feat(antigravity): pin CLI to 1.0.11 + switch vertex-ai to ADC #294
ptone wants to merge 3 commits into
Replace the auto-updater manifest fetch with a direct download from GitHub Releases, pinned to version 1.0.11. This improves build reproducibility and picks up USE_ADC env var support needed for ADC-based Vertex AI auth. AGY_VERSION is a build ARG for easy future bumps. TARGETARCH is mapped to the release asset naming convention (amd64 → x64).
vertex-ai auth now uses Application Default Credentials instead of requiring an AGY_TOKEN OAuth refresh token. When GCP env vars (GOOGLE_CLOUD_PROJECT + GOOGLE_CLOUD_LOCATION/REGION) are present, the provisioner selects vertex-ai and the wrapper sets USE_ADC=1.
Changes:
- config.yaml: remove required_files from vertex-ai type
- provision.py: vertex-ai no longer requires or validates AGY_TOKEN
- provision.py: autodetect prioritizes GCP env vars over token
- provision.py: wrapper script exports USE_ADC=1 in GCP mode
- oauth-token auth path is unchanged
Code Review
This pull request pins the Antigravity CLI to version 1.0.11 and transitions the Vertex AI authentication method to use Application Default Credentials (ADC) via USE_ADC=1 instead of requiring an AGY_TOKEN. Feedback on these changes suggests adding integrity verification (such as SHA-256 checks) for the downloaded CLI binary in the Dockerfile to mitigate security risks, and updating the autodetect configuration in config.yaml to include GOOGLE_CLOUD_PROJECT for proper Vertex AI detection.
| target_suffix: "/.gemini/antigravity-cli/antigravity-oauth-token" | ||
| autodetect: | ||
| env: | ||
| AGY_TOKEN: oauth-token |
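Review bot: the autodetect.env block maps only AGY_TOKEN to oauth-token, so config.yaml has no entry that selects vertex-ai, while the description says provision.py now picks vertex-ai from GOOGLE_CLOUD_PROJECT plus GOOGLE_CLOUD_LOCATION/REGION and prefers it over the token. Add the GCP keys here and note in a comment which type wins when AGY_TOKEN is also set, so the two files cannot disagree about detection.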
The autodetect configuration in config.yaml does not include vertex-ai. Since provision.py now supports autodetecting vertex-ai when GCP environment variables are present, adding GOOGLE_CLOUD_PROJECT to the autodetect.env mapping allows the host/broker to correctly identify and stage the required GCP environment variables.
AGY_TOKEN: oauth-token
GOOGLE_CLOUD_PROJECT: vertex-ai
| RUN ARCH=$(case "${TARGETARCH:-amd64}" in amd64) echo "x64";; arm64) echo "arm64";; *) echo "${TARGETARCH}";; esac) \ | ||
| && curl -fsSL -o /tmp/cli.tar.gz \ | ||
| "https://github.com/google-antigravity/antigravity-cli/releases/download/${AGY_VERSION}/agy_cli_linux_${ARCH}.tar.gz" \ |
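Review bot: the `*) echo "${TARGETARCH}"` arm of the case passes any unrecognised architecture straight into the asset name, so an unsupported TARGETARCH only surfaces as a failed curl on a URL that was never valid. Make that arm print the unsupported value and `exit 1`, which also leaves a closed set of asset names to key a per-architecture checksum on.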
Downloading the CLI binary directly from GitHub Releases without integrity verification is a security risk. Since the version is now pinned to 1.0.11, we can validate the downloaded tarball against a known SHA-256 hash for each supported architecture to prevent potential man-in-the-middle attacks or compromised release assets.
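The integrity check requested in the comment above, sketched as an added example (not code from this PR or from the antigravity-cli project). AGY_SHA256_X64 and AGY_SHA256_ARM64 are hypothetical build-ARG names, and the digest in the demo is the SHA-256 of the constructed bytes "abc", not a real release digest.

```shell
#!/bin/sh
# Added example: fail-closed SHA-256 check for a pinned release tarball.
# AGY_SHA256_X64 / AGY_SHA256_ARM64 are hypothetical build ARGs, one per asset.

# Map Docker's TARGETARCH to the asset suffix; reject anything unknown
# instead of passing it through into the download URL.
asset_arch() {
    case "$1" in
        amd64) echo "x64" ;;
        arm64) echo "arm64" ;;
        *) echo "unsupported TARGETARCH: $1" >&2; return 1 ;;
    esac
}

# verify_asset FILE TARGETARCH: succeed only if FILE matches the pin for
# that architecture. On a missing pin or a digest mismatch the file is
# deleted so a later "tar -x" step cannot unpack unverified bytes.
verify_asset() {
    file=$1
    want=""
    arch=$(asset_arch "$2") || return 1
    case "$arch" in
        x64)   want=${AGY_SHA256_X64:-} ;;
        arm64) want=${AGY_SHA256_ARM64:-} ;;
    esac
    # An unset or malformed pin fails the build rather than skipping the check.
    if ! printf '%s' "$want" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "no valid SHA-256 pin for $arch" >&2
        rm -f "$file"
        return 1
    fi
    got=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$got" != "$want" ]; then
        echo "digest mismatch for $file: got ${got:-none}" >&2
        rm -f "$file"
        return 1
    fi
}

# Constructed demo: the bytes "abc" stand in for cli.tar.gz, and the pin is
# the SHA-256 of "abc", not the digest of any real release.
AGY_SHA256_X64=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
demo=$(mktemp)
printf 'abc' > "$demo"
verify_asset "$demo" amd64 && echo "verified: $demo"
rm -f "$demo"
```

In the Dockerfile the call would sit between the curl download and the tar extraction, inside the same RUN step.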
The host-side forwarder (container_script_harness.go) only forwards GOOGLE_CLOUD_PROJECT and GOOGLE_CLOUD_REGION to auth-candidates, not GOOGLE_CLOUD_LOCATION. Fall back to checking os.environ directly so users who set GOOGLE_CLOUD_LOCATION are correctly detected as vertex-ai.
Summary
- AGY_VERSION build ARG for easy future bumps.
- USE_ADC=1 env var. GCP env vars (GOOGLE_CLOUD_PROJECT + GOOGLE_CLOUD_LOCATION/GOOGLE_CLOUD_REGION) are sufficient — no AGY_TOKEN required for vertex-ai mode.
Changes
- Dockerfile: Replace auto-updater manifest fetch with pinned GitHub release download
- config.yaml: Remove required_files from vertex-ai auth type
- provision.py: vertex-ai no longer requires/validates AGY_TOKEN; autodetect prioritizes GCP env vars; wrapper exports USE_ADC=1 in GCP mode
Test plan
- bundle_install_test.go passes
- docker build produces image with /usr/local/bin/agy at 1.0.11