From d9d7389135460b4d9b95d28f93acb2749cd93982 Mon Sep 17 00:00:00 2001
From: agrawalradhika-cell
Date: Wed, 20 May 2026 14:57:28 -0700
Subject: [PATCH 1/7] feat: Update check-file-contents.yml to check for non-mTLS hardcoded endpoints
feat: Update check-file-contents.yml to check for non-mTLS hardcoded endpoints
---
 .github/workflows/check-file-contents.yml | 32 +++++++++++++++++++++++
 1 file changed, 32 insertions(+)
diff --git a/.github/workflows/check-file-contents.yml b/.github/workflows/check-file-contents.yml
index 985f6a0f77..925c65dda7 100644
--- a/.github/workflows/check-file-contents.yml
+++ b/.github/workflows/check-file-contents.yml
@@ -100,3 +100,35 @@ jobs:
 else
 echo "✅ No relevant Python files found."
 fi
+
+ - name: Check for hardcoded googleapis.com endpoints
+ run: |
+ git fetch origin ${GITHUB_BASE_REF}
+ CHANGED_FILES=$(git diff --diff-filter=ACMR --name-only origin/${GITHUB_BASE_REF}...HEAD | grep -E '\.py$' || true)
+ if [ -n "$CHANGED_FILES" ]; then
+ echo "Checking for hardcoded endpoints in: $CHANGED_FILES"
+
+ set +e
+ FILES_WITH_HARDCODED_ENDPOINTS=$(grep -lE 'https?://[a-zA-Z0-9.-]+\.googleapis\.com' $CHANGED_FILES | grep -v '.mtls.googleapis.com' || true)
+ set -e
+
+ if [ -n "$FILES_WITH_HARDCODED_ENDPOINTS" ]; then
+ echo "❌ Found forbidden hardcoded non-mTLS endpoints."
+ echo ""
+ echo "🛠️ RESOLUTION (based on cl/905035339):"
+ echo "Do not hardcode 'googleapis.com' URLs. Instead, implement dynamic endpoint selection:"
+ echo ""
+ echo "1. Initialize an AuthorizedSession with your credentials."
+ echo "2. Use 'mtls.has_default_client_cert_source() from google-auth' to check for available client certificates."
+ echo "3. If certificates are present, use 'session.configure_mtls_channel()'."
+ echo "4. Dynamically select the '.mtls.' variant of the endpoint when mTLS is active."
+ echo ""
+ echo "The following files require updates:"
+ echo "$FILES_WITH_HARDCODED_ENDPOINTS"
+ exit 1
+ else
+ echo "✅ All endpoints are compliant or dynamically managed."
+ fi
+ else
+ echo "✅ No relevant Python files found."
+ fi
From 03b9994f94522ee22f3553175d396894ba532dc2 Mon Sep 17 00:00:00 2001
From: agrawalradhika-cell
Date: Wed, 20 May 2026 19:45:28 -0700
Subject: [PATCH 2/7] chore: test linter by Update agent.py
chore: test linter by Update agent.py
---
 .../samples/live/live_bidi_streaming_tools_agent/agent.py | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/contributing/samples/live/live_bidi_streaming_tools_agent/agent.py b/contributing/samples/live/live_bidi_streaming_tools_agent/agent.py
index 0902802afb..8eefcbf2e9 100644
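Review bot: `$CHANGED_FILES` is expanded unquoted into the `grep -lE` call so the newline-separated list word-splits into arguments; a changed path containing a space would split into two non-existent names, grep would complain on stderr, and under the surrounding `set +e` / `|| true` that file would be silently skipped rather than checked. Reading the list into an array keeps paths intact: `mapfile -t CHANGED_FILES < <(git diff --diff-filter=ACMR --name-only "origin/${GITHUB_BASE_REF}...HEAD" | grep -E '\.py$' || true)`, then `if [ "${#CHANGED_FILES[@]}" -gt 0 ]; then` and `grep -lE '…' "${CHANGED_FILES[@]}"`. Separately, `GITHUB_BASE_REF` is only populated for pull-request events; if this workflow can also run on other triggers, `origin/...HEAD` is not a valid range, `git diff` fails, `|| true` masks it and the gate passes vacuously, so a guard such as `: "${GITHUB_BASE_REF:?}"` before the fetch would make the step fail closed instead. The same unquoted expansions are carried forward into patches 3, 6 and 7 of this series.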
--- a/contributing/samples/live/live_bidi_streaming_tools_agent/agent.py
+++ b/contributing/samples/live/live_bidi_streaming_tools_agent/agent.py
@@ -121,6 +121,8 @@ def stop_streaming(function_name: str):
 """
 pass
+# Temporary test for linter
+API_ENDPOINT = "https://test.googleapis.com"
 root_agent = Agent(
 # Find supported models in Vertex here: https://docs.cloud.google.com/vertex-ai/generative-ai/docs/live-api
From 0c4f8a11808f75ecf2d4e9dc548fff57a3f6c56d Mon Sep 17 00:00:00 2001
From: agrawalradhika-cell
Date: Thu, 21 May 2026 10:22:34 -0700
Subject: [PATCH 3/7] fix: fix check to make sure mTLS endpoints are ignored
---
 .github/workflows/check-file-contents.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/check-file-contents.yml b/.github/workflows/check-file-contents.yml
index 925c65dda7..e02a186481 100644
--- a/.github/workflows/check-file-contents.yml
+++ b/.github/workflows/check-file-contents.yml
@@ -109,7 +109,7 @@ jobs:
 echo "Checking for hardcoded endpoints in: $CHANGED_FILES"
 set +e
- FILES_WITH_HARDCODED_ENDPOINTS=$(grep -lE 'https?://[a-zA-Z0-9.-]+\.googleapis\.com' $CHANGED_FILES | grep -v '.mtls.googleapis.com' || true)
+ FILES_WITH_HARDCODED_ENDPOINTS=$(grep -rE 'https?://[a-zA-Z0-9.-]+\.googleapis\.com' $CHANGED_FILES | grep -v '.mtls.googleapis.com' || true)
 set -e
 if [ -n "$FILES_WITH_HARDCODED_ENDPOINTS" ]; then
From 5887a5c50bd296eff68788ed0a83cca503d38f96 Mon Sep 17 00:00:00 2001
From: agrawalradhika-cell
Date: Thu, 21 May 2026 10:23:04 -0700
Subject: [PATCH 4/7] fix: remove the testing enfpoint
---
 .../samples/live/live_bidi_streaming_tools_agent/agent.py | 3 ---
 1 file changed, 3 deletions(-)
diff --git a/contributing/samples/live/live_bidi_streaming_tools_agent/agent.py b/contributing/samples/live/live_bidi_streaming_tools_agent/agent.py
index 8eefcbf2e9..f61162625f 100644
--- a/contributing/samples/live/live_bidi_streaming_tools_agent/agent.py
+++ b/contributing/samples/live/live_bidi_streaming_tools_agent/agent.py
@@ -121,9 +121,6 @@ def stop_streaming(function_name: str):
 """
 pass
-# Temporary test for linter
-API_ENDPOINT = "https://test.googleapis.com"
-
 root_agent = Agent(
 # Find supported models in Vertex here: https://docs.cloud.google.com/vertex-ai/generative-ai/docs/live-api
 model="gemini-live-2.5-flash-native-audio", # Vertex
From f51bc200fc84c19eeea78779eb29579fca8b35cc Mon Sep 17 00:00:00 2001
From: agrawalradhika-cell
Date: Thu, 21 May 2026 10:51:08 -0700
Subject: [PATCH 5/7] fix: fixing line omit lint in agent.py
---
 .../samples/live/live_bidi_streaming_tools_agent/agent.py | 1 +
 1 file changed, 1 insertion(+)
diff --git a/contributing/samples/live/live_bidi_streaming_tools_agent/agent.py b/contributing/samples/live/live_bidi_streaming_tools_agent/agent.py
index f61162625f..0902802afb 100644
--- a/contributing/samples/live/live_bidi_streaming_tools_agent/agent.py
+++ b/contributing/samples/live/live_bidi_streaming_tools_agent/agent.py
@@ -121,6 +121,7 @@ def stop_streaming(function_name: str):
 """
 pass
+
 root_agent = Agent(
 # Find supported models in Vertex here: https://docs.cloud.google.com/vertex-ai/generative-ai/docs/live-api
 model="gemini-live-2.5-flash-native-audio", # Vertex
From 52ce0b7da07e0656a95939ac15d04a51c4833976 Mon Sep 17 00:00:00 2001
From: agrawalradhika-cell
Date: Thu, 21 May 2026 10:57:37 -0700
Subject: [PATCH 6/7] chore: Improve logic to Update check-file-contents.yml
---
 .github/workflows/check-file-contents.yml | 28 +++++++++--------------
 1 file changed, 11 insertions(+), 17 deletions(-)
diff --git a/.github/workflows/check-file-contents.yml b/.github/workflows/check-file-contents.yml
index e02a186481..dc86d4876d 100644
--- a/.github/workflows/check-file-contents.yml
+++ b/.github/workflows/check-file-contents.yml
@@ -109,26 +109,20 @@ jobs:
 echo "Checking for hardcoded endpoints in: $CHANGED_FILES"
 set +e
- FILES_WITH_HARDCODED_ENDPOINTS=$(grep -rE 'https?://[a-zA-Z0-9.-]+\.googleapis\.com' $CHANGED_FILES | grep -v '.mtls.googleapis.com' || true)
+ FILES_WITH_ENDPOINTS=$(grep -lE 'https?://[a-zA-Z0-9.-]+\.googleapis\.com' $CHANGED_FILES)
+
+ if [ -n "$FILES_WITH_ENDPOINTS" ]; then
+ FILES_MISSING_MTLS=$(grep -L '.mtls.googleapis.com' $FILES_WITH_ENDPOINTS)
+ fi
 set -e
- if [ -n "$FILES_WITH_HARDCODED_ENDPOINTS" ]; then
- echo "❌ Found forbidden hardcoded non-mTLS endpoints."
- echo ""
- echo "🛠️ RESOLUTION (based on cl/905035339):"
- echo "Do not hardcode 'googleapis.com' URLs. Instead, implement dynamic endpoint selection:"
- echo ""
- echo "1. Initialize an AuthorizedSession with your credentials."
- echo "2. Use 'mtls.has_default_client_cert_source() from google-auth' to check for available client certificates."
- echo "3. If certificates are present, use 'session.configure_mtls_channel()'."
- echo "4. Dynamically select the '.mtls.' variant of the endpoint when mTLS is active."
- echo ""
- echo "The following files require updates:"
- echo "$FILES_WITH_HARDCODED_ENDPOINTS"
+ if [ -n "$FILES_MISSING_MTLS" ]; then
+ echo "❌ Found hardcoded googleapis.com endpoints without mTLS support."
+ echo "The following files must define both standard and mTLS (.mtls.googleapis.com) endpoints"
+ echo "to support dynamic endpoint selection as required by security policy:"
+ echo "$FILES_MISSING_MTLS"
 exit 1
 else
- echo "✅ All endpoints are compliant or dynamically managed."
+ echo "✅ All hardcoded endpoints have corresponding mTLS definitions or no endpoints found."
 fi
- else
- echo "✅ No relevant Python files found."
 fi
From 5bd4e1f270b9a69915a206e462f2b59843c36c18 Mon Sep 17 00:00:00 2001
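Review bot: `grep -L '.mtls.googleapis.com' $FILES_WITH_ENDPOINTS` marks a file compliant as soon as that substring appears anywhere in it, including in a comment or docstring, and since the pattern is a basic regex with unescaped dots it is not even a literal match; at minimum make it fixed-string, `FILES_MISSING_MTLS=$(grep -LF -- '.mtls.googleapis.com' $FILES_WITH_ENDPOINTS)`, and add a comment above it stating that this step is a presence heuristic and does not verify that the mTLS endpoint is actually selected at runtime. `FILES_MISSING_MTLS` is also never assigned when `FILES_WITH_ENDPOINTS` is empty; that is harmless under a plain `bash -e` step shell but would abort with an unbound-variable error if `set -u` is ever enabled, so initialise it with `FILES_MISSING_MTLS=""` before the inner `if`. Dropping the outer `else` branch also leaves the step silent when no Python files changed, so a vacuous pass is no longer distinguishable from a real one in the job log.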
From: agrawalradhika-cell
Date: Thu, 21 May 2026 11:08:35 -0700
Subject: [PATCH 7/7] chore: improve the instruction for user by Update check-file-contents.yml
---
 .github/workflows/check-file-contents.yml | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/.github/workflows/check-file-contents.yml b/.github/workflows/check-file-contents.yml
index dc86d4876d..a6c31788fa 100644
--- a/.github/workflows/check-file-contents.yml
+++ b/.github/workflows/check-file-contents.yml
@@ -108,9 +108,11 @@ jobs:
 if [ -n "$CHANGED_FILES" ]; then
 echo "Checking for hardcoded endpoints in: $CHANGED_FILES"
+ # 1. Identify files containing any googleapis.com URL.
 set +e
 FILES_WITH_ENDPOINTS=$(grep -lE 'https?://[a-zA-Z0-9.-]+\.googleapis\.com' $CHANGED_FILES)
+ # 2. From those, identify files that are MISSING the required mTLS version.
 if [ -n "$FILES_WITH_ENDPOINTS" ]; then
 FILES_MISSING_MTLS=$(grep -L '.mtls.googleapis.com' $FILES_WITH_ENDPOINTS)
 fi
@@ -121,6 +123,12 @@ jobs:
 echo "The following files must define both standard and mTLS (.mtls.googleapis.com) endpoints"
 echo "to support dynamic endpoint selection as required by security policy:"
 echo "$FILES_MISSING_MTLS"
+ echo ""
+ echo "To fix this, please follow these steps:"
+ echo "1. Initialize an AuthorizedSession with your credentials."
+ echo "2. Use 'mtls.has_default_client_cert_source() from google-auth' to check for available client certificates."
+ echo "3. If certificates are present, use 'session.configure_mtls_channel()'."
+ echo "4. Dynamically select the '.mtls.' variant of the endpoint when mTLS is active."
 exit 1
 else
 echo "✅ All hardcoded endpoints have corresponding mTLS definitions or no endpoints found."
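Review bot: The quoting in the new step-2 line is misplaced, so the package name ends up inside the code span: `echo "2. Use 'mtls.has_default_client_cert_source()' from google-auth to check for available client certificates."` reads as intended. The six consecutive `echo` lines would also be easier to maintain as a single quoted here-document (`cat <<'EOF' … EOF`), which avoids having to keep the quoting of each line consistent by hand. The enclosing `if [ -n "$FILES_MISSING_MTLS" ]` block starts before this hunk.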