cicaddy-github 0.7.0__tar.gz → 0.7.1__tar.gz

{cicaddy_github-0.7.0 → cicaddy_github-0.7.1}/.agents/skills/cicaddy-action/SKILL.md

@@ -233,10 +233,10 @@ the `safe-to-review` label. The label is auto-removed on new pushes to prevent
 TOCTOU bypasses.
 
 ```yaml
-- uses: redhat-community-ai-tools/cicaddy-action@v0.7.0
+- uses: redhat-community-ai-tools/cicaddy-action@v0.7.1
   with:
     ai_provider: gemini
-    ai_model: gemini-3-flash-preview
+    ai_model: gemini-3.5-flash
     ai_api_key: ${{ secrets.AI_API_KEY }}
     task_file: tasks/pr_review.yml
     post_pr_comment: 'true'
@@ -252,7 +252,7 @@ file and use `uv run cicaddy run --env-file <file>`.
 ```bash
 # AI Provider
 AI_PROVIDER=gemini
-AI_MODEL=gemini-3-flash-preview
+AI_MODEL=gemini-3.5-flash
 GEMINI_API_KEY=<key>
 
 # GitHub Configuration
@@ -406,7 +406,7 @@ Or inline via `DELEGATION_AGENTS` JSON env var.
 - uses: redhat-community-ai-tools/cicaddy-action@main
   with:
     ai_provider: gemini
-    ai_model: gemini-3-flash-preview
+    ai_model: gemini-3.5-flash
     ai_api_key: ${{ secrets.AI_API_KEY }}
     task_file: tasks/pr_review.yml
     post_pr_comment: 'true'
@@ -419,7 +419,7 @@ Or inline via `DELEGATION_AGENTS` JSON env var.
 ```bash
 # .env.my-review
 AI_PROVIDER=gemini
-AI_MODEL=gemini-3-flash-preview
+AI_MODEL=gemini-3.5-flash
 GEMINI_API_KEY=<key>
 GITHUB_TOKEN=<token>
 GITHUB_REPOSITORY=owner/repo

{cicaddy_github-0.7.0 → cicaddy_github-0.7.1}/.github/workflows/pr-review.yml

@@ -49,11 +49,11 @@ jobs:
           fi
 
       - name: AI Code Review
-        uses: redhat-community-ai-tools/cicaddy-action@v0.5.0
+        uses: redhat-community-ai-tools/cicaddy-action@v0.7.1
         id: review
         with:
           ai_provider: gemini
-          ai_model: gemini-3-flash-preview
+          ai_model: gemini-3.5-flash
           ai_api_key: ${{ secrets.AI_API_KEY }}
           task_file: tasks/pr_review.yml
           post_pr_comment: 'true'

{cicaddy_github-0.7.0 → cicaddy_github-0.7.1}/AGENTS.md

@@ -179,7 +179,7 @@ Create an env file and use `uv run cicaddy run --env-file <file>`:
 ```bash
 # AI Provider
 AI_PROVIDER=gemini
-AI_MODEL=gemini-3-flash-preview
+AI_MODEL=gemini-3.5-flash
 GEMINI_API_KEY=<key>
 
 # GitHub Configuration

{cicaddy_github-0.7.0 → cicaddy_github-0.7.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: cicaddy-github
-Version: 0.7.0
+Version: 0.7.1
 Summary: GitHub Actions plugin for cicaddy AI agent framework
 Project-URL: Homepage, https://github.com/redhat-community-ai-tools/cicaddy-action
 Project-URL: Repository, https://github.com/redhat-community-ai-tools/cicaddy-action.git
@@ -32,6 +32,29 @@ GitHub Action that wraps [cicaddy](https://github.com/waynesun09/cicaddy) for ru
 - **Secret redaction** via detect-secrets for safe public outputs
 - **DSPy YAML task definitions** for customizable analysis workflows
 
+## Prerequisites
+
+The examples below use **Vertex AI with Workload Identity Federation (WIF)**
+for keyless authentication. WIF eliminates static secrets — GitHub mints a
+short-lived OIDC token per workflow run and GCP exchanges it for temporary
+credentials scoped to that job.
+
+**One-time GCP setup required:**
+
+1. Create a Workload Identity Pool and OIDC provider
+2. Create a service account with `roles/aiplatform.user`
+3. Bind the pool to the service account **scoped to your specific repository**
+   (the `--member` flag must use a `principalSet` with `attribute.repository/OWNER/REPO`
+   to enforce repository-level isolation)
+
+Store the resulting values as GitHub
+[repository variables](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables)
+(`vars.GCP_WIF_PROVIDER`, `vars.GCP_SERVICE_ACCOUNT`, `vars.GCP_PROJECT_ID`).
+
+See [docs/providers.md](docs/providers.md) for the full `gcloud` setup
+commands, authentication method comparison (WIF vs SA key vs API key), and
+alternative provider configurations (OpenAI, Claude, standalone Gemini API key).
+
 ## Quick Start
 
 ### AI PR Review
@@ -48,28 +71,42 @@ on:
   pull_request:
     types: [opened, synchronize]
 
-permissions:
-  pull-requests: write
-
 jobs:
   review:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write       # Required for Workload Identity Federation
+      pull-requests: write
     steps:
       - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
+      - uses: google-github-actions/auth@v3
+        with:
+          workload_identity_provider: ${{ vars.GCP_WIF_PROVIDER }}
+          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
+
       - uses: redhat-community-ai-tools/cicaddy-action@main
         with:
-          ai_provider: gemini
-          ai_model: gemini-3-flash-preview
-          ai_api_key: ${{ secrets.AI_API_KEY }}
+          ai_provider: gemini-vertex
+          ai_model: gemini-3.5-flash
+          google_cloud_project: ${{ vars.GCP_PROJECT_ID }}
           task_file: tasks/pr_review.yml
           post_pr_comment: 'true'
         env:
           DELEGATION_MODE: auto
 ```
 
+> **Fork PRs**: The `pull_request` event cannot mint OIDC tokens for PRs
+> from forks, so WIF authentication will fail. To support fork PRs, use
+> `pull_request_target` with a label gate (e.g. `safe-to-review`) to
+> prevent unauthorized code execution. See
+> `.github/workflows/pr-review.yml` for an example and
+> [docs/providers.md](docs/providers.md#submit_review-and-fork-pull-requests)
+> for security details.
+
 > **Sub-Agent Delegation**: When `DELEGATION_MODE` is set to `auto`, the agent uses AI-powered triage to analyze the PR diff and spawns specialized sub-agents in parallel (e.g., code quality, security, performance). Each sub-agent runs with a focused scope and reduced token budget, and their results are aggregated into a single unified review. This produces deeper, more structured reviews compared to single-agent mode. Set `DELEGATION_MODE` to `none` to use a single agent instead. See [docs/delegation.md](docs/delegation.md) for details.
 
 ### Changelog Report on Release
@@ -84,16 +121,24 @@ on:
 jobs:
   changelog:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write       # Required for Workload Identity Federation
     steps:
       - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
+      - uses: google-github-actions/auth@v3
+        with:
+          workload_identity_provider: ${{ vars.GCP_WIF_PROVIDER }}
+          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
+
       - uses: redhat-community-ai-tools/cicaddy-action@main
         with:
-          ai_provider: gemini
-          ai_model: gemini-3-flash-preview
-          ai_api_key: ${{ secrets.AI_API_KEY }}
+          ai_provider: gemini-vertex
+          ai_model: gemini-3.5-flash
+          google_cloud_project: ${{ vars.GCP_PROJECT_ID }}
           task_file: tasks/changelog_report.yml
 ```
 
@@ -114,23 +159,29 @@ on:
       - 'go.mod'
       - 'go.sum'
 
-permissions:
-  contents: read
-  pull-requests: write
-
 jobs:
   dep-review:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write       # Required for Workload Identity Federation
+      pull-requests: write
     steps:
       - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version: '1.22'
+
+      - uses: google-github-actions/auth@v3
+        with:
+          workload_identity_provider: ${{ vars.GCP_WIF_PROVIDER }}
+          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
+
       - uses: redhat-community-ai-tools/cicaddy-action@main
         with:
-          ai_provider: gemini
-          ai_model: gemini-3-flash-preview
-          ai_api_key: ${{ secrets.AI_API_KEY }}
+          ai_provider: gemini-vertex
+          ai_model: gemini-3.5-flash
+          google_cloud_project: ${{ vars.GCP_PROJECT_ID }}
           task_file: tasks/go_dep_impact_review.yml
           post_pr_comment: 'true'
           run_govulncheck: 'true'
@@ -143,7 +194,9 @@ agent instead of the default PR code review agent. The `run_govulncheck`
 input enables vulnerability reachability analysis (requires Go and
 govulncheck installed in the runner).
 
-See [docs/providers.md](docs/providers.md) for provider-specific configuration including Claude via Vertex AI (GCP), OpenAI, and Anthropic API setup.
+See [docs/providers.md](docs/providers.md) for the full WIF setup guide,
+alternative providers (OpenAI, Claude, standalone Gemini API key), the
+SA key fallback, and an authentication method comparison table.
 
 ## Inputs
 
@@ -199,10 +252,16 @@ uv pip install -e ".[test]"
 **2. Create an env file** (e.g. `.env.my-review`):
 
 ```bash
-# AI Provider
-AI_PROVIDER=gemini
-AI_MODEL=gemini-3-flash-preview
-GEMINI_API_KEY=<your-gemini-api-key>
+# AI Provider (Gemini via Vertex AI — uses Google Cloud ADC, no API key needed)
+AI_PROVIDER=gemini-vertex
+AI_MODEL=gemini-3.5-flash
+GOOGLE_CLOUD_PROJECT=your-gcp-project
+# GOOGLE_CLOUD_LOCATION=global  # optional, defaults to "global"
+
+# AI Provider (standalone Gemini API key — alternative to Vertex AI)
+# AI_PROVIDER=gemini
+# AI_MODEL=gemini-3.5-flash
+# GEMINI_API_KEY=<your-gemini-api-key>
 
 # GitHub Configuration
 GITHUB_TOKEN=<your-github-token>
@@ -257,7 +316,7 @@ uv run cicaddy validate --env-file .env.my-review
 | Variable | Required | Description |
 |----------|----------|-------------|
 | `AI_PROVIDER` | Yes | `gemini`, `openai`, `claude`, `anthropic-vertex`, or `gemini-vertex` |
-| `AI_MODEL` | Yes | Model identifier (e.g. `gemini-3-flash-preview`) |
+| `AI_MODEL` | Yes | Model identifier (e.g. `gemini-3.5-flash`) |
 | `GEMINI_API_KEY` / `OPENAI_API_KEY` / `ANTHROPIC_API_KEY` | Yes* | API key matching the provider (*not needed for `anthropic-vertex` or `gemini-vertex`) |
 | `ANTHROPIC_VERTEX_PROJECT_ID` | No | GCP project ID (required for `anthropic-vertex`, falls back to `GOOGLE_CLOUD_PROJECT`) |
 | `GOOGLE_CLOUD_PROJECT` | No | GCP project ID for Vertex AI (required for `gemini-vertex`) |

{cicaddy_github-0.7.0 → cicaddy_github-0.7.1}/README.md

@@ -12,6 +12,29 @@ GitHub Action that wraps [cicaddy](https://github.com/waynesun09/cicaddy) for ru
 - **Secret redaction** via detect-secrets for safe public outputs
 - **DSPy YAML task definitions** for customizable analysis workflows
 
+## Prerequisites
+
+The examples below use **Vertex AI with Workload Identity Federation (WIF)**
+for keyless authentication. WIF eliminates static secrets — GitHub mints a
+short-lived OIDC token per workflow run and GCP exchanges it for temporary
+credentials scoped to that job.
+
+**One-time GCP setup required:**
+
+1. Create a Workload Identity Pool and OIDC provider
+2. Create a service account with `roles/aiplatform.user`
+3. Bind the pool to the service account **scoped to your specific repository**
+   (the `--member` flag must use a `principalSet` with `attribute.repository/OWNER/REPO`
+   to enforce repository-level isolation)
+
+Store the resulting values as GitHub
+[repository variables](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables)
+(`vars.GCP_WIF_PROVIDER`, `vars.GCP_SERVICE_ACCOUNT`, `vars.GCP_PROJECT_ID`).
+
+See [docs/providers.md](docs/providers.md) for the full `gcloud` setup
+commands, authentication method comparison (WIF vs SA key vs API key), and
+alternative provider configurations (OpenAI, Claude, standalone Gemini API key).
+
 ## Quick Start
 
 ### AI PR Review
@@ -28,28 +51,42 @@ on:
   pull_request:
     types: [opened, synchronize]
 
-permissions:
-  pull-requests: write
-
 jobs:
   review:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write       # Required for Workload Identity Federation
+      pull-requests: write
     steps:
       - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
+      - uses: google-github-actions/auth@v3
+        with:
+          workload_identity_provider: ${{ vars.GCP_WIF_PROVIDER }}
+          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
+
       - uses: redhat-community-ai-tools/cicaddy-action@main
         with:
-          ai_provider: gemini
-          ai_model: gemini-3-flash-preview
-          ai_api_key: ${{ secrets.AI_API_KEY }}
+          ai_provider: gemini-vertex
+          ai_model: gemini-3.5-flash
+          google_cloud_project: ${{ vars.GCP_PROJECT_ID }}
           task_file: tasks/pr_review.yml
           post_pr_comment: 'true'
         env:
           DELEGATION_MODE: auto
 ```
 
+> **Fork PRs**: The `pull_request` event cannot mint OIDC tokens for PRs
+> from forks, so WIF authentication will fail. To support fork PRs, use
+> `pull_request_target` with a label gate (e.g. `safe-to-review`) to
+> prevent unauthorized code execution. See
+> `.github/workflows/pr-review.yml` for an example and
+> [docs/providers.md](docs/providers.md#submit_review-and-fork-pull-requests)
+> for security details.
+
 > **Sub-Agent Delegation**: When `DELEGATION_MODE` is set to `auto`, the agent uses AI-powered triage to analyze the PR diff and spawns specialized sub-agents in parallel (e.g., code quality, security, performance). Each sub-agent runs with a focused scope and reduced token budget, and their results are aggregated into a single unified review. This produces deeper, more structured reviews compared to single-agent mode. Set `DELEGATION_MODE` to `none` to use a single agent instead. See [docs/delegation.md](docs/delegation.md) for details.
 
 ### Changelog Report on Release
@@ -64,16 +101,24 @@ on:
 jobs:
   changelog:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write       # Required for Workload Identity Federation
     steps:
       - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
+      - uses: google-github-actions/auth@v3
+        with:
+          workload_identity_provider: ${{ vars.GCP_WIF_PROVIDER }}
+          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
+
       - uses: redhat-community-ai-tools/cicaddy-action@main
         with:
-          ai_provider: gemini
-          ai_model: gemini-3-flash-preview
-          ai_api_key: ${{ secrets.AI_API_KEY }}
+          ai_provider: gemini-vertex
+          ai_model: gemini-3.5-flash
+          google_cloud_project: ${{ vars.GCP_PROJECT_ID }}
           task_file: tasks/changelog_report.yml
 ```
 
@@ -94,23 +139,29 @@ on:
       - 'go.mod'
       - 'go.sum'
 
-permissions:
-  contents: read
-  pull-requests: write
-
 jobs:
   dep-review:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write       # Required for Workload Identity Federation
+      pull-requests: write
     steps:
       - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version: '1.22'
+
+      - uses: google-github-actions/auth@v3
+        with:
+          workload_identity_provider: ${{ vars.GCP_WIF_PROVIDER }}
+          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
+
       - uses: redhat-community-ai-tools/cicaddy-action@main
         with:
-          ai_provider: gemini
-          ai_model: gemini-3-flash-preview
-          ai_api_key: ${{ secrets.AI_API_KEY }}
+          ai_provider: gemini-vertex
+          ai_model: gemini-3.5-flash
+          google_cloud_project: ${{ vars.GCP_PROJECT_ID }}
           task_file: tasks/go_dep_impact_review.yml
           post_pr_comment: 'true'
           run_govulncheck: 'true'
@@ -123,7 +174,9 @@ agent instead of the default PR code review agent. The `run_govulncheck`
 input enables vulnerability reachability analysis (requires Go and
 govulncheck installed in the runner).
 
-See [docs/providers.md](docs/providers.md) for provider-specific configuration including Claude via Vertex AI (GCP), OpenAI, and Anthropic API setup.
+See [docs/providers.md](docs/providers.md) for the full WIF setup guide,
+alternative providers (OpenAI, Claude, standalone Gemini API key), the
+SA key fallback, and an authentication method comparison table.
 
 ## Inputs
 
@@ -179,10 +232,16 @@ uv pip install -e ".[test]"
 **2. Create an env file** (e.g. `.env.my-review`):
 
 ```bash
-# AI Provider
-AI_PROVIDER=gemini
-AI_MODEL=gemini-3-flash-preview
-GEMINI_API_KEY=<your-gemini-api-key>
+# AI Provider (Gemini via Vertex AI — uses Google Cloud ADC, no API key needed)
+AI_PROVIDER=gemini-vertex
+AI_MODEL=gemini-3.5-flash
+GOOGLE_CLOUD_PROJECT=your-gcp-project
+# GOOGLE_CLOUD_LOCATION=global  # optional, defaults to "global"
+
+# AI Provider (standalone Gemini API key — alternative to Vertex AI)
+# AI_PROVIDER=gemini
+# AI_MODEL=gemini-3.5-flash
+# GEMINI_API_KEY=<your-gemini-api-key>
 
 # GitHub Configuration
 GITHUB_TOKEN=<your-github-token>
@@ -237,7 +296,7 @@ uv run cicaddy validate --env-file .env.my-review
 | Variable | Required | Description |
 |----------|----------|-------------|
 | `AI_PROVIDER` | Yes | `gemini`, `openai`, `claude`, `anthropic-vertex`, or `gemini-vertex` |
-| `AI_MODEL` | Yes | Model identifier (e.g. `gemini-3-flash-preview`) |
+| `AI_MODEL` | Yes | Model identifier (e.g. `gemini-3.5-flash`) |
 | `GEMINI_API_KEY` / `OPENAI_API_KEY` / `ANTHROPIC_API_KEY` | Yes* | API key matching the provider (*not needed for `anthropic-vertex` or `gemini-vertex`) |
 | `ANTHROPIC_VERTEX_PROJECT_ID` | No | GCP project ID (required for `anthropic-vertex`, falls back to `GOOGLE_CLOUD_PROJECT`) |
 | `GOOGLE_CLOUD_PROJECT` | No | GCP project ID for Vertex AI (required for `gemini-vertex`) |

{cicaddy_github-0.7.0 → cicaddy_github-0.7.1}/action.yml

@@ -83,4 +83,4 @@ runs:
   using: 'docker'
   image: 'Dockerfile'
   # After first GHCR publish, switch to pre-built image for faster startup:
-  # image: 'docker://ghcr.io/redhat-community-ai-tools/cicaddy-action:0.7.0'
+  # image: 'docker://ghcr.io/redhat-community-ai-tools/cicaddy-action:0.7.1'

{cicaddy_github-0.7.0 → cicaddy_github-0.7.1}/docs/delegation.md

@@ -20,7 +20,7 @@ Add `delegation_mode` and `max_sub_agents` inputs:
 - uses: redhat-community-ai-tools/cicaddy-action@main
   with:
     ai_provider: gemini
-    ai_model: gemini-3-flash-preview
+    ai_model: gemini-3.5-flash
     ai_api_key: ${{ secrets.AI_API_KEY }}
     task_file: tasks/pr_review.yml
     post_pr_comment: 'true'

cicaddy_github-0.7.1/docs/providers.md

@@ -0,0 +1,269 @@
+# AI Provider Configuration
+
+cicaddy-action supports multiple AI providers. This guide covers provider-specific setup.
+
+## Gemini (API Key)
+
+```yaml
+- uses: redhat-community-ai-tools/cicaddy-action@main
+  with:
+    ai_provider: gemini
+    ai_model: gemini-3.5-flash
+    ai_api_key: ${{ secrets.GEMINI_API_KEY }}
+```
+
+## OpenAI
+
+```yaml
+- uses: redhat-community-ai-tools/cicaddy-action@main
+  with:
+    ai_provider: openai
+    ai_model: gpt-4.5
+    ai_api_key: ${{ secrets.OPENAI_API_KEY }}
+```
+
+## Claude (Anthropic API)
+
+```yaml
+- uses: redhat-community-ai-tools/cicaddy-action@main
+  with:
+    ai_provider: claude
+    ai_model: claude-sonnet-4-6
+    ai_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
+```
+
+## Vertex AI (GCP) — Claude & Gemini
+
+Use Google Cloud Workload Identity Federation (WIF) for keyless authentication.
+WIF eliminates static service account keys — GitHub mints a short-lived OIDC token
+per workflow run, and GCP exchanges it for temporary credentials scoped to that job.
+
+### Parameters
+
+The examples below use these placeholders. Set them as GitHub
+[repository variables](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables)
+(`vars.*`) so every workflow can reference them:
+
+| Placeholder | GitHub variable | How to obtain | Example |
+|-------------|-----------------|---------------|---------|
+| `GCP_PROJECT_ID` | `vars.GCP_PROJECT_ID` | `gcloud config get project` | `my-ai-project` |
+| `GCP_PROJECT_NUM` | `vars.GCP_PROJECT_NUM` | `gcloud projects describe $GCP_PROJECT_ID --format='value(projectNumber)'` | `123456789012` |
+| `GCP_WIF_PROVIDER` | `vars.GCP_WIF_PROVIDER` | Full provider resource name (see setup below) | `projects/123456789012/locations/global/workloadIdentityPools/github-pool/providers/github-provider` |
+| `GCP_SERVICE_ACCOUNT` | `vars.GCP_SERVICE_ACCOUNT` | SA email with Vertex AI permissions | `cicaddy@my-ai-project.iam.gserviceaccount.com` |
+| `GH_ORG` | — | GitHub org or user that owns the repo | `my-org` |
+| `GH_REPO` | — | Repository name | `my-repo` |
+| `GH_OWNER_ID` | — | `gh api orgs/YOUR_ORG --jq '.id'` (only needed for org-wide condition) | `12345678` |
+
+### Prerequisites
+
+**One-time GCP setup** — create a Workload Identity Pool and OIDC provider:
+
+```bash
+# Set these for your environment
+export GCP_PROJECT_ID="my-ai-project"
+export GCP_PROJECT_NUM="$(gcloud projects describe $GCP_PROJECT_ID --format='value(projectNumber)')"
+export GH_ORG="my-org"
+export GH_REPO="my-repo"
+
+# 1. Create a workload identity pool
+gcloud iam workload-identity-pools create "github-pool" \
+  --project="${GCP_PROJECT_ID}" \
+  --location="global" \
+  --display-name="GitHub Actions Pool"
+
+# 2. Create an OIDC provider linked to GitHub Actions
+#    The attribute condition restricts which repositories can authenticate.
+#    Use a per-repository condition (recommended) or per-org condition.
+#
+#    Per-repository (recommended — only YOUR_ORG/YOUR_REPO can authenticate):
+gcloud iam workload-identity-pools providers create-oidc "github-provider" \
+  --project="${GCP_PROJECT_ID}" \
+  --location="global" \
+  --workload-identity-pool="github-pool" \
+  --issuer-uri="https://token.actions.githubusercontent.com" \
+  --attribute-mapping="google.subject=assertion.sub,attribute.repository=assertion.repository,attribute.repository_owner_id=assertion.repository_owner_id" \
+  --attribute-condition="assertion.repository=='${GH_ORG}/${GH_REPO}'"
+
+#    Per-org alternative (any repo in the org can authenticate):
+#    --attribute-condition="assertion.repository_owner_id=='${GH_OWNER_ID}'"
+
+# 3. Allow the pool to impersonate a service account (per-repository scope)
+gcloud iam service-accounts add-iam-policy-binding \
+  "cicaddy@${GCP_PROJECT_ID}.iam.gserviceaccount.com" \
+  --project="${GCP_PROJECT_ID}" \
+  --role="roles/iam.workloadIdentityUser" \
+  --member="principalSet://iam.googleapis.com/projects/${GCP_PROJECT_NUM}/locations/global/workloadIdentityPools/github-pool/attribute.repository/${GH_ORG}/${GH_REPO}"
+```
+
+The service account needs `roles/aiplatform.user` to invoke Vertex AI models.
+
+> **Security**: Both the provider attribute condition (step 2) and the IAM
+> binding (step 3) should be scoped to the specific repository, not just the
+> organization. An org-wide condition lets any repo in the org mint tokens
+> and impersonate the service account. Use `repository_owner_id` (numeric,
+> immutable) if you do need org-level access — never use `repository_owner`
+> (name string, can be re-registered after deletion).
+
+### Claude via Vertex AI
+
+```yaml
+name: PR Review (Claude on Vertex AI)
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+
+permissions:
+  contents: read
+  id-token: write       # Required for Workload Identity Federation
+  pull-requests: write
+
+jobs:
+  review:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - uses: google-github-actions/auth@v3
+        with:
+          workload_identity_provider: ${{ vars.GCP_WIF_PROVIDER }}
+          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
+
+      - uses: redhat-community-ai-tools/cicaddy-action@main
+        with:
+          ai_provider: anthropic-vertex
+          ai_model: claude-sonnet-4-6
+          vertex_project_id: ${{ vars.GCP_PROJECT_ID }}
+          task_file: tasks/pr_review.yml
+          post_pr_comment: 'true'
+```
+
+### Gemini via Vertex AI
+
+```yaml
+name: PR Review (Gemini on Vertex AI)
+
+on:
+  pull_request:
+    types: [opened, synchronize]
+
+permissions:
+  contents: read
+  id-token: write
+  pull-requests: write
+
+jobs:
+  review:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      - uses: google-github-actions/auth@v3
+        with:
+          workload_identity_provider: ${{ vars.GCP_WIF_PROVIDER }}
+          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
+
+      - uses: redhat-community-ai-tools/cicaddy-action@main
+        with:
+          ai_provider: gemini-vertex
+          ai_model: gemini-3.5-flash
+          google_cloud_project: ${{ vars.GCP_PROJECT_ID }}
+          task_file: tasks/pr_review.yml
+          post_pr_comment: 'true'
+```
+
+> **Note**: `google_cloud_project` is required for `gemini-vertex`. The
+> `google-github-actions/auth` step sets `GOOGLE_APPLICATION_CREDENTIALS`
+> automatically. No `ai_api_key` is needed.
+
+### Fallback: Service Account Key
+
+If WIF is not available (e.g., restricted GCP environments without a Workload
+Identity Pool), you can use a service account JSON key as a fallback:
+
+```yaml
+- uses: google-github-actions/auth@v3
+  with:
+    credentials_json: ${{ secrets.GCP_SA_KEY }}
+
+- uses: redhat-community-ai-tools/cicaddy-action@main
+  with:
+    ai_provider: anthropic-vertex
+    ai_model: claude-sonnet-4-6
+    vertex_project_id: ${{ vars.GCP_PROJECT_ID }}
+```
+
+The `google-github-actions/auth` action sets `GOOGLE_APPLICATION_CREDENTIALS`
+automatically in both WIF and SA key modes — never write keys to disk manually
+or echo them in scripts.
+
+> **Prefer WIF over service account keys.** SA keys are long-lived secrets
+> that can leak and require manual rotation. WIF tokens are short-lived
+> (~1 hour), scoped to the specific workflow run, and leave no secrets to manage.
+
+### Authentication Method Comparison
+
+| | WIF (recommended) | SA Key (fallback) | API Key |
+|-|--------------------|-------------------|---------|
+| Secrets to manage | None | JSON key in GitHub secret | API key in GitHub secret |
+| Token lifetime | ~1 hour (auto-issued) | Until key is revoked | Until key is revoked |
+| Rotation | Automatic | Manual (every 90 days) | Manual |
+| Blast radius | Single workflow run | Unlimited until revoked | Unlimited until revoked |
+| Audit trail | Per-job OIDC claims | SA-level logging | Key-level logging |
+| Scope control | Repo, branch, workflow | SA permissions only | Key permissions only |
+
+## Migration Notes
+
+### Default Vertex AI location changed from `us-east5` to `global`
+
+Previous versions defaulted to `us-east5` via the `cloud_ml_region` input. This
+release changes the default to `global` (via the new `google_cloud_location`
+input), which routes requests to the nearest available region.
+
+If your workflow relied on the implicit `us-east5` default, add an explicit
+location:
+
+```yaml
+- uses: redhat-community-ai-tools/cicaddy-action@main
+  with:
+    google_cloud_location: us-east5   # pin to previous default
+```
+
+### `cloud_ml_region` is deprecated
+
+The `cloud_ml_region` input still works but emits a warning. Replace it with
+`google_cloud_location` in your workflows.
+
+## Security Considerations
+
+### `submit_review` and fork pull requests
+
+When `submit_review: 'true'` is set, the action submits a formal GitHub review
+(APPROVE or REQUEST\_CHANGES) on behalf of the token owner. If your repository
+accepts pull requests from forks and you use `pull_request_target` to expose
+secrets, an attacker could craft a PR that tricks the AI into approving
+malicious code.
+
+Mitigations:
+
+- Do **not** combine `submit_review: 'true'` with `pull_request_target` on
+  repositories that accept fork PRs.
+- Use `pull_request` (not `pull_request_target`) when possible — it runs in the
+  fork's context and cannot access repository secrets.
+- If you must use `pull_request_target`, restrict `submit_review` to trusted
+  contributors via a branch protection rule or a job-level `if:` condition.
+
+## Provider Inputs Reference
+
+| Input | Required | Description |
+|-------|----------|-------------|
+| `ai_provider` | Yes | `gemini`, `openai`, `claude`, `anthropic-vertex`, or `gemini-vertex` |
+| `ai_model` | Yes | Model identifier |
+| `ai_api_key` | No | API key (not needed for `anthropic-vertex` or `gemini-vertex`) |
+| `vertex_project_id` | No | GCP project ID for Vertex AI Claude (falls back to `google_cloud_project`) |
+| `google_cloud_project` | No | GCP project ID for Vertex AI (required for `gemini-vertex`, optional fallback for `anthropic-vertex`) |
+| `google_cloud_location` | No | Vertex AI location (default: `global`) |

{cicaddy_github-0.7.0 → cicaddy_github-0.7.1}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "cicaddy-github"
-version = "0.7.0"
+version = "0.7.1"
 description = "GitHub Actions plugin for cicaddy AI agent framework"
 readme = "README.md"
 requires-python = ">=3.11"

{cicaddy_github-0.7.0 → cicaddy_github-0.7.1}/src/cicaddy_github/__init__.py

@@ -1,3 +1,3 @@
 """cicaddy-github: GitHub Actions plugin for cicaddy AI agent framework."""
 
-__version__ = "0.7.0"
+__version__ = "0.7.1"

{cicaddy_github-0.7.0 → cicaddy_github-0.7.1}/tests/unit/test_settings.py

@@ -207,7 +207,7 @@ class TestSettingsValidation:
         """GOOGLE_CLOUD_PROJECT is passed through to settings."""
         env = {
             "AI_PROVIDER": "gemini-vertex",
-            "AI_MODEL": "gemini-3-flash-preview",
+            "AI_MODEL": "gemini-3.5-flash",
             "GOOGLE_CLOUD_PROJECT": "my-gcp-project",
             "GOOGLE_CLOUD_LOCATION": "us-central1",
             "MCP_SERVERS_CONFIG": "[]",
@@ -223,7 +223,7 @@ class TestSettingsValidation:
         """GOOGLE_CLOUD_LOCATION defaults to 'global' when not set."""
         env = {
             "AI_PROVIDER": "gemini-vertex",
-            "AI_MODEL": "gemini-3-flash-preview",
+            "AI_MODEL": "gemini-3.5-flash",
             "GOOGLE_CLOUD_PROJECT": "my-gcp-project",
             "MCP_SERVERS_CONFIG": "[]",
         }
@@ -239,7 +239,7 @@ class TestSettingsValidation:
         """GOOGLE_CLOUD_PROJECT absent results in None."""
         env = {
             "AI_PROVIDER": "gemini",
-            "AI_MODEL": "gemini-3-flash-preview",
+            "AI_MODEL": "gemini-3.5-flash",
             "MCP_SERVERS_CONFIG": "[]",
         }
         with patch.dict(os.environ, env, clear=False):
@@ -254,7 +254,7 @@ class TestSettingsValidation:
         """Empty string GOOGLE_CLOUD_PROJECT is not passed through."""
         env = {
             "AI_PROVIDER": "gemini",
-            "AI_MODEL": "gemini-3-flash-preview",
+            "AI_MODEL": "gemini-3.5-flash",
             "GOOGLE_CLOUD_PROJECT": "",
             "MCP_SERVERS_CONFIG": "[]",
         }

cicaddy_github-0.7.0/docs/providers.md

@@ -1,178 +0,0 @@
-# AI Provider Configuration
-
-cicaddy-action supports multiple AI providers. This guide covers provider-specific setup.
-
-## Gemini
-
-```yaml
-- uses: redhat-community-ai-tools/cicaddy-action@main
-  with:
-    ai_provider: gemini
-    ai_model: gemini-3-flash-preview
-    ai_api_key: ${{ secrets.GEMINI_API_KEY }}
-```
-
-## OpenAI
-
-```yaml
-- uses: redhat-community-ai-tools/cicaddy-action@main
-  with:
-    ai_provider: openai
-    ai_model: gpt-4.5
-    ai_api_key: ${{ secrets.OPENAI_API_KEY }}
-```
-
-## Claude (Anthropic API)
-
-```yaml
-- uses: redhat-community-ai-tools/cicaddy-action@main
-  with:
-    ai_provider: claude
-    ai_model: claude-sonnet-4-6
-    ai_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
-```
-
-## Claude via Vertex AI (GCP)
-
-Uses Google Cloud Workload Identity Federation for keyless authentication — no
-service account JSON keys to manage. This is the recommended approach for GCP.
-
-```yaml
-name: PR Review (Vertex AI)
-
-on:
-  pull_request:
-    types: [opened, synchronize]
-
-permissions:
-  contents: read
-  id-token: write       # Required for Workload Identity Federation
-  pull-requests: write
-
-jobs:
-  review:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-
-      - uses: google-github-actions/auth@v3
-        with:
-          workload_identity_provider: 'projects/123/locations/global/workloadIdentityPools/github/providers/my-repo'
-          service_account: 'cicaddy@my-project.iam.gserviceaccount.com'
-
-      - uses: redhat-community-ai-tools/cicaddy-action@main
-        with:
-          ai_provider: anthropic-vertex
-          ai_model: claude-sonnet-4-6
-          vertex_project_id: my-project
-          task_file: tasks/pr_review.yml
-          post_pr_comment: 'true'
-```
-
-> **Security**: Prefer Workload Identity Federation (shown above) over service
-> account keys. If you must use a key, store the JSON as a GitHub secret and pass
-> it via `google-github-actions/auth` with `credentials_json`:
-> ```yaml
-> - uses: google-github-actions/auth@v3
->   with:
->     credentials_json: ${{ secrets.GCP_SA_KEY }}
-> ```
-> The auth action sets `GOOGLE_APPLICATION_CREDENTIALS` automatically — never
-> write keys to disk manually or echo them in scripts.
-
-## Gemini via Vertex AI (GCP)
-
-Uses Google Cloud authentication (Workload Identity Federation or service account)
-to call Gemini models through the Vertex AI API — no Gemini API key needed.
-
-```yaml
-name: PR Review (Gemini Vertex AI)
-
-on:
-  pull_request:
-    types: [opened, synchronize]
-
-permissions:
-  contents: read
-  id-token: write       # Required for Workload Identity Federation
-  pull-requests: write
-
-jobs:
-  review:
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v6
-        with:
-          fetch-depth: 0
-
-      - uses: google-github-actions/auth@v3
-        with:
-          workload_identity_provider: 'projects/123/locations/global/workloadIdentityPools/github/providers/my-repo'
-          service_account: 'cicaddy@my-project.iam.gserviceaccount.com'
-
-      - uses: redhat-community-ai-tools/cicaddy-action@main
-        with:
-          ai_provider: gemini-vertex
-          ai_model: gemini-3-flash-preview
-          google_cloud_project: my-project
-          task_file: tasks/pr_review.yml
-          post_pr_comment: 'true'
-```
-
-> **Note**: `google_cloud_project` is required for `gemini-vertex`. The
-> `google-github-actions/auth` step sets `GOOGLE_APPLICATION_CREDENTIALS`
-> automatically.
-
-## Migration Notes
-
-### Default Vertex AI location changed from `us-east5` to `global`
-
-Previous versions defaulted to `us-east5` via the `cloud_ml_region` input. This
-release changes the default to `global` (via the new `google_cloud_location`
-input), which routes requests to the nearest available region.
-
-If your workflow relied on the implicit `us-east5` default, add an explicit
-location:
-
-```yaml
-- uses: redhat-community-ai-tools/cicaddy-action@main
-  with:
-    google_cloud_location: us-east5   # pin to previous default
-```
-
-### `cloud_ml_region` is deprecated
-
-The `cloud_ml_region` input still works but emits a warning. Replace it with
-`google_cloud_location` in your workflows.
-
-## Security Considerations
-
-### `submit_review` and fork pull requests
-
-When `submit_review: 'true'` is set, the action submits a formal GitHub review
-(APPROVE or REQUEST\_CHANGES) on behalf of the token owner. If your repository
-accepts pull requests from forks and you use `pull_request_target` to expose
-secrets, an attacker could craft a PR that tricks the AI into approving
-malicious code.
-
-Mitigations:
-
-- Do **not** combine `submit_review: 'true'` with `pull_request_target` on
-  repositories that accept fork PRs.
-- Use `pull_request` (not `pull_request_target`) when possible — it runs in the
-  fork's context and cannot access repository secrets.
-- If you must use `pull_request_target`, restrict `submit_review` to trusted
-  contributors via a branch protection rule or a job-level `if:` condition.
-
-## Provider Inputs Reference
-
-| Input | Required | Description |
-|-------|----------|-------------|
-| `ai_provider` | Yes | `gemini`, `openai`, `claude`, `anthropic-vertex`, or `gemini-vertex` |
-| `ai_model` | Yes | Model identifier |
-| `ai_api_key` | No | API key (not needed for `anthropic-vertex` or `gemini-vertex`) |
-| `vertex_project_id` | No | GCP project ID for Vertex AI Claude (falls back to `google_cloud_project`) |
-| `google_cloud_project` | No | GCP project ID for Vertex AI (required for `gemini-vertex`, optional fallback for `anthropic-vertex`) |
-| `google_cloud_location` | No | Vertex AI location (default: `global`) |