Scion/opencode vertex auth #493
Conversation
Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). View this failed invocation of the CLA check for more information. For the most up to date status, view the checks section at the bottom of the pull request.
Code Review
This pull request adds support for Vertex AI authentication to the OpenCode harness. It updates the configuration to enable Vertex AI capabilities, defines required environment variables, and implements helper functions in provision.py to resolve secrets. It also updates the authentication selection logic to support explicit and auto-detected Vertex AI authentication. The review feedback suggests enforcing the GCP metadata block guard when Vertex AI is explicitly selected and improving compatibility with standard Google Cloud SDKs by populating standard environment variables alongside custom ones.
| if explicit == "vertex-ai": | ||
| if not has_vertex_project or not has_vertex_location: | ||
| raise ValueError( | ||
| "opencode: auth type 'vertex-ai' selected but missing " | ||
| "GOOGLE_CLOUD_PROJECT/VERTEXAI_PROJECT and/or " | ||
| "GOOGLE_CLOUD_REGION/GOOGLE_CLOUD_LOCATION/VERTEX_LOCATION" | ||
| ) | ||
| return "vertex-ai", "" |
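Review bot: the `if not has_vertex_project or not has_vertex_location:` check collapses two distinct failures into a single message that lists five variable names, so the operator cannot tell whether the project or the location is the one that is unset. Split it into two checks (or state in the message which side was missing), e.g. `raise ValueError("opencode: auth type 'vertex-ai' selected but no GOOGLE_CLOUD_PROJECT/VERTEXAI_PROJECT found")`, so the error points at the exact configuration gap.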
When vertex-ai is explicitly selected, we should also respect the vertex_not_blocked guard (which checks gcp_metadata_mode). If GCP metadata access is blocked, we should raise an error immediately rather than attempting to proceed.
| if explicit == "vertex-ai": | |
| if not has_vertex_project or not has_vertex_location: | |
| raise ValueError( | |
| "opencode: auth type 'vertex-ai' selected but missing " | |
| "GOOGLE_CLOUD_PROJECT/VERTEXAI_PROJECT and/or " | |
| "GOOGLE_CLOUD_REGION/GOOGLE_CLOUD_LOCATION/VERTEX_LOCATION" | |
| ) | |
| return "vertex-ai", "" | |
| if explicit == "vertex-ai": | |
| if not vertex_not_blocked: | |
| raise ValueError( | |
| "opencode: auth type 'vertex-ai' selected but GCP metadata access is blocked" | |
| ) | |
| if not has_vertex_project or not has_vertex_location: | |
| raise ValueError( | |
| "opencode: auth type 'vertex-ai' selected but missing " | |
| "GOOGLE_CLOUD_PROJECT/VERTEXAI_PROJECT and/or " | |
| "GOOGLE_CLOUD_REGION/GOOGLE_CLOUD_LOCATION/VERTEX_LOCATION" | |
| ) | |
| return "vertex-ai", "" |
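Review bot: the new `if not vertex_not_blocked:` branch only has an effect if `gcp_metadata_mode` is actually populated, and the description below states that the Go staging layer never writes that field to auth-candidates.json, so as written this guard can never raise. Either have the staging layer emit the field, or place the reserved-for-future-use comment next to this check as well so nobody reads it as an enforced block on explicit vertex-ai selection.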
| if method == "vertex-ai": | ||
| project = _resolve_secret(secret_files, "GOOGLE_CLOUD_PROJECT", "VERTEXAI_PROJECT") | ||
| location = _resolve_secret( | ||
| secret_files, "GOOGLE_CLOUD_REGION", "GOOGLE_CLOUD_LOCATION", "VERTEX_LOCATION" | ||
| ) | ||
| if project: | ||
| env_payload["VERTEXAI_PROJECT"] = project | ||
| if location: | ||
| env_payload["VERTEX_LOCATION"] = location |
To ensure compatibility with standard Google Cloud SDKs (which typically look for GOOGLE_CLOUD_PROJECT and GOOGLE_CLOUD_REGION rather than the custom VERTEXAI_PROJECT and VERTEX_LOCATION env vars), it is safer to populate both sets of environment variables in env_payload.
if method == "vertex-ai":
project = _resolve_secret(secret_files, "GOOGLE_CLOUD_PROJECT", "VERTEXAI_PROJECT")
location = _resolve_secret(
secret_files, "GOOGLE_CLOUD_REGION", "GOOGLE_CLOUD_LOCATION", "VERTEX_LOCATION"
)
if project:
env_payload["VERTEXAI_PROJECT"] = project
env_payload["GOOGLE_CLOUD_PROJECT"] = project
if location:
env_payload["VERTEX_LOCATION"] = location
env_payload["GOOGLE_CLOUD_REGION"] = location

Add vertex-ai as a third auth type for the opencode harness, matching the Claude harness pattern where vertex-ai is the lowest-priority fallback after direct credentials (api-key > auth-file > vertex-ai). Autodetects when GCP project + location env vars are present and gcp_metadata_mode is not "block". When selected, writes VERTEXAI_PROJECT and VERTEX_LOCATION to outputs/env.json.
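Review bot: the resolver accepts `GOOGLE_CLOUD_LOCATION` as an input alias, but the suggested code only writes `GOOGLE_CLOUD_REGION` back, so a consumer that reads `GOOGLE_CLOUD_LOCATION` still sees nothing; either add `env_payload["GOOGLE_CLOUD_LOCATION"] = location` alongside it or document which single name downstream code is expected to read. Separately, the `if project:` / `if location:` guards silently omit the keys when a value resolves empty; since the selection path above already raises when either is missing, an empty value here indicates a mismatch between the two resolvers and is better surfaced as an error than swallowed.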
The gcp_metadata_mode field is never written to auth-candidates.json by the Go staging layer, making the guard inert. Add a comment noting it is reserved for future use rather than removing it, since the concept is actively used elsewhere in the system (e.g. claude_code harness).
72c114a to 75c368d
Fixes #<issue_number_goes_here>