-time GCP setup required:**
+
+1. Create a Workload Identity Pool and OIDC provider
+2. Create a service account with `roles/aiplatform.user`
+3. Bind the pool to the service account **scoped to your specific repository**
+   (the `--member` flag must use a `principalSet` with `attribute.repository/OWNER/REPO`
+   to enforce repository-level isolation)
+
+Store the resulting values as GitHub
+[repository variables](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables)
+(`vars.GCP_WIF_PROVIDER`, `vars.GCP_SERVICE_ACCOUNT`, `vars.GCP_PROJECT_ID`).
+
+See [docs/providers.md](docs/providers.md) for the full `gcloud` setup
+commands, authentication method comparison (WIF vs SA key vs API key), and
+alternative provider configurations (OpenAI, Claude, standalone Gemini API key).
+
 ## Quick Start
 
 ### AI PR Review
@@ -28,28 +51,42 @@ on:
   pull_request:
     types: [opened, synchronize]
 
-permissions:
-  pull-requests: write
-
 jobs:
   review:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write       # Required for Workload Identity Federation
+      pull-requests: write
     steps:
       - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
+      - uses: google-github-actions/auth@v3
+        with:
+          workload_identity_provider: ${{ vars.GCP_WIF_PROVIDER }}
+          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
+
       - uses: redhat-community-ai-tools/cicaddy-action@main
         with:
-          ai_provider: gemini
-          ai_model: gemini-3-flash-preview
-          ai_api_key: ${{ secrets.AI_API_KEY }}
+          ai_provider: gemini-vertex
+          ai_model: gemini-3.5-flash
+          google_cloud_project: ${{ vars.GCP_PROJECT_ID }}
           task_file: tasks/pr_review.yml
           post_pr_comment: 'true'
         env:
           DELEGATION_MODE: auto
 ```
 
+> **Fork PRs**: The `pull_request` event cannot mint OIDC tokens for PRs
+> from forks, so WIF authentication will fail. To support fork PRs, use
+> `pull_request_target` with a label gate (e.g. `safe-to-review`) to
+> prevent unauthorized code execution. See
+> `.github/workflows/pr-review.yml` for an example and
+> [docs/providers.md](docs/providers.md#submit_review-and-fork-pull-requests)
+> for security details.
+
 > **Sub-Agent Delegation**: When `DELEGATION_MODE` is set to `auto`, the agent uses AI-powered triage to analyze the PR diff and spawns specialized sub-agents in parallel (e.g., code quality, security, performance). Each sub-agent runs with a focused scope and reduced token budget, and their results are aggregated into a single unified review. This produces deeper, more structured reviews compared to single-agent mode. Set `DELEGATION_MODE` to `none` to use a single agent instead. See [docs/delegation.md](docs/delegation.md) for details.
 
 ### Changelog Report on Release
@@ -64,16 +101,24 @@ on:
 jobs:
   changelog:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write       # Required for Workload Identity Federation
     steps:
       - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
+      - uses: google-github-actions/auth@v3
+        with:
+          workload_identity_provider: ${{ vars.GCP_WIF_PROVIDER }}
+          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
+
       - uses: redhat-community-ai-tools/cicaddy-action@main
         with:
-          ai_provider: gemini
-          ai_model: gemini-3-flash-preview
-          ai_api_key: ${{ secrets.AI_API_KEY }}
+          ai_provider: gemini-vertex
+          ai_model: gemini-3.5-flash
+          google_cloud_project: ${{ vars.GCP_PROJECT_ID }}
           task_file: tasks/changelog_report.yml
 ```
 
@@ -94,23 +139,29 @@ on:
       - 'go.mod'
       - 'go.sum'
 
-permissions:
-  contents: read
-  pull-requests: write
-
 jobs:
   dep-review:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write       # Required for Workload Identity Federation
+      pull-requests: write
     steps:
       - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version: '1.22'
+
+      - uses: google-github-actions/auth@v3
+        with:
+          workload_identity_provider: ${{ vars.GCP_WIF_PROVIDER }}
+          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
+
       - uses: redhat-community-ai-tools/cicaddy-action@main
         with:
-          ai_provider: gemini
-          ai_model: gemini-3-flash-preview
-          ai_api_key: ${{ secrets.AI_API_KEY }}
+          ai_provider: gemini-vertex
+          ai_model: gemini-3.5-flash
+          google_cloud_project: ${{ vars.GCP_PROJECT_ID }}
           task_file: tasks/go_dep_impact_review.yml
           post_pr_comment: 'true'
           run_govulncheck: 'true'
@@ -123,17 +174,20 @@ agent instead of the default PR code review agent. The `run_govulncheck`
 input enables vulnerability reachability analysis (requires Go and
 govulncheck installed in the runner).
 
-See [docs/providers.md](docs/providers.md) for provider-specific configuration including Claude via Vertex AI (GCP), OpenAI, and Anthropic API setup.
+See [docs/providers.md](docs/providers.md) for the full WIF setup guide,
+alternative providers (OpenAI, Claude, standalone Gemini API key), the
+SA key fallback, and an authentication method comparison table.
 
 ## Inputs
 
 | Input | Required | Description |
 |-------|----------|-------------|
-| `ai_provider` | Yes | AI provider: `gemini`, `openai`, `claude`, `anthropic-vertex` |
+| `ai_provider` | Yes | AI provider: `gemini`, `openai`, `claude`, `anthropic-vertex`, `gemini-vertex` |
 | `ai_model` | Yes | Model identifier |
-| `ai_api_key` | No | AI provider API key (not needed for `anthropic-vertex`) |
-| `vertex_project_id` | No | GCP project ID (required for `anthropic-vertex`) |
-| `cloud_ml_region` | No | Vertex AI region (default: `us-east5`) |
+| `ai_api_key` | No | AI provider API key (not needed for `anthropic-vertex` or `gemini-vertex`) |
+| `vertex_project_id` | No | GCP project ID for Vertex AI Claude (falls back to `google_cloud_project`) |
+| `google_cloud_project` | No | GCP project ID for Vertex AI (required for `gemini-vertex`, optional fallback for `anthropic-vertex`) |
+| `google_cloud_location` | No | Vertex AI location (default: `global`) |
 | `task_file` | No | Path to DSPy YAML task file |
 | `task_prompt` | No | Inline task prompt (alternative to task_file) |
 | `report_template` | No | Path to custom HTML report template |
@@ -178,10 +232,16 @@ uv pip install -e ".[test]"
 **2. Create an env file** (e.g. `.env.my-review`):
 
 ```bash
-# AI Provider
-AI_PROVIDER=gemini
-AI_MODEL=gemini-3-flash-preview
-GEMINI_API_KEY=<your-gemini-api-key>
+# AI Provider (Gemini via Vertex AI — uses Google Cloud ADC, no API key needed)
+AI_PROVIDER=gemini-vertex
+AI_MODEL=gemini-3.5-flash
+GOOGLE_CLOUD_PROJECT=your-gcp-project
+# GOOGLE_CLOUD_LOCATION=global  # optional, defaults to "global"
+
+# AI Provider (standalone Gemini API key — alternative to Vertex AI)
+# AI_PROVIDER=gemini
+# AI_MODEL=gemini-3.5-flash
+# GEMINI_API_KEY=<your-gemini-api-key>
 
 # GitHub Configuration
 GITHUB_TOKEN=<your-github-token>
@@ -235,11 +295,12 @@ uv run cicaddy validate --env-file .env.my-review
 
 | Variable | Required | Description |
 |----------|----------|-------------|
-| `AI_PROVIDER` | Yes | `gemini`, `openai`, `claude`, or `anthropic-vertex` |
-| `AI_MODEL` | Yes | Model identifier (e.g. `gemini-3-flash-preview`) |
-| `GEMINI_API_KEY` / `OPENAI_API_KEY` / `ANTHROPIC_API_KEY` | Yes* | API key matching the provider (*not needed for `anthropic-vertex`) |
-| `ANTHROPIC_VERTEX_PROJECT_ID` | No | GCP project ID (required for `anthropic-vertex`) |
-| `CLOUD_ML_REGION` | No | Vertex AI region (default: `us-east5`) |
+| `AI_PROVIDER` | Yes | `gemini`, `openai`, `claude`, `anthropic-vertex`, or `gemini-vertex` |
+| `AI_MODEL` | Yes | Model identifier (e.g. `gemini-3.5-flash`) |
+| `GEMINI_API_KEY` / `OPENAI_API_KEY` / `ANTHROPIC_API_KEY` | Yes* | API key matching the provider (*not needed for `anthropic-vertex` or `gemini-vertex`) |
+| `ANTHROPIC_VERTEX_PROJECT_ID` | No | GCP project ID (required for `anthropic-vertex`, falls back to `GOOGLE_CLOUD_PROJECT`) |
+| `GOOGLE_CLOUD_PROJECT` | No | GCP project ID for Vertex AI (required for `gemini-vertex`) |
+| `GOOGLE_CLOUD_LOCATION` | No | Vertex AI location (default: `global`) |
 | `GITHUB_TOKEN` | Yes | GitHub personal access token |
 | `GITHUB_REPOSITORY` | Yes | Target repo in `owner/repo` format |
 | `GITHUB_EVENT_NAME` | No | Set to `pull_request` for auto-detection (optional if `GITHUB_PR_NUMBER` is set) |
@@ -251,9 +312,6 @@ uv run cicaddy validate --env-file .env.my-review
 | `SUB_AGENT_MAX_ITERS` | No | Max iterations per sub-agent, 1-15 (default: `5`) |
 | `AI_TASK_FILE` | No | Path to DSPy YAML task file for custom workflows |
 | `RUN_GOVULNCHECK` | No | Run govulncheck for reachability analysis (`true`/`false`) |
-| `DELEGATION_MODE` | No | `none` or `auto` for sub-agent delegation |
-| `MAX_SUB_AGENTS` | No | Maximum concurrent sub-agents (default: `3`) |
-| `SUB_AGENT_MAX_ITERS` | No | Max iterations per sub-agent (default: `10`) |
 | `DELEGATION_AGENTS_DIR` | No | Custom agent YAML directory (default: `.agents/delegation`) |
 | `DELEGATION_AGENTS` | No | JSON config for inline custom sub-agents |
 | `TRIAGE_PROMPT` | No | Custom triage instructions |

{cicaddy_github-0.6.0 → cicaddy_github-0.7.1}/action.yml

@@ -6,26 +6,31 @@ branding:
 
 inputs:
   ai_provider:
-    description: 'AI provider: gemini, openai, claude, anthropic-vertex'
+    description: 'AI provider: gemini, openai, claude, anthropic-vertex, gemini-vertex'
     required: true
   ai_model:
     description: 'Model identifier'
     required: true
   ai_api_key:
-    description: 'AI provider API key (not required for anthropic-vertex, which uses GCP ADC)'
+    description: 'AI provider API key (not required for anthropic-vertex or gemini-vertex, which use GCP ADC)'
     required: false
   vertex_project_id:
-    description: 'GCP project ID for Vertex AI Claude (required when ai_provider is anthropic-vertex)'
+    description: 'GCP project ID for Vertex AI Claude (falls back to google_cloud_project if not set)'
     required: false
   cloud_ml_region:
-    description: 'Vertex AI region (default: us-east5)'
+    description: 'DEPRECATED: Use google_cloud_location instead. Vertex AI region for anthropic-vertex.'
+    required: false
+  google_cloud_project:
+    description: 'GCP project ID for Vertex AI (required for gemini-vertex, optional fallback for anthropic-vertex)'
+    required: false
+  google_cloud_location:
+    description: 'Vertex AI location (default: global)'
     required: false
-    default: 'us-east5'
   task_file:
     description: 'Path to DSPy YAML task file'
     required: false
   task_prompt:
-    description: 'Inline task prompt (alternative to task-file)'
+    description: 'Inline task prompt (alternative to task_file)'
     required: false
   report_template:
     description: 'Path to custom HTML report template'
@@ -78,4 +83,4 @@ runs:
   using: 'docker'
   image: 'Dockerfile'
   # After first GHCR publish, switch to pre-built image for faster startup:
-  # image: 'docker://ghcr.io/redhat-community-ai-tools/cicaddy-action:0.6.0'
+  # image: 'docker://ghcr.io/redhat-community-ai-tools/cicaddy-action:0.7.1'

{cicaddy_github-0.6.0 → cicaddy_github-0.7.1}/docs/delegation.md

@@ -20,7 +20,7 @@ Add `delegation_mode` and `max_sub_agents` inputs:
 - uses: redhat-community-ai-tools/cicaddy-action@main
   with:
     ai_provider: gemini
-    ai_model: gemini-3-flash-preview
+    ai_model: gemini-3.5-flash
     ai_api_key: ${{ secrets.AI_API_KEY }}
     task_file: tasks/pr_review.yml
     post_pr_comment: 'true'
@@ -45,7 +45,7 @@ uv run cicaddy run --env-file .env.my-review --delegation-mode auto --max-sub-ag
 |-----------------|---------|-------------|
 | `DELEGATION_MODE` / `delegation_mode` | `none` | `none` (single-agent) or `auto` (AI-powered delegation) |
 | `MAX_SUB_AGENTS` / `max_sub_agents` | `3` | Maximum concurrent sub-agents (1-10) |
-| `SUB_AGENT_MAX_ITERS` | `10` | Max inference iterations per sub-agent (1-15, env var only) |
+| `SUB_AGENT_MAX_ITERS` | `5` | Max inference iterations per sub-agent (1-15, env var only) |
 | `DELEGATION_AGENTS_DIR` | `.agents/delegation` | Directory for user-defined sub-agent YAML files (env var only) |
 | `DELEGATION_AGENTS` | (empty) | JSON config for inline custom sub-agent definitions (env var only) |
 | `TRIAGE_PROMPT` | (empty) | Optional custom instructions for the triage AI (env var only) |
@@ -156,7 +156,7 @@ When using `task_file` with `delegation_mode: auto`, the task definition is prov
 
 ## Cost Considerations
 
-Delegation multiplies AI inference calls. With defaults (`MAX_SUB_AGENTS=3`, `SUB_AGENT_MAX_ITERS=10`), a single PR review can use up to 1 (triage) + 3×10 (sub-agents) + 1 (aggregation) = **32 AI calls** versus 1-15 for single-agent mode. Tune `MAX_SUB_AGENTS` and `SUB_AGENT_MAX_ITERS` based on your AI provider tier and rate limits.
+Delegation multiplies AI inference calls. With defaults (`MAX_SUB_AGENTS=3`, `SUB_AGENT_MAX_ITERS=5`), a single PR review can use up to 1 (triage) + 3×5 (sub-agents) + 1 (aggregation) = **17 AI calls** versus 1-15 for single-agent mode. Tune `MAX_SUB_AGENTS` and `SUB_AGENT_MAX_ITERS` based on your AI provider tier and rate limits.
 
 ## Troubleshooting