cicaddy-github 0.7.0__tar.gz → 0.8.0__tar.gz

{cicaddy_github-0.7.0 → cicaddy_github-0.8.0}/.agents/skills/cicaddy-action/SKILL.md

@@ -127,10 +127,12 @@ can reference them as bash variables (`INPUT_AI_PROVIDER`, `INPUT_AI_API_KEY`, e
 | `task_prompt` | No | Inline task prompt |
 | `post_pr_comment` | No | Post results as PR comment (default: `false`) |
 | `submit_review` | No | Submit formal PR review with APPROVE/REQUEST_CHANGES (default: `false`) |
+| `inline_review_comments` | No | Post AI findings as inline comments on PR diff lines (default: `false`) |
 | `run_govulncheck` | No | Run govulncheck for vulnerability reachability analysis (default: `false`) |
 | `dep_review_severity_threshold` | No | Minimum semver bump to analyze: `minor` or `major` (default: `minor`) |
 | `delegation_mode` | No | `none` (default) or `auto` for sub-agent delegation |
 | `max_sub_agents` | No | Max concurrent sub-agents, 1-10 (default: `3`) |
+| `delegation_verify_findings` | No | Verify sub-agent findings against codebase (default: `false`) |
 | `github_token` | No | GitHub token (default: `${{ github.token }}`) |
 | `mcp_servers_config` | No | JSON array of MCP server configs |
 | `slack_webhook_url` | No | Slack webhook URL |
@@ -196,6 +198,8 @@ github = "cicaddy_github.plugin:validate"
 - `github_token`, `github_repository`, `github_ref`, `github_event_name`
 - `github_sha`, `github_run_id`, `github_pr_number`
 - `post_pr_comment` (bool)
+- `submit_review` (bool)
+- `inline_review_comments` (bool)
 
 All loaded from environment variables via `load_settings()`.
 
@@ -233,10 +237,10 @@ the `safe-to-review` label. The label is auto-removed on new pushes to prevent
 TOCTOU bypasses.
 
 ```yaml
-- uses: redhat-community-ai-tools/cicaddy-action@v0.7.0
+- uses: redhat-community-ai-tools/cicaddy-action@v0.8.0
   with:
     ai_provider: gemini
-    ai_model: gemini-3-flash-preview
+    ai_model: gemini-3.5-flash
     ai_api_key: ${{ secrets.AI_API_KEY }}
     task_file: tasks/pr_review.yml
     post_pr_comment: 'true'
@@ -252,7 +256,7 @@ file and use `uv run cicaddy run --env-file <file>`.
 ```bash
 # AI Provider
 AI_PROVIDER=gemini
-AI_MODEL=gemini-3-flash-preview
+AI_MODEL=gemini-3.5-flash
 GEMINI_API_KEY=<key>
 
 # GitHub Configuration
@@ -329,11 +333,13 @@ cicaddy-action v0.5.0+ supports AI-powered sub-agent delegation via cicaddy>=0.8
 **Action Inputs:**
 - `delegation_mode`: `none` (default) or `auto`
 - `max_sub_agents`: 1-10 (default: `3`)
+- `delegation_verify_findings`: `false` (default) — verify findings against codebase
 
 **Environment Variables:**
 - `DELEGATION_MODE`: `none` or `auto`
 - `MAX_SUB_AGENTS`: 1-10 (default: `3`)
-- `SUB_AGENT_MAX_ITERS`: 1-15 (default: `10`)
+- `SUB_AGENT_MAX_ITERS`: 1-15 (default: `5`)
+- `DELEGATION_VERIFY_FINDINGS`: verify findings against codebase (`true`/`false`)
 - `DELEGATION_AGENTS_DIR`: `.agents/delegation` (custom agent YAML directory)
 - `DELEGATION_AGENTS`: JSON array for inline custom agents
 - `TRIAGE_PROMPT`: Custom triage instructions
@@ -406,7 +412,7 @@ Or inline via `DELEGATION_AGENTS` JSON env var.
 - uses: redhat-community-ai-tools/cicaddy-action@main
   with:
     ai_provider: gemini
-    ai_model: gemini-3-flash-preview
+    ai_model: gemini-3.5-flash
     ai_api_key: ${{ secrets.AI_API_KEY }}
     task_file: tasks/pr_review.yml
     post_pr_comment: 'true'
@@ -419,7 +425,7 @@ Or inline via `DELEGATION_AGENTS` JSON env var.
 ```bash
 # .env.my-review
 AI_PROVIDER=gemini
-AI_MODEL=gemini-3-flash-preview
+AI_MODEL=gemini-3.5-flash
 GEMINI_API_KEY=<key>
 GITHUB_TOKEN=<token>
 GITHUB_REPOSITORY=owner/repo

{cicaddy_github-0.7.0 → cicaddy_github-0.8.0}/.github/workflows/pr-review.yml

@@ -49,15 +49,20 @@ jobs:
           fi
 
       - name: AI Code Review
-        uses: redhat-community-ai-tools/cicaddy-action@v0.5.0
+        uses: redhat-community-ai-tools/cicaddy-action@v0.8.0
         id: review
         with:
           ai_provider: gemini
-          ai_model: gemini-3-flash-preview
+          ai_model: gemini-3.5-flash
           ai_api_key: ${{ secrets.AI_API_KEY }}
           task_file: tasks/pr_review.yml
           post_pr_comment: 'true'
+          # submit_review and inline_review_comments intentionally omitted —
+          # this workflow uses pull_request_target for fork PR support, and
+          # formal reviews should not be combined with pull_request_target.
+          # See docs/providers.md#submit_review-and-fork-pull-requests
           delegation_mode: auto
+          delegation_verify_findings: 'true'
           mcp_servers_config: ${{ steps.mcp.outputs.config }}
         env:
           ANALYSIS_FOCUS: "general"

{cicaddy_github-0.7.0 → cicaddy_github-0.8.0}/AGENTS.md

@@ -102,7 +102,7 @@ The cicaddy-github plugin provides:
 | `DELEGATION_AGENTS` | (empty) | JSON config for inline custom sub-agent definitions |
 | `TRIAGE_PROMPT` | (empty) | Custom triage instructions |
 
-Action inputs: `delegation_mode`, `max_sub_agents`
+Action inputs: `delegation_mode`, `max_sub_agents`, `delegation_verify_findings`
 CLI flags: `--delegation-mode auto --max-sub-agents 2`
 
 See cicaddy's [sub-agent delegation docs](https://github.com/waynesun09/cicaddy/blob/main/docs/sub-agent-delegation.md) for built-in agents, custom YAML format, and tool filtering.
@@ -124,12 +124,16 @@ All inputs use **underscores** (not hyphens) for Docker container compatibility:
 | `task_prompt` | No | Inline task prompt |
 | `post_pr_comment` | No | Post results as PR comment (default: `false`) |
 | `submit_review` | No | Submit formal PR review with APPROVE/REQUEST_CHANGES (default: `false`) |
+| `inline_review_comments` | No | Post AI findings as inline comments on PR diff lines (default: `false`) |
 | `github_token` | No | GitHub token (default: `${{ github.token }}`) |
 | `mcp_servers_config` | No | JSON array of MCP server configs |
 | `slack_webhook_url` | No | Slack webhook URL |
 | `report_template` | No | Custom HTML report template path |
+| `run_govulncheck` | No | Run govulncheck for vulnerability reachability analysis (default: `false`) |
+| `dep_review_severity_threshold` | No | Minimum semver bump to analyze: `minor` or `major` (default: `minor`) |
 | `delegation_mode` | No | `none` (default) or `auto` for sub-agent delegation |
 | `max_sub_agents` | No | Max concurrent sub-agents, 1-10 (default: `3`) |
+| `delegation_verify_findings` | No | Verify sub-agent findings against codebase (default: `false`) |
 
 *Not required if provider-specific key is set via `env:`.
 
@@ -179,7 +183,7 @@ Create an env file and use `uv run cicaddy run --env-file <file>`:
 ```bash
 # AI Provider
 AI_PROVIDER=gemini
-AI_MODEL=gemini-3-flash-preview
+AI_MODEL=gemini-3.5-flash
 GEMINI_API_KEY=<key>
 
 # GitHub Configuration

{cicaddy_github-0.7.0 → cicaddy_github-0.8.0}/PKG-INFO

@@ -1,12 +1,12 @@
 Metadata-Version: 2.4
 Name: cicaddy-github
-Version: 0.7.0
+Version: 0.8.0
 Summary: GitHub Actions plugin for cicaddy AI agent framework
 Project-URL: Homepage, https://github.com/redhat-community-ai-tools/cicaddy-action
 Project-URL: Repository, https://github.com/redhat-community-ai-tools/cicaddy-action.git
 Project-URL: Issues, https://github.com/redhat-community-ai-tools/cicaddy-action/issues
 Author: Wayne Sun
-License: Apache-2.0
+License-Expression: Apache-2.0
 License-File: LICENSE
 Requires-Python: >=3.11
 Requires-Dist: cicaddy>=0.11.0
@@ -32,6 +32,29 @@ GitHub Action that wraps [cicaddy](https://github.com/waynesun09/cicaddy) for ru
 - **Secret redaction** via detect-secrets for safe public outputs
 - **DSPy YAML task definitions** for customizable analysis workflows
 
+## Prerequisites
+
+The examples below use **Vertex AI with Workload Identity Federation (WIF)**
+for keyless authentication. WIF eliminates static secrets — GitHub mints a
+short-lived OIDC token per workflow run and GCP exchanges it for temporary
+credentials scoped to that job.
+
+**One-time GCP setup required:**
+
+1. Create a Workload Identity Pool and OIDC provider
+2. Create a service account with `roles/aiplatform.user`
+3. Bind the pool to the service account **scoped to your specific repository**
+   (the `--member` flag must use a `principalSet` with `attribute.repository/OWNER/REPO`
+   to enforce repository-level isolation)
+
+Store the resulting values as GitHub
+[repository variables](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables)
+(`vars.GCP_WIF_PROVIDER`, `vars.GCP_SERVICE_ACCOUNT`, `vars.GCP_PROJECT_ID`).
+
+See [docs/providers.md](docs/providers.md) for the full `gcloud` setup
+commands, authentication method comparison (WIF vs SA key vs API key), and
+alternative provider configurations (OpenAI, Claude, standalone Gemini API key).
+
 ## Quick Start
 
 ### AI PR Review
@@ -48,28 +71,44 @@ on:
   pull_request:
     types: [opened, synchronize]
 
-permissions:
-  pull-requests: write
-
 jobs:
   review:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write       # Required for Workload Identity Federation
+      pull-requests: write
     steps:
       - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
+      - uses: google-github-actions/auth@v3
+        with:
+          workload_identity_provider: ${{ vars.GCP_WIF_PROVIDER }}
+          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
+
       - uses: redhat-community-ai-tools/cicaddy-action@main
         with:
-          ai_provider: gemini
-          ai_model: gemini-3-flash-preview
-          ai_api_key: ${{ secrets.AI_API_KEY }}
+          ai_provider: gemini-vertex
+          ai_model: gemini-3.5-flash
+          google_cloud_project: ${{ vars.GCP_PROJECT_ID }}
           task_file: tasks/pr_review.yml
           post_pr_comment: 'true'
-        env:
-          DELEGATION_MODE: auto
+          submit_review: 'true'
+          inline_review_comments: 'true'
+          delegation_mode: auto
+          delegation_verify_findings: 'true'
 ```
 
+> **Fork PRs**: The `pull_request` event cannot mint OIDC tokens for PRs
+> from forks, so WIF authentication will fail. To support fork PRs, use
+> `pull_request_target` with a label gate (e.g. `safe-to-review`) to
+> prevent unauthorized code execution. See
+> `.github/workflows/pr-review.yml` for an example and
+> [docs/providers.md](docs/providers.md#submit_review-and-fork-pull-requests)
+> for security details.
+
 > **Sub-Agent Delegation**: When `DELEGATION_MODE` is set to `auto`, the agent uses AI-powered triage to analyze the PR diff and spawns specialized sub-agents in parallel (e.g., code quality, security, performance). Each sub-agent runs with a focused scope and reduced token budget, and their results are aggregated into a single unified review. This produces deeper, more structured reviews compared to single-agent mode. Set `DELEGATION_MODE` to `none` to use a single agent instead. See [docs/delegation.md](docs/delegation.md) for details.
 
 ### Changelog Report on Release
@@ -84,16 +123,24 @@ on:
 jobs:
   changelog:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write       # Required for Workload Identity Federation
     steps:
       - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
+      - uses: google-github-actions/auth@v3
+        with:
+          workload_identity_provider: ${{ vars.GCP_WIF_PROVIDER }}
+          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
+
       - uses: redhat-community-ai-tools/cicaddy-action@main
         with:
-          ai_provider: gemini
-          ai_model: gemini-3-flash-preview
-          ai_api_key: ${{ secrets.AI_API_KEY }}
+          ai_provider: gemini-vertex
+          ai_model: gemini-3.5-flash
+          google_cloud_project: ${{ vars.GCP_PROJECT_ID }}
           task_file: tasks/changelog_report.yml
 ```
 
@@ -114,23 +161,29 @@ on:
       - 'go.mod'
       - 'go.sum'
 
-permissions:
-  contents: read
-  pull-requests: write
-
 jobs:
   dep-review:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write       # Required for Workload Identity Federation
+      pull-requests: write
     steps:
       - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version: '1.22'
+
+      - uses: google-github-actions/auth@v3
+        with:
+          workload_identity_provider: ${{ vars.GCP_WIF_PROVIDER }}
+          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
+
       - uses: redhat-community-ai-tools/cicaddy-action@main
         with:
-          ai_provider: gemini
-          ai_model: gemini-3-flash-preview
-          ai_api_key: ${{ secrets.AI_API_KEY }}
+          ai_provider: gemini-vertex
+          ai_model: gemini-3.5-flash
+          google_cloud_project: ${{ vars.GCP_PROJECT_ID }}
           task_file: tasks/go_dep_impact_review.yml
           post_pr_comment: 'true'
           run_govulncheck: 'true'
@@ -143,7 +196,9 @@ agent instead of the default PR code review agent. The `run_govulncheck`
 input enables vulnerability reachability analysis (requires Go and
 govulncheck installed in the runner).
 
-See [docs/providers.md](docs/providers.md) for provider-specific configuration including Claude via Vertex AI (GCP), OpenAI, and Anthropic API setup.
+See [docs/providers.md](docs/providers.md) for the full WIF setup guide,
+alternative providers (OpenAI, Claude, standalone Gemini API key), the
+SA key fallback, and an authentication method comparison table.
 
 ## Inputs
 
@@ -162,12 +217,42 @@ See [docs/providers.md](docs/providers.md) for provider-specific configuration i
 | `slack_webhook_url` | No | Slack webhook URL for notifications |
 | `post_pr_comment` | No | Post results as PR comment (default: `false`) |
 | `submit_review` | No | Submit formal PR review with APPROVE/REQUEST_CHANGES (default: `false`) |
+| `inline_review_comments` | No | Post AI findings as inline comments on PR diff lines (default: `false`) |
 | `run_govulncheck` | No | Run govulncheck for vulnerability reachability analysis (default: `false`) |
 | `dep_review_severity_threshold` | No | Minimum semver bump to analyze: `minor` or `major` (default: `minor`) |
 | `delegation_mode` | No | Enable AI-powered sub-agent delegation: `none` (default) or `auto` |
 | `max_sub_agents` | No | Maximum concurrent sub-agents, 1-10 (default: `3`) |
+| `delegation_verify_findings` | No | Verify sub-agent findings against codebase to reduce false positives (default: `false`) |
 | `github_token` | No | GitHub token (default: `${{ github.token }}`) |
 
+### Review Output Options
+
+The action supports three independent review output options that control how results appear on a PR. All three default to `false` and can be combined:
+
+| Option | What it does |
+|--------|-------------|
+| `post_pr_comment` | Posts (or updates) a bot comment on the PR with the full review summary. On subsequent runs the same comment is updated in place. |
+| `submit_review` | Submits a formal GitHub review (APPROVE / REQUEST_CHANGES / COMMENT) based on the AI analysis. |
+| `inline_review_comments` | Attaches AI findings as inline comments on the exact diff lines. Requires `submit_review: 'true'` since inline comments are part of the GitHub review. |
+
+**Recommended combinations:**
+
+```yaml
+# Summary comment only (simplest)
+post_pr_comment: 'true'
+
+# Summary comment + inline diff comments (recommended for most teams)
+post_pr_comment: 'true'
+submit_review: 'true'
+inline_review_comments: 'true'
+
+# Formal review with inline comments, no standalone comment
+submit_review: 'true'
+inline_review_comments: 'true'
+```
+
+> **Note:** `inline_review_comments` works best with `submit_review: 'true'` and `delegation_mode: auto`. Delegation produces structured findings with file/line info that inline comments need. Without `submit_review`, inline comments are posted as a `COMMENT` review (no approval/rejection verdict).
+
 ## Outputs
 
 | Output | Description |
@@ -199,10 +284,16 @@ uv pip install -e ".[test]"
 **2. Create an env file** (e.g. `.env.my-review`):
 
 ```bash
-# AI Provider
-AI_PROVIDER=gemini
-AI_MODEL=gemini-3-flash-preview
-GEMINI_API_KEY=<your-gemini-api-key>
+# AI Provider (Gemini via Vertex AI — uses Google Cloud ADC, no API key needed)
+AI_PROVIDER=gemini-vertex
+AI_MODEL=gemini-3.5-flash
+GOOGLE_CLOUD_PROJECT=your-gcp-project
+# GOOGLE_CLOUD_LOCATION=global  # optional, defaults to "global"
+
+# AI Provider (standalone Gemini API key — alternative to Vertex AI)
+# AI_PROVIDER=gemini
+# AI_MODEL=gemini-3.5-flash
+# GEMINI_API_KEY=<your-gemini-api-key>
 
 # GitHub Configuration
 GITHUB_TOKEN=<your-github-token>
@@ -212,6 +303,8 @@ GITHUB_PR_NUMBER=42
 
 # Agent Settings
 POST_PR_COMMENT=true
+SUBMIT_REVIEW=true
+INLINE_REVIEW_COMMENTS=true
 ENABLE_LOCAL_TOOLS=true
 LOCAL_TOOLS_WORKING_DIR=.
 
@@ -257,7 +350,7 @@ uv run cicaddy validate --env-file .env.my-review
 | Variable | Required | Description |
 |----------|----------|-------------|
 | `AI_PROVIDER` | Yes | `gemini`, `openai`, `claude`, `anthropic-vertex`, or `gemini-vertex` |
-| `AI_MODEL` | Yes | Model identifier (e.g. `gemini-3-flash-preview`) |
+| `AI_MODEL` | Yes | Model identifier (e.g. `gemini-3.5-flash`) |
 | `GEMINI_API_KEY` / `OPENAI_API_KEY` / `ANTHROPIC_API_KEY` | Yes* | API key matching the provider (*not needed for `anthropic-vertex` or `gemini-vertex`) |
 | `ANTHROPIC_VERTEX_PROJECT_ID` | No | GCP project ID (required for `anthropic-vertex`, falls back to `GOOGLE_CLOUD_PROJECT`) |
 | `GOOGLE_CLOUD_PROJECT` | No | GCP project ID for Vertex AI (required for `gemini-vertex`) |
@@ -267,9 +360,12 @@ uv run cicaddy validate --env-file .env.my-review
 | `GITHUB_EVENT_NAME` | No | Set to `pull_request` for auto-detection (optional if `GITHUB_PR_NUMBER` is set) |
 | `GITHUB_PR_NUMBER` | Yes | PR number to review |
 | `POST_PR_COMMENT` | No | Post results as PR comment (`true`/`false`) |
+| `SUBMIT_REVIEW` | No | Submit formal PR review with APPROVE/REQUEST_CHANGES (`true`/`false`) |
+| `INLINE_REVIEW_COMMENTS` | No | Post AI findings as inline comments on PR diff lines (`true`/`false`) |
 | `AGENT_TASKS` | No | Agent task type (e.g. `go_dep_review` for Go dependency analysis) |
 | `DELEGATION_MODE` | No | `auto` for AI-powered sub-agent delegation, `none` for single-agent (default: `none`) |
 | `MAX_SUB_AGENTS` | No | Max concurrent sub-agents for delegation, 1-10 (default: `3`) |
+| `DELEGATION_VERIFY_FINDINGS` | No | Verify sub-agent findings against codebase to reduce false positives (`true`/`false`) |
 | `SUB_AGENT_MAX_ITERS` | No | Max iterations per sub-agent, 1-15 (default: `5`) |
 | `AI_TASK_FILE` | No | Path to DSPy YAML task file for custom workflows |
 | `RUN_GOVULNCHECK` | No | Run govulncheck for reachability analysis (`true`/`false`) |

{cicaddy_github-0.7.0 → cicaddy_github-0.8.0}/README.md

@@ -12,6 +12,29 @@ GitHub Action that wraps [cicaddy](https://github.com/waynesun09/cicaddy) for ru
 - **Secret redaction** via detect-secrets for safe public outputs
 - **DSPy YAML task definitions** for customizable analysis workflows
 
+## Prerequisites
+
+The examples below use **Vertex AI with Workload Identity Federation (WIF)**
+for keyless authentication. WIF eliminates static secrets — GitHub mints a
+short-lived OIDC token per workflow run and GCP exchanges it for temporary
+credentials scoped to that job.
+
+**One-time GCP setup required:**
+
+1. Create a Workload Identity Pool and OIDC provider
+2. Create a service account with `roles/aiplatform.user`
+3. Bind the pool to the service account **scoped to your specific repository**
+   (the `--member` flag must use a `principalSet` with `attribute.repository/OWNER/REPO`
+   to enforce repository-level isolation)
+
+Store the resulting values as GitHub
+[repository variables](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/store-information-in-variables)
+(`vars.GCP_WIF_PROVIDER`, `vars.GCP_SERVICE_ACCOUNT`, `vars.GCP_PROJECT_ID`).
+
+See [docs/providers.md](docs/providers.md) for the full `gcloud` setup
+commands, authentication method comparison (WIF vs SA key vs API key), and
+alternative provider configurations (OpenAI, Claude, standalone Gemini API key).
+
 ## Quick Start
 
 ### AI PR Review
@@ -28,28 +51,44 @@ on:
   pull_request:
     types: [opened, synchronize]
 
-permissions:
-  pull-requests: write
-
 jobs:
   review:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write       # Required for Workload Identity Federation
+      pull-requests: write
     steps:
       - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
+      - uses: google-github-actions/auth@v3
+        with:
+          workload_identity_provider: ${{ vars.GCP_WIF_PROVIDER }}
+          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
+
       - uses: redhat-community-ai-tools/cicaddy-action@main
         with:
-          ai_provider: gemini
-          ai_model: gemini-3-flash-preview
-          ai_api_key: ${{ secrets.AI_API_KEY }}
+          ai_provider: gemini-vertex
+          ai_model: gemini-3.5-flash
+          google_cloud_project: ${{ vars.GCP_PROJECT_ID }}
           task_file: tasks/pr_review.yml
           post_pr_comment: 'true'
-        env:
-          DELEGATION_MODE: auto
+          submit_review: 'true'
+          inline_review_comments: 'true'
+          delegation_mode: auto
+          delegation_verify_findings: 'true'
 ```
 
+> **Fork PRs**: The `pull_request` event cannot mint OIDC tokens for PRs
+> from forks, so WIF authentication will fail. To support fork PRs, use
+> `pull_request_target` with a label gate (e.g. `safe-to-review`) to
+> prevent unauthorized code execution. See
+> `.github/workflows/pr-review.yml` for an example and
+> [docs/providers.md](docs/providers.md#submit_review-and-fork-pull-requests)
+> for security details.
+
 > **Sub-Agent Delegation**: When `DELEGATION_MODE` is set to `auto`, the agent uses AI-powered triage to analyze the PR diff and spawns specialized sub-agents in parallel (e.g., code quality, security, performance). Each sub-agent runs with a focused scope and reduced token budget, and their results are aggregated into a single unified review. This produces deeper, more structured reviews compared to single-agent mode. Set `DELEGATION_MODE` to `none` to use a single agent instead. See [docs/delegation.md](docs/delegation.md) for details.
 
 ### Changelog Report on Release
@@ -64,16 +103,24 @@ on:
 jobs:
   changelog:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write       # Required for Workload Identity Federation
     steps:
       - uses: actions/checkout@v6
         with:
           fetch-depth: 0
 
+      - uses: google-github-actions/auth@v3
+        with:
+          workload_identity_provider: ${{ vars.GCP_WIF_PROVIDER }}
+          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
+
       - uses: redhat-community-ai-tools/cicaddy-action@main
         with:
-          ai_provider: gemini
-          ai_model: gemini-3-flash-preview
-          ai_api_key: ${{ secrets.AI_API_KEY }}
+          ai_provider: gemini-vertex
+          ai_model: gemini-3.5-flash
+          google_cloud_project: ${{ vars.GCP_PROJECT_ID }}
           task_file: tasks/changelog_report.yml
 ```
 
@@ -94,23 +141,29 @@ on:
       - 'go.mod'
       - 'go.sum'
 
-permissions:
-  contents: read
-  pull-requests: write
-
 jobs:
   dep-review:
     runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write       # Required for Workload Identity Federation
+      pull-requests: write
     steps:
       - uses: actions/checkout@v6
       - uses: actions/setup-go@v6
         with:
           go-version: '1.22'
+
+      - uses: google-github-actions/auth@v3
+        with:
+          workload_identity_provider: ${{ vars.GCP_WIF_PROVIDER }}
+          service_account: ${{ vars.GCP_SERVICE_ACCOUNT }}
+
       - uses: redhat-community-ai-tools/cicaddy-action@main
         with:
-          ai_provider: gemini
-          ai_model: gemini-3-flash-preview
-          ai_api_key: ${{ secrets.AI_API_KEY }}
+          ai_provider: gemini-vertex
+          ai_model: gemini-3.5-flash
+          google_cloud_project: ${{ vars.GCP_PROJECT_ID }}
           task_file: tasks/go_dep_impact_review.yml
           post_pr_comment: 'true'
           run_govulncheck: 'true'
@@ -123,7 +176,9 @@ agent instead of the default PR code review agent. The `run_govulncheck`
 input enables vulnerability reachability analysis (requires Go and
 govulncheck installed in the runner).
 
-See [docs/providers.md](docs/providers.md) for provider-specific configuration including Claude via Vertex AI (GCP), OpenAI, and Anthropic API setup.
+See [docs/providers.md](docs/providers.md) for the full WIF setup guide,
+alternative providers (OpenAI, Claude, standalone Gemini API key), the
+SA key fallback, and an authentication method comparison table.
 
 ## Inputs
 
@@ -142,12 +197,42 @@ See [docs/providers.md](docs/providers.md) for provider-specific configuration i
 | `slack_webhook_url` | No | Slack webhook URL for notifications |
 | `post_pr_comment` | No | Post results as PR comment (default: `false`) |
 | `submit_review` | No | Submit formal PR review with APPROVE/REQUEST_CHANGES (default: `false`) |
+| `inline_review_comments` | No | Post AI findings as inline comments on PR diff lines (default: `false`) |
 | `run_govulncheck` | No | Run govulncheck for vulnerability reachability analysis (default: `false`) |
 | `dep_review_severity_threshold` | No | Minimum semver bump to analyze: `minor` or `major` (default: `minor`) |
 | `delegation_mode` | No | Enable AI-powered sub-agent delegation: `none` (default) or `auto` |
 | `max_sub_agents` | No | Maximum concurrent sub-agents, 1-10 (default: `3`) |
+| `delegation_verify_findings` | No | Verify sub-agent findings against codebase to reduce false positives (default: `false`) |
 | `github_token` | No | GitHub token (default: `${{ github.token }}`) |
 
+### Review Output Options
+
+The action supports three independent review output options that control how results appear on a PR. All three default to `false` and can be combined:
+
+| Option | What it does |
+|--------|-------------|
+| `post_pr_comment` | Posts (or updates) a bot comment on the PR with the full review summary. On subsequent runs the same comment is updated in place. |
+| `submit_review` | Submits a formal GitHub review (APPROVE / REQUEST_CHANGES / COMMENT) based on the AI analysis. |
+| `inline_review_comments` | Attaches AI findings as inline comments on the exact diff lines. Requires `submit_review: 'true'` since inline comments are part of the GitHub review. |
+
+**Recommended combinations:**
+
+```yaml
+# Summary comment only (simplest)
+post_pr_comment: 'true'
+
+# Summary comment + inline diff comments (recommended for most teams)
+post_pr_comment: 'true'
+submit_review: 'true'
+inline_review_comments: 'true'
+
+# Formal review with inline comments, no standalone comment
+submit_review: 'true'
+inline_review_comments: 'true'
+```
+
+> **Note:** `inline_review_comments` works best with `submit_review: 'true'` and `delegation_mode: auto`. Delegation produces structured findings with file/line info that inline comments need. Without `submit_review`, inline comments are posted as a `COMMENT` review (no approval/rejection verdict).
+
 ## Outputs
 
 | Output | Description |
@@ -179,10 +264,16 @@ uv pip install -e ".[test]"
 **2. Create an env file** (e.g. `.env.my-review`):
 
 ```bash
-# AI Provider
-AI_PROVIDER=gemini
-AI_MODEL=gemini-3-flash-preview
-GEMINI_API_KEY=<your-gemini-api-key>
+# AI Provider (Gemini via Vertex AI — uses Google Cloud ADC, no API key needed)
+AI_PROVIDER=gemini-vertex
+AI_MODEL=gemini-3.5-flash
+GOOGLE_CLOUD_PROJECT=your-gcp-project
+# GOOGLE_CLOUD_LOCATION=global  # optional, defaults to "global"
+
+# AI Provider (standalone Gemini API key — alternative to Vertex AI)
+# AI_PROVIDER=gemini
+# AI_MODEL=gemini-3.5-flash
+# GEMINI_API_KEY=<your-gemini-api-key>
 
 # GitHub Configuration
 GITHUB_TOKEN=<your-github-token>
@@ -192,6 +283,8 @@ GITHUB_PR_NUMBER=42
 
 # Agent Settings
 POST_PR_COMMENT=true
+SUBMIT_REVIEW=true
+INLINE_REVIEW_COMMENTS=true
 ENABLE_LOCAL_TOOLS=true
 LOCAL_TOOLS_WORKING_DIR=.
 
@@ -237,7 +330,7 @@ uv run cicaddy validate --env-file .env.my-review
 | Variable | Required | Description |
 |----------|----------|-------------|
 | `AI_PROVIDER` | Yes | `gemini`, `openai`, `claude`, `anthropic-vertex`, or `gemini-vertex` |
-| `AI_MODEL` | Yes | Model identifier (e.g. `gemini-3-flash-preview`) |
+| `AI_MODEL` | Yes | Model identifier (e.g. `gemini-3.5-flash`) |
 | `GEMINI_API_KEY` / `OPENAI_API_KEY` / `ANTHROPIC_API_KEY` | Yes* | API key matching the provider (*not needed for `anthropic-vertex` or `gemini-vertex`) |
 | `ANTHROPIC_VERTEX_PROJECT_ID` | No | GCP project ID (required for `anthropic-vertex`, falls back to `GOOGLE_CLOUD_PROJECT`) |
 | `GOOGLE_CLOUD_PROJECT` | No | GCP project ID for Vertex AI (required for `gemini-vertex`) |
@@ -247,9 +340,12 @@ uv run cicaddy validate --env-file .env.my-review
 | `GITHUB_EVENT_NAME` | No | Set to `pull_request` for auto-detection (optional if `GITHUB_PR_NUMBER` is set) |
 | `GITHUB_PR_NUMBER` | Yes | PR number to review |
 | `POST_PR_COMMENT` | No | Post results as PR comment (`true`/`false`) |
+| `SUBMIT_REVIEW` | No | Submit formal PR review with APPROVE/REQUEST_CHANGES (`true`/`false`) |
+| `INLINE_REVIEW_COMMENTS` | No | Post AI findings as inline comments on PR diff lines (`true`/`false`) |
 | `AGENT_TASKS` | No | Agent task type (e.g. `go_dep_review` for Go dependency analysis) |
 | `DELEGATION_MODE` | No | `auto` for AI-powered sub-agent delegation, `none` for single-agent (default: `none`) |
 | `MAX_SUB_AGENTS` | No | Max concurrent sub-agents for delegation, 1-10 (default: `3`) |
+| `DELEGATION_VERIFY_FINDINGS` | No | Verify sub-agent findings against codebase to reduce false positives (`true`/`false`) |
 | `SUB_AGENT_MAX_ITERS` | No | Max iterations per sub-agent, 1-15 (default: `5`) |
 | `AI_TASK_FILE` | No | Path to DSPy YAML task file for custom workflows |
 | `RUN_GOVULNCHECK` | No | Run govulncheck for reachability analysis (`true`/`false`) |