TL;DR
Bug Description
The GitHub Actions workflow for PR reviews, generated by the gemini CLI, fails to authenticate under two common and critical scenarios:
When triggered by a pull request from a forked repository.
When triggered by a pull request opened by Dependabot.
In both cases, the generated workflow uses the on: pull_request trigger. Due to GitHub's security policies, this trigger runs with restricted permissions and no access to secrets when initiated from a fork or by the Dependabot actor.
This causes the action to fail with an authentication error, making the default generated workflow unsuitable for most open-source projects without significant manual correction.
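To make the permission boundary concrete, here is an added example (not the workflow the gemini CLI generates, and not code from the project) that puts the default trigger shape beside a hardened one. The action name, its `diff_file` input and the `safe-to-review` label are assumptions; only GEMINI_API_KEY comes from the report.

```yaml
# Added example: not the generated workflow. Action name, input name and
# label name are placeholders/assumptions; GEMINI_API_KEY is from the report.

# --- Default shape described in the report: no secrets on fork/Dependabot PRs ---
# on:
#   pull_request:
# jobs:
#   review:
#     runs-on: ubuntu-latest
#     steps:
#       - uses: actions/checkout@v4          # checks out the PR merge commit
#       - run: gemini review ...              # GEMINI_API_KEY is empty -> auth error
#         env:
#           GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}

# --- Hardened shape: secrets available, untrusted PR code never executed ---
name: 'Gemini Pull Request Review'
on:
  pull_request_target:               # runs in the base-repo context, so secrets resolve
    types: [opened, synchronize, reopened, labeled]

permissions:
  contents: read
  pull-requests: write               # needed to post the review comment

jobs:
  review:
    runs-on: ubuntu-latest
    # Gate: same-repo PRs and Dependabot run directly; fork PRs run only after a
    # maintainer has read the diff and applied the (assumed) safe-to-review label.
    if: >-
      github.event.pull_request.head.repo.full_name == github.repository ||
      github.actor == 'dependabot[bot]' ||
      contains(github.event.pull_request.labels.*.name, 'safe-to-review')
    steps:
      # Fail fast with a clear message instead of the opaque CLI auth error.
      - name: Check that the secret is present
        env:
          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
        run: |
          if [ -z "$GEMINI_API_KEY" ]; then
            echo "::error::GEMINI_API_KEY is empty; this run has no access to repository secrets"
            exit 1
          fi
      # Check out the BASE branch only (the default for pull_request_target).
      # Do not pass ref: ${{ github.event.pull_request.head.sha }} here: that
      # would execute untrusted PR code with secrets in scope.
      - uses: actions/checkout@v4
      # Read the proposed change as data via the API rather than running it.
      - name: Fetch PR diff
        env:
          GH_TOKEN: ${{ github.token }}
        run: gh pr diff "${{ github.event.pull_request.number }}" --repo "${{ github.repository }}" > pr.diff
      - name: Run review
        uses: OWNER/GEMINI-REVIEW-ACTION@VERSION   # placeholder: substitute the real action
        with:
          diff_file: pr.diff                        # assumed input name
        env:
          GEMINI_API_KEY: ${{ secrets.GEMINI_API_KEY }}
```

Two notes on the design. `pull_request_target` is the only trigger that gives fork PRs the base repository's secrets, and that is exactly why the job must never check out or execute the PR head; the review reads the diff as data only, and the label gate keeps a maintainer in the loop for forks (the label persists across `synchronize` events, so later pushes re-run under it). For the Dependabot case, staying on plain `pull_request` is also workable: Dependabot-triggered runs receive secrets from the repository's Dependabot secrets store rather than the Actions store, so adding GEMINI_API_KEY there fixes Scenario B alone, but does nothing for forks.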
Steps to Reproduce
The issue can be reproduced in two primary ways:
Scenario A: Forked Repository
Use the gemini CLI to generate and commit the PR review workflow to a public GitHub repository.
Create a fork of that repository.
From the fork, open a pull request to the original repository.
Observe the action fail.
Scenario B: Dependabot
Use the gemini CLI to generate and commit the PR review workflow to a repository with outdated dependencies.
Ensure Dependabot security and version updates are enabled.
Wait for Dependabot to open a new PR to update a dependency.
Observe the action fail.
Expected Behavior
The generated workflow should run successfully in both scenarios, using the secrets from the base repository to authenticate with the Gemini API and perform the code review.
Actual Behavior
The action fails with an authentication error. The logs confirm that environment variables for secrets (e.g., GEMINI_API_KEY) are empty, and the step exits with the message:
Please set an Auth method in your /home/runner/.gemini/settings.json or specify one of the following environment variables before running: GEMINI_API_KEY, GOOGLE_GENAI_USE_VERTEXAI, GOOGLE_GENAI_USE_GCA
Expected behavior
No response
Observed behavior
No response
Action YAML
name: '🧐 Gemini Pull Request Review'
Additional information
No response